Backdoor.Win32.CosmicDuke_d92faef56f
HEUR:Backdoor.Win32.CosmicDuke.gen (Kaspersky), Gen:Variant.Graftor.143683 (B) (Emsisoft), Gen:Variant.Graftor.143683 (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d92faef56fa25120cb092f1b69838731
SHA1: af9a7f87262f898ebc17fe6946680ab2f346a5fa
SHA256: 7bc13f1e9b91465ed7d03d6a1d64c7f89ebfa71fc390a80fc276006135d27a31
SSDeep: 6144:TnEpURD51wpd4OtsAmcxKYpYXgZ3rHfVj:2El1wpd4OtspcxKYntj
Size: 2316059 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-11-13 11:51:48
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
ntid.exe:1848
The Backdoor injects its code into the following process(es):
wmctf.exe:576
%original file name%.exe:1336
Mutexes
The following mutexes were created/opened:
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
WininetProxyRegistryMutex
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:1336 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Documents\ntuser{4CDE3D7F-7653-4906-878D-FFFFFFFF70AA0201}.pol (4 bytes)
%System%\wmctf.exe (16422 bytes)
%System%\dspapi.exe (16243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\163062b6-50f7-4328-8051-df4d9628c5ca (3 bytes)
%WinDir%\Tasks\Watchmon Service.job (288 bytes)
%System%\dnsschd.scr (799 bytes)
%System%\ntid.exe (841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3bf15b30-58bb-458b-bbfb-866b70c895a6 (5 bytes)
%System%\cfgsvc.scr (16363 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lsasvc.scr (0 bytes)
Registry activity
The process ntid.exe:1848 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 D4 8F DB 74 1A 3A A0 2B 0E 95 5A 8E 9A 6C 23"
The process %original file name%.exe:1336 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 5F 51 C8 33 36 0A C9 67 0E 02 A3 C1 EC 75 CF"
[HKCU\Control Panel\Desktop]
"ScreenSaveUtility" = "%System%\cfgsvc.scr"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Control Panel\Desktop]
"ScreenSaveTimeOut" = "60"
"ScreenSaveBackup" = "%WinDir%\System32\logon.scr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Chrome]
"Supplement" = "22 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00"
[HKCU\Control Panel\Desktop]
"SCRNSAVE.EXE" = "%System%\dnsschd.scr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Adobe Systems Incorporated
Product Name: Adobe Acrobat Updater
Product Version: 1.5.5.0
Legal Copyright: Copyright 2010 Adobe Systems Incorporated
Legal Trademarks:
Original Filename:
Internal Name: Adobe Acrobat Updater
File Version: 1.5.5.0
File Description: Adobe Acrobat Updater
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 169332 | 169472 | 4.61021 | 88ccb9dba8c0cf7f7d72891833dddc76 |
| .rdata | 176128 | 23144 | 23552 | 3.46838 | 4a1cb0b9c8679a882fae489d88ca67fc |
| .data | 200704 | 2967520 | 534016 | 1.36387 | 4732db80767e1518e28293d3876eb08e |
| .rsrc | 3170304 | 3758 | 4096 | 3.43229 | 5f329555dafd88b533d2087a653476ab |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Backdoor connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSSSSSh#
