Backdoor.Win32.Fynloski_a0ea3f2c7a
Trojan-Dropper.Win32.FrauDrop.abbru (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR, BackdoorFynloski.YR, GenericDownloader.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan, Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a0ea3f2c7a24dac26a0d19f29cf162d2
SHA1: 16198822dc2fabc9733de08b0da7c72c4a52d337
SHA256: a8da5242c268c29569161ab239af0c97a761a43099b6f6a9c638c6b305baa196
SSDeep: 12288:EwIVW4Cq2dpcsOCcBaPGmIni8fB/Mi0jEDM8lsbbY7aANbZhaogZhm0xvrtF9ci:f2W4Cqmpc7Cinl/e4Y8CorNnaogZg0Ei
Size: 714752 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC; UPolyXv05_v6; NETexecutable
Company: no certificate found
Created at: 2013-07-08 01:05:00
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
antidebugger.exe:548
WScript.exe:504
a0ea3f2c7a24dac26a0d19f29cf162d2.exe:1480
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
The Backdoor injects its code into the following process(es):
cvtres.exe:1572
dzsjrcqp.exe:1604
File activity
The process antidebugger.exe:548 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\dzsjrcqp.exe (48 bytes)
The process a0ea3f2c7a24dac26a0d19f29cf162d2.exe:1480 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\daTplDd5D8\6d4JaEZINr.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\antidebugger.exe (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cc.vbs (387 bytes)
The process wuauclt.exe:344 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process jusched.exe:1056 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process antidebugger.exe:548 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 1B 3E DC 81 E8 3A 86 FC A4 79 9F 80 1B 3C 64"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users]
"dzsjrcqp.exe" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process WScript.exe:504 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 4D B1 2E 05 46 41 DD E6 86 69 FF 7D CA 65 05"
The process a0ea3f2c7a24dac26a0d19f29cf162d2.exe:1480 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D A0 61 E1 65 57 7C 16 B7 F0 35 FD 56 AA CE C5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"antidebugger.exe" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\System32]
"WScript.exe" = "Microsoft (R) Windows Based Script Host"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process Reader_sl.exe:1064 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process cvtres.exe:1572 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 E2 07 66 AF 92 BC 70 61 45 8A 36 4A E3 95 EA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process dzsjrcqp.exe:1604 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 BC B0 02 E9 77 89 D5 17 CC 37 48 05 12 0B 5D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NkQwMjJCMEI1N0NGMkQwMD" = "%Documents and Settings%\All Users\dzsjrcqp.exe"
Network activity (URLs)
| URL | IP | Country |
| hxxp://api.wipmania.com/ (ET POLICY External IP Lookup Attempt To Wipmania ) | 69.197.137.58 |  |
| fatguy.no-ip.biz | 173.74.230.179 | |
| flashirc.sytes.net | 88.198.225.4 |  |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
antidebugger.exe:548
WScript.exe:504
a0ea3f2c7a24dac26a0d19f29cf162d2.exe:1480
wuauclt.exe:344 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\All Users\dzsjrcqp.exe (48 bytes)
%Documents and Settings%\%current user%\Application Data\daTplDd5D8\6d4JaEZINr.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\antidebugger.exe (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cc.vbs (387 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NkQwMjJCMEI1N0NGMkQwMD" = "%Documents and Settings%\All Users\dzsjrcqp.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
