DeepScan.Generic.Malware.SLNg.DF912DEA_0704f553c4
Trojan.GenericKD.30598445 (BitDefender), Worm:Win32/Cambot.A (Microsoft), Trojan.Win32.Llac.llzl (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), BackDoor.BotSiggen.51 (DrWeb), Trojan.GenericKD.30598445 (B) (Emsisoft), W32/Generic.worm!p2p (McAfee), ML.Attribute.HighConfidence (Symantec), P2P-Worm.Win32.BlackControl (Ikarus), Trojan.GenericKD.30598445 (FSecure), Win32:Banker-IZK [Trj] (AVG), Win32:Banker-IZK [Trj] (Avast), TSPY_VB_GA250A05.UVPM (TrendMicro), DeepScan:Generic.Malware.SLN!g.DF912DEA (AdAware), GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, P2P-Worm, WormAutorun, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0704f553c46d80e21f1e7b498f3545cc
SHA1: 2b900e3e6626855bf8e0d25f32a0439564570c06
SHA256: 77138029cb7ab443afd219deb7d0ebdaf2e0dabdaf8b8e15ca96222ad203e263
SSDeep: 3072:3Hjk 0oLnWFnzBHv/xWFsg8WatFBGFVWPE5ac0pG/1z QVMbg1d:Xo/BHng5HaVG4G/1z QVMbg1d
Size: 202696 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualBasicv50v60
Company: Crawler.com, LLC
Created at: 2011-06-29 03:05:34
Analyzed on: Windows7 SP1 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives: it writes its executable and an "autorun.inf" script to every removable drive it finds, and the script is meant to launch the DeepScan's file when a user opens the drive in Windows Explorer (only on systems that still honour AutoRun for removable media). |
Process activity
The DeepScan creates the following process(es):
%original file name%.exe:3940
The DeepScan injects its code into the following process(es):
No injection into other processes was observed.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3940 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe (60060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\JNPEXYM8RIU5I (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ag58fpqon.exe.jpg (18300 bytes)
Registry activity
The process %original file name%.exe:3940 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"
To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"
Dropped PE files
MD5 | File path |
---|---|
d6f506d83193d21db84e7890cbc5a1ca | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ag58fpqon.exe.jpg |
d6f506d83193d21db84e7890cbc5a1ca | c:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives: it writes its executable and an "autorun.inf" script to every removable drive it finds, and the script is meant to launch the DeepScan's file when a user opens the drive in Windows Explorer. Two caveats for responders: Windows 7 and later do not honour autorun.inf on USB flash drives (Microsoft backported the same AutoPlay change to XP and Vista in KB971029), so on a patched host the copy only runs if the user starts it by hand; and no autorun.inf write appears in the file activity section of this report, so the file name the DeepScan uses on drives is not documented here.
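Triage of a suspect drive comes down to reading its autorun.inf and following every launch directive. The routine below is an added example, not from the report and not the worm's own code: it parses the [autorun] section (tolerating a BOM, comments and odd casing), lists every directive Explorer would act on (open, shellexecute, shell\<verb>\command), checks whether each referenced file exists on the drive and has an executable extension, and hashes it against the two MD5s this report lists. SAMPLE_AUTORUN_INF and the RECYCLER\AG58FPQON.exe drop path are constructed for the demo, modelled on how such worms typically use the file; the report does not show what this sample writes to drives.

```python
"""Triage an autorun.inf found on a removable drive.

Added example; not part of the Lavasoft report and not the worm's own code.
SAMPLE_AUTORUN_INF and the RECYCLER\\AG58FPQON.exe drop path are constructed
for the demo; the report does not show what the sample writes to drives.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# MD5s this report lists: the original sample and the dropped AG58FPQON.exe.
KNOWN_BAD_MD5 = {"0704f553c46d80e21f1e7b498f3545cc",
                 "d6f506d83193d21db84e7890cbc5a1ca"}
# Directives Explorer acts on: open=, shellexecute=, shell\<verb>\command=.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed: a BOM, a comment, a spoofed "open folder" action and three
# launch directives all pointing at the same dropped executable.
SAMPLE_AUTORUN_INF = "\ufeff" + r"""[AutoRun]
; harmless-looking header
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
open=RECYCLER\AG58FPQON.exe
shell\open\command=RECYCLER\AG58FPQON.exe
shell\explore\command=RECYCLER\AG58FPQON.exe
useautoplay=1
"""

def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] (or [autorun.<arch>]) section.
    Keys are lower-cased; a BOM, blank lines and ;/# comments are skipped."""
    directives: Dict[str, str] = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            in_section = name == "autorun" or name.startswith("autorun.")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def launch_targets(directives: Dict[str, str]) -> List[str]:
    """The program each launch directive would run (arguments stripped)."""
    targets: List[str] = []
    for key, value in directives.items():
        if not LAUNCH_KEY.match(key):
            continue
        cmd = value.strip()
        if cmd.startswith('"'):                      # "path with spaces" /arg
            end = cmd.find('"', 1)
            target = cmd[1:end] if end > 0 else cmd[1:]
        else:                                        # path /arg
            target = cmd.split()[0] if cmd else ""
        if target:
            targets.append(target)
    return targets

def triage_drive(root: Path) -> dict:
    """Inspect <root>/autorun.inf and every file its launch directives name."""
    inf = root / "autorun.inf"
    result = {"has_autorun_inf": inf.is_file(), "action_text": None,
              "targets": [], "known_bad": [], "missing": []}
    if not inf.is_file():
        return result
    directives = parse_autorun_inf(inf.read_bytes().decode("utf-8-sig", errors="replace"))
    result["action_text"] = directives.get("action")
    for target in launch_targets(directives):
        path = root / target.replace("\\", "/")      # INF paths are drive-relative
        info = {"target": target, "exists": path.is_file(),
                "executable": path.suffix.lower() in EXECUTABLE_EXT}
        if path.is_file():
            info["md5"] = hashlib.md5(path.read_bytes()).hexdigest()
            if info["md5"] in KNOWN_BAD_MD5:
                result["known_bad"].append(target)
        else:
            result["missing"].append(target)
        result["targets"].append(info)
    return result

def demo() -> dict:
    """Build a throwaway 'drive' holding the constructed autorun.inf and a
    placeholder payload (its MD5 will not match the report), then triage it."""
    root = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    (root / "RECYCLER").mkdir()
    (root / "RECYCLER" / "AG58FPQON.exe").write_bytes(b"MZ placeholder, not the sample")
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF, encoding="utf-8")
    return triage_drive(root)

if __name__ == "__main__":
    for item in demo()["targets"]:
        print(item)
```

Point `triage_drive()` at the mount point of a real drive; a target that is missing while the directive is present usually means the worm's copy has already been removed by AV, and an `action=` text that mimics the default "Open folder to view files" prompt is itself a strong sign the file was planted rather than shipped by a vendor.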
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 189928 | 192512 | 4.47684 | 66c3b26fe4151f9acbcac382daaaf952 |
.data | 196608 | 9180 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 208896 | 16 | 4096 | 0 | 620f0b67a91f7f74151bc5be745b7110 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://migsel.com/system/classes/alive.php?key=Blackshades_Key&pcuser=adm&pcname=WIN-UK0FFOO83I6&hwid=10F5F7ED&country=United States | 95.128.128.129 |
hxxp://migsel.com/system/classes/fg.php?key=Blackshades_Key | 95.128.128.129 |
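The two URLs above are HTTP check-ins: alive.php reports the victim's user name, host name, hardware id and country, fg.php carries only the shared key, and the literal key value Blackshades_Key is the distinctive part. The following is an added example (not from the report, the sample or the ET ruleset) that scans constructed Squid-style proxy log lines for these requests: a hit is "confirmed" when the host, IP or key matches the report, and "suspect" when a different host receives the same script name together with the victim-identifier parameters. The log format, the example.* hosts and the SUGGESTED_RULE Suricata signature are my own assumptions, not the ET rule the IDS fired.

```python
"""Spot the check-in requests from the URLs table in web proxy logs.

Added example, not from the report or the ET ruleset. SAMPLE_LOG is a
constructed Squid-style log; the example.* hosts and SUGGESTED_RULE are mine."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

CHECKIN_SCRIPTS = {"alive.php", "fg.php"}          # scripts seen in the report
CHECKIN_KEY = "Blackshades_Key"                    # hard-coded key parameter
KNOWN_C2 = {"migsel.com", "95.128.128.129"}        # host and IP from the report
VICTIM_FIELDS = {"pcuser", "pcname", "hwid"}       # identifiers alive.php sends

# Constructed lines: <unix time> <client ip> <method> <url> <status>
SAMPLE_LOG = """\
1309316734 10.0.0.15 GET http://migsel.com/system/classes/alive.php?key=Blackshades_Key&pcuser=adm&pcname=WIN-UK0FFOO83I6&hwid=10F5F7ED&country=United%20States 200
1309316735 10.0.0.15 GET http://migsel.com/system/classes/fg.php?key=Blackshades_Key 200
1309316740 10.0.0.22 GET http://www.example.com/index.html 200
1309316801 10.0.0.31 GET http://other.example.net/panel/alive.php?key=abc&pcuser=bob&pcname=DESKTOP-1&hwid=DEADBEEF&country=Canada 404
"""
LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# My own Suricata signature for the alive.php beacon shape (not the ET rule).
SUGGESTED_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
                  '(msg:"Blackshades-style alive.php check-in with hwid"; '
                  'flow:established,to_server; http.uri; '
                  'content:"/system/classes/alive.php?key="; content:"&hwid="; '
                  'distance:0; classtype:trojan-activity; sid:9000001; rev:1;)')

def classify_url(url: str) -> Optional[Dict[str, str]]:
    """'confirmed' when the host or the key matches the report, 'suspect' when
    an unknown host receives the same script name plus victim identifiers."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in CHECKIN_SCRIPTS:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.hostname in KNOWN_C2 or q.get("key") == CHECKIN_KEY:
        level = "confirmed"
    elif VICTIM_FIELDS.issubset(q):
        level = "suspect"
    else:
        return None
    return {"level": level, "host": parts.hostname or "", "script": script,
            "key": q.get("key", ""), "pcuser": q.get("pcuser", ""),
            "pcname": q.get("pcname", ""), "hwid": q.get("hwid", ""),
            "country": q.get("country", "")}

def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each line, classify its URL and attach client IP and time."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, don't crash
        finding = classify_url(m.group("url"))
        if finding:
            finding.update(src=m.group("src"), ts=m.group("ts"), status=m.group("status"))
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["level"], f["src"], f["host"], f["script"], f["pcname"], f["hwid"])
```

The hwid value is the useful pivot: it is stable per infected machine, so grouping findings by it (rather than by source IP, which changes with DHCP) tells you how many hosts are beaconing even when the operator moves the panel to a new domain.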
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN VirTool-Win32-VBInject.gen-FA Reporting
Traffic
Web Traffic was not found.
The DeepScan connects to the server(s) at the following location(s): 95.128.128.129 (migsel.com), as listed in the URLs table above.
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3940
- Delete the original DeepScan file.
- Delete or disinfect the following files created/modified by the DeepScan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe (60060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\JNPEXYM8RIU5I (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ag58fpqon.exe.jpg (18300 bytes)
- Delete the following value(s) in the autorun keys, including the Policies\Explorer\Run copies listed under Registry activity (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"VLXHCMT5KJ" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AG58FPQON.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.