MD5: e75ba12aea996b400ffe525c6d597318
SHA1: 39618ecaa452b64610e95c9e98652f72bef0cbd0
SHA256: 0c0a8e1c9aaab77e4d8129ae7e06be576c24393bb29cfa34220d5984ca24f468
SSDeep: 768:D z0vIRLwOH2PqzHuZRCPEcH7leYmMB7J9vE/F6JW:g0vIRMVq3EcH7leYmMB7nc/FN
Size: 37888 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Name Disposition
Created at: 2009-07-25 18:30:12
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

Process activity

The DeepScan creates the following process(es):

taskkill.exe:1936
taskkill.exe:368
taskkill.exe:1532
sc.exe:1388
rundll32.exe:212
cacls.exe:396

The DeepScan injects its code into the following process(es):

%original file name%.exe:556

Mutexes

The following mutexes were created/opened:

RasPbFile
WininetProxyRegistryMutex
c:!documents and settings!adm!local settings!history!history.ie5!
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
DBWinMutex
ShimCacheMutex
135896

File activity

The process rundll32.exe:212 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

The process %original file name%.exe:556 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\m1846741.dll (12169462 bytes)
%WinDir% (384 bytes)
C:\ (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (37 bytes)
%System%\config (108 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\drivers (96 bytes)
%System% (744 bytes)

Registry activity

The process taskkill.exe:1936 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B F7 B2 17 1D 7E 36 2F 94 13 C4 DE 51 1A 89 DD"

The process taskkill.exe:368 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 3F D5 C1 27 14 D8 F0 7D 61 CD 0F CA DF C9 F0"

The process taskkill.exe:1532 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D AA F6 87 C8 06 91 59 4C D2 11 41 8E 2F 5E C5"

The process sc.exe:1388 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 20 FD 9D DB 0F BE C4 EB 08 6A E8 E5 06 6D E1"

The process rundll32.exe:212 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 C8 35 3C 3B 2A A9 F0 3C 7E DF C9 59 39 FB 27"

The process cacls.exe:396 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D B6 D2 8D B8 B0 69 4A EA 9E D5 1A C9 8B 2A 0E"

Dropped PE files

HOSTS file anomalies

The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The DeepScan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 5.1.2600.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: CALC.EXE
Internal Name: CALC
File Version: 5.1.2600.0 (xpclient.010817-1148)
File Description: Windows Calculator application file
Comments:
Language: Swedish (Sweden)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the folowing location(s):

`.rsrc

%s\s%d

32.exe

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

3-3?3\3{3

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

WinExec

GetWindowsDirectoryA

.text

`.rdata

@.data

.rsrc

V "se`T%DP

B`.rdha

KERNEL32.DLL

MSVCRT.dll

SHELL32.dll

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Microsoft(R) Windows(R) Operating System

5.1.2600.0

%original file name%.exe_556_rwx_00401000_0001D000:

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

3-3?3\3{3

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

WinExec

GetWindowsDirectoryA

.text

`.rdata

@.data

.rsrc

%original file name%.exe_556_rwx_10000000_00001000:

.data

.rsrc

@.reloc

psapi.dll

\patch.exe

\dstdisk.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\drivers\gm.dls

%s%d.txt

>>tmp.tmp

@echo rcx>>tmp.tmp

@echo %X>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo w>>tmp.tmp

@echo q>>tmp.tmp

@debug<tmp.tmp>nul

@rename tmp2 tmp2.exe

tmp2.exe

Windows

1.exe

autorun.inf

Open=1.exe

urlmon

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

.html

.hhqg

qq.exe

360safe.exe

\explorer.exe

\temp\explorer.exe

nfect_exe

\pipe\browser

\\%s\IPC$

Bd

%original file name%.exe_556_rwx_1000A000_00002000:

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

WinExec

CreatePipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

WS2_32.dll

InternetOpenUrlA

WININET.dll

rundll32.exe_212:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:1936
   taskkill.exe:368
   taskkill.exe:1532
   sc.exe:1388
   rundll32.exe:212
   cacls.exe:396

3. Delete the original DeepScan file.
   
4. Delete or disinfect the following files created/modified by the DeepScan:
   

   %System%\drivers\acpiec.sys (14 bytes)
   C:\autorun.inf (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\m1846741.dll (12169462 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   %WinDir%\s265006334.dll (35485887 bytes)
   C:\1.exe (37 bytes)
   %System%\config (108 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.