DDoS.Win32.Nitol_f85bf0be2e
Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Win32.Ramnit.d (v) (VIPRE), Trojan.Win32.MicroFake!IK (Emsisoft), DDoS.Win32.Nitol.FD, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f85bf0be2e89fbe0806ad4f4f8c2e01c
SHA1: 014ec5ae70d5483a855d0740877eeadbfe08847d
SHA256: 89a985b717d072e8f5c869178db7bbb8d51fa781f0f8eb932e48edf53957aa80
SSDeep: 1536:OmL6BS7LL1BZ o9yHSmoZ5obCdcoLMomnI6c477NpYDe Hu07Xb:OFBon1BZJyHSsbONLMRnI6ckNpoX/
Size: 95744 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The DDoS creates the following process(es):
regsvr32.exe:240
hrl1.tmp:568
The DDoS injects its code into the following process(es):
No processes have been created.
File activity
The process regsvr32.exe:240 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (88 bytes)
The process hrl1.tmp:568 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):
%System%\uuccug.exe (601 bytes)
Registry activity
The process regsvr32.exe:240 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 87 8B 17 A0 06 48 09 9A C0 CF 97 F0 45 EC D8"
The process hrl1.tmp:568 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 F6 13 B0 B2 87 C2 62 58 3E 93 49 2F 4C 76 73"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The DDoS modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | ZieF.pl |
Rootkit activity
The DDoS installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:240
hrl1.tmp:568 - Delete the original DDoS file.
- Delete or disinfect the following files created/modified by the DDoS:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (88 bytes)
%System%\uuccug.exe (601 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
