MD5: 88f0b8169c1f4f5cc9d03e98a133f41e
SHA1: a03615ed12321c11f3ad0eb491d73a1feb8703e8
SHA256: 4e07e06d52ecc39c1e5967fdf5327239653e36df2bda7227bda83d77732c1a30
SSDeep: 12288:E4AOQecA7gkGcMfDaN tSZY4RQ19pyNW9agpb6A/958RiumubSSRsnbEdpuBSmxe:EJIF7jGccvtSZY4Rij9Nb60n8bmubLse
Size: 718848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: WinterSoft
Created at: 2013-12-01 15:19:46

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

gyAbDqTrxa.exe:1808
reg.exe:1780

The Backdoor injects its code into the following process(es):

vbc.exe:952
%original file name%.exe:384

File activity

The process %original file name%.exe:384 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gyAbDqTrxa.exe (33822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\.exe (3791 bytes)

Registry activity

The process gyAbDqTrxa.exe:1808 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 5E 8A EF 7B 32 FD 84 F1 A1 8B 39 F6 7B 6E A7"

[HKCU\Software\DC3_FEXEC]
"12/2/2013 at 3:44:03 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process vbc.exe:952 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 21 E6 74 01 3D D1 CD 1A A2 35 5A FC BB 5B 6D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process reg.exe:1780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 EA 3E 64 E0 23 28 D2 B9 51 06 98 A3 E5 AF AF"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MyImgur" = "%Documents and Settings%\%current user%\Local Settings\Temp\.exe"

The process %original file name%.exe:384 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 B1 A6 C3 4E EF 49 72 4B E2 64 47 BC 38 56 30"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Network activity (URLs)

URL	IP
hxxp://directxex.com/uploads/628872640.sv.exe	108.162.198.96

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   gyAbDqTrxa.exe:1808
   reg.exe:1780
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\gyAbDqTrxa.exe (33822 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\.exe (3791 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "MyImgur" = "%Documents and Settings%\%current user%\Local Settings\Temp\.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.