DDoS.Win32.Nitol_efa8c342df
Trojan.Microfake.D (BitDefender), Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Win32.Ramnit.d (v) (VIPRE), DDoS.Rincux.316 (DrWeb), Trojan.Microfake.D (B) (Emsisoft), Trojan-FCKC!EFA8C342DFF5 (McAfee), Backdoor.Trojan (Symantec), Trojan.Win32.ServStart (Ikarus), Generic21.ANLJ (AVG), Win32:Malware-gen (Avast), TROJ_GEN.F0C2C00KF13 (TrendMicro), DDoS.Win32.Nitol.FD, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: efa8c342dff536ddbdd9bb4b93115c9f
SHA1: 8f842aea3409edc7cb6ce430e34d89662e5d9d6a
SHA256: a507d4afb2a6aee2efc4dfaad4828e4f360c4872684fb7ffed547b4774be7558
SSDeep: 1536:Vmeq7WuHEqU0xlayH2mmJ7KKugJz2NKXnvaLk:VdeHEKuyH2vJ7KsyNIag
Size: 71168 bytes
File type: DLL
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The DDoS creates the following process(es):
dwwin.exe:1464
regsvr32.exe:1792
hrl1.tmp:1560
File activity
The process dwwin.exe:1464 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q50NKF49\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\CWK2PQBY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\S96Z4XA3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\4L2VW563\desktop.ini (67 bytes)
The process regsvr32.exe:1792 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (63 bytes)
The process hrl1.tmp:1560 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%System%\hydhyi.exe (63 bytes)
Registry activity
The process regsvr32.exe:1792 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A AD C9 E3 AA 25 95 1D A0 82 58 75 4D 3B 55 11"
Network activity (URLs)
| URL | IP |
|---|---|
| ytrkkq.com |  Unresolvable |
| zsgjyb.com | Unresolvable |
| uirlhu.com | Unresolvable |
| eiyeie.com | Unresolvable |
| gjaiqe.com | Unresolvable |
| okjsuu.com | Unresolvable |
| ttcbzi.com | Unresolvable |
HOSTS file anomalies
The DDoS modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | www.Brenz.pl |
Rootkit activity
The DDoS installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:1464
regsvr32.exe:1792
hrl1.tmp:1560 - Delete the original DDoS file.
- Delete or disinfect the following files created/modified by the DDoS:
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q50NKF49\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\CWK2PQBY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\S96Z4XA3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\4L2VW563\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (63 bytes)
%System%\hydhyi.exe (63 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
