Backdoor.Win32.Cycbot_078a75bf8c
Gen:Variant.Kazy.55514 (BitDefender), Backdoor:Win32/Cycbot.B (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.Cycbot.G (v) (VIPRE), BackDoor.Gbot.2017 (DrWeb), Gen:Variant.Kazy.55514 (B) (Emsisoft), BackDoor-EXI.gen.ah (McAfee), Backdoor.Cycbot!gen10 (Symantec), Backdoor.Win32.Cycbot (Ikarus), Gen:Variant.Kazy.55514 (FSecure), BackDoor.Agent.11.BR (AVG), Win32:Cycbot-SF [Trj] (Avast), BKDR_CYCBOT.SMTE (TrendMicro), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 078a75bf8ccb9b91ac753bb1aeeeee4c
SHA1: ddf053955e0b789cd6420987726e526b93856b68
SHA256: b88b7d4d9074361b4471a410b9ef9d2ae96fb20a9ef26eb088c2b522b05c8921
SSDeep: 6144:6FsLoloqJipUUNGCrE9GE2s8GrqSUKxXLzYyiJyWyVcNdGckx:6Fswoq0UUgGy2sUiXPY7oerGckx
Size: 282624 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Frserira s
Created at: 2005-09-16 20:59:39
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1248
%original file name%.exe:500
msiexec.exe:1776
The Backdoor injects its code into the following process(es):
%original file name%.exe:1376
7.tmp:1560
File activity
The process %original file name%.exe:1376 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\LP\D1F5\7.tmp (12588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\SOFTWARE.LOG (2467 bytes)
%System%\config\software (963 bytes)
%Program Files%\LP\D1F5\C29.exe (270066 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3946 bytes)
Registry activity
The process %original file name%.exe:1248 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 83 4F 68 0A C3 A1 C9 69 71 C7 8E 27 E8 CD 1D"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
The process %original file name%.exe:500 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 84 A4 FF DD 1F 64 B6 C3 5D 38 E0 B8 69 BF E5"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
The process %original file name%.exe:1376 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 03 00 00 00 14 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:59455"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 0F 2D 80 17 48 39 F6 52 BB 7F 1E 56 7D 4D 2F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\D1F5\C29.exe"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"
The process 7.tmp:1560 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 D4 00 54 DC 3C 77 4B A7 60 70 A4 A4 58 51 96"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\WinRAR]
"HWID" = "7B 30 30 41 30 38 35 32 32 2D 43 30 38 31 2D 34"
The process msiexec.exe:1776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 2B 71 53 C8 86 C7 AB F4 5F 01 DF FA 30 D8 86"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl |  |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl | |
| hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
| hxxp://freedownload3.com/screenshot/4/s/89_3278.gif?sv=40&tq=gJ4WK/SUh4TDhRMw9YLJiMSTUivqg4aExZJbK+/bxWq1SfkIYXB6 |  114.207.112.26 |
| hxxp://vzhutm.datastoreplus.com/logo.png?sv=286&tq=gL5HtzoYwLzEpUb5fU3HxcW1Bv06EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU= | 69.43.161.170 |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://vzhutm.datastoreplus.com/logo.png?sv=746&tq=gKZEtzoYwLzEvUb5dQzRsrCqAfUlTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= | |
| crl.verisign.com | 23.60.133.163 |
| csc3-2009-2-crl.verisign.com | 23.61.181.163 |
| www.download.windowsupdate.com | 65.172.31.16 |
| csc3-2009-crl.verisign.com | 23.65.5.163 |
| pb86unl.onlineblogplus.com | 69.43.161.170 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1248
%original file name%.exe:500 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Program Files%\LP\D1F5\7.tmp (12588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\SOFTWARE.LOG (2467 bytes)
%System%\config\software (963 bytes)
%Program Files%\LP\D1F5\C29.exe (270066 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3946 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\D1F5\C29.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
