Backdoor.Win32.FlyAgent_22f929ce1c
Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.FlyAgent!IK (Emsisoft), BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.
MD5: 22f929ce1ca36cb691e688649ef87f06
SHA1: 8f52076e67ed47bd0fda0beb7b97376315761404
SHA256: 050d1c5d69c42adb1814d5d65c5f0e493392da5f91404ec8c299f44672de4bfa
SSDeep: 768:xkHUucR2Xy8sx5nzMRLuIzZuiD0DRuA0:yHUuq6oxtdIzciADRu9
Size: 25088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-06 02:39:22
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
No processes have been created.
The Backdoor injects its code into the following process(es):
%original file name%.exe:1396
File activity
The process %original file name%.exe:1396 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\Common Files\%original file name%.exe (25088 bytes)
C:\koreaautoup.bmp (36 bytes)
%System%\drivers\etc\hosts (20712260 bytes)
%System%\drivers\etc\hosts.ics (20712260 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\919687\TemporaryFile (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\919687 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\919609\TemporaryFile (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\919609 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\919609\TemporaryFile\TemporaryFile (0 bytes)
Registry activity
The process %original file name%.exe:1396 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 2E 1D EB 21 FE 46 11 5B C5 61 BD E6 C5 62 BC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ServerInfoTimeOut" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"jinyo" = "%Program Files%\Common Files\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"DnsCacheEnabled" = "0"
"DnsCacheTimeout" = "0"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 10488644 bytes in size. The following strings are added to the hosts file listed below:
| 126.126.234.137 | kBstar.coM |
| 126.126.234.137 | kisa.kBstar.coM |
| 126.126.234.137 | www.kBstar.coM |
| 126.126.234.137 | oBank.kBstar.coM |
| 126.126.234.137 | Open.kBstar.coM |
| 126.126.234.137 | oBank1.kBstar.coM |
| 126.126.234.137 | Banking.nonghyup.coM |
| 126.126.234.137 | kisa.nonghyup.coM |
| 126.126.234.137 | nonghyup.coM |
| 126.126.234.137 | open.nonghyup.com |
| 126.126.234.137 | iBz.nonghyup.coM |
| 126.126.234.137 | www.nonghyup.coM |
| 126.126.234.137 | wooriBank.coM |
| 126.126.234.137 | www.wooriBank.coM |
| 126.126.234.137 | open.wooribank.com |
| 126.126.234.137 | kisa.wooribenk.com |
| 126.126.234.137 | piB.wooriBank.coM |
| 126.126.234.137 | u.wooriBank.coM |
| 126.126.234.137 | shinhan.coM |
| 126.126.234.137 | www.shinhan.coM |
| 126.126.234.137 | Banking.shinhan.coM |
| 126.126.234.137 | BizBank.shinhan.coM |
| 126.126.234.137 | Open.shinhan.coM |
| 126.126.234.137 | kisa.shinhan.coM |
| 126.126.234.137 | iBk.co.kR |
| 126.126.234.137 | kisa.ibek.co.kr |
| 126.126.234.137 | www.iBk.co.kR |
| 126.126.234.137 | kiup.iBk.co.kR |
| 126.126.234.137 | Open.iBk.co.kR |
| 126.126.234.137 | hanaBank.coM |
| 126.126.234.137 | kisa.hanabenk.com |
| 126.126.234.137 | www.hanaBank.coM |
| 126.126.234.137 | Open.hanaBank.coM |
| 126.126.234.137 | www.hanaBank.coM |
| 126.126.234.137 | kfcc.co.kR |
| 126.126.234.137 | www.kfcc.co.kR |
| 126.126.234.137 | kisa.kfcc.co.kr |
| 126.126.234.137 | iBs.kfcc.co.kR |
| 126.126.234.137 | open.kfcc.co.kr |
| 126.126.234.137 | keB.co.kR |
| 126.126.234.137 | kisa.keB.co.kR |
| 126.126.234.137 | www.keB.co.kR |
| 126.126.234.137 | online.keB.co.kR |
| 126.126.234.137 | Open.keB.co.kR |
| 126.126.234.137 | epostBank.go.kR |
| 126.126.234.137 | kisa.epostbenk.go.kr |
| 126.126.234.137 | www.epostBank.go.kR |
| 126.126.234.137 | www.epostbank.kr |
| 126.126.234.137 | www.epostbank.co.kr |
| 126.126.234.137 | standardchartered.co.kr |
| 126.126.234.137 | www.standardchartered.co.kr |
| 126.126.234.137 | iB.scfirstBank.coM |
| 126.126.234.137 | open.scfirstbank.com |
| 126.126.234.137 | www.scfiirstbank.com |
| 126.126.234.137 | scfirstBank.coM |
| 126.126.234.137 | daum.neT |
| 126.126.234.137 | www.daum.neT |
| 126.126.234.137 | hanmail.neT |
| 126.126.234.137 | naver.coM |
| 126.126.234.137 | www.naver.coM |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Program Files%\Common Files\%original file name%.exe (25088 bytes)
C:\koreaautoup.bmp (36 bytes)
%System%\drivers\etc\hosts (20712260 bytes)
%System%\drivers\etc\hosts.ics (20712260 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
