Win32.Parite.C_69f68d9f60
Win32.Parite.C (BitDefender), Virus:Win32/Parite.C (Microsoft), Virus.Win32.Parite.c (Kaspersky), Win32.Parite.c (v) (VIPRE), Win32.Parite.3 (DrWeb), Win32.Parite.C (B) (Emsisoft), W32/Pate.c (McAfee), W32.Virut.CF (Symantec), Virus.Win32.Ramnit (Ikarus), Win32.Parite.C (FSecure), Win32:Parite (AVG), Win32:Parite (Avast), PE_PARITE.A (TrendMicro), Win32.Parite.C (AdAware), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 69f68d9f60cd882f05baa8fc78ef694c
SHA1: 48a021a2ea51e4a03fe5e5abe2c36347293bb86e
SHA256: 0e6fd3eccad66025d4a89e25cd2c456e4355cf576e610bcf44f9ae226ced3268
SSDeep:
Size: 231918 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-04 15:35:59
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). Note that most of the vendor names above (Parite, Pate, PE_PARITE) identify a polymorphic file infector rather than a pure Trojan; the *.exe and *.scr wildcards in the strings below and the hooks on the file- and process-creation routines in ntdll.dll are consistent with an infector, so other executables on the host should be treated as potentially infected rather than only this sample being removed.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3732
The Trojan injects its code into the following process(es):
Explorer.EXE:520
Dwm.exe:524
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ejc5B2A.tmp (11190 bytes)
Registry activity
The process %original file name%.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the GraphicsDrivers and UnitedVideo display-configuration keys below are written by the Windows display stack and appear because the code runs inside Explorer.EXE and Dwm.exe; they are sandbox noise rather than a persistence mechanism):
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00]
"Position.cx" = "0"
"Position.cy" = "0"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00\00]
"HSyncFreq.Numerator" = "259380000"
"ScanlineOrdering" = "1"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Connectivity\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F]
"Recent" = "NOEDID_15AD_0405_00000000_000F0000_0"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000]
"Attach.ToDesktop" = "1"
"DefaultSettings.DriverExtra" = "60 EA 00 00 E8 03 00 00 15 00 00 00 01 00 00 00"
"DefaultSettings.Orientation" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"DefaultSettings.YPanning" = "0"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00]
"ColorBasis" = "2"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00\00]
"PixelRate" = "539510400"
"VSyncFreq.Denominator" = "1"
"VideoStandard" = "1"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00]
"PrimSurfSize.cx" = "1916"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"DefaultSettings.DriverExtra" = "60 EA 00 00 E8 03 00 00 15 00 00 00 01 00 00 00"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00\00]
"Scaling" = "255"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000]
"DefaultSettings.FixedOutput" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"DefaultSettings.XResolution" = "1916"
"DefaultSettings.BitsPerPel" = "32"
"DefaultSettings.YResolution" = "902"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000]
"DefaultSettings.VRefresh" = "60"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00\00]
"Rotation" = "1"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F]
"TimeStamp" = "Type: REG_QWORD, Length: 8"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000]
"DefaultSettings.YResolution" = "902"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00]
"PrimSurfSize.cy" = "902"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"DefaultSettings.Orientation" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000]
"DefaultSettings.XResolution" = "1916"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00\00]
"Flags" = "3808558854"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"Attach.RelativeY" = "0"
"Attach.RelativeX" = "0"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00\00]
"ActiveSize.cy" = "902"
"ActiveSize.cx" = "1916"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"DefaultSettings.XPanning" = "0"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00]
"PixelFormat" = "21"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000]
"DefaultSettings.Flags" = "0"
"DefaultSettings.XPanning" = "0"
"DefaultSettings.YPanning" = "0"
"DefaultSettings.BitsPerPel" = "32"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"DefaultSettings.Flags" = "0"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Connectivity\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F]
"Internal" = "NOEDID_15AD_0405_00000000_000F0000_0"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00]
"Stride" = "7664"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000]
"Attach.RelativeY" = "0"
"Attach.RelativeX" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"DefaultSettings.VRefresh" = "60"
[HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\NOEDID_15AD_0405_00000000_000F0000_0^20ED182961F2CFDB3A2D28C95A99744F\00\00]
"VSyncFreq.Numerator" = "60"
"HSyncFreq.Denominator" = "1000"
[HKLM\System\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{E6CBEC98-7179-4DE4-B38F-C95065B85D16}\0000\Mon00000000]
"DefaultSettings.FixedOutput" = "0"
"Attach.ToDesktop" = "1"
The Trojan deletes the following autorun value in system registry, which disables automatic startup of the application it pointed to:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"
Dropped PE files
| MD5 | File path |
|---|---|
| fe763c2d71419352141c77c310e600d2 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ejc5B2A.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
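Added example (not part of the report and not the malware's code): a Python classifier for the prologue bytes of the ntdll.dll exports listed above. It recognises the common inline-hook shapes (jmp rel32, jmp rel8, jmp [mem], push/ret, mov eax/jmp eax) and, for an untouched stub, checks that the syscall number loaded into EAX is the expected one; a second pass flags any export whose in-memory bytes differ from the on-disk copy. The syscall numbers, the sample byte strings and the 0x016D1000 push target (reused from the RWX region name in the dump heading further down) are assumptions for illustration; on a real host the bytes come from the target process and from ntdll.dll on disk.

```python
# Added example (not code from the report or from the malware): classify the
# first bytes of an ntdll.dll export as a clean syscall stub or an inline
# hook of the kind the "Rootkit activity" section lists. All byte strings
# below are constructed for illustration; on a live Windows 7 x86 host you
# would read them from ntdll.dll in the target process (ReadProcessMemory)
# and from the file on disk, then run the same classifier on both copies.
import struct

# Syscall numbers a clean Win7 SP1 x86 stub is expected to load into EAX.
# Assumed values for this example; verify against the ntdll.dll you analyse.
EXPECTED_SYSCALL = {
    "NtCreateFile": 0x42,
    "ZwOpenFile": 0xB3,
    "NtCreateProcess": 0x4F,
    "NtCreateProcessEx": 0x50,
    "NtCreateUserProcess": 0x5D,
    "NtDeviceIoControlFile": 0x6B,
    "NtQueryInformationProcess": 0xEA,
}

def classify_prologue(name, prologue):
    """Describe whether `prologue` (first bytes of the export `name`) has been
    redirected. `hooked` is True/False, or None when the bytes are too short
    or not a shape this classifier understands."""
    b = prologue
    if len(b) < 6:
        return {"name": name, "hooked": None, "reason": "prologue too short"}
    if b[0] == 0xE9:                                   # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        return {"name": name, "hooked": True, "reason": "jmp rel32", "target_delta": rel + 5}
    if b[0] == 0xEB:                                   # jmp rel8
        rel = struct.unpack_from("<b", b, 1)[0]
        return {"name": name, "hooked": True, "reason": "jmp rel8", "target_delta": rel + 2}
    if b[:2] == b"\xFF\x25":                           # jmp dword ptr [abs]
        ptr = struct.unpack_from("<I", b, 2)[0]
        return {"name": name, "hooked": True, "reason": "jmp [mem]", "target": ptr}
    if b[0] == 0x68 and b[5] == 0xC3:                  # push imm32 ; ret
        tgt = struct.unpack_from("<I", b, 1)[0]
        return {"name": name, "hooked": True, "reason": "push/ret", "target": tgt}
    if b[0] == 0xB8:                                   # mov eax, imm32
        imm = struct.unpack_from("<I", b, 1)[0]
        if b[5:7] == b"\xFF\xE0":                      # ... ; jmp eax
            return {"name": name, "hooked": True, "reason": "mov eax/jmp eax", "target": imm}
        expected = EXPECTED_SYSCALL.get(name)
        if expected is not None and imm != expected:
            return {"name": name, "hooked": True, "reason": f"unexpected syscall number 0x{imm:x}"}
        return {"name": name, "hooked": False, "reason": f"syscall stub 0x{imm:x}"}
    return {"name": name, "hooked": None, "reason": "unrecognised prologue"}

def scan_exports(in_memory, on_disk=None):
    """Classify every export in `in_memory` ({name: bytes}); when `on_disk` is
    given, an export whose memory bytes differ from the disk bytes is also
    reported. Returns the sorted list of names judged hooked."""
    hooked = set()
    for name, prologue in in_memory.items():
        if classify_prologue(name, prologue)["hooked"]:
            hooked.add(name)
        if on_disk is not None and on_disk.get(name) not in (None, prologue):
            hooked.add(name)
    return sorted(hooked)

# Constructed samples. The clean stub is the usual Win7 x86 shape:
#   mov eax, <sysno> ; mov edx, 7FFE0300h ; call [edx] ; ret 2Ch
CLEAN_STUB_TAIL = bytes.fromhex("BA0003FE7F" "FF12" "C22C00")
SAMPLE_DISK = {
    "NtCreateFile": bytes.fromhex("B842000000") + CLEAN_STUB_TAIL,
    "ZwOpenFile": bytes.fromhex("B8B3000000") + CLEAN_STUB_TAIL,
    "NtQueryInformationProcess": bytes.fromhex("B8EA000000") + CLEAN_STUB_TAIL,
}
SAMPLE_MEMORY = {
    # first 5 bytes overwritten with jmp +0x21FA6 (lands 0x21FAB past the stub)
    "NtCreateFile": bytes.fromhex("E9A61F0200") + CLEAN_STUB_TAIL,
    # push <RWX region address from the dump heading> ; ret, then stub leftovers
    "ZwOpenFile": bytes.fromhex("6800106D01C3") + CLEAN_STUB_TAIL[1:],
    "NtQueryInformationProcess": bytes.fromhex("B8EA000000") + CLEAN_STUB_TAIL,
}

if __name__ == "__main__":
    for n, p in SAMPLE_MEMORY.items():
        print(classify_prologue(n, p))
    print("hooked:", scan_exports(SAMPLE_MEMORY, SAMPLE_DISK))
```

The memory-versus-disk comparison is the check that matters in practice: a hook that uses an instruction shape the classifier does not know still shows up as a byte difference, while the shape check alone gives the analyst the jump target to look at (here the push/ret target is the injected RWX region).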
Propagation
VersionInfo
Company Name: ATI Technologies, Inc.
Product Name: ATI Default Resolution Update
Product Version: 6, 14, 10, 2495
Legal Copyright: Copyright (c) ATI Technologies Inc. 2000
Legal Trademarks:
Original Filename: ATI2MDXX.EXE
Internal Name: ATI2MDXX
File Version: 6, 14, 10, 2495
File Description: ATI2MDXX
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 16788 | 16896 | 4.53062 | fd52cb91f269934b66b377e2a2c684bb |
| .rdata | 24576 | 5256 | 5632 | 2.87957 | 13ec843b1608415dbc27746b75abad5c |
| .data | 32768 | 3672 | 1024 | 1.43684 | c4458d5dc25b7b0fbbc4ae0b07677c57 |
| .rsrc | 36864 | 30208 | 29184 | 5.46254 | 76dcfe9ee91470cdee14a6603806001a |
| .pmj | 69632 | 4096 | 2048 | 4.49525 | 6f4cc53ec097c886918b6773341213b5 |
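Added example, not from the report: a section-table parser that reproduces the per-section entropy column above and then applies the checks an analyst runs when a file infector is suspected. The report's table ends with a non-standard section named .pmj; an infector that appends its body to a host file typically adds exactly such a section and redirects the entry point into it. The sample PE image is built inline by build_sample_pe() (a header fixture, not a loadable binary) and its section contents are invented; only the name .pmj is reused from the table, everything else about that section is assumed.

```python
# Added example (not code from the report): parse the section table of a PE
# file, compute per-section entropy as the report's table does, and raise the
# indicators an analyst uses to spot an appended infector body: a section
# with a non-standard name, a section that is both writable and executable,
# packed-looking entropy, and an entry point that lands in the last section.
# The sample image is constructed in build_sample_pe(); it is a header fixture
# for the parser, not a loadable executable.
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata"}
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def _align(v, a):
    return (v + a - 1) // a * a

def build_sample_pe(sections, entry_section):
    """Construct a minimal PE32 image from (name, data, characteristics) tuples,
    with AddressOfEntryPoint at the start of sections[entry_section]."""
    opt_size = 0xE0
    raw_ptr = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    vaddr, headers, body, entry_rva = SECT_ALIGN, [], b"", 0
    for i, (name, data, chars) in enumerate(sections):
        raw_size = _align(len(data), FILE_ALIGN)
        headers.append(struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                                   len(data), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars))
        body += data.ljust(raw_size, b"\0")
        if i == entry_section:
            entry_rva = vaddr
        raw_ptr += raw_size
        vaddr += _align(len(data), SECT_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    hdr = dos + b"PE\0\0" + coff + opt + b"".join(headers)
    return hdr.ljust(_align(len(hdr), FILE_ALIGN), b"\0") + body

def parse_pe(data):
    """Return {'entry_point': rva, 'sections': [...]} from a PE byte string."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]   # AddressOfEntryPoint
    off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr,
                         "characteristics": chars, "entropy": round(shannon_entropy(raw), 3)})
    return {"entry_point": entry, "sections": sections}

def section_for_rva(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return s
    return None

def infector_indicators(pe):
    """Heuristic findings; an empty list means none of the checks fired."""
    findings, secs = [], pe["sections"]
    for s in secs:
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"non-standard section name {s['name']}")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["entropy"] > 7.0:
            findings.append(f"section {s['name']} has packed-looking entropy {s['entropy']}")
    ep = section_for_rva(secs, pe["entry_point"])
    if ep is None:
        findings.append(f"entry point 0x{pe['entry_point']:x} is outside every section")
    elif len(secs) > 1 and ep is secs[-1] and ep["name"] not in STANDARD_NAMES:
        findings.append(f"entry point 0x{pe['entry_point']:x} lies in appended last section {ep['name']}")
    return findings

# Constructed sample: a host with .text/.data plus an appended ".pmj" section
# that is RWX, high-entropy, and owns the entry point. The name mirrors the
# last section in the report's table; the contents are made up here.
SAMPLE_PE = build_sample_pe([
    (".text", bytes.fromhex("558BEC33C05DC3"), 0x60000020),
    (".data", b"\0" * 16, 0xC0000040),
    (".pmj", bytes(range(256)) * 4, 0xE0000020),
], entry_section=2)
```

Entropy is computed over the raw section as stored in the file, padding included, which is why a tiny code section reads close to zero; the report's 4.5 for .pmj is lower than the packed-looking threshold used here, so on this sample the name, the permissions and the entry-point location are the indicators to rely on, not entropy alone.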
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| ilo.brenz.pl | |
| ant.trenz.pl | |
| iswwaf.com | |
| zipzwy.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Known Hostile Domain ilo.brenz.pl Lookup
Traffic
Captured IRC exchange (the binary bytes that preceded it in the capture are not reproducible as text). The server numerics show the bot registering the nick ffdhuyte and reading to the end of the MOTD:
:irc 001 ffdhuyte :Hi virtu.
:irc 376 ffdhuyte :End of /MOTD command.
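Added example, not from the report: detection logic for the two network indicators above, run over constructed input. The hostile domain list is the report's URL table (ilo.brenz.pl is also the one the ET rule fires on); the DNS log format, the client address, the timestamps, the JOIN line and the channel name are constructed for this example. The IRC parser reads the 001 and 376 numerics that appear in the traffic excerpt and reports the nick the server registered, which is the value an analyst would pivot on across other captures.

```python
# Added example (not from the report): run the report's network indicators
# over sample traffic logs. The hostile domain list is the report's URL table;
# the DNS log format and the IRC byte stream are constructed for this example.
import re

HOSTILE_DOMAINS = {"ilo.brenz.pl", "ant.trenz.pl", "iswwaf.com", "zipzwy.com"}

DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+DNS\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")
IRC_NUMERIC = re.compile(r"^:(?P<server>\S+)\s+(?P<code>\d{3})\s+(?P<nick>\S+)\s+:(?P<text>.*)$")
IRC_JOIN = re.compile(r"^:(?P<nick>[^!\s]+)\S*\s+JOIN\s+:?(?P<chan>#\S+)")

def _matches_hostile(qname):
    """True when qname equals a hostile domain or is a subdomain of one
    (a parent such as brenz.pl on its own does not match)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in HOSTILE_DOMAINS for i in range(len(labels)))

def hostile_dns_lookups(log_text):
    """Return (src, qname) for every query line that hits a hostile domain."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if m and _matches_hostile(m["qname"]):
            hits.append((m["src"], m["qname"].rstrip(".")))
    return hits

def irc_session_fingerprint(stream):
    """Summarise a server-to-client IRC stream: the nick the server registered
    (RPL_WELCOME 001), the welcome text, whether the MOTD finished (376) and
    the channels that nick joined. Returns None when no 001 reply is present."""
    info = {"server": None, "nick": None, "welcome": None, "motd_end": False, "channels": []}
    for raw in stream.decode("latin-1").split("\r\n"):
        m = IRC_NUMERIC.match(raw)
        if m:
            if m["code"] == "001":
                info.update(server=m["server"], nick=m["nick"], welcome=m["text"])
            elif m["code"] == "376":
                info["motd_end"] = True
            continue
        j = IRC_JOIN.match(raw)
        if j and j["nick"] == info["nick"]:
            info["channels"].append(j["chan"])
    return info if info["nick"] else None

# Constructed sample DNS log: "<time> <client> DNS <qtype> <qname>"
SAMPLE_DNS_LOG = """\
15:36:01 10.0.0.12 DNS A ilo.brenz.pl
15:36:01 10.0.0.12 DNS A www.microsoft.com
15:36:02 10.0.0.12 DNS A ant.trenz.pl.
15:36:05 10.0.0.12 DNS A update.zipzwy.com
15:36:07 10.0.0.12 DNS AAAA brenz.pl
"""

# Constructed IRC stream built around the 001/376 replies the report captured;
# the JOIN line and channel name are invented for the example.
SAMPLE_IRC = (b":irc 001 ffdhuyte :Hi virtu.\r\n"
              b":irc 376 ffdhuyte :End of /MOTD command.\r\n"
              b":ffdhuyte!u@h JOIN :#vx\r\n")

if __name__ == "__main__":
    print(hostile_dns_lookups(SAMPLE_DNS_LOG))
    print(irc_session_fingerprint(SAMPLE_IRC))
```

Matching on the registered nick rather than on the server name is deliberate: the server string in the excerpt is just "irc", which is useless as an indicator, whereas the nick is generated by the bot and tends to recur across infections of the same build.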
The Trojan connects to the servers at the following location(s):
Strings from dumps (memory regions read back from the processes the Trojan injected into):
UDPSockError
NMUDP
Errmsg
Port
TNMUDP
TNMUDPxp
RemotePort
LocalPort
ReportLevel4o
0.0.0.0
%d.%d.%d.%d
Portt:
AutoHotkeysp
AutoHotkeys
:].tJ
EInvalidGraphicOperation
KeyPreview
WindowStatep
OnKeyDown
OnKeyPressL~
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
wry.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
Gw2.Hw
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Dwm.exe_524_rwx_016D1000_00071000: (same string set as the region above)
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3732
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ejc5B2A.tmp (11190 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.