Backdoor.Turkojan.AF_c8a4cd3e3a
HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Turkojan.AF (B) (Emsisoft), Backdoor.Turkojan.AF (AdAware), RATTurkojan.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c8a4cd3e3a5fa88dbd7a234775e1b96d
SHA1: 807f39e8301c21a94d7de12d2306608314c239b1
SHA256: 8c8c40e7ca41450939e4a9cfb23a3f2e22dc6be16428c4e2d62f3c6822dc93be
SSDeep: 1536:kVuNAXTj4Fj/91/NnLZqeWEPVpa8DzePjkgcwYS7S5 Vfk09 2pIwUhSlnouy8:ioy8j7VnNdrPHaSekwi mW 2cS9out
Size: 110592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (this is the fixed link-time timestamp that Delphi-built executables carry, consistent with the Delphi source path D:\turkojan4\completed\Server\Kol.pas in the strings below; it is not the real build date)
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor: malware that gives a remote operator control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:320
The Backdoor injects its code into the following process(es):
mstwain32.exe:1628
Explorer.EXE:1572
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:320 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\mstwain32.exe (601 bytes)
The process mstwain32.exe:1628 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\cmsetac.dll (33 bytes)
%WinDir%\ntdtcstp.dll (7 bytes)
Registry activity
The process %original file name%.exe:320 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry (the RNG Seed, MountPoints2 and Shell Folders entries are side effects of ordinary API use and are not indicators on their own; the MUICache entry records that mstwain32.exe was launched through the shell):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 09 04 F5 EA 4D 62 72 9F 1E 1B 26 65 22 B8 D6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"mstwain32.exe" = "mstwain32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor sets the three IE ZoneMap values that widen the Intranet Zone, which has weaker security defaults than the Internet Zone. The same three values show up in reports on many benign samples, so on their own they are a weak indicator. Local intranet sites not assigned to another zone are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
UNC network paths are placed in the Intranet Zone:
"UNCAsIntranet" = "1"
Sites that bypass the proxy server are placed in the Intranet Zone:
"ProxyBypass" = "1"
The process mstwain32.exe:1628 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F F5 CB 67 46 23 28 C5 D1 F0 17 62 F3 4F C1 50"
To run automatically each time the user logs on (an HKCU Run entry fires at logon, not at boot), the Backdoor adds the following reference to its dropped copy to the autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"mstwain32" = "%WinDir%\mstwain32.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 22bb9fd837f17d990aef4f1a38f82b2a | c:\WINDOWS\cmsetac.dll |
| 67587e25a971a141628d7f07bd40ffa0 | c:\WINDOWS\ntdtcstp.dll |
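The registry listing and the dropped-file table above are in the report's own layout: a "[key]" line followed by one or more "name" = "value" lines, with explanatory sentences interleaved and the key line omitted when consecutive values share a path. The following is an added example, written by the editor and not part of the Lavasoft report, that parses that layout and tags the entries which matter for this infection: the Run-key persistence pointing at a file dropped directly in %WinDir%, the three ZoneMap values that widen the Intranet Zone, and the MUICache record of mstwain32.exe having been launched. The sample input is constructed from the lines above; the finding names are the editor's own.

```python
import re

# Constructed sample input: lines copied from the registry listing above, in
# the report's own layout. A "[key]" line is followed by one or more
# "name" = "value" lines; the report sometimes interleaves explanatory
# sentences and omits the key when consecutive values share a path.
SAMPLE_LISTING = r'''
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"mstwain32.exe" = "mstwain32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones:
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"mstwain32" = "%WinDir%\mstwain32.exe"
'''

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>[^"]*)"$')


def parse_listing(text):
    """Return (key, name, value) triples from a report-style listing.
    A value line inherits the most recent key; any other line is skipped."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = VALUE_LINE.match(line)
        if m and current_key is not None:
            entries.append((current_key, m.group('name'), m.group('value')))
    return entries


# Autorun locations; the user and machine hives share these suffixes.
AUTORUN_SUFFIXES = (r'\currentversion\run', r'\currentversion\runonce',
                    r'\currentversion\runservices')
# ZoneMap values that, when set to 1, widen the weaker Intranet Zone.
ZONEMAP_DOWNGRADES = {'intranetname', 'uncasintranet', 'proxybypass'}


def in_windows_root(path):
    """True for a file placed directly in %WinDir% rather than a subdirectory,
    which is where mstwain32.exe and the two DLLs were dropped."""
    head, _, tail = path.rpartition('\\')
    return head.lower() == '%windir%' and bool(tail)


def triage(entries):
    """Tag each entry that matters for this infection.
    Returns (kind, name, value) tuples; kinds are the editor's own labels."""
    findings = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        if k.endswith(AUTORUN_SUFFIXES):
            kind = 'persistence_windir_root' if in_windows_root(value) else 'persistence'
            findings.append((kind, name, value))
        elif (k.endswith(r'\internet settings\zonemap')
              and n in ZONEMAP_DOWNGRADES and value == '1'):
            findings.append(('ie_zone_downgrade', name, value))
        elif '\\muicache\\' in k:
            # MUICache is written by the shell when it launches an executable.
            findings.append(('executed_via_shell', name, value))
    return findings


if __name__ == '__main__':
    for finding in triage(parse_listing(SAMPLE_LISTING)):
        print(finding)
```

Run against the constructed listing this yields five findings: one persistence entry flagged as living directly in %WinDir%, three Intranet Zone downgrades and one execution record; the Shell Folders entry is correctly ignored as noise.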
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 208896 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 212992 | 110592 | 108032 | 5.53958 | 953f4e212bd1f8e9797a6fb60ef104b2 |
| .rsrc | 323584 | 4096 | 1536 | 2.00561 | e137ebb09303218ddc96f554a8217534 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
7cbb6274f098a6816a75f2208c57ffd6
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Backdoor connects to the servers at the following location(s):
No server location is listed in this report, and no web traffic or URL activity was recorded above; the strings below do, however, contain the dynamic-DNS hostname scorpionoir.no-ip.biz.
.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
D:\turkojan4\completed\Server\Kol.pas
Unsupported bitmap format
1.2.3
PSAPI.dll
ntdtcstp.dll
cmsetac.dll
VMPipe32.dll
KB8888239.log
KB8888113.log
twmsico.dll
explorer.exe
\Uninstall.bat
Dsdvq%Dkqlslwpv
DSB%Dkqlslwpv
Dpqm`kqlph%Dkqlslwpv
HfDc``%SlwpvVfdk
Udkad%Dkqlslwpv*Clw`rdii
UF(fliilk%Dkqlslwpv
Kjwqjk%U`wvjkdi%Clw`rdii
Fjhjaj%Clw`rdii
`Qwpvq%@_%Clw`rdii
Ndvu`wvn|%Dkqlmdfn`w
HfDc``%U`wvjkdi%Clw`rdii
Kjwhdk%U`wvjkdi%Clw`rdii
Jpqujvq%U`wvjkdi%Clw`rdii
Udkad%Dkql(Slwpv*Clw`rdii
N`wlj%U`wvjkdi%Clw`rdii
Qlk|%U`wvjkdi%Clw`rdii
GlqA`c`ka`w%*%Gpii%Bpdwa%Dkqlslwpv
V|bdq`%U`wvjkdi%Clw`rdii
shell32.dll
user32.dll
%s\%s
@}uijw`wYVm`ii%Cjia`wv
kernel32.dll
Windows
v`qúdpalj%ajjw%ju`k
v`qúdpalj%ajjw%fijv`a
%dx%d, %d colors
Vqdwq%Udb`
%dx%d
00-00-00-00-00-00
127.0.0.1 localhost
127.0.0.1
127.0.0.1
getimpasswords
getftppasswords
explorerpasswords
mailpasswords
dialpasswords
downloaderpasswords
otherpasswords
HTTP/1.1
TClassClientSocketKey
taskmgr.exe
Creat-reg-key
KEYL1
KEYL2
deneme.exe
hXXp://VVV.turkojan.com
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
0123456789
scorpionoir.no-ip.biz
mstwain32.exe
File executed
Can't execute file
.idata
.edata
P.reloc
P.rsrc
GetProcessHeap
MapVirtualKeyExA
GetKeyboardState
GetKeyboardLayout
UnhookWindowsHookEx
SetWindowsHookExA
KBHook.dll
ý}d
l}io%fpvpbax$
&Dv`.|bp$v{wh%pmoq-|kp.rlkp%zj-fhj}`-vawx`KWindows
untWebcam
HuntHttpDownload
Kernel32.dll
WinExec
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
text/x-msmsgscontrol
wsock32.dll
ntdll.dll
advapi32.dll
msnmsgr.exe
msmsgs.exe
iexplore.exe
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
wsock32_hook.dll
mstwain32.exe"@
PeekNamedPipe
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
ShellExecuteA
SHFileOperationA
keybd_event
UnregisterHotKey
RegisterHotKey
GetKeyState
ExitWindowsEx
EnumWindows
.rdata
KERNEL32.DLL
AVICAP32.dll
gdi32.dll
msacm32.dll
netapi32.dll
winmm.dll
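The dump above contains a run of strings such as Dsdvq%Dkqlslwpv and Kjwqjk%U`wvjkdi%Clw`rdii that are plainly encoded; the report does not say how. They are single-byte XOR with key 0x05, which is this editor's finding from decoding several of them, not a statement from the report: they turn into antivirus and firewall product names (Avast Antivirus, McAfee VirusScan, Panda Antivirus/Firewall, Norton Personal Firewall) and into the registry path Explorer\Shell Folders. The example below is added here and is not part of the Lavasoft report or of Turkojan itself. It recovers the key by brute force, scoring each of the 256 candidates on how much the output looks like English product and UI text, and then decodes a sample list constructed from the strings above.

```python
# Constructed sample: obfuscated strings copied from the dump above. The
# report does not say how they are encoded; the key is this editor's finding.
OBFUSCATED = [
    'Dsdvq%Dkqlslwpv',
    'DSB%Dkqlslwpv',
    'HfDc``%SlwpvVfdk',
    'Udkad%Dkqlslwpv*Clw`rdii',
    'Kjwqjk%U`wvjkdi%Clw`rdii',
    '@}uijw`wYVm`ii%Cjia`wv',
    'Vqdwq%Udb`',
]


def xor_decode(s, key):
    """XOR every ASCII character with a single-byte key. Non-ASCII characters
    are passed through unchanged, because the report's text extraction may
    already have mangled them (see the strings containing 'ú' above)."""
    return ''.join(chr(ord(c) ^ key) if ord(c) < 0x80 else c for c in s)


def _plausibility(text):
    """Score how much a decoded string looks like English product/UI text:
    spaces and letters score up, other printable punctuation slightly down,
    control or non-ASCII characters strongly down."""
    score = 0
    for c in text:
        if c == ' ':
            score += 2
        elif c.isascii() and c.isalpha():
            score += 1
        elif c.isdigit():
            pass
        elif 0x20 < ord(c) < 0x7f:
            score -= 1
        else:
            score -= 5
    return score


def recover_key(samples):
    """Brute-force the single-byte XOR key under which the whole sample set
    scores highest. Ties resolve to the lowest key."""
    best_key, best_score = 0, None
    for key in range(256):
        total = sum(_plausibility(xor_decode(s, key)) for s in samples)
        if best_score is None or total > best_score:
            best_key, best_score = key, total
    return best_key


def decode_all(samples, key=None):
    """Map each obfuscated string to its decoded form, recovering the key
    first when none is supplied."""
    if key is None:
        key = recover_key(samples)
    return {s: xor_decode(s, key) for s in samples}


if __name__ == '__main__':
    k = recover_key(OBFUSCATED)
    print(f'recovered key = 0x{k:02x}')
    for enc, dec in decode_all(OBFUSCATED, k).items():
        print(f'{enc!r:34} -> {dec}')
```

The scoring deliberately rewards spaces: only key 0x05 turns the frequent '%' into a space, which is what separates it from neighbouring keys that also keep letters as letters. The two strings containing 'ú' in the dump are left alone by the non-ASCII pass-through and should be re-extracted from the sample rather than guessed at.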
mstwain32.exe_1628_rwx_00401000_0004C000:
Portions Copyright (c) 1999,2003 Avenger by NhT
D:\turkojan4\completed\Server\Kol.pas
Unsupported bitmap format
1.2.3
PSAPI.dll
ntdtcstp.dll
cmsetac.dll
VMPipe32.dll
KB8888239.log
KB8888113.log
twmsico.dll
explorer.exe
\Uninstall.bat
Dsdvq%Dkqlslwpv
DSB%Dkqlslwpv
Dpqm`kqlph%Dkqlslwpv
HfDc``%SlwpvVfdk
Udkad%Dkqlslwpv*Clw`rdii
UF(fliilk%Dkqlslwpv
Kjwqjk%U`wvjkdi%Clw`rdii
Fjhjaj%Clw`rdii
`Qwpvq%@_%Clw`rdii
Ndvu`wvn|%Dkqlmdfn`w
HfDc``%U`wvjkdi%Clw`rdii
Kjwhdk%U`wvjkdi%Clw`rdii
Jpqujvq%U`wvjkdi%Clw`rdii
Udkad%Dkql(Slwpv*Clw`rdii
N`wlj%U`wvjkdi%Clw`rdii
Qlk|%U`wvjkdi%Clw`rdii
GlqA`c`ka`w%*%Gpii%Bpdwa%Dkqlslwpv
V|bdq`%U`wvjkdi%Clw`rdii
shell32.dll
user32.dll
%s\%s
@}uijw`wYVm`ii%Cjia`wv
kernel32.dll
Windows
v`qúdpalj%ajjw%ju`k
v`qúdpalj%ajjw%fijv`a
%dx%d, %d colors
Vqdwq%Udb`
%dx%d
00-00-00-00-00-00
127.0.0.1 localhost
127.0.0.1
127.0.0.1
getimpasswords
getftppasswords
explorerpasswords
mailpasswords
dialpasswords
downloaderpasswords
otherpasswords
HTTP/1.1
TClassClientSocketKey
taskmgr.exe
Creat-reg-key
KEYL1
KEYL2
deneme.exe
hXXp://VVV.turkojan.com
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
0123456789
scorpionoir.no-ip.biz
mstwain32.exe
File executed
Can't execute file
.idata
.edata
P.reloc
P.rsrc
GetProcessHeap
MapVirtualKeyExA
GetKeyboardState
GetKeyboardLayout
UnhookWindowsHookEx
SetWindowsHookExA
KBHook.dll
ý}d
l}io%fpvpbax$
&Dv`.|bp$v{wh%pmoq-|kp.rlkp%zj-fhj}`-vawx`KWindows
untWebcam
HuntHttpDownload
Kernel32.dll
WinExec
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
text/x-msmsgscontrol
wsock32.dll
ntdll.dll
advapi32.dll
msnmsgr.exe
msmsgs.exe
iexplore.exe
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
wsock32_hook.dll
mstwain32.exe"@
PeekNamedPipe
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
ShellExecuteA
SHFileOperationA
keybd_event
UnregisterHotKey
RegisterHotKey
GetKeyState
ExitWindowsEx
EnumWindows
.rdata
mstwain32.exe_1628_rwx_662B1000_00001000:
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
oleaut32.dll
Explorer.EXE_1572_rwx_00F00000_00001000:
%WinDir%\mstwain32.exe
Explorer.EXE_1572_rwx_014E1000_00001000 (the strings in this region belong to the VMware Tools HGFS shared-folder provider loaded into Explorer by the analysis VM, not to the backdoor):
gHgfsSharedMemoryData.sharedMem
gHgfsSharedMemoryData.mutex
d:\build\ob\bora-528969\bora-vmsoft\build\release\hgfs\dll\hgfssharedmem.c
HgfsProvider: Failed to check IsWow64, error %d
HgfsProvider: Failed to open or create the data directory (%d).
HgfsGetMappedFilePath: SetSecurityDescriptorOwner failed (%d)
HgfsGetMappedFilePath: SetSecurityDescriptorDacl failed (%d)
HgfsGetMappedFilePath: InitializeSecurityDescriptor failed (%d)
HgfsGetMappedFilePath: FindFirstFile failed (%d)
HgfsGetMappedFilePath: Application data path = %S
HgfsProvider: GetFolderPath returned %s.
HgfsProvider: ShGetFolderPath %S
HgfsProvider: ShGetFolderPath failed again(%x)
HgfsProvider: ShGetFolderPath failed(%x)
HgfsProvider: Load library failed %d.
Resource %s already exists for the user %#I64x
Section is too small: used size %d, alloc size %d, local name %S,remote name %S
Error %d adding resource: local name = %s, remote name = %s
Upgrade from V2: adding resource: local name = %s, remote name = %s
HgfsInitResourcesFromV2: sharedMem Version =% d size = %#x resources = %d
Shared memory INCONSISTENT: last resurce size %d > spaceLeft %d
Shared memory INCONSISTENT: nextEntryOffset %d > spaceLeft %d
Shared memory INCONSISTENT: used %d < resourcesOffset %d
Shared memory INCONSISTENT: used %d > allocated %d
HgfsOpenSharedMemory: return status: %d
HgfsOpenSharedMemory: ReleaseMutex failed(%d)
HgfsOpenSharedMemory: Older Version %d
HgfsOpenSharedMemory: Signature %S
HgfsOpenSharedMemory: CreateFileMapping failed(%d)
HgfsOpenSharedMemory: CreateFile succeeded(%d)
HgfsOpenSharedMemory: Mapped file name is: %S
HgfsOpenSharedMemory: CreateFile failed(%d)
HgfsOpenSharedMemory: MapViewOfFile failed(%d)
HgfsOpenSharedMemory: File Mapping %S (%d)
Hgfs network provider versioning supported
%s\%s
shfolder.dll
hgfs.dat
Explorer.EXE_1572_rwx_5AD71000_00001000:
UxTheme.dll
Explorer.EXE_1572_rwx_5BA61000_00001000:
display.hlp
Microsoft\Windows\Themes\Custom.theme
%s\%s
visualstyle.css
Explorer.EXE_1572_rwx_68001000_00001000:
EExport
SExport
PSKEYS
WNetGetCachedPassword
WNetCachePassword
MPR.DLL
hSoftware\Microsoft\Cryptography\DESHashSessionKeyBackward
DefaultKeys
rsaenh.dll
RSA Full (Signature and Key Exchange)
key expansion
client write key
server write key
ole32.dll
Explorer.EXE_1572_rwx_6F881000_00001000 (the names in this region are Windows application-compatibility shim names from the shim engine, not backdoor code):
TerminateExe
RemoveInvalidW2KWindowStyles
RemoveDDEFlagFromShellExecuteEx
RedirectWindowsDirToSystem32
RedirectEXE
RecopyExeFromCD
PropagateProcessHistory
IgnoreCRTExit
ForceWorkingDirectoryToEXEPath
ForceWindowsFirewallUI
DisableStickyKeys
DisableFilterKeys
DeRandomizeExeName
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:320
mstwain32.exe:1628 (the Backdoor also injected code into Explorer.EXE:1572; that instance ends when the user logs off or the machine is rebooted)
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%WinDir%\mstwain32.exe (601 bytes)
%WinDir%\cmsetac.dll (33 bytes)
%WinDir%\ntdtcstp.dll (7 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"mstwain32" = "%WinDir%\mstwain32.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.