Dropped.Generic.Malware.SFYBdg.6140F5F2_a2e04faa2a
Trojan.Win32.Cosmu.dhrw (Kaspersky), Dropped:Generic.Malware.SFYBdg.6140F5F2 (B) (Emsisoft), Dropped:Generic.Malware.SFYBdg.6140F5F2 (AdAware), Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a2e04faa2ab56f806c2dc7255d2c9b6d
SHA1: 45aefe4d633033cf35542807533bca95aa829362
SHA256: 495077bbd41bb7e1ee0b08389c355300b480cb8bbcf5c44c7550ce374155823f
SSDeep: 3072:vxAHNZL/I /9yajam oz4cDh4 O1qAFLRgTJWqS:JkPLAmDjlvEoAFLRW4
Size: 1130496 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-04-05 17:48:51
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
%original file name%.exe:852
The Dropped injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
c:!documents and settings!adm!cookies!
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
WininetProxyRegistryMutex
WininetConnectionMutex
RasPbFile
ShimCacheMutex
48C56927-A0DB-4e31-8C32-FE15FBA45043
File activity
The process %original file name%.exe:852 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5b0420fb-f88b-4b88-aa34-0015c7d55007 (4 bytes)
%System%\inforasip.ocx (4 bytes)
%System%\srvsvcinfo.exe (327681 bytes)
%System%\pdbpoolfwc.exe (327681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ee0c9b8c-9d6b-4e8c-9e74-98e962b397b7 (42 bytes)
%System%\svcctfdisp.exe (327681 bytes)
%System%\poolipdhcp.exe (327681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\de64b09e-733d-4087-90e9-983e892b9682 (4 bytes)
Registry activity
The process %original file name%.exe:852 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}]
"IconsBinary" = "%System%\svcctfdisp.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\82.146.51.22]
"*" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID]
"(Default)" = "AcroIEHelperShim.AcroIEHelperShimObj"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion]
"SerialIID" = "CC FE 34 01 63 8E 34 12 08 21 02 2A 5D 9D 1F F5"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}]
"StubPath" = "rundll32.exe %System%\themeuichk.dll,ThemesSetupInstallCheck"
[HKCU\Control Panel\Desktop]
"ForegroundLockTimeout" = "20250408"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Check_Associations" = "no"
[HKCR\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
"(Default)" = "Adobe PDF Link Helper"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}]
"ComponentID" = "DOTNETFRAMEWORKS"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}]
"IsInstalled" = "1"
[HKCR\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}]
"DontAsk" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Adobe\CommonFiles]
"IconsStorage0" = "%System%\poolipdhcp.exe"
[HKCR\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID]
"(Default)" = "AcroIEHelperShim.AcroIEHelperShimObj.1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED AD 04 64 EA 8B C6 9B 6F C4 41 1C C6 21 1F 0A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}]
"(Default)" = "Themes Setup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}]
"Version" = "1,1,1,2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"recovery" = "%System%\pdbpoolfwc.exe"
[HKCR\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32]
"(Default)" = "%System%\inforasip.ocx"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"recovery" = "%System%\pdbpoolfwc.exe"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
"(Default)" = "AcroIEHelperStub"
"NoExplorer" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 97c92f4457dd94d678d4c9e4bdd8352f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\advsec32.dll |
| 0295fb28f715a19e2b0c497b5dd55629 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ctfdispvdm.dll |
| 97c92f4457dd94d678d4c9e4bdd8352f | c:\WINDOWS\system32\inforasip.ocx |
| e3bca97b0bcdbdb91d3d80c5dc343080 | c:\WINDOWS\system32\pdbpoolfwc.exe |
| 264d6333854b78fd6884e331be789cec | c:\WINDOWS\system32\poolipdhcp.exe |
| 609ad64af04f9dc3b500132332de5bca | c:\WINDOWS\system32\srvsvcinfo.exe |
| 1308522ca93d07acf87727f9330188f9 | c:\WINDOWS\system32\svcctfdisp.exe |
| 50cd611f2eb788b26e0ad6afb1328331 | c:\WINDOWS\system32\themeuichk.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Intel NGO
Product Name: NGO
Product Version: 6, 5, 0, 0
Legal Copyright: Copyright (C) 2007
Legal Trademarks: Intel Corp.
Original Filename: NGO
Internal Name: Intel NGO
File Version: 6, 5, 1, 1
File Description: Intel Motherboard Service
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 101304 | 102400 | 4.62199 | 4146e9e115d66c0f5010428c8d302703 |
| .rdata | 106496 | 27986 | 28672 | 3.28394 | b45eafb3a9a3738f0028f8822b50cdee |
| .data | 135168 | 68836 | 45056 | 4.79578 | 1349fc1499e17b72c38084ff125d843f |
| .rsrc | 204800 | 856 | 4096 | 0.616061 | d11836e51194f444ded1c05b44489c74 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Dropped connects to the servers at the following location(s):
hXXp://82.146.51.22/joomla/modules/xsnt-direct.php
82.146.51.22
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.9) Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9
Content-Type: application/x-www-form-urlencoded
echo del %0 > "%TEMP%\msicheck.cmd"
echo copy /y "%SYSTEMROOT%\system32\ping.exe" "%TEMP%\smss.exe" >> "%TEMP%\msicheck.cmd"
echo :z >> "%TEMP%\msicheck.cmd"
echo del %1 >> "%TEMP%\msicheck.cmd"
echo "%TEMP%\smss.exe" 127.1 -n 30 >> "%TEMP%\msicheck.cmd"
echo attrib -s -h %1 >> "%TEMP%\msicheck.cmd"
echo if exist %1 goto z >> "%TEMP%\msicheck.cmd"
echo del "%TEMP%\msicheck.cmd" >> "%TEMP%\msicheck.cmd"
echo del "%TEMP%\smss.exe" >> "%TEMP%\msicheck.cmd"
"%SYSTEMROOT%\system32\cmd.exe" /c "%TEMP%\msicheck.cmd"
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:852
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5b0420fb-f88b-4b88-aa34-0015c7d55007 (4 bytes)
%System%\inforasip.ocx (4 bytes)
%System%\srvsvcinfo.exe (327681 bytes)
%System%\pdbpoolfwc.exe (327681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ee0c9b8c-9d6b-4e8c-9e74-98e962b397b7 (42 bytes)
%System%\svcctfdisp.exe (327681 bytes)
%System%\poolipdhcp.exe (327681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\de64b09e-733d-4087-90e9-983e892b9682 (4 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"recovery" = "%System%\pdbpoolfwc.exe"
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.