MD5: 64a2324d92b484310acf3dde966753c4
SHA1: 3b7cbf47dd227b8193a6f23bdb14c319109ea924
SHA256: d9814dfcf458328004a46e617c5eb93f44738e7cf58d8f87ccb26f7cd931c1fa
SSDeep: 192: L98TYoauLzvs0klCjypohzREWOzXk3xFYMeLV MwAx0SjuZcK2TzDQVKFyUHwHs:lHnsSEooYuxpra3Sah/Z6OUVVf
Size: 40464 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: WinterSoft
Created at: 2012-08-13 10:35:05

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1320
Reader_sl.exe:1064

The Backdoor injects its code into the following process(es):

temp273244605.exe:1776

File activity

The process temp273244605.exe:1776 makes changes in the file system.
The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (0 bytes)

The process %original file name%.exe:1320 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\temp273244605.exe (6296 bytes)

Registry activity

The process temp273244605.exe:1776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 D8 75 9A BD BF 9D AC B1 33 C3 FD 86 68 D9 D4"

[HKCU\Software\Microsoft\Notepad]
"sizeCompletedValid" = "DOJdgY SJFowAelESacU3aqcgxXZmSi2syPVGLxVoykAkUZ8zMOo w7TGCK6ITOyyQ=="

[HKCU\Software\Sysinternals\Process Monitor]
"UrlEnabledUse" = "80"

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"EnableStationQueries" = "1"
"ComputerName" = "XP8"

[HKCU\Software\Microsoft\Notepad]
"infoPlayedCurrent" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 6A 00 03 D1 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Sysinternals\Process Monitor]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Notepad]
"styleModifiedPrev" = "80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"
"PersistentLocalizedName" = "21 80 F9 7F 7A 75 BD EA 4C 62 79 E8 F1 68 69 AE"

[HKCU\Software\Sysinternals\Process Monitor]
"DefaultCompressedRecord" = "21 80 F9 7F 73 2C AD B8 3F 26 2B 40 E0 58 E6 09"

[HKCU\Software\Microsoft\Notepad]
"activeModifiedTheme" = "21 80 F9 7F 87 0A A0 1E C0 30 30 07 B6 86 51 C5"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"RecordEnabledCheck" = "80"

[HKCU\Software\Sysinternals\Process Monitor]
"RecordModifiedMax" = "DOJdgY SJFowAelESacU3aqcgxXZmSi2syPVGLxVoykAkUZ8zMOo w7TGCK6ITOyyQ=="

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"UserName" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"LineLoadedQuick" = "DOJdgY SJFowAelESacU3aqcgxXZmSi2syPVGLxVoykAkUZ8zMOo w7TGCK6ITOyyQ=="

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkUpdater" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\temp273244605.exe"

The process %original file name%.exe:1320 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 55 E9 9E B1 BB 1D 10 92 80 EC 5B 2E B0 84 17"

The process Reader_sl.exe:1064 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Network activity (URLs)

URL	IP
hxxp://93.95.185.26/traff01.exe (Malicious)

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1320
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\temp273244605.exe (6296 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "NetworkUpdater" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\temp273244605.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.