MD5: e83e1c36b2e8edb62dc0749713f00a2b
SHA1: 7e23252848be27095c3b43e43c7bc94120613cf5
SHA256: eb3150b4563e7d8bd6fd55391c5e1060b75a15a4ac85a20dd3ea343f90b97e9b
SSDeep: 3072:qVz5JcRAD7QDKBB2F9LmJirrCzvPwWUDA/b:qVz5Sg7QWOFFmvznWDs
Size: 141200 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Ke v in S o l w a y
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:320

The Malware injects its code into the following process(es):

%original file name%.exe:1364

Mutexes

The following mutexes were created/opened:

bzwdh9 rif
aqstx 3-_d53-q-al#
_mwhhsatt#u-j2d
mfsjnsm_in7u_k
wmw8l4oed
wa8_tjliumgc9r
9vgdcyu
se7zvchlt39ot dszrkz
05wu7t48mfvzp
89000t5vj8h
k
zk5cilkw
hn9dmo3ri444et8#fe
77-x4ctrab
age2 n-eh-hr5
o49wm4qrp
q 6 _mq7
hb3
_7 uw
au2ufhzvu#89g
0si4la0padpds
%no id%
0 8p5ok4#wj
o yqyq0izrowk#
#mz
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
RasPbFile
ZonesCacheCounterMutex
ZonesCounterMutex
ZonesLockedCacheCounterMutex
ShimCacheMutex

File activity

The process %original file name%.exe:1364 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ULKLCREP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2AZ3HDB0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q967U5EX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JXVQUFIE\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:320 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 17 12 C7 C1 F6 48 46 26 98 CA D0 05 6D 03 C1"

The process %original file name%.exe:1364 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 E7 C0 24 EC 43 E8 F7 4D F9 AC 66 B4 1D 1F 51"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Downloader
Product Version: 1, 0, 0, 0
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename: Downloader.exe
Internal Name: Downloader
File Version: 1, 0, 0, 0
File Description: Downloader
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Malware connects to the servers at the folowing location(s):

.text

P`.data

.idata

.rsrc

GetProcessHeap

KERNEL32.dll

USER32.dll

kernel32.dll

1, 0, 0, 0

Downloader.exe

%original file name%.exe_1364_rwx_00400000_0000D000:

.text

P`.data

.idata

.rsrc

GetProcessHeap

KERNEL32.dll

USER32.dll

1, 0, 0, 0

Downloader.exe

%original file name%.exe_1364_rwx_10001000_0000E000:

It.It%It

u%C;^

SSSSh

%d.%s%d

>%d.%s%d

A%d.%s%d

0A%d %s

CMD == %d

https

Downloader MLR 1.0.0

Request returned code %d

code: %d, requested %d bytes, read %d bytes, total: %d of %d

Range: bytes=%d-

.xdl!

Protocol not supported

partner_new_url_inet

partner_online_url

partner_new_url

/partner_new_url=

http://sputnikmailru.cdnmail.ru/mailrusputnik.exe

mailrusputnik.exe

%s%s%d

DL: failed to save runner (%s)

DL: run failed with code %d

DL: Running <%s> with args <%s>

runprog.exe

00000000

Downloader Touch MLR 1.0.0

http://internetmailru.cdnmail.ru/Internet.exe

Internet.exe

http://detailinfo.ru/pterror=

%s.%d.exe

(*.*)

http://sputnik.mail.ru/

http://internet.mail.ru/

A%s\%s

%d%% - %s

Filename: %s

/partner_online_url=

.text

`.rdata

@.reloc

RunProg: run failed with code %d

RunProg: running <%S> with args <%S>

RunProg: argv [%d]: <%S>

RunProg: argc: %d

RunProg: args: <%S>

SHLWAPI.dll

GetProcessHeap

KERNEL32.dll

ShellExecuteW

SHELL32.dll

ShellExecuteA

ShellExecuteExA

InternetOpenUrlA

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

@.data

.rsrc

7.text

B`.rdata

HLWAPI.dll

KERNEL32.DLL

COMDLG32.dll

GDI32.dll

USER32.dll

WININET.dll

tiny-dl.dll

download.exe

example.com

@mail.ru

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:320
   

2. Delete the original Malware file.
   
3. Delete or disinfect the following files created/modified by the Malware:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ULKLCREP\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2AZ3HDB0\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q967U5EX\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JXVQUFIE\desktop.ini (67 bytes)

4. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.