MD5: a61c1e2f7d8e12f860cc81f7e1f02b24
SHA1: 01db0f6f821bdac7f440f0fed29588d73ef70c97
SHA256: 3a3442c8b37d63a648c85ee70ad27107701e5cf842b3682548556188a6288530
SSDeep: 3072:jox34lgaah0gQYujo9ia8wDekuc0Sa2UoA8wklJ1bH5yj:jm38gaQJgjha8w3BAdkbB5Y
Size: 129506 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: LLC Pentagon
Created at: 2008-10-11 00:48:33
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

regsvr32mgr.exe:2728
regsvr32.exe:2632
ajvmmkjkbtsibwto.exe:3016

The Backdoor injects its code into the following process(es):

ctfmon.exe:252

File activity

The process regsvr32mgr.exe:2728 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)

The process regsvr32.exe:2632 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\regsvr32mgr.exe (116 bytes)

The process ajvmmkjkbtsibwto.exe:3016 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (0 bytes)

Registry activity

The process ctfmon.exe:252 makes changes in the system registry.
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process regsvr32mgr.exe:2728 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 37 2A 77 31 C3 1F 75 5A 6D A2 63 A4 D4 6A 74"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ajvmmkjkbtsibwto.exe" = "ajvmmkjkbtsibwto"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process regsvr32.exe:2632 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 65 13 CC 41 3C B7 52 B3 59 51 0C 84 0D 00 10"

The process ajvmmkjkbtsibwto.exe:3016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 98 77 4F F2 DF E7 80 FB 3A EE 1D 7A 9B 4B C4"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following kernel-mode hooks:

ZwCreateKey
ZwOpenKey

The Backdoor installs the following user-mode hooks in USER32.dll:

TranslateMessage

The Backdoor installs the following user-mode hooks in WS2_32.dll:

WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto

The Backdoor installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
ZwQueryDirectoryFile

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   regsvr32mgr.exe:2728
   regsvr32.exe:2632
   ajvmmkjkbtsibwto.exe:3016

3. Delete the original Backdoor file.
   
4. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
   %System%\regsvr32mgr.exe (116 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes)

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.