PSSSSSSh"
D$.Ph(
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
%original file name%.exe_1336_rwx_00420000_00020000:
operator
GetProcessWindowStation
?456789:;<=
!"#$%&'()* ,-./0123
FtpOpenFileW
FtpSetCurrentDirectoryW
URLOpenBlockingStreamW
LoginName
LoginServer
LoginPassword
Password
PK11_GetInternalKeySlot
sqlite3_open16
sqlite3_close
sqlite3_exec
sqlite3_free
select id, hostname, usernamefield, passwordfield, encryptedusername, encryptedpassword from moz_logins
abe2869f-9b47-4cd9-a358-c22904dba7f7
82BD0E67-9FEA-4748-8672-D5EFE5B779B0
D:\PRODUCTION\NITRO\SVA\Generations\80B8A0BA\bin\bot.pdb
GetWindowsDirectoryW
CreateNamedPipeW
KERNEL32.dll
GetKeyboardType
GetKeyboardLayoutNameW
USER32.dll
RegEnumKeyW
RegCreateKeyExW
RegOpenKeyW
RegOpenKeyExW
RegCloseKey
CryptSetKeyParam
CryptImportKey
CryptDestroyKey
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
WTSAPI32.dll
Secur32.dll
WININET.dll
WS2_32.dll
SHLWAPI.dll
CRYPT32.dll
MPR.dll
GetCPInfo
.text
`.rdata
32.dll
KeyW
C`.rdat
@.rs\rc
PI.dll
echo del %0 >> "%TEMP%\msicheck.cmd"
echo copy /y "%SYSTEMROOT%\system32\ping.exe" "%TEMP%\smss.exe" >> "%TEMP%\msicheck.cmd"
echo :z >> "%TEMP%\msicheck.cmd"
echo del %1 >> "%TEMP%\msicheck.cmd"
echo "%TEMP%\smss.exe" 127.1 -n
>> "%TEMP%\msicheck.cmd"
echo attrib -s -h %1 >> "%TEMP%\msicheck.cmd"
echo if exist %1 goto z >> "%TEMP%\msicheck.cmd"
echo del "%TEMP%\smss.exe" >> "%TEMP%\msicheck.cmd"
echo del "%TEMP%\msicheck.cmd" >> "%TEMP%\msicheck.cmd"
"%SYSTEMROOT%\system32\cmd.exe" /c "%TEMP%\msicheck.cmd"
zcÁ
c:\%original file name%.exe
55
;%</<7<=<
3ueck.cs
.32)>1899`
.cmd"4
2k.cmd"
hicheck.cmd"
WUSER32.DLL
\system32\cmd.exe
cmd.exe
savadminservice.exe
scfservice.exe
savservice.exe
ekrn.exe
msseces.exe
MsMpEng.exe
dwengine.exe
ekern.exe
nod32.exe
nod32krn.exe
AvastUi.exe
AvastSvc.exe
kav.exe
navapsvc.exe
mcods.exe
mcvsescn.exe
outpost.exe
acs.exe
avp.exe
ntdll.dll
kernel32.dll
crypt32.dll
MyKeyContainer
hXXp://
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
ntuser{4CDE3D7F-7653-4906-878D-}.pol
\\.\pipe\4056DAB2-F62E-093E-8A91-736FF2FA2AA2
*.exe;*.ndb;*.mp3
*.doc;*.xps;*.xls;*.ppt;*.pps;*.wps;*.wpd;*.ods;*.odt;*.lwp;*.jtd;*.pdf;*.zip;*.rar;*.docx;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg*
*.url;*.exe;*.dll;*.tmp;*.obj;*.ocx;*.js
*temporary;*Cookies;*games;*system32;*program files;*\windows\;*\System Volume Information
>\config.xml
Microsoft\Windows\Media Center\PSBDARegisterSW
SCRNSAVE.EXE
SOFTWARE\Chrome
WXX
XXXXXXXXXXX
=X&
=XX&
urlmon.dll
webclient
XXXXXX
%d.%d.%d %d:%d
Nick
Web Data
Login Data
Google\Chrome\User Data\Default\
hXXp://VVV.facebook.com/login.php
hXXps://login.facebook.com/login.php
hXXp://VVV.facebook.com/
hXXp://VVV.facebook.com/index.php
hXXp://m.facebook.com/login.php
hXXp://m.myspace.com/login.wap
hXXp://VVV.myspace.com/
hXXp://VVV.myspace.com/index.cfm
hXXp://babelfish.yahoo.com/translate_url
hXXp://services.msn.com/svcs/hotmail/httpmail.asp
hXXp://google.com/
