Backdoor.Win32.Caphaw_QKKBAL_9b257af2c4

by malwarelabrobot on March 9th, 2014 in Malware Descriptions.

GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 9b257af2c47dfd8ada60fc489cd74126
SHA1: 266f39583eee3e81146f1064a80c4dfa6b4ba3c6
SHA256: 852e776ae73c52125a4088bd15b9e6c149c4e2272d95e2eed3f8bfbdb3267402
SSDeep: 6144:rrBHJVzc95yCdqFLtKYBIks6UFBZAFx0ZHGwbMa:rVH/ifycUrcBZ/Rbp
Size: 337400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2007-10-15 18:13:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:416

The Backdoor injects its code into the following process(es):

alg.exe:380
spoolsv.exe:1440

File activity

The process %original file name%.exe:416 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\yzvecm.dat (316 bytes)

Registry activity

The process alg.exe:380 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKU\S-1-5-19\Software\AppDataLow\{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}]
"{4E153850-602D-4819-B83D-3CCD0A1E7351}" = "9E 6D CE 35"

The process spoolsv.exe:1440 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}]
"{4E153850-602D-4819-B83D-3CCD0A1E7351}" = "9E 6D CE 35"

The process %original file name%.exe:416 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 C9 74 02 CB 66 6E 98 87 FF 54 9B E0 8D 5D A7"

[HKCU\Software\AppDataLow\{7BD47FDD-1028-4944-A268-024C76A61BA9}]
"#sd" = "63 3A 5C 39 62 32 35 37 61 66 32 63 34 37 64 66"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"yzvecm" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\yzvecm.dat"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Backdoor installs the following user-mode hooks in kernel32.dll:

CreateProcessA
CreateProcessW

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:416

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\All Users\Application Data\yzvecm.dat (316 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "yzvecm" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\yzvecm.dat"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
