Backdoor.Win32.Fynloski_ba9bb47e1a

by malwarelabrobot on July 27th, 2013 in Malware Descriptions.

Trojan.Win32.Jorik.DarkKomet.ba (Kaspersky), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR, BackdoorFynloski.YR, GenericDownloader.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, VirTool


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: ba9bb47e1a3f5a8f287c477cb9136af1
SHA1: 766325fd85ed28018320f2506319f789ff44c9d1
SHA256: 4f5212b7306316b1752c069dd958c87fbec533bb7ad3af02c7ba78ec37b080b5
SSDeep: 6144:VMbUP17dlNfTuXuACK0CjCKwkXxH6FNz/RJU49TEnvF5Eayt33WJ:VcUP1plgl0 CKfXMj/QCwnvF53
Size: 323584 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC; UPolyXv05_v6; NETexecutable
Company: no certificate found
Created at: 2013-07-24 07:50:41


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

ba9bb47e1a3f5a8f287c477cb9136af1.exe:1396
AppLaunch.exe:620
AppLaunch.exe:212
AppLaunch.exe:1340
AppLaunch.exe:196
AppLaunch.exe:1124
AppLaunch.exe:584
AppLaunch.exe:1160
AppLaunch.exe:1900
AppLaunch.exe:1632
AppLaunch.exe:1772
AppLaunch.exe:1852
AppLaunch.exe:1192
AppLaunch.exe:1692
AppLaunch.exe:1376
AppLaunch.exe:476
AppLaunch.exe:1508
AppLaunch.exe:1752
AppLaunch.exe:892
AppLaunch.exe:628
AppLaunch.exe:1168
AppLaunch.exe:1956
AppLaunch.exe:1804
AppLaunch.exe:844
AppLaunch.exe:1704
AppLaunch.exe:2216
AppLaunch.exe:1188
AppLaunch.exe:1800
AppLaunch.exe:1724
AppLaunch.exe:2272
AppLaunch.exe:2148
wbemcore.exe:1336

The Backdoor injects its code into the following process(es):

SyncHost.exe:1176
AppLaunch.exe:2020
wbemcore.exe:1736

File activity

The process SyncHost.exe:1176 makes changes to the file system.
The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\SyncHost.exe (0 bytes)

The process ba9bb47e1a3f5a8f287c477cb9136af1.exe:1396 makes changes to the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe (10 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\SyncHost.exe (1425 bytes)

Registry activity

The process SyncHost.exe:1176 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB C5 E1 D1 4E E7 E4 3B 91 14 CB F3 DA 78 03 F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies the IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process ba9bb47e1a3f5a8f287c477cb9136af1.exe:1396 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 0D A4 D3 2A 14 40 28 7C 3F 6B 7B 7B 60 FE 44"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft\Windows]
"wbemcore.exe" = "Windows Management Instrumentation"

