Backdoor.Win32.Farfli_5787cc139a

by malwarelabrobot on June 30th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.37494 (B) (Emsisoft), Trojan.GenericKD.1709773 (AdAware), Backdoor.Win32.Farfli.FD, Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5787cc139a006533b5eeffba829622cf
SHA1: 50513bf1328a7b62508350c817add3a0242c9555
SHA256: d8a9cab55f8ada84fa54345465712f9099b9b2dfa38e8ad51a51d1a37c8a73e9
SSDeep: 24576:B4GxvSihOxhZKJZfrFHs6AnaJ3wEK0sVaFJSTORUEXYNUkupGqHQ0/T EHAazAjG:B9qigxuLAnaJAER
Size: 6687934 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: App.install
Created at: 2013-11-18 22:50:57
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

Behaviour: Description
WormAutorun: A worm that spreads via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives; the autorun script executes the Backdoor's file once a user opens the drive's folder in Windows Explorer.


Process activity

The Backdoor creates the following process(es):

%original file name%.exe:628
EB8D8F.exe:1572
EB8D8F.exe:812

The Backdoor injects its code into the following process(es):

DF8F8D.exe:948
Taskmgr.exe:780
svchost.exe:1072

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:628 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EB8D8F.exe (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DF8F8D.exe (1744 bytes)

The process EB8D8F.exe:812 makes changes in the file system.
The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF6950.tmp (0 bytes)

The process Taskmgr.exe:780 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8XUV0DUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLIJWH6B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\TWVXfZtP3L.dat (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PQFSLA3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WHYV4XUR\desktop.ini (67 bytes)
%System%\Microsoft\svchost.exe (16582 bytes)

Registry activity

The process DF8F8D.exe:948 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 DF 9A C8 AF FD B6 73 47 19 AC CC 40 71 AB 3F"

The process %original file name%.exe:628 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 B9 FC 1C 5C 11 9E 23 4D DC 89 41 74 B4 23 16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process EB8D8F.exe:1572 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 31 2A 82 E2 C3 27 46 43 8E 5A A9 E8 21 8F 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\XtremeRAT]
"Mutex" = "TWVXfZtP3L"

The process EB8D8F.exe:812 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E D1 F5 2A D7 46 03 78 63 FD B4 D6 F3 C0 48 DA"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Microsoft\MediaPlayer\Health\{00AAE079-C6DE-40BA-A3E3-6201FCABDDE8}]

The process Taskmgr.exe:780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\TWVXfZtP3L]
"ServerStarted" = "29/06/2014 06:24:02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1208111732"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Taskmgr.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\TWVXfZtP3L]
"ServerName" = "%System%\Microsoft\svchost.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{13KD28X5-3D85-0JRE-75YT-VMMW03328833}]
"StubPath" = "%System%\Microsoft\svchost.exe restart"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 56 2F AD 17 77 84 F8 56 C3 3C 1A 47 3B 31 3D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE security zone settings to map all local web nodes whose names contain no dots and that are not assigned to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Runtime" = "%System%\Microsoft\svchost.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe" = "%System%\Microsoft\svchost.exe"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5                               File path
f9b4dedf390aa772f996397c00cc054e  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\DF8F8D.exe
4e99d06e9c6051d06e252f4c08175650  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EB8D8F.exe
4e99d06e9c6051d06e252f4c08175650  c:\WINDOWS\system32\Microsoft\svchost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm that spreads via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives; the autorun script executes the Backdoor's file once a user opens the drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name: MeckPix Loader
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2013
Legal Trademarks:
Original Filename: MeckPix Loader.exe
Internal Name: MeckPix Loader.exe
File Version: 1.0.0.0
File Description: MeckPix Loader
Comments:
Language: English (Australia)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             575868        576000    4.62967  82efa31be51e395077cee655cd8ee183
.rdata  581632           182098        182272    4.00776  fa899eaaa8b1b9c5848304efbe7169ca
.data   765952           40756         25088     1.39065  15fdb298b8d66a3218f66f46d7b0584b
.rsrc   806912           15412         15872     3.49456  3705573ec855fb8f04cf1bc3157c66e0
.reloc  823296           41258         41472     3.60923  9ecb86eb52835d01a22e5f14ae244de1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the following location(s):

svchost.exe_1072:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_1072_rwx_10000000_0004A000:

.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
%SERVER%
URLMON.DLL
shell32.dll
http://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
KWindows
TServerKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
spygbr.no-ip.org
Taskmgr.exe
OLEAUT32.dll
{13KD28X5-3D85-0JRE-75YT-VMMW03328833}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
r.exe
OLE%SERVER%
C:\Windows
ftp.ftpserver.com
ftpuser

Taskmgr.exe_780:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
iphlpapi.dll
COMCTL32.dll
SHLWAPI.dll
SHELL32.dll
Secur32.dll
VDMDBG.dll
taskmgr.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
WTSAPI32.dll
WINSTA.dll
MSGINA.dll
NetGetJoinInformation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
UTILDLL.dll
ole32.dll
taskmgr.pdb
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
GetProcessHeap
SetProcessShutdownParameters
GetKeyState
ExitWindowsEx
GetAsyncKeyState
EnumWindowStationsW
EnumWindows
CloseWindowStation
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
CascadeWindows
TileWindows
ntdll.dll
RegOpenKeyExA
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
mcmd.exe
%ComSpec%
Software\Microsoft\Windows\CurrentVersion\Policies\System
%d %%
%s -p %ld
-%sd%sd
d %
lsass.exe
services.exe
smss.exe
winlogon.exe
csrss.exe
ntvdm.exe
drwtsn32.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
ShadowHotkeyShift
ShadowHotkeyKey
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
The Processor Affinity setting controls which CPUs the process will be allowed to execute on.
Connect Password Required
Enter the selected User's password:
Hot key
To end a remote control session, press this key, plus the keys selected below:
To end a remote control session, press this key on the numeric keypad, plus the keys selected below:
&Windows
&Log Off %s
WinKey L
Windows TaskManager
5.1.2600.5512 (xpsp.080413-2105)
taskmgr.exe
Windows
Operating System
5.1.2600.5512