Backdoor.Win32.Kelihos_25789eec9e
Trojan.Win32.Badur.fsmi (Kaspersky), Trojan.Win32.Kryptik.mwe (v) (VIPRE), Backdoor.Win32.Kelihos.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 25789eec9e0d4b5cdf184bf41460808e
SHA1: 8c1b9ae7fd5295e1c8e1ee0f8a896595b91ef3f1
SHA256: eca0b72e38bec783311d7264f535a677fcefa1b04ac39e4733a2265f107f538a
SSDeep: 384:PuRzY Me3t5uA37kQXQHh80OYWZnMsJmxMZ8L:GRznMe3tQA3wQuhoZDJmc
Size: 22544 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-05-19 10:21:55
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
temp3830475590.exe:548
%original file name%.exe:1336
The Backdoor injects its code into the following process(es):
temp1033573107.exe:624
File activity
The process %original file name%.exe:1336 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\temp1033573107.exe (3910 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp3830475590.exe (6377 bytes)
The process temp1033573107.exe:624 makes changes in the file system.
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (0 bytes)
Registry activity
The process temp3830475590.exe:548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E E4 C7 D1 0B A1 C1 C9 C6 52 6F 1B 7D AC 6D E0"
The process %original file name%.exe:1336 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 96 7D 03 3D 3F F9 A3 B4 DA 91 1B D8 B5 12 A3"
The process temp1033573107.exe:624 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 10 F7 D3 88 2E 84 DD DF FB FC 61 33 99 17 69"
[HKCU\Software\Microsoft\Notepad]
"sizeCompletedValid" = "DHuAxdAeTvCuxv/f3z/LP8OgiKX7ifHeA 1h 1jyTcdKOnQl4vfyWwPXssa9Y0gQoQ=="
[HKCU\Software\Sysinternals\Process Monitor]
"UrlEnabledUse" = "80"
[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"EnableStationQueries" = "1"
"ComputerName" = "XP3"
[HKCU\Software\Microsoft\Notepad]
"infoPlayedCurrent" = "00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 6A 00 03 39 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Sysinternals\Process Monitor]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Notepad]
"styleModifiedPrev" = "80"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"
"PersistentLocalizedName" = "24 80 F9 7F 7A 08 E8 3B 9B 03 91 C6 19 4F 99 47"
[HKCU\Software\Sysinternals\Process Monitor]
"DefaultCompressedRecord" = "24 80 F9 7F 73 BC 04 50 31 0A 92 96 47 40 9F AA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Notepad]
"activeModifiedTheme" = "24 80 F9 7F 87 51 D1 F5 0A 70 98 FD F0 F7 45 48"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"RecordEnabledCheck" = "80"
[HKCU\Software\Sysinternals\Process Monitor]
"RecordModifiedMax" = "DHuAxdAeTvCuxv/f3z/LP8OgiKX7ifHeA 1h 1jyTcdKOnQl4vfyWwPXssa9Y0gQoQ=="
[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"UserName" = "%CurrentUserName%"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"LineLoadedQuick" = "DHuAxdAeTvCuxv/f3z/LP8OgiKX7ifHeA 1h 1jyTcdKOnQl4vfyWwPXssa9Y0gQoQ=="
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkChecker" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\temp1033573107.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://159.224.26.217/mod1/b0ber01.exe (Malicious) |  |
| hxxp://37.75.103.48/mod2/b0ber01.exe (Malicious) |  |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
temp3830475590.exe:548
%original file name%.exe:1336 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\temp1033573107.exe (3910 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp3830475590.exe (6377 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkChecker" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\temp1033573107.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
