DDoS.Win32.Nitol_1bb2a09457
Trojan.Microfake.D (BitDefender), DDoS:Win32/Nitol.A (Microsoft), Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Win32.Ramnit.d (v) (VIPRE), DDoS.Rincux.316 (DrWeb), Trojan.Microfake.D (B) (Emsisoft), Trojan-FCKC!1BB2A09457D7 (McAfee), Backdoor.Trojan (Symantec), Trojan.Win32.MicroFake (Ikarus), Generic21.ANLJ (AVG), Win32:Malware-gen (Avast), PE_VIRUX.R-2 (TrendMicro), DDoS.Win32.Nitol.FD, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1bb2a09457d7acb98710b397fef16626
SHA1: 5407457a65aa36d07fdf24ac20c4dcc8fd59696f
SHA256: bc606a15702c803a45790b5c0c176e1417be50721f1b85aaca9398947c1958ee
SSDeep: 1536:0m/iI2tZ7XDBZzn6yH1mgkGuMgYehHFgFj1RmjR:0MHsZHBZuyH196hpupG
Size: 75776 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The DDoS creates the following process(es):
regsvr32.exe:2664
hrl1.tmp:2772
The DDoS injects its code into the following process(es):
No processes have been created.
File activity
The process regsvr32.exe:2664 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (68 bytes)
The process hrl1.tmp:2772 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%System%\vmjfic.exe (601 bytes)
Registry activity
The process regsvr32.exe:2664 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D A9 EF 60 A7 A6 CC EB A7 47 37 86 CB 2F D9 18"
The process hrl1.tmp:2772 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 6A 71 A1 F7 EF F8 E4 7D 1D 95 5A E6 1F 7D 14"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The DDoS modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | www.Brenz.pl |
Rootkit activity
The DDoS installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
ZwDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:2664
hrl1.tmp:2772 - Delete the original DDoS file.
- Delete or disinfect the following files created/modified by the DDoS:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (68 bytes)
%System%\vmjfic.exe (601 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
