Trojan.NSIS.StartPage_bde22ac03a
not-a-virus:AdWare.Win32.Inffinity.yas (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: bde22ac03a3f59684b84f95b09c929fd
SHA1: d7117729bc5918d673c1f52094ac7f5c8ac4138a
SHA256: 2d527c905318f87fd82890eb9e8ebfd7e2da13f89113e1018e50b82c76ecafc6
SSDeep: 6144:He34R2lhmWzh36dqXEV2rnCeZG/t7FTBqTzP7n7O7L6K2Bfo7pu:T2bbzh36VV2Go0ZTsnz7O7L6ju7pu
Size: 566824 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1784
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\modern-wizard.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\captura.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\ioSpecial.ini (7139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll (13 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7944.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\show_page_toolbar (0 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 71c46b663baa92ad941388d082af97e7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll |
| 325b008aec81e5aaa57096f05d4212b5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll |
| 9384f4007c492d4fa040924f31c00166 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll |
| a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll |
| 09caf01bc8d88eeb733abc161acff659 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 110592 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 303104 | 16544 | 16896 | 4.13341 | e957b93201e1ddf40aa35ce0a75289ff |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 5612
URLs
| URL | IP |
|---|---|
| hxxp://phpnuke.org/installers/nsis/pantallatoolbar_babylon_coupish_en.ini | |
| hxxp://download.phpnuke.org/installers/nsis/pantallatoolbar_babylon_coupish_en.ini | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1784
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\modern-wizard.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\captura.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\ioSpecial.ini (7139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll (13 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.