Backdoor.Win32.Cycbot_d853521b72
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Encpk.aco (v) (VIPRE), Backdoor.Win32.Agent!IK (Emsisoft), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d853521b7258f3ebca4a110cec93c408
SHA1: ef45068a8ade50420632c07a2a5207c58764b82d
SHA256: 146a58e7120f11ca481d6c2daa630262ed423757e8452479ea1378a30125d912
SSDeep: 6144:Crb7M40z4MtqH NEfNq5Gc1Qu1nlSqU/NPIxeMO:XfMYqezGaQu1YTiNO
Size: 277504 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-10-24 04:29:08
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
d853521b7258f3ebca4a110cec93c408.exe:752
d853521b7258f3ebca4a110cec93c408.exe:1604
msiexec.exe:1044
The Backdoor injects its code into the following process(es):
8.tmp:1480
d853521b7258f3ebca4a110cec93c408.exe:1716
File activity
The process 8.tmp:1480 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process d853521b7258f3ebca4a110cec93c408.exe:1716 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\LP\D1F5\9.exe (1 bytes)
%System%\config\SOFTWARE.LOG (3782 bytes)
%System%\config\software (1289 bytes)
%Program Files%\LP\D1F5\C29.exe (264306 bytes)
%Program Files%\LP\D1F5\8.tmp (12588 bytes)
%Program Files%\LP\D1F5\7.exe (1 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (4156 bytes)
The Backdoor deletes the following file(s):
%Program Files%\LP\D1F5\9.exe (0 bytes)
%Program Files%\LP\D1F5\7.exe (0 bytes)
Registry activity
The process 8.tmp:1480 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 33 D4 1D 0C A2 B5 C0 85 30 FE 9B 51 42 B6 E9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\WinRAR]
"HWID" = "7B 44 42 30 46 35 44 35 41 2D 46 34 37 35 2D 34"
The process d853521b7258f3ebca4a110cec93c408.exe:752 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 23 8C 81 01 07 AD 53 A3 01 1E 28 A8 3A DC 1A"
The process d853521b7258f3ebca4a110cec93c408.exe:1716 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 F0 B3 B6 21 10 3C 66 03 F8 A7 EF B6 13 7B 84"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\D1F5\C29.exe"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
The process d853521b7258f3ebca4a110cec93c408.exe:1604 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B CB 11 10 32 55 20 18 E4 D9 51 EC AF 84 AE AE"
The process msiexec.exe:1044 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 51 2B D9 BE CA 47 2A 44 6E 5F 3D 5F 10 8E BB"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl |  |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl | |
| hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://w9bsdg5.cloudstorepro.com/logo.png?sv=345&tq=gL5HtzoYwLzEpUb5fU3HxcW3A/U6EsazybMRtyFa0umG8Ar0SsSA/gSoSEU= | 208.73.211.167 |
| hxxp://8tvkzneaa.cloudstorepro.com/logo.png?sv=766&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/AtTca3l74EgC5OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU= | 208.73.210.210 |
| hxxp://TRANSERSDATAFORME.COM/gate.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 6) , Malicious) | |
| hxxp://k23b81tz0.cloudstorepro.com/logo.png?sv=597&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/AtTca3l74EgC9OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU= | 208.73.210.200 |
| csc3-2009-2-crl.verisign.com | 23.65.5.163 |
| crl.verisign.com | 23.65.5.163 |
| www.download.windowsupdate.com | 23.3.98.58 |
| csc3-2009-crl.verisign.com | 23.65.5.163 |
| transersdataforme.com | 192.155.89.148 |
| jointhenewworldorder.com | 216.92.12.78 |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
d853521b7258f3ebca4a110cec93c408.exe:752
d853521b7258f3ebca4a110cec93c408.exe:1604 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\LP\D1F5\9.exe (1 bytes)
%System%\config\SOFTWARE.LOG (3782 bytes)
%System%\config\software (1289 bytes)
%Program Files%\LP\D1F5\C29.exe (264306 bytes)
%Program Files%\LP\D1F5\8.tmp (12588 bytes)
%Program Files%\LP\D1F5\7.exe (1 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (4156 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\D1F5\C29.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
