MD5: 9b8b27fd8ed1a9b9f7942a403d0b6111
SHA1: bfac7a8c14732397dba6ed806d52faa482e1a0de
SHA256: 00d95a8f0fb7609634c6218caddf57df2d2d9dafbb92d5a2c451eeff3cc29969
SSDeep: 24576:9wlBrygOW3mFYoIHSSNeW25bXK6GNvr VJNEywH7qBci:w5mFYH85ba7YEywbq9
Size: 4321280 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2007-11-25 11:21:46
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

rundll32.exe:2524

The Trojan injects its code into the following process(es):

%original file name%.exe:1760

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\regsvr.exe (31071 bytes)
C:\Windows\System32\setting.ini (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut9CEA.tmp (2577 bytes)
C:\Windows\System32\svchost .exe (31071 bytes)
C:\Windows\System32\setup.ini (164 bytes)
C:\Windows\System32\regsvr.exe (31071 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut9CEA.tmp (0 bytes)

The process rundll32.exe:2524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\STRODXPL\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PYQ059LX\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KJF02ERK\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PZ9ZH5LA\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
"shared" = "\New Folder .exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9b8b27fd8ed1a9b9f7942a403d0b6111_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger" = "C:\Windows\system32\regsvr.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe regsvr.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4, 3, 4, 6
File Description:
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 18
c748c67262c7d48b67c4d661666b895d
cf499e3fd5c96bc618f08fec5f0305e6
1e48d8e927b55d88e63abb2821e7cbf8
d98562530a505ba2c328a1914462ff0b
8dad1c458958d16e1e4980448f9f04d3
035193b755395e7f358e7daadd1342c6
d21b7aa566fb45d95e15b3b0bc9aea3c
91b8380723371e90ad9af91fa8135ddd
8db2eae6e6720ee320f9adbcfd252293
2e0ceb262ba5eb08116231b3dde7b746
32badf5f808afb9903cc5dc5c0581838
e79e3d7da2e20072df8b9827e2c5664c
1de08754727406f42eefba2c4f48f24f
16c74c270d1417745f864d2d520b9f22
4ec2176d18f9502c77ab6cb4eb32a1eb
51c366835763a73843e76db451e63880
7c5a26bae5712c577a962ca11443df38
7fe0f093013b702523c8d89a29ee4d78

URLs

URL	IP
hxxp://yahoo.com/setting.doc
hxxp://fd-fp3.wg1.b.yahoo.com/setting.xls

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.doc
ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.xls

Traffic

The Trojan connects to the servers at the folowing location(s):

`.rsrc

.MUPX1

PSShD

|$(;|$,~

t=Ht.Ht

t.Ht Ht

YtMSSh

!!!!!!""#$%&'(((((())* ,-.DDDDDDDD//01234555676789:;<:;<DDD=>?@ABC

.VVVVVSRSSj

tGHt.Ht&

Bv=kAv.SCvs

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

mscoree.dll

.mixcrt

KERNEL32.DLL

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

kernel32.dll

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.

uxtheme.dll

APPSKEY

ASC 0%d

Psapi.dll

shell32.dll

user32.dll

Wininet.dll

FtpGetFileSize

ICMP.DLL

InternetOpenUrlW

HttpOpenRequestW

HttpSendRequestW

HttpQueryInfoW

FtpOpenFileW

InternetCrackUrlW

Advapi32.dll

zcÁ

GetWindowsDirectoryW

CreatePipe

PeekNamedPipe

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

RegDeleteKeyW

RegCreateKeyExW

RegEnumKeyExW

RegCloseKey

RegOpenKeyExW

SetViewportOrgEx

ShellExecuteExW

SHFileOperationW

ShellExecuteW

UnregisterHotKey

ExitWindowsEx

EnumThreadWindows

GetAsyncKeyState

GetKeyboardState

GetKeyState

VkKeyScanA

GetKeyboardLayoutNameA

EnumWindows

EnumChildWindows

MapVirtualKeyW

GetKeyboardLayoutNameW

RegisterHotKey

SetKeyboardState

keybd_event

.text

`.rdata

@.data

.rsrc

3333333330

3333330

333333333333330

.LjR=W

.Jbjx=

^_^\^_\^[__^^_^^__^^^^___^__^\_\\_^^^^\^^_[__^^__^_^__^^\[^^_^_^^_^\_^_^^\^\^[^[[__^\^^^\-