hXXps://VVV.google.com/analytics/reporting/login
hXXps://VVV.google.com/groups/signin
hXXps://VVV.google.com/accounts/ManageAccount
hXXp://VVV.google.com/
hXXps://VVV.google.com/accounts/Login
hXXp://mail.google.com/mail/
hXXps://VVV.google.com/accounts/ServiceLoginAuth
hXXps://VVV.google.com/accounts/ServiceLogin
wand.dat
\Application Data\Opera
nx
%s::%s --> %s (decrypted: %s)
%s::%s --> %s
%s::%s
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\account.cfn
nss3.dll
sqlite3.dll
mozsqlite3.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\thunderbird.exe
Mozilla
signons.sqlite
s\Application Data\Mozilla\Firefox\Profiles
INTERNET EXPLORER 7.x-8.x HTTPPASS
advapi32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
%Documents and Settings%\All Users\Documents\ntuser{4CDE3D7F-7653-4906-878D-FFFFFFFF70AA0201}.pol%Documents and Settings%\All Users\Documents\ntuser{4CDE3D7F-7653-4906-878D-FFFFFFFF80CD9101}.pol%Documents and Settings%\All Users\Documents\ntuser{4CDE3D7F-7653-4906-878D-FFFFFFFF8094E303}.polc:\program files\common files\
Host Process for Windows Services
6.1.7600.16385
svchost.exe
Windows
Operating System
hXXp:///uio
wmctf.exe_576_rwx_00400000_00020000:
.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSSSSSh#
PSSSSSSh"
D$.Ph(
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wmctf.exe_576_rwx_00420000_00020000:
operator
GetProcessWindowStation
?456789:;<=
!"#$%&'()* ,-./0123
FtpOpenFileW
FtpSetCurrentDirectoryW
URLOpenBlockingStreamW
LoginName
LoginServer
LoginPassword
Password
PK11_GetInternalKeySlot
sqlite3_open16
sqlite3_close
sqlite3_exec
sqlite3_free
select id, hostname, usernamefield, passwordfield, encryptedusername, encryptedpassword from moz_logins
abe2869f-9b47-4cd9-a358-c22904dba7f7
82BD0E67-9FEA-4748-8672-D5EFE5B779B0
D:\PRODUCTION\NITRO\SVA\Generations\80B8A0BA\bin\bot.pdb
GetWindowsDirectoryW
CreateNamedPipeW
KERNEL32.dll
GetKeyboardType
GetKeyboardLayoutNameW
USER32.dll
RegEnumKeyW
RegCreateKeyExW
RegOpenKeyW
RegOpenKeyExW
RegCloseKey
CryptSetKeyParam
CryptImportKey
CryptDestroyKey
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
WTSAPI32.dll
Secur32.dll
WININET.dll
WS2_32.dll
SHLWAPI.dll
CRYPT32.dll
MPR.dll
GetCPInfo
.text
`.rdata
32.dll
KeyW
C`.rdat
@.rs\rc
PI.dll
echo del %0 >> "%TEMP%\msicheck.cmd"
echo copy /y "%SYSTEMROOT%\system32\ping.exe" "%TEMP%\smss.exe" >> "%TEMP%\msicheck.cmd"
echo :z >> "%TEMP%\msicheck.cmd"
echo del %1 >> "%TEMP%\msicheck.cmd"
echo "%TEMP%\smss.exe" 127.1 -n
>> "%TEMP%\msicheck.cmd"
echo attrib -s -h %1 >> "%TEMP%\msicheck.cmd"
echo if exist %1 goto z >> "%TEMP%\msicheck.cmd"
echo del "%TEMP%\smss.exe" >> "%TEMP%\msicheck.cmd"
echo del "%TEMP%\msicheck.cmd" >> "%TEMP%\msicheck.cmd"
"%SYSTEMROOT%\system32\cmd.exe" /c "%TEMP%\msicheck.cmd"
zcÁ
%System%\wmctf.exe
55
;%</<7<=<
3ueck.cs
.32)>1899`
.cmd"4
2k.cmd"
hicheck.cmd"
WUSER32.DLL
\system32\cmd.exe
cmd.exe
savadminservice.exe
scfservice.exe
savservice.exe
ekrn.exe
msseces.exe
MsMpEng.exe
dwengine.exe
ekern.exe
nod32.exe
