Backdoor.Win32.Caphaw_QKKBAL_fa16ff46e9

by malwarelabrobot on March 24th, 2014 in Malware Descriptions.

Trojan.Win32.Generic!BT (VIPRE), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: fa16ff46e932b831ca0a89f1e0b8e967
SHA1: b0a0cb1042ccf7436376ac9f2c4ad142536f88f9
SHA256: 29fd46775d084d3308b3c43f2c05dd6a2c9df4e2b224adb0614ab426952b3e31
SSDeep: 6144:sddKh/ERAnDQexUn9w0B I9raBZjGYc9F9YLgGi9V9rRQ a:sr0/ERADQ3zr8ZKv9YwL9rRQ
Size: 273920 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ApPure
Created at: 2014-03-21 18:24:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

kyim.exe:1132
kyim.exe:744
tmp09924f2b.exe:1008
%original file name%.exe:688

The Backdoor injects its code into the following process(es):
No processes have been created.

File activity

The process tmp09924f2b.exe:1008 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Yklavi\kyim.exe (283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpbc8913d5.bat (189 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Yklavi (0 bytes)
%Documents and Settings%\%current user%\Application Data\Yklavi\kyim.exe (0 bytes)

The process %original file name%.exe:688 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpa4a419f7.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Yklavi\kyim.exe (273 bytes)

Registry activity

The process kyim.exe:1132 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 FB 14 98 C1 8D 35 9D 26 98 D1 D3 2A 51 94 8F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process kyim.exe:744 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 0C 87 D6 01 99 0C F5 EF B2 63 EA CD 5F 73 FD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process tmp09924f2b.exe:1008 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 7D BE E5 4B 07 B9 78 94 30 2B 1A 6B 51 68 11"

[HKCU\Software\Microsoft\Mekui]
"Xyew" = "6F 11 69 8F 04 B2 9C 24 8E 84 29 1E 1F 9D C6 B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving" = "0"

[HKCU\Software\Microsoft\Mekui]
"Vuwude" = "FC 7F 15 51 7A 35 B4 60 1A 81 8B 23 55 AB 6A B4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableSPDY3_0" = "0"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"{9E3E114F-ABBF-D144-5A4A-418346001DD6}"

The process %original file name%.exe:688 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 2D E5 27 4F DA D9 99 C1 AC 45 AE 98 44 E4 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Network activity (URLs)

URL IP
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.google.com/webhp 173.194.43.52
hxxp://www.google.ca/webhp?gfe_rd=cr&ei=QkEvU46JB6Pb8gfS7IHQCQ 173.194.43.63
www.download.windowsupdate.com 63.151.28.75
seooptimisaion2traffic.com 46.118.31.184


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpOpenRequestW
InternetConnectW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
HttpOpenRequestA

The Backdoor installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Backdoor installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Backdoor installs the following user-mode hooks in WS2_32.dll:

WSASend
WSARecv
send
closesocket

The Backdoor installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Backdoor installs the following user-mode hooks in ntdll.dll:

NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    kyim.exe:1132
    kyim.exe:744
    tmp09924f2b.exe:1008
    %original file name%.exe:688

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Application Data\Yklavi\kyim.exe (283 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpbc8913d5.bat (189 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpa4a419f7.bat (177 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now