MD5: d7a6ec8eda1fc374a95ac2b1f71c77d2
SHA1: 63194d1009fe6abd3703d1db8bfa4e608d1cd68f
SHA256: d863517204d39341ff416d26d6b353a76ab4a2f07fae43fce7d6f1a3e1a3f0ed
SSDeep: 1536:PIVVQNo2o/3 mYpERjuX s9tDQZsnNZ/TDjjKDFB3X8WYhNiFTK:UVQNor/DkSW/9VFnjrDfKDH87DoK
Size: 94287 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-05 08:26:10

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Process activity

The Backdoor creates the following process(es):

Reader_sl.exe:1064
wuauclt.exe:344

The Backdoor injects its code into the following process(es):

73027.exe:596

File activity

The process wuauclt.exe:344 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Backdoor deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

Registry activity

The process 73027.exe:596 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 4D FC D1 AE 3C 40 C2 C1 F9 B4 0B 6D 16 1C 11"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fuquehoj" = "%System%\hycoukyvas.exe"

The process Reader_sl.exe:1064 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   wuauclt.exe:344
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
   %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "fuquehoj" = "%System%\hycoukyvas.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.