MD5: 24e75bde7d18226edd597ae697d87e7e
SHA1: d411c7bf7b85b0d28d6fb5cbdb388eb1f7ca85e6
SHA256: ed504a9ad748eb6743b6519201d634b96a7f44d03d4bfd57f4fa9e6e584e4a27
SSDeep: 768:8K6Wpy9udnJcd46Wm8rS8OFfUQQkM0MxRBkhUooda:xBy9uEd4S8rSRykHMLBo7
Size: 37888 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2009-07-25 18:30:12
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

Process activity

The DeepScan creates the following process(es):

taskkill.exe:604
taskkill.exe:360
taskkill.exe:552
sc.exe:1788
rundll32.exe:744
cacls.exe:692

The DeepScan injects its code into the following process(es):

%original file name%.exe:820

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:820 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Perflib_Perfdata_2a4.dat (100 bytes)
%System%\m1846741.dll (12169462 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\Temp\Perflib_Perfdata_124.dat (100 bytes)
%WinDir% (384 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System% (744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config (100 bytes)
%System%\drivers (96 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (37 bytes)

The process rundll32.exe:744 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

Registry activity

The process taskkill.exe:604 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 1F 05 A9 5B 59 36 28 27 B3 C2 D6 6E 7D 3E CE"

The process taskkill.exe:360 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 C2 50 F8 81 18 F2 72 1F A5 F4 9E 76 EB 52 B5"

The process taskkill.exe:552 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 17 27 1F 56 F2 FB D2 90 8D FB A5 1D 94 96 73"

The process sc.exe:1788 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 22 35 F3 5C 2B 74 53 FE 55 07 73 07 B9 14 8D"

The process rundll32.exe:744 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 60 41 55 9A 75 9F D4 D7 4E BD EC 3D 0B D1 36"

The process cacls.exe:692 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 40 A9 07 F8 AB B5 7B 4F B5 38 EF F3 86 AA AA"

Dropped PE files

HOSTS file anomalies

The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The DeepScan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 5.1.2600.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: CALC.EXE
Internal Name: CALC
File Version: 5.1.2600.0 (xpclient.010817-1148)
File Description: Windows Calculator application file
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the folowing location(s):

`.rsrc

%s\s%d

32.exe

%dm^`[

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

3-3?3\3{3

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

WinExec

GetWindowsDirectoryA

.text

`.rdata

@.data

.rsrc

,gF %c

B`.rdh

KERNEL32.DLL

MSVCRT.dll

SHELL32.dll

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Microsoft(R) Windows(R) Operating System

5.1.2600.0

%original file name%.exe_820_rwx_00401000_0001D000:

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

3-3?3\3{3

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

WinExec

GetWindowsDirectoryA

.text

`.rdata

@.data

.rsrc

,gF %c

%original file name%.exe_820_rwx_10000000_00001000:

.data

.rsrc

@.reloc

psapi.dll

\patch.exe

\dstdisk.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\drivers\gm.dls

%s%d.txt

>>tmp.tmp

@echo rcx>>tmp.tmp

@echo %X>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo w>>tmp.tmp

@echo q>>tmp.tmp

@debug<tmp.tmp>nul

@rename tmp2 tmp2.exe

tmp2.exe

Windows

1.exe

autorun.inf

Open=1.exe

urlmon

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

.html

.hhqg

qq.exe

360safe.exe

\explorer.exe

\temp\explorer.exe

nfect_exe

\pipe\browser

\\%s\IPC$

Bd

%original file name%.exe_820_rwx_1000A000_00002000:

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

WinExec

CreatePipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

WS2_32.dll

InternetOpenUrlA

WININET.dll

rundll32.exe_744:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:604
   taskkill.exe:360
   taskkill.exe:552
   sc.exe:1788
   rundll32.exe:744
   cacls.exe:692

3. Delete the original DeepScan file.
   
4. Delete or disinfect the following files created/modified by the DeepScan:
   

   C:\ (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
   C:\autorun.inf (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
   C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Perflib_Perfdata_2a4.dat (100 bytes)
   %System%\m1846741.dll (12169462 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   %WinDir%\Temp\Perflib_Perfdata_124.dat (100 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\config (100 bytes)
   %WinDir%\s265006334.dll (35485887 bytes)
   C:\1.exe (37 bytes)
   %System%\drivers\acpiec.sys (14 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.