nod32krn.exe
AvastUi.exe
AvastSvc.exe
kav.exe
navapsvc.exe
mcods.exe
mcvsescn.exe
outpost.exe
acs.exe
avp.exe
ntdll.dll
kernel32.dll
crypt32.dll
MyKeyContainer
hXXp://
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows NT\CurrentVersion
wininet.dll
ntuser{4CDE3D7F-7653-4906-878D-}.pol
\\.\pipe\4056DAB2-F62E-093E-8A91-736FF2FA2AA2
*.exe;*.ndb;*.mp3
*.doc;*.xps;*.xls;*.ppt;*.pps;*.wps;*.wpd;*.ods;*.odt;*.lwp;*.jtd;*.pdf;*.zip;*.rar;*.docx;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg*
*.url;*.exe;*.dll;*.tmp;*.obj;*.ocx;*.js
*temporary;*Cookies;*games;*system32;*program files;*\windows\;*\System Volume Information
>\config.xml
Microsoft\Windows\Media Center\PSBDARegisterSW
SCRNSAVE.EXE
SOFTWARE\Chrome
WXX
XXXXXXXXXXX
=X&
=XX&
urlmon.dll
webclient
XXXXXX
%d.%d.%d %d:%d
Nick
Web Data
Login Data
Google\Chrome\User Data\Default\
hXXp://VVV.facebook.com/login.php
hXXps://login.facebook.com/login.php
hXXp://VVV.facebook.com/
hXXp://VVV.facebook.com/index.php
hXXp://m.facebook.com/login.php
hXXp://m.myspace.com/login.wap
hXXp://VVV.myspace.com/
hXXp://VVV.myspace.com/index.cfm
hXXp://babelfish.yahoo.com/translate_url
hXXp://services.msn.com/svcs/hotmail/httpmail.asp
hXXp://google.com/
hXXps://VVV.google.com/analytics/reporting/login
hXXps://VVV.google.com/groups/signin
hXXps://VVV.google.com/accounts/ManageAccount
hXXp://VVV.google.com/
hXXps://VVV.google.com/accounts/Login
hXXp://mail.google.com/mail/
hXXps://VVV.google.com/accounts/ServiceLoginAuth
hXXps://VVV.google.com/accounts/ServiceLogin
wand.dat
\Application Data\Opera
nx
%s::%s --> %s (decrypted: %s)
%s::%s --> %s
%s::%s
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
\account.cfn
nss3.dll
sqlite3.dll
mozsqlite3.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\thunderbird.exe
Mozilla
signons.sqlite
s\Application Data\Mozilla\Firefox\Profiles
INTERNET EXPLORER 7.x-8.x HTTPPASS
advapi32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
%Documents and Settings%\All Users\Documents\ntuser{4CDE3D7F-7653-4906-878D-FFFFFFFF70AA0201}.pol%Documents and Settings%\All Users\Documents\ntuser{4CDE3D7F-7653-4906-878D-FFFFFFFF80CD9101}.pol%Documents and Settings%\All Users\Documents\ntuser{4CDE3D7F-7653-4906-878D-FFFFFFFF8094E303}.polHost Process for Windows Services
6.1.7600.16385
svchost.exe
Windows
Operating System
hXXp:///uio
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ntid.exe:1848
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\All Users\Documents\ntuser{4CDE3D7F-7653-4906-878D-FFFFFFFF70AA0201}.pol (4 bytes)
%System%\wmctf.exe (16422 bytes)
%System%\dspapi.exe (16243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\163062b6-50f7-4328-8051-df4d9628c5ca (3 bytes)
%WinDir%\Tasks\Watchmon Service.job (288 bytes)
%System%\dnsschd.scr (799 bytes)
%System%\ntid.exe (841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3bf15b30-58bb-458b-bbfb-866b70c895a6 (5 bytes)
%System%\cfgsvc.scr (16363 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.