MD5: b4d0188120077315f02173a7d3dbc379
SHA1: 2699969c24e56d7de4cc4fe913a3edd39d2d586a
SHA256: 4bd0a3a005a868d2f3989da4a40955f603b084527936c90c8c65f148b4f1bc01
SSDeep: 3072:7GswnzyfwsCVqVXyHGG8HcOclpEZjgX8cRSv:6yfwsCVqVXyHWklMgXbRSv
Size: 120320 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2010-09-14 11:27:39
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1696
hrl1.tmp:1348

The Trojan injects its code into the following process(es):

aakqaw.exe:1808

File activity

The process regsvr32.exe:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (108 bytes)

The process aakqaw.exe:1808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\RCX2.tmp (8759 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
%System%\hra33.dll (12 bytes)

The Trojan deletes the following file(s):

%System%\hra33.dll (0 bytes)

The process hrl1.tmp:1348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\aakqaw.exe (601 bytes)
%System%\taskkill.exe (1556 bytes)

Registry activity

The process regsvr32.exe:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 99 3D 63 78 3F 61 47 18 DC 1F A4 74 6C BA 4B"

Network activity (URLs)

URL	IP
jxaode.com	210.209.80.222
hsfloy.com	Unresolvable
mmnopo.com	Unresolvable

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   regsvr32.exe:1696
   hrl1.tmp:1348

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (108 bytes)
   C:\RCX2.tmp (8759 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
   %Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
   %System%\hra33.dll (12 bytes)
   %System%\aakqaw.exe (601 bytes)
   %System%\taskkill.exe (1556 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.