MD5: b716fb5b5e0ecd14fb839d4d27875601
SHA1: 2862d3c66bdbfb75eac0773da77b56d5e12a93f1
SHA256: 15d5da5c700d8e17a02cf3cb1904215a7b406125219468af3b3b3c6d10b74a8d
SSDeep: 768:s4o oy/qdgQFXfxtaw8E4RYphsyN9AEVCteAe:kbyiiQB5r8E2 AjeAe
Size: 37888 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company:
Created at: 2009-07-25 18:30:12
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

Process activity

The DeepScan creates the following process(es):

taskkill.exe:504
taskkill.exe:744
taskkill.exe:1764
sc.exe:1144
rundll32.exe:2008
cacls.exe:1336

The DeepScan injects its code into the following process(es):

%original file name%.exe:368

Mutexes

The following mutexes were created/opened:

RasPbFile
WininetProxyRegistryMutex
c:!documents and settings!adm!local settings!history!history.ie5!
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
DBWinMutex
ShimCacheMutex
135896

File activity

The process %original file name%.exe:368 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10A8YH0M\desktop.ini (67 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0SRP20XU\desktop.ini (67 bytes)
C:\autorun.inf (21 bytes)
%System%\m1846741.dll (12169462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V7JJDNL4\desktop.ini (67 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir% (384 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\94S2IMRP\desktop.ini (67 bytes)
%System% (744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config (100 bytes)
%System%\drivers (96 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (37 bytes)

The process rundll32.exe:2008 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

Registry activity

The process taskkill.exe:504 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 11 BC C7 61 61 E7 2C 13 31 AC 36 38 11 24 E8"

The process taskkill.exe:744 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C E1 C4 B7 A3 52 FD F5 84 B1 79 5E 56 2E 50 44"

The process taskkill.exe:1764 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 49 62 01 9C 06 C0 5B CF B7 F5 33 E6 7F C1 39"

The process sc.exe:1144 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 35 4D 48 51 80 C1 C9 18 F6 BC E5 FC 88 CF 09"

The process rundll32.exe:2008 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 5A 2B 36 60 61 86 EA A3 42 48 57 EE 97 46 55"

The process cacls.exe:1336 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 EF E8 C7 13 09 BE 1D 37 7D 9F 18 E3 97 83 99"

Dropped PE files

HOSTS file anomalies

The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The DeepScan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 5.1.2600.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: CALC.EXE
Internal Name: CALC
File Version: 5.1.2600.0 (xpclient.010817-1148)
File Description: Windows Calculator application file
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
24e75bde7d18226edd597ae697d87e7e

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the folowing location(s):

`.rsrc

%s\s%d

32.exe m

:%dm^`[

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

3-3?3\3{3

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

WinExec

GetWindowsDirectoryA

.text

`.rdata

@.data

.rsrc

.CJ66

aMSg3u

O`.rdha

KERNEL32.DLL

MSVCRT.dll

SHELL32.dll

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Microsoft(R) Windows(R) Operating System

5.1.2600.0

%original file name%.exe_368_rwx_00401000_0001D000:

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

3-3?3\3{3

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

WinExec

GetWindowsDirectoryA

.text

`.rdata

@.data

.rsrc

.CJ66

aMSg3u

%original file name%.exe_368_rwx_10000000_00001000:

.data

.rsrc

@.reloc

psapi.dll

\patch.exe

\dstdisk.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\drivers\gm.dls

%s%d.txt

>>tmp.tmp

@echo rcx>>tmp.tmp

@echo %X>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo w>>tmp.tmp

@echo q>>tmp.tmp

@debug<tmp.tmp>nul

@rename tmp2 tmp2.exe

tmp2.exe

Windows

1.exe

autorun.inf

Open=1.exe

urlmon

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

.html

.hhqg

qq.exe

360safe.exe

\explorer.exe

\temp\explorer.exe

nfect_exe

\pipe\browser

\\%s\IPC$

Bd

%original file name%.exe_368_rwx_1000A000_00002000:

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

WinExec

CreatePipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

WS2_32.dll

InternetOpenUrlA

WININET.dll

rundll32.exe_2008:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:504
   taskkill.exe:744
   taskkill.exe:1764
   sc.exe:1144
   rundll32.exe:2008
   cacls.exe:1336

3. Delete the original DeepScan file.
   
4. Delete or disinfect the following files created/modified by the DeepScan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10A8YH0M\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0SRP20XU\desktop.ini (67 bytes)
   C:\autorun.inf (21 bytes)
   %System%\m1846741.dll (12169462 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V7JJDNL4\desktop.ini (67 bytes)
   %WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\94S2IMRP\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\config (100 bytes)
   %WinDir%\s265006334.dll (35485887 bytes)
   C:\1.exe (37 bytes)
   %System%\drivers\acpiec.sys (14 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.