Backdoor.Win32.Napolar.vn_bc14507891

by malwarelabrobot on April 7th, 2014 in Malware Descriptions.

Backdoor.Win32.Napolar.vn (Kaspersky)
Behaviour: Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: bc14507891da9a9592edce81f6cd9311
SHA1: 84cd506cb055411f5a503950534e1b2c9bdf3987
SHA256: b57c89235d7c7f59f3fed8f26df30181d3c9db01affae55eb5de79c40ae77203
SSDeep: 3072:PAycG/885J4Mqpx srgvuCZdyhAFTmqwIdtOccwEjAWkj:TFq1xfcvdZkKhmkgV8
Size: 170856 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-03-27 19:57:58
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor: malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

{897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596
{897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504
%original file name%.exe:1248
%original file name%.exe:1724

The Backdoor injects its code into the following process(es):

Explorer.EXE:2080

File activity

The process %original file name%.exe:1248 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка\{897da024-84c6-cb43-f92a-b6a6897da024}.exe (170856 bytes)

Registry activity

The process {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"

The process {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"

The process %original file name%.exe:1248 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"

The process %original file name%.exe:1724 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in WS2_32.dll:

send

The Backdoor installs the following user-mode hooks in ntdll.dll:

DbgUiRemoteBreakin
ZwSetValueKey
NtResumeThread
NtQueryDirectoryFile

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             8533          12288     3.45701   d7710c14dc529bea7e63831e55260e7d
.rdata  16384            4177          8192      2.0181    3be4f4fd23cc1ffbc8eee143db178abb
.data   24576            751           4096      0.372667  758b24e4ffba4fa0d1a1988b2f20fa0c
.rsrc   28672            4997          8192      3.02847   f73aa029f84e5f4474aa229864fdff66

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
yghqlyz.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Explorer.EXE_2080_rwx_01EA0000_0001A000:

0%D$!
URLM
CHROME.Aq
OPERA
PORTUTIL
C:\plug
in.bine
form-url
01234567
\\.\pipe
v=%d.%
d&u=%s&c
=%s&h
http://
%s HTTP/
t: %s
pad.exe
olPort 9
fig.me/
.bin@2b
C:\sw8i.t!
z.com_
URLMON
CHROME.DLL
OPERA.DLL
RAPPORTUTIL
C:\plugin.bin
\tor.bin
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
GET /?lX HTTP/1.1
HOST: %s
User-Agent: %s
POST / HTTP/1.1
Content-Length: %d
\\.\pipe\npSolar
v=%d.%d&u=%s&c=%s&s=%s&w=%d.%d.%d&b=%d
lX.exe
p=%s&h=%s&u=%s&s=lX
.rdata
.text
https://
%d.%d.%d.%d
127.0.0.1
POST %s HTTP/1.0
Host: %s
\notepad.exe
ControlPort 9001
SocksListenAddress 127.0.0.1
SocksPort 9002
http://ipv4.icanhazip.com
http://myip.dnsomatic.com
http://api.exip.org?call=ip
http://ip.comax.fr
http://ip1.dynupdate.no-ip.com
http://ifconfig.me/ip
application/x-www-form-urlencoded
\explorer.exe
set_url
C:\swi.txt
yghqlyz.com
{897da024-84c6-cb43-f92a-b6a6897da024}
elX.exe
Microsoft\Windows\CurrentVersion\Run
Microsoft\Windows NT\CurrentVersion\Windows\run
Microsoft\Windows NT\CurrentVersion\Windows\load
Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Microsoft\Windows NT\CurrentVersion\Winlogon
e\notepad.exe
n.bin
e\explorer.exe
%Documents and Settings%\%current user%\
\{897da024-84c6-cb43-f92a-b6a6897da024}.exe
%Documents and Settings%\%current user%\Application Data\tor.bin
%Documents and Settings%\%current user%\Application Data\torrc
%Documents and Settings%\%current user%\Application Data\{897da024-84c6-cb43-f92a-b6a6897da024}\
%Documents and Settings%\%current user%\Application Data

Explorer.EXE_2080_rwx_02030000_00001000:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Explorer.EXE_2080_rwx_02080000_00001000:

v=1.1&u=adm&c=MAS1&s={897da024-84c6-cb43-f92a-b6a6897da024}&w=2.5.1&b=32


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596
    {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504
    %original file name%.exe:1248
    %original file name%.exe:1724

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка\{897da024-84c6-cb43-f92a-b6a6897da024}.exe (170856 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
