Backdoor.Win32.IRC_c7c7345bb0
HEUR:Trojan.Win32.Generic (Kaspersky), BackdoorIRC.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c7c7345bb0c0e14a9b6b937fc7ebb2fd
SHA1: 2fc4db8a76a30b2b37ab06e850725bd5cb470cb7
SHA256: b5b8f6cb3a23fc266fcd76c319939c9cd008234989e856730b4b3133670baf0d
SSDeep: 6144:vDVpEvBTe/muyUxGUMj7dDJqa/Fc6HUtNHu:RpItepyUUUMj7bFUtVu
Size: 259664 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-07 04:05:17
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Backdoor. Malware that enables a remote control of victim's machine.
IRCBot. A bot communicates with command and control servers via IRC channel.
Process activity
The Backdoor creates the following process(es):
c7c7345bb0c0e14a9b6b937fc7ebb2fd.exe:416
CTFMON.EXE:296
ojpzifh.exe:1652
ojpzifh.exe:1892
The Backdoor injects its code into the following process(es):
ojpzifh.exe:1760
File activity
The process c7c7345bb0c0e14a9b6b937fc7ebb2fd.exe:416 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%System%\ojpzifh.exe (259664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process ojpzifh.exe:1760 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (28672 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (74 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (197 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
Registry activity
The process c7c7345bb0c0e14a9b6b937fc7ebb2fd.exe:416 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 2A A8 22 9D 2C BC 33 87 66 85 F3 1D B5 E9 FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
The process CTFMON.EXE:296 makes changes in a system registry.
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process ojpzifh.exe:1760 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\yOLE]
"Supports RAS Connections" = "ojpzifh.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "ojpzifh.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\yOLE]
"Supports RAS Connections" = "ojpzifh.exe"
[HKLM\System\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "ojpzifh.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 11 33 63 08 02 F5 79 BB 2E 1C 37 A9 F4 02 87"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "ojpzifh.exe"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "ojpzifh.exe"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "ojpzifh.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "ojpzifh.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
Network activity (URLs)
A bot communicates with command and control servers via IRC channel.
URL: hxxp://www.v.dropbox.com/s/eysw6hxovddeau5/nn.exe?dl=1 Country: United States Verdict: Malicious
URL: www.dropbox.com IP: 199.47.217.171
URL: videos.p0rn-lover.us IP: 146.82.5.222
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
c7c7345bb0c0e14a9b6b937fc7ebb2fd.exe:416
ojpzifh.exe:1652
ojpzifh.exe:1892 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\ojpzifh.exe (259664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (28672 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (74 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (197 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "ojpzifh.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "ojpzifh.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "ojpzifh.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "ojpzifh.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
