Backdoor.Win32.Farfli_2d20841949
HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.Farfli.FD, Backdoor.Win32.Xtrat.FD, Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 2d20841949546e056fdf4d1619ccf734
SHA1: 9bb1a2ad2ec065ed4bb29ffb9d729fe493a1e975
SHA256: 467589a0a9e3dd354215450fc9e35cfa192351a6386224b9832fdfc31edfa7b8
SSDeep: 6144:8Eucj4M/v8aATV64fj4Ery/zPRCPWMkp0:8Euk4gkpM4fjVe/bRXMkp0
Size: 284672 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualBasicv50v60, UPolyXv05_v6
Company: no certificate found
Created at: 2013-02-03 00:33:31
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:212
The Backdoor injects its code into the following process(es):
%original file name%.exe:372
iexplore.exe:1840
File activity
The process %original file name%.exe:212 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\Internet Explorer\IEXPLORE.EXE (124 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
The process iexplore.exe:1840 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\ORQZRSIN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\GL0R2PUD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Instal\1100000er.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\5WE6JTXP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\55AC3VKY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\suSieqZ5H.dat (314 bytes)
Registry activity
The process %original file name%.exe:372 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C E9 88 E8 DC 84 0E CA 45 62 FC 10 15 9A A2 69"
The process %original file name%.exe:212 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 17 A0 26 48 36 12 E2 2E A5 66 CD 28 F2 97 02"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | jL.chura.pl |
Rootkit activity
The Backdoor installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:212
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Program Files%\Internet Explorer\IEXPLORE.EXE (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\ORQZRSIN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\GL0R2PUD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Instal\1100000er.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\5WE6JTXP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\55AC3VKY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\suSieqZ5H.dat (314 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
