Gen.Variant.Hiloti.12_dcb4b3d681

by malwarelabrobot on May 25th, 2017 in Malware Descriptions.

Gen:Variant.Hiloti.12 (BitDefender), Worm:Win32/Vobfus (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Win32.HLLW.Autoruner2.25031 (DrWeb), Gen:Variant.Hiloti.12 (B) (Emsisoft), Generic Dropper.zb (McAfee), SecurityRisk.gen1 (Symantec), Trojan.Win32.Alureon (Ikarus), Gen:Variant.Hiloti.12 (FSecure), Dropper.Generic4.AQZM (AVG), Win32:Hiloti-JL [Trj] (Avast), Gen:Variant.Hiloti.12 (AdAware), Worm.Win32.Vobfus.11.FD, Tdl4.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: dcb4b3d681f66a703fc21b26dffd8099
SHA1: 2faa7115283f2489961921ca9a0fc06f65a0464c
SHA256: 569c719423ea7d6e35579c97a4876b359c3db0a43c3a0523d0268622b6c01817
SSDeep: 12288:VuBSP/amCoBJSpc/aaT9/gur79Yq63kfydqAKTE1qH:sA6oBwy/aI/gK79YH0FAgxH
Size: 607756 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-09-06 06:53:58
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wio.exe:316
%original file name%.exe:1908
BqjnC0gFVHRul8.exe:2504
rundll32.exe:2616
win.exe:264

The Trojan injects its code into the following process(es):

gaebak.exe:1848
rundll32.exe:2080
svchost.exe:2776
svchost.exe:860
spoolsv.exe:1224
Explorer.EXE:2024

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process wio.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\WSCNTV1.dll (105 bytes)

The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\BqjnC0gFVHRul8.exe (418 bytes)
C:\Users\"%CurrentUserName%"\wio.exe (195 bytes)
C:\Users\"%CurrentUserName%"\wiq.exe (350 bytes)
C:\Users\"%CurrentUserName%"\win.exe (1458 bytes)

The process BqjnC0gFVHRul8.exe:2504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\gaebak.exe (2057399 bytes)

The process rundll32.exe:2080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\WSCNTV1.dll (106 bytes)

The process win.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7BC3.tmp (673 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7BC4.tmp (0 bytes)

Registry activity

The process wio.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ypayahubozerahem]
"Rtizemahedilawe" = "32 01 30 03 32 05 33 07 3C 09 38 0B 3C 0D 3A 0F"
"Ssugobed" = "43 01 38 03 58 05 53 07 7B 09 6F 0B 7E 0D 7D 0F"

The process BqjnC0gFVHRul8.exe:2504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

To run automatically each time Windows starts, the Trojan writes the following value, pointing at its own dropped file, to the registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gaebak" = "C:\Users\"%CurrentUserName%"\gaebak.exe /o"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process gaebak.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

To run automatically each time Windows starts, the Trojan writes the following value, pointing at its own file, to the registry autorun key (this replaces the "gaebak" value written a moment earlier by BqjnC0gFVHRul8.exe:2504, so only one of the two command lines, /o or /d, is present at any time):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gaebak" = "C:\Users\"%CurrentUserName%"\gaebak.exe /d"

The process rundll32.exe:2616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ypayahubozerahem]
"Ssugobed" = "43 01 38 03 58 05 53 07 7B 09 6F 0B 7E 0D 7D 0F"

The process rundll32.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ypayahubozerahem]
"Fwazih" = "201"

To run automatically each time Windows starts, the Trojan writes the following value to the registry autorun key; it launches the dropped WSCNTV1.dll through the legitimate Windows host rundll32.exe, calling the DLL's exported Startup function, so the autorun entry names a Microsoft binary while the malicious code lives in the DLL:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Hwejagubina" = "rundll32.exe C:\Users\"%CurrentUserName%"\AppData\Local\WSCNTV1.dll,Startup"

The process win.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7E35.tmp,"

PendingFileRenameOperations is the list that the Session Manager (smss.exe) processes at the start of the next boot, before user-mode services run. Each entry is a source path followed by a destination, and an empty destination, as here, means "delete". win.exe is therefore scheduling its dropped 7E35.tmp (listed under Dropped PE files below) for deletion on reboot, the same effect as calling MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT.
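The two autorun values above share the traits a triage script would flag: a binary dropped straight into the user's profile, and a signed Windows host (rundll32.exe) used to load a DLL from AppData\Local. The following Python is an added example, not part of the Lavasoft report, that applies those two checks to Run-key values. The sample dictionary is constructed from the values above with the %CurrentUserName% placeholder replaced by a made-up user name "analyst", plus one benign entry for contrast; the list of user-writable locations is an assumption to tune per environment.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two HKCU\...\Run values reported above, with the
# %CurrentUserName% placeholder resolved to a made-up user "analyst", plus one
# benign entry for contrast. Not exported from a real machine.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "gaebak": r"C:\Users\analyst\gaebak.exe /o",
    "Hwejagubina": r"rundll32.exe C:\Users\analyst\AppData\Local\WSCNTV1.dll,Startup",
    "SecurityHealth": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"',
}

# Assumed list of locations an unprivileged user can write to; a Run value whose
# target lives here was not installed by a packaged, administrator-run setup.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I),  # anywhere inside a user profile
    re.compile(r"\\appdata\\", re.I),
    re.compile(r"\\temp\\", re.I),
]


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable, arguments), honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_target(exe: str, args: str) -> Optional[str]:
    """For 'rundll32.exe <dll>,<entry> [args]' return the DLL that is really being loaded."""
    if ntpath.basename(exe).lower() != "rundll32.exe" or not args:
        return None
    if args.startswith('"'):
        return args[1:args.find('"', 1)]
    # First token is "<dll>,<entry>"; the DLL path is everything before the last comma.
    return args.split(None, 1)[0].rsplit(",", 1)[0]


def is_user_writable(path: str) -> bool:
    return any(p.search(path) for p in USER_WRITABLE)


def triage_run_values(values: Dict[str, str]) -> List[dict]:
    """Return one finding per suspicious Run value; benign-looking entries are omitted."""
    findings = []
    for name, cmd in values.items():
        exe, args = split_command(cmd)
        target, reasons = exe, []
        dll = rundll32_target(exe, args)
        if dll is not None:
            target = dll  # judge the DLL, not the Microsoft host that loads it
            reasons.append("rundll32.exe used as a host for a DLL")
        if is_user_writable(target):
            reasons.append("target lives in a user-writable profile location")
        if reasons:
            findings.append({"value": name, "command": cmd, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_values(SAMPLE_RUN_VALUES):
        print(f"{f['value']}: {f['target']} ({'; '.join(f['reasons'])})")
```

On a live host the same dictionary can be filled from the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or PowerShell's `Get-ItemProperty` on that key, and the check extends naturally to the HKLM Run, RunOnce and Winlogon keys.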

Dropped PE files

MD5 File path
16dfe37b77854e727eabedd05239ebee c:\Users\"%CurrentUserName%"\AppData\Local\Temp\7E35.tmp
19f8a2d4e8270baf8bd5a6086f565e70 c:\Users\"%CurrentUserName%"\AppData\Local\WSCNTV1.dll
448ed7a3eaec8322338fc17e4a30666a c:\Users\"%CurrentUserName%"\gaebak.exe
f7756f6980dc23ef661085d6cd999831 c:\Users\"%CurrentUserName%"\wio.exe
65a849404ffe62e0d2f56d7993f00920 c:\Users\"%CurrentUserName%"\wiq.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using a driver the sandbox could identify only as "UNKNOWN", the Trojan installs a load-image notify routine (the kernel's PsSetLoadImageNotifyRoutine callback), so it is called every time an executable image is mapped into any process and can act on image loads system-wide.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 132596 132608 4.22175 426a366860ca8811262607ebe276e1d8
.rdata 139264 29110 29184 3.21685 dfbea6869e8a5da853334ec7f1148943
.data 172032 19140 7680 2.87226 f7da6ee0872bfe0b4ccea483c03bf587
.rsrc 192512 4670 5120 3.24143 31dc00837a6da08723d8c719a3fa6c94
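The entropy column above is the usual packing heuristic: compressed or encrypted section bodies approach 8 bits per byte, while ordinary compiled code sits well below that. The following Python is an added example, not from the report, that walks a PE's section table the way the table above was produced and scores each section. The minimal PE it builds as input is constructed for the example (it parses but does not run), and the 7.0 threshold is an assumption. None of this sample's sections reaches that level (.text is 4.22), so a section-entropy threshold on its own would not have called the file packed; the report's "Packed" verdict should be read together with the UPolyX PEiD match above.

```python
import math
import struct
from typing import List, Tuple

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes) -> List[Tuple[str, int, int, int, float]]:
    """Walk the section table; return (name, virtual address, virtual size, raw size, entropy) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    out = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, pe, off + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]  # entropy is scored over the on-disk bytes
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_size, shannon_entropy(raw)))
    return out


def packed_sections(pe: bytes, threshold: float = 7.0) -> List[str]:
    """Names of sections whose raw bytes look compressed or encrypted (entropy above the threshold)."""
    return [s[0] for s in pe_sections(pe) if s[4] > threshold]


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed test input: a minimal PE32 skeleton carrying the given sections. It parses but does not run."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr, va = _align(hdr_end, 0x200), 0x1000
    hdrs, blobs = b"", b""
    for name, data in sections:
        raw_size = _align(len(data), 0x200)
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(data), va,
                            raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(max(len(data), 1), 0x1000)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(_align(hdr_end, 0x200), b"\0") + blobs


# Constructed sample with one section per regime: uniform bytes, constant bytes, a 4-symbol alphabet.
SAMPLE_PE = build_sample_pe([
    (".text", bytes(range(256)) * 2),  # every byte value equally often: entropy 8.0
    (".data", bytes(512)),             # all zeros: entropy 0.0
    (".rsrc", b"ABCD" * 128),          # four symbols equally often: entropy 2.0
])

if __name__ == "__main__":
    for name, va, vsize, raw_size, ent in pe_sections(SAMPLE_PE):
        print(f"{name:8} VA={va:#07x} vsize={vsize:6d} raw={raw_size:6d} entropy={ent:.5f}")
    print("high-entropy sections:", packed_sections(SAMPLE_PE))
```

Pointing `pe_sections` at a real file (`pe_sections(open(path, "rb").read())`) reproduces the four columns of the table above; the section MD5 column is `hashlib.md5(raw).hexdigest()` over the same raw slice.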

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1044
b8b0558f999691b31309dc47989efb0c
d915c3346714afca80d3c631f3cb0222
970b857d4ee5a9dd59bc260771979391
811814fa3690b0d406fddeac25bc530a
5c366641540d02ff6774d402852bfcd8
1af57d417de61f80468c971b7dd64060
904600f806cd27dc740ca03dbf62c496
5abc6bb55d2a90c28133b37c223ae32b
e2b67e4219c3198073b18b2217c9befd
8bf8b90749c805905e918eaa2eafd4aa
591cf2aca498d2d7b1fcbadee24eaed1
d9feb22f36887a2fcfe161af0a82badb
0a02ea330e4b870d22eab8701b049f9d
631b18b828bcf7680d987936e82d0bcd
27895da36896eb59817e8aa3f67e0f1b
b0d451a2fbf53a1a10b229a48de86dfd
a473860e6b19a0a9747114e0f1b80032
fb1443e3a8036a044d4d715764a594d0
9b3cc10cee059a5d011d521652f82bef
f25ca0ad6c3b6305ee7720acfbe41248
1c01a122cf5c7437ab30b0e6d3c6351d
7816e63f86221fe8e2504550bb94cae2
71797386529cf26263483f9298e3d52a
06a4fbd7452424230f3c043bef934b00
1c768e16ea78e33f7476ac4f450a5a92
d11b323fd0532e9d8f170b99afbbcea5

URLs

URL IP
teredo.ipv6.microsoft.com 157.56.106.189
dns.msftncsi.com 131.107.255.255
232307e10513.edataupdate.com (no IP recorded)

The first two hosts are contacted by Windows itself (Teredo IPv6 tunnelling and the Network Connectivity Status Indicator probe) and are sandbox background noise rather than attacker infrastructure; the edataupdate.com host, for which no address was recorded, is the only one not accounted for by Windows.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

Strings from Dumps

rundll32.exe_2080:

.text
`.data
.rsrc
@.reloc
KERNEL32.dll
USER32.dll
msvcrt.dll
imagehlp.dll
ntdll.dll
Av.TBv
?.ulf
.ue9]
ole32.dll
_amsg_exit
_wcmdln
rundll32.pdb
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
{00000000-0000-0000-0000-000000000000}
\\?\Volume
\\?\UNC\
rundll32.exe
Windows host process (Rundll32)
6.1.7600.16385 (win7_rtm.090713-1255)
RUNDLL32.EXE
Windows
Operating System
6.1.7600.16385

rundll32.exe_2080_rwx_10000000_00001000:

.text
`.data
.reloc

svchost.exe_2776:

`.rsrc
%uw"BF
hXXp://funvids.cu.cc/?id=0?watch=6yx9pe
ntdll.dll
Host: VVV.facebook.com
POST /ajax/chat/send.php?
msg_id=
&msg_text=
IEXPLORE.EXE
firefox.exe
Xfire.exe
msgtype
MySpaceIM.exe
YahooMessenger.exe
ICQ.exe
aim.exe
MSVCR90.dll
user32.dll
xprt6.dll
Safari.exe
Ws2_32.dll
kernel32.dll
msnmsgr.exe
YMSG
Z:\ISpread-NEW\Release\iSpreader Release Version.pdb
.text
`.rdata
@.data
.rsrc
@.reloc
http:
//funvids.cu.cc/?=0?watch=6 
oz.php?Gmsg_
# v.rd
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
USER32.dll
PresenceIM.dll
exprt6.dll
coolcore59.dll
nspr4.dll
'Xfire.exe
WININET.dll
CFNetwork.dll

svchost.exe_2776_rwx_00400000_0000E000:

`.rsrc
%uw"BF
hXXp://funvids.cu.cc/?id=0?watch=6yx9pe
ntdll.dll
Host: VVV.facebook.com
POST /ajax/chat/send.php?
msg_id=
&msg_text=
IEXPLORE.EXE
firefox.exe
Xfire.exe
msgtype
MySpaceIM.exe
YahooMessenger.exe
ICQ.exe
aim.exe
MSVCR90.dll
user32.dll
xprt6.dll
Safari.exe
Ws2_32.dll
kernel32.dll
msnmsgr.exe
YMSG
Z:\ISpread-NEW\Release\iSpreader Release Version.pdb
.text
`.rdata
@.data
.rsrc
@.reloc
http:
//funvids.cu.cc/?=0?watch=6 
oz.php?Gmsg_
# v.rd
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
USER32.dll
PresenceIM.dll
exprt6.dll
coolcore59.dll
nspr4.dll
'Xfire.exe
WININET.dll
CFNetwork.dll

gaebak.exe_1848:

.text
`.data
.rsrc
MSVBVM60.DLL
VBA6.DLL
/95/#%1^/
vpzfvlejPqklQf.exe

svchost.exe_860_rwx_005B0000_0001D000:

msvcrt.dll
%d %d %d %d %d %d
hXXps://
hXXp://
.com/
Global\C3819288-93FA-4E29-A254-BD9476B53C20
cfg.ini
%s\%s
bckfg.tmp
lsflt7.ver
0;225;224;77;38;56;16;74;75
maxhttpredirects
software\microsoft\windows\currentversion\internet settings
enablehttp1_1
software\microsoft\windows\currentversion\internet settings\zones\3
{AEBA21FA-782A-4A90-978D-B72164C80120}
{A8A88C49-5EB2-4990-A1A2-0876022C854F}
Opera\Opera\operaprefs.ini
\profile\operaprefs.ini
\prefs.js
network.cookie.cookieBehavior
Mozilla\Firefox\Profiles\
/login/;/tweet/;action=embed-flash;/faq/;/terms/;/contact/;/Forgotpassword/;d.gossipcenter.com/ck.php
hXXp://%s/?xurl=%s&xref=%s
ole32.dll
winmm.dll
atl.dll
oleaut32.dll
clk=%s&bid=%s&aid=%s&sid=%s&rd=%s
n%D,3
Global\6C29A0C8-62C6-415C-9538-B87690BC58D2
lsash.xp
%d|%d|%s|%s
cmd.dll
cmd64.dll
setup.exe
%[^.].%[^(](%[^)])
command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s
%s -g yes -o %s -u bpslemnq -p labgsurwkk
conhost.exe
%s -g no -t %u -o %s -u %s -p %s
masks|%s
hXXp://NO REF/
.softgeek.
%s#%s
url|%s%s|
%s.dll
kernel32.dll
12345678
0123456789
.text
.rdata
HTTP/1.1 302 Found
Location: %s
HTTP/1.1 200 OK
Content-Length: %d
%sConnection: close
<body><a id=link target=_top></body><script>var url='%s';try{var x=document.getElementById('link');x.href=url;x.click()}catch(e){try{var x=parent?parent:window;x.location.replace(url)}catch(e){}}</script><noscript><META http-equiv="refresh" content="0;URL='%s'"></noscript>
<iframe src='%s' style='visibility:hidden;'></iframe>
<script>history.back()</script>
Set-Cookie: %s; expires=%s, u-%s-u u:u:u GMT
urlmon.dll
Global\56684A82-D074-4384-AEB9-D1A40041D9FB
chrome
wermgr.exe
-queuereporting_svc
firefox
opera
svchost.exe
ping.exe
127.0.0.1 -t
Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145
Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9
Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
Global\cc51461b-e32a-4883-8e97-e0706dc65415
keywords
Accept-Language: %s
%s hXXp://%s/?xurl=%s&xref=%s
%s %s
1.8|%s|%s|%s|%s|%s|%s
software\classes\http\shell\open\command
<>:"/\|?*
%s-%s
. d SP.%s
google;yahoo;bing.;live.com;msn.com;altavista.com;ask.com;exalead.com;excite.com;dogpile.com;metacrawler.com;webcrawler.com;alltheweb.com;.lycos.;gigablast.com;cuil.com;.aol.;entireweb.com;.search.com;mamma.com;mytalkingbuddy.com;about.com;conduit.com;alexa.com;alltheinternet.com;blinkx.com;aolcdn.com;othersonline.com;everesttech.net;adrevolver.com;tribalfusion.com;adbureau.net;abmr.net;gstatic.com;virtualearth.net;atdmt.com;ivwbox.;powerset.net;yimg.com;2mdn.net;doubleclick.net;iwon.com;scorecardresearch.com;66.235.120.66;66.235.120.67;ytimg.com;infospace.com;edgesuite.net;superpages.com;lygo.com;compete.com;firmserve.com;worthathousandwords.com;yieldmanager.com;wazizu.com;meedea.com;atwola.com;doubleverify.com;tacoda.net;truveo.com;openx.org;adcertising.com;twimg.com;picsearch.com;oneriot.com;.com.com;flickr.com;searchvideo.com;.tqn.com;myspacecdn.com;fimservecdn.com;alexametrics.com
%u|%u
ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s
hXXp://%s%s
VVV.google.
search.yahoo.com
.altavista.com
/web/results
.ask.com
VVV.exalead.com
/search/web/results
VVV.alltheweb.com
search.lycos.
tab=web
gigablast.com
cuil.com
.aol.
entireweb.com
md=web
VVV.search.com
VVV.mamma.com
mytalkingbuddy.com
searchservice.myspace.com
type=web
search.conduit.com
search.toolbars.alexa.com
alltheinternet.com
/ws/results/web/
?xurl=
http/1.
mozilla
windowsupdate
534886730
1495581554
\\?\globalroot\device\0000081a\32eac016\lsash.xp
C:\Windows\system32\svchost.exe
\\?\globalroot\device\0000081a\32eac016
\\?\globalroot\device\0000081a\32eac016\cfg.ini
WinExec
SHEnumKeyExA
ExitWindowsEx
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoW
InternetCrackUrlA
`.rdata
@.data
.reloc
a.tqn
.aUmKXp
KERNEL32.DLL
ADVAPI32.dll
imagehlp.dll
ntdll.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WebBrowser
127.0.0.1
/c.php?
.google.
%s-%d
{123F30C3-762B-4FAA-869B-07A50D8789D4}
{E2C86015-B91F-4928-ABD6-F569064EB5F5}
{2F03C69D-A22C-419D-87C8-A2BA764D6414}
{AE090FB3-4539-4FF1-92DC-BEA7BF817A6A}
{51A05BC8-BDCC-475F-BBF5-8DFCDB9C824C}
{EFAD2171-191D-48AF-875D-7468BB3A8051}
{77405340-F779-4E3C-B2D6-E9890B19333D}
{C4CEE207-5021-4948-99EA-DE6D8E537DB3}
{D2FE562E-139B-490F-A31C-4F0F7CD82677}
{d5978630-5b9f-11d1-8dd2-00aa004abd5e}
EventSystem.EventSubscription
eplorer\iexplore.exe" -nohome
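The svchost.exe_860 dump above carries the format strings of a search-hijacking component: a redirect beacon `hXXp://%s/?xurl=%s&xref=%s`, a click report `clk=%s&bid=%s&aid=%s&sid=%s&rd=%s`, a search-term report `ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s`, and the list of search engines whose results it intercepts. Because the host and the parameter values change per victim, a detection keyed on the parameter names is more durable than one keyed on a domain. The following Python is an added example, not from the report: it turns those three layouts into signatures and runs them over proxy log lines constructed here for illustration (timestamps, client addresses and the 198.51.100.7 host are made up, and the four-field log format is an assumption). It also undoes the report's hXXp/VVV defanging so dump strings can be fed to URL parsers.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Query-string layouts copied from the format strings in the svchost.exe_860 dump above.
# Each rule is the set of parameter names the beacon carries; values are per-victim.
BEACON_SIGNATURES: Dict[str, Set[str]] = {
    "search-click redirect (?xurl=&xref=)": {"xurl", "xref"},
    "click report (clk/bid/aid/sid/rd)": {"clk", "bid", "aid", "sid", "rd"},
    "search-term report (ver/bid/aid/sid/rd/eng/q)": {"ver", "bid", "aid", "sid", "rd", "eng", "q"},
}


def refang(s: str) -> str:
    """Undo the report's defanging (hXXp -> http, VVV. -> www.) so strings parse as URLs."""
    return s.replace("hXXps://", "https://").replace("hXXp://", "http://").replace("VVV.", "www.")


def match_beacon(url: str) -> List[str]:
    """Return the signature labels whose parameter set is fully present in the URL's query string."""
    keys = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    return [label for label, needed in BEACON_SIGNATURES.items() if needed <= keys]


# Constructed proxy log (timestamp, client, method, URL); not captured from the sample.
SAMPLE_PROXY_LOG = """\
2011-09-06T07:01:02Z 10.0.0.5 GET http://www.google.com/search?q=cheap+flights
2011-09-06T07:01:03Z 10.0.0.5 GET http://198.51.100.7/?xurl=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcheap%2Bflights&xref=http%3A%2F%2Fwww.google.com%2F
2011-09-06T07:01:04Z 10.0.0.5 GET http://198.51.100.7/c.php?ver=1.8&bid=1&aid=2&sid=3&rd=0&eng=google&q=cheap+flights
2011-09-06T07:05:10Z 10.0.0.9 GET http://example.com/?xurl=only
2011-09-06T07:06:00Z 10.0.0.5 POST http://198.51.100.7/?clk=1&bid=1&aid=2&sid=3&rd=0
"""


def hunt(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Scan whitespace-separated proxy lines; return (client, url, matched labels) for every hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        client, url = fields[1], fields[3]
        labels = match_beacon(url)
        if labels:
            hits.append((client, url, labels))
    return hits


if __name__ == "__main__":
    for client, url, labels in hunt(SAMPLE_PROXY_LOG):
        print(client, url, "->", ", ".join(labels))
```

A partial match such as `?xurl=only` is deliberately ignored: requiring the full parameter set keeps the rule from firing on unrelated sites that happen to use one of these common names.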

spoolsv.exe_1224_rwx_00710000_00028000:

.text
`.rdata
@.data
.config
.reloc
t%SSS
N. d SP.
%x%x%x%x%x%x
%s|%s|%s|%x|%x|%s|%x|%x|prn15
%[^;];%[^;];%[^;];
kernel32.dll
ntdll.dll
\\?\globalroot\systemroot\system32\kernel32.dll
%s\cfg.ini
%s\config.ini
%s\drv32
cmd.dll
%s\bckfg.tmp
%s\cmd.dll
%s\cmd64.dll
%[^|]|%[^|]|%s
system\currentcontrolset\services\%x
\\?\globalroot%s\cmd.dll
\\?\globalroot%s\cfg.ini
\\?\globalroot%s\bckfg.tmp
%d.%d.%d %d:%d:%d
\\?\globalroot%s\ldr16
\\?\globalroot%s\ldr32
\\?\globalroot%s\ldr64
\\?\globalroot%s\drv64
\\?\globalroot%s\cmd64.dll
cmd64.dll
\\?\globalroot%s\drv32
\\?\globalroot\systemroot\system32\kdcom.dll
\\?\globalroot\systemroot\system32\hal.dll
\\?\globalroot\systemroot\system32\ntoskrnl.exe
\\?\globalroot\systemroot\system32\drivers\etc\hosts
aid=%s
sid=%s
installdate=%s
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=%s
wsrv=%s
psrv=%s
cfg.ini
bckfg.tmp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>
ZwConnectPort
spoolsv.exe
GetWindowsDirectoryW
KERNEL32.dll
RegCreateKeyA
RegCloseKey
ADVAPI32.dll
SHDeleteKeyA
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
RPCRT4.dll
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
ShellExecuteW
SHELL32.dll
ole32.dll
WINSPOOL.DRV
.pnLu
`.reloc
kdcom.dll
ntoskrnl.exe
`.pdata
K`.ba
W.pFK
}NL%X|7
4.Zt-
.PFkX
:F-I}|
.JOf~
kc-6}d V
ZAw%dw
4-T}`
%F%*3
\{x-x-x-x-xx}
\registry\machine\%S
\??\physicaldrive%d
services.exe
\??\globalroot\systemroot\system32\tasks\%x
\\?\globalroot%s
%s.manifest
%s\setup%u.exe
r\\?\globalroot%s

spoolsv.exe_1224_rwx_02520000_00056000:

.text
`.idata
@.data
.rsrc
@.reloc
VkKeyScanA
USER32.dll
KERNEL32.dll
comdlg32.dll
msvcrt.dll
GDI32.dll
COMCTL32.dll
ntdll.dll
SHLWAPI.dll
:n.zb8
ck%sg:rS
dym%f
j.jl=cr
k[.ou
iK%%c
7Ie6%f
j.SIv1
d&ni.ir
b,.Xz
.th .
Windows_NT
"*")"("7"6"5"4"3"2"1"0"?">",
windows_Nt
.Yqk05u5-
E 0.cw TZ5
0w5R0.HNzF0
H:\bgta\pcwk\DtDdhBj\oSal\EbrXLR.pdb
HMocs569.exe

Explorer.EXE_2024_rwx_10000000_00001000:

.text
`.data
.reloc


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wio.exe:316
    %original file name%.exe:1908
    BqjnC0gFVHRul8.exe:2504
    rundll32.exe:2616
    win.exe:264

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\WSCNTV1.dll (105 bytes)
    C:\Users\"%CurrentUserName%"\BqjnC0gFVHRul8.exe (418 bytes)
    C:\Users\"%CurrentUserName%"\wio.exe (195 bytes)
    C:\Users\"%CurrentUserName%"\wiq.exe (350 bytes)
    C:\Users\"%CurrentUserName%"\win.exe (1458 bytes)
    C:\Users\"%CurrentUserName%"\gaebak.exe (2057399 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7BC3.tmp (673 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "gaebak" = "C:\Users\"%CurrentUserName%"\gaebak.exe /o"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "gaebak" = "C:\Users\"%CurrentUserName%"\gaebak.exe /d"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Hwejagubina" = "rundll32.exe C:\Users\"%CurrentUserName%"\AppData\Local\WSCNTV1.dll,Startup"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