4444444

333333333333333

444444444

33333333333333

ADVAPI32.dll

COMCTL32.dll

comdlg32.dll

GDI32.dll

MPR.dll

ole32.dll

OLEAUT32.dll

SHELL32.dll

USER32.dll

VERSION.dll

WINMM.dll

WSOCK32.dll

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

ISKEYWORD

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

URLDOWNLOADTOFILE

==> %s

\??\%s

GUI_RUNDEFMSG

FtpBinaryMode

SendKeyDelay

SendKeyDownDelay

TCPTimeout

AUTOITCALLVARIABLE%d

Keyword

AutoIt.Error

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

.AUTOITX64

HOTKEYPRESSED

AUTOITEXE

WINDOWSDIR

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

UNKN%d

WIN32_WINDOWS

.DEFAULT\Control Panel\Desktop\ResourceLocale

3, 2, 10, 0

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

c:\%original file name%.exe

C:\%original file name%.exe

4, 3, 4, 6

%original file name%.exe_1760_rwx_00401000_000A4000:

PSShD

|$(;|$,~

t=Ht.Ht

t.Ht Ht

YtMSSh

!!!!!!""#$%&'(((((())* ,-.DDDDDDDD//01234555676789:;<:;<DDD=>?@ABC

.VVVVVSRSSj

tGHt.Ht&

Bv=kAv.SCvs

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

mscoree.dll

.mixcrt

KERNEL32.DLL

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

kernel32.dll

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.

uxtheme.dll

APPSKEY

ASC 0%d

Psapi.dll

shell32.dll

user32.dll

Wininet.dll

FtpGetFileSize

ICMP.DLL

InternetOpenUrlW

HttpOpenRequestW

HttpSendRequestW

HttpQueryInfoW

FtpOpenFileW

InternetCrackUrlW

Advapi32.dll

zcÁ

GetWindowsDirectoryW

CreatePipe

PeekNamedPipe

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

RegDeleteKeyW

RegCreateKeyExW

RegEnumKeyExW

RegCloseKey

RegOpenKeyExW

SetViewportOrgEx

ShellExecuteExW

SHFileOperationW

ShellExecuteW

UnregisterHotKey

ExitWindowsEx

EnumThreadWindows

GetAsyncKeyState

GetKeyboardState

GetKeyState

VkKeyScanA

GetKeyboardLayoutNameA

EnumWindows

EnumChildWindows

MapVirtualKeyW

GetKeyboardLayoutNameW

RegisterHotKey

SetKeyboardState

keybd_event

.text

`.rdata

@.data

.rsrc

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

ISKEYWORD

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

URLDOWNLOADTOFILE

==> %s

\??\%s

GUI_RUNDEFMSG

FtpBinaryMode

SendKeyDelay

SendKeyDownDelay

TCPTimeout

AUTOITCALLVARIABLE%d

Keyword

AutoIt.Error

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

.AUTOITX64

HOTKEYPRESSED

AUTOITEXE

WINDOWSDIR

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

UNKN%d

WIN32_WINDOWS

.DEFAULT\Control Panel\Desktop\ResourceLocale

3, 2, 10, 0

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

c:\%original file name%.exe

C:\%original file name%.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   rundll32.exe:2524
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Windows\regsvr.exe (31071 bytes)
   C:\Windows\System32\setting.ini (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut9CEA.tmp (2577 bytes)
   C:\Windows\System32\svchost .exe (31071 bytes)
   C:\Windows\System32\setup.ini (164 bytes)
   C:\Windows\System32\regsvr.exe (31071 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\STRODXPL\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PYQ059LX\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KJF02ERK\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PZ9ZH5LA\desktop.ini (67 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Msn Messsenger" = "C:\Windows\system32\regsvr.exe"

5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Shell" = "Explorer.exe regsvr.exe"

6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.