The Backdoor modifies the IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process AppLaunch.exe:620 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 7E 64 BF BA 34 2F 2E 81 31 C3 FA 44 72 DF 31"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:10 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:212 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 3F ED 47 8C 67 AB 76 9F 88 86 C9 EF D7 3D F6"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:03 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1340 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 E5 AC 31 E0 C0 89 AF E8 1C 31 D9 0E 80 9A 13"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:43 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:196 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 1C B6 9F EA F8 52 7D 91 FD 77 3C 41 E5 CD 1E"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:25 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1124 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 93 69 38 40 A2 B0 D7 3D C5 86 76 A8 5F 78 C5"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:56 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:584 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 27 9D F2 88 E2 CE FD 88 E1 05 9A E6 33 D8 F1"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:48 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1160 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 91 77 C7 3F 2B 9C 00 7D 25 22 AE 76 0F D2 4D"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:00 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1900 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 2C C3 18 6C 7B B9 95 73 3D 82 AB AB 66 AF 29"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:36 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1632 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 B2 2A 23 F7 3E E6 62 84 93 57 8C 71 49 EA 55"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:23 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1772 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB B3 2A F2 27 D9 FC 29 E2 EC CD 73 46 52 DD F0"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:28 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1852 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 EC 4C 0D 3D 7D B5 56 BE 69 F7 01 B3 65 17 75"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:06 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1192 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 86 80 AD 3E E7 DD 62 0D 5C 83 61 1E 84 E5 D2"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:18 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1692 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 4E 2C 3D 05 A4 6F 32 5C D1 7B 2C 9A A5 EE E5"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:45 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1376 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 75 48 91 72 76 85 67 7C 4D DE E7 BD 8A D8 5C"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:26 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:476 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 48 95 4A FE 70 9D 0B 06 9B 9B 79 8F B6 C0 A3"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:21 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1508 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 CC EB F4 F8 0E 5F E4 22 A4 0F 34 B7 B8 82 BB"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:33 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1752 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF CD 7A A2 1C 1B 8C 55 77 B1 DE 23 D9 6E 49 B0"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:13 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:892 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 DE E9 18 4F F7 85 D1 9C 4F 8E 23 43 31 62 1E"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:38 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:628 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 4D 2D 4E E4 DB 7E 0F F0 CD 06 F7 53 13 C1 4C"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:53 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1168 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 5E 91 CB 5F 33 52 9D 36 A7 9F 31 21 AC 29 91"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:20 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1956 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 04 C0 F5 53 01 1E C8 A1 5A 98 B4 8F 67 D0 DF"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:58 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1804 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 14 CA 84 BB E1 FA 66 70 BE 28 CF 4A 77 A0 3C"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:15 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:844 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 CD 58 F8 FB F9 9F 6F 63 AB B8 D2 3A 23 65 4A"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:31 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1704 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 86 96 FA D9 DB 97 0F AA FF C2 02 D1 CB 04 5C"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:41 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:2216 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D C2 0D 2E F6 79 FD 77 09 92 1C AB 8D 88 E1 E7"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:31 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1188 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 71 C6 71 DF FA 94 45 93 F2 D2 6B B9 94 C3 46"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:08 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1800 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E F7 6A EA 49 C8 45 A7 E4 2E 71 31 D8 2D CB 8E"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:23 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:1724 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 70 25 E8 96 82 78 EC 01 DF 4D 34 FA 07 A4 8D"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:32:50 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:2272 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 FE 0B 04 90 59 2C 87 09 27 B3 20 9A 35 6B 2A"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:34 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process AppLaunch.exe:2020 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 B8 05 7E 78 5F DF CE 11 78 3D A4 2A 09 8B 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process AppLaunch.exe:2148 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 E4 2F 7A 27 5B 12 76 61 3E 20 6A CA FF E8 1C"

[HKCU\Software\DC3_FEXEC]
"7/26/2013 at 11:33:28 PM" = "{118c04c0-7454-11e2-81a8-806d6172696f-2829482533}"

The process wbemcore.exe:1336 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 BF F4 29 D7 8F 22 FD 79 63 42 0E FD 0A 5E 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To run itself automatically each time Windows is booted, the Backdoor adds the following reference to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Management Instrumentation" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe"

The process wbemcore.exe:1736 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 AA 9B 03 1C 5E 11 30 72 BF C7 D9 75 1F 1F 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To run itself automatically each time Windows is booted, the Backdoor adds the following reference to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Management Instrumentation" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe"

Network activity (URLs)

URL                  IP
jazibaba.no-ip.org   67.215.4.123


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ba9bb47e1a3f5a8f287c477cb9136af1.exe:1396
    AppLaunch.exe:620
    AppLaunch.exe:212
    AppLaunch.exe:1340
    AppLaunch.exe:196
    AppLaunch.exe:1124
    AppLaunch.exe:584
    AppLaunch.exe:1160
    AppLaunch.exe:1900
    AppLaunch.exe:1632
    AppLaunch.exe:1772
    AppLaunch.exe:1852
    AppLaunch.exe:1192
    AppLaunch.exe:1692
    AppLaunch.exe:1376
    AppLaunch.exe:476
    AppLaunch.exe:1508
    AppLaunch.exe:1752
    AppLaunch.exe:892
    AppLaunch.exe:628
    AppLaunch.exe:1168
    AppLaunch.exe:1956
    AppLaunch.exe:1804
    AppLaunch.exe:844
    AppLaunch.exe:1704
    AppLaunch.exe:2216
    AppLaunch.exe:1188
    AppLaunch.exe:1800
    AppLaunch.exe:1724
    AppLaunch.exe:2272
    AppLaunch.exe:2148
    wbemcore.exe:1336

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe (10 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\SyncHost.exe (1425 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Windows Management Instrumentation" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
