Gen.Heur.Minggy.1_b41665584d
Trojan.Win32.Agent.icgh (Kaspersky), Gen:Heur.Minggy.1 (B) (Emsisoft), Gen:Heur.Minggy.1 (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: b41665584db8d11622d5a0668677ff0a
SHA1: 533f72f5fb2bff383800bce38554f4058c9cc124
SHA256: a9570d73c259f778299ca381a7f6a18f881317ee228bb98cd0dabb1e6be423f1
SSDeep: 12288:71/aGLDCMNpNAkoSzZWD8ayX2M7Cw7D00B9lF8bunHlpzvC3JKy2kOOykvJt gYp:71/aGLDