MD5: 10ad77f97d3530288996e18b40875e75
SHA1: 5f3e708e741df77347e05230003b6a5769a6bcc2
SHA256: 532828a0d3af9d410e9c5572e9fe5b0013032e6b3edd5017fa8b6f6802d20efa
SSDeep: 6144:1kthniZIxEchhDmCI62sVGjGhowtRf0Oi0 D tRDMyJfFx aijq6UgyXpt67:mt5EI3hBILjyrtJ0o GDDJWaRNX
Size: 360448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Firseria s.l.
Created at: 2004-04-22 11:13:46
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:864

The Backdoor injects its code into the following process(es):

mscorsvw.exe:1912

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:864 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AbyoLops\IbwejPuben.dat (1639 bytes)

Registry activity

The process %original file name%.exe:864 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 2A 11 C5 33 B4 34 4F 96 35 D5 11 13 E9 F5 AA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{7BD47FDD-1028-4944-A268-024C76A61BA9}]
"#sd" = "63 3A 5C 31 30 61 64 37 37 66 39 37 64 33 35 33"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"IbwejPuben" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\IbwejPuben\IbwejPuben.dat"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Backdoor installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Backdoor installs the following user-mode hooks in kernel32.dll:

CreateProcessA
CreateProcessW

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 5.2.3790.0
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: kbdmon.dll
Internal Name: kbdmon (3.12)
File Version: 5.2.3790.0 (srv03_rtm.030324-2048)
File Description: Mongolian Keyboard Layout
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:864
   

3. Delete the original Backdoor file.
   
4. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\AbyoLops\IbwejPuben.dat (1639 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "IbwejPuben" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\IbwejPuben\IbwejPuben.dat"

6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.