MD5: 92ba7a6ffbeaf11f08bf1b80e290b006
SHA1: a48844d3b71464fa0fb5253bf76afec418b4d4f6
SHA256: a1df0abbbf5d633bfa8b2c383faad7baac1e77c4a4f3691181a3bafaae7b2bb7
SSDeep: 3072:PKWQaSusddv0jIQ44sVPF/TCSUnL67d1zkeQ4uHeOdHSj/MmJ6fAkNsfJ TN:Pydv0jIQ0N/TnUnO7dQ GHurfu
Size: 246272 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-07-25 18:30:12
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The DeepScan creates the following process(es):

taskkill.exe:188
taskkill.exe:1368
taskkill.exe:1376
sc.exe:1500
rundll32.exe:492
cacls.exe:1028

The DeepScan injects its code into the following process(es):

%original file name%.exe:580

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process rundll32.exe:492 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

The process %original file name%.exe:580 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\m1846741.dll (12169462 bytes)
%WinDir% (384 bytes)
C:\ (4 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (1281 bytes)
C:\$Directory (4 bytes)
%System%\config (104 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\drivers (96 bytes)
%System% (744 bytes)

Registry activity

The process taskkill.exe:188 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 58 FD 22 CB 6E 36 15 12 5C 48 0B 6B 2C 18 C0"

The process taskkill.exe:1368 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 95 7B 00 07 E1 2E B2 06 F3 52 BB D1 AE 48 F5"

The process taskkill.exe:1376 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 A6 E2 CB AA 5C 0A 51 A4 3F 91 3A 4A FC DF DB"

The process sc.exe:1500 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 88 1A A9 31 BF 59 51 8F FE 69 81 45 B8 3A 56"

The process rundll32.exe:492 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 13 19 BE 46 A9 93 D2 E3 FC 62 09 A1 75 92 55"

The process cacls.exe:1028 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 1D 98 88 15 B6 3B 40 D2 86 87 B1 5C 06 33 5D"

Dropped PE files

HOSTS file anomalies

The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The DeepScan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Sherry.ai Software
Product Name: Sherry.ai(R) Windows(R)
Product Version: 1.0.0.1
Legal Copyright: (C) Sherry.ai. All rights reserved.
Legal Trademarks:
Original Filename: Svchost.EXE
Internal Name: CALC
File Version: 1.0.0.1
File Description:
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.vmp0

`.vmp1

.reloc

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

3-3?3\3{3

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

F;.VF

7O6%F

!pJ%C

.zx\)

LR(.Xu

d;.UP

jn/%c

WinExec

user32.dll

MSVCRT.dll

SHELL32.dll

KERNEL32.DLL

GetWindowsDirectoryA

Sherry.ai Software

1.0.0.1

(C) Sherry.ai. All rights reserved.

Svchost.EXE

Sherry.ai(R) Windows(R)

%original file name%.exe_580_rwx_10000000_00001000:

.data

.rsrc

@.reloc

psapi.dll

\patch.exe

\dstdisk.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\drivers\gm.dls

%s%d.txt

>>tmp.tmp

@echo rcx>>tmp.tmp

@echo %X>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo w>>tmp.tmp

@echo q>>tmp.tmp

@debug<tmp.tmp>nul

@rename tmp2 tmp2.exe

tmp2.exe

Windows

1.exe

autorun.inf

Open=1.exe

urlmon

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

.html

.hhqg

qq.exe

360safe.exe

\explorer.exe

\temp\explorer.exe

nfect_exe

\pipe\browser

\\%s\IPC$

Bd

%original file name%.exe_580_rwx_1000A000_00002000:

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

WinExec

CreatePipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

WS2_32.dll

InternetOpenUrlA

WININET.dll

rundll32.exe_492:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:188
   taskkill.exe:1368
   taskkill.exe:1376
   sc.exe:1500
   rundll32.exe:492
   cacls.exe:1028

3. Delete the original DeepScan file.
   
4. Delete or disinfect the following files created/modified by the DeepScan:
   

   %System%\drivers\acpiec.sys (14 bytes)
   C:\autorun.inf (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\m1846741.dll (12169462 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   %WinDir%\s265006334.dll (35485887 bytes)
   C:\1.exe (1281 bytes)
   C:\$Directory (4 bytes)
   %System%\config (104 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.