MD5: 830276713aa87bfb6169f614f0211c7a
SHA1: 8b0369769b409ba371af973ad3ea2d2a8e78816e
SHA256: 4a7ae9b0ce55bb85736861b771e3b726aa2a5482180a4d9f16f0895f23cdd081
SSDeep: 768:auHO2kB41lc056szhvn pVmVY6dMo4SBN l0:agkBaT56szhv pV6HMM l0
Size: 31744 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2009-08-03 06:05:25
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Process activity

The DeepScan creates the following process(es):

taskkill.exe:1832
taskkill.exe:1536
sc.exe:1824
rundll32.exe:1672
cacls.exe:1752

The DeepScan injects its code into the following process(es):

%original file name%.exe:1600

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1600 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\m1846741.dll (11993590 bytes)
%WinDir% (384 bytes)
C:\ (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\s265006334.dll (22141543 bytes)
C:\1.exe (31 bytes)
C:\$Directory (4 bytes)
%System%\config (12 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System% (744 bytes)

The process rundll32.exe:1672 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

Registry activity

The process taskkill.exe:1832 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 29 3C A4 A8 03 C6 6D CE 9B CA E9 BF 41 0B 23"

The process taskkill.exe:1536 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B E4 0A 42 BF EB EE FC 4E 2B C6 67 04 EB 51 EB"

The process sc.exe:1824 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 2A 28 F0 78 50 EC 23 9F 79 BA AB 66 F6 ED A7"

The process rundll32.exe:1672 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 07 43 11 48 B4 FF 39 07 A8 A3 06 58 D4 09 A0"

The process cacls.exe:1752 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 74 95 C8 45 71 BB 32 00 43 00 43 2E 16 9D 0F"

Dropped PE files

HOSTS file anomalies

The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The DeepScan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 5.1.2600.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: CALC.EXE
Internal Name: CALC
File Version: 5.1.2600.0 (xpclient.010817-1148)
File Description: Windows Calculator application file
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
e59e813e8662d81d7bcc84869fa63890
9c635e7f73019be2d88b085a3e1834b8

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the folowing location(s):

`.rsrc

iZT/_%s\s%d

%d.dllrun

32.exe

^d:%dm^`[

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

WinExec

GetWindowsDirectoryA

.text

`.rdata

@.data

.rsrc

.CJ66*

}-D.K.Q.hKx.~.

,mF %c

B`.rd}

KERNEL32.DLL

MSVCRT.dll

SHELL32.dll

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Microsoft(R) Windows(R) Operating System

5.1.2600.0

%original file name%.exe_1600_rwx_00401000_00016000:

%s\s%d%d.dll

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\drivers\gm.dls

explorer.exe

[ffi][nil:>:,::mn^::K<?CRT

 ,1(*(*( 

 ,1(*(*(,

 ,1(*(*(-

 ,1(*(*(*

 , ( .( * (02

 ,1( ( ( 

 ,1(*( ( 

0 ( ,2( 1 (  /42*2*

 , (  (3*(13

 ,/(3*(22(-2

,*.( 11(3,(02

, *(1.( ./(,-0

, *(10(*( --

, 3( ,3(,-3(,,*

0 ( 00(-,(,

, 3( /-(.*(,, 

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

,, ( 3/(.,(1 

,,,(1-(, 2(  /

,*-(  *( 02(,--42*

,*-(  *( 02(,, 42*

/3(-.( - (/.

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(31

0*( 3*(  .( * 

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0 ( ./(  1(, ,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,, 

1/( ,0(-(,,,

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

webtrap

WEBSCANX

WEBSCAN

smtpsvc

safeweb

Kabackreport

WinExec

GetWindowsDirectoryA

.text

`.rdata

@.data

.rsrc

.CJ66*

%original file name%.exe_1600_rwx_10000000_00001000:

.data

.rsrc

@.reloc

psapi.dll

\patch.exe

\dstdisk.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\drivers\gm.dls

Windows

1.exe

autorun.inf

Open=1.exe

urlmon

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

.html

.hhqg

qq.exe

360safe.exe

\explorer.exe

\temp\explorer.exe

nfect_exe

rundll32.exe_1672:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

%original file name%.exe_1600_rwx_10005000_00001000:

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

WinExec

CreatePipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

ADVAPI32.dll

InternetOpenUrlA

WININET.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   taskkill.exe:1832
   taskkill.exe:1536
   sc.exe:1824
   rundll32.exe:1672
   cacls.exe:1752

3. Delete the original DeepScan file.
   
4. Delete or disinfect the following files created/modified by the DeepScan:
   

   C:\autorun.inf (21 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\m1846741.dll (11993590 bytes)
   %System%\drivers\etc\hosts (5 bytes)
   %WinDir%\s265006334.dll (22141543 bytes)
   C:\1.exe (31 bytes)
   C:\$Directory (4 bytes)
   %System%\config (12 bytes)
   %System%\drivers\pcidump.sys (5404535 bytes)
   %System%\drivers\acpiec.sys (14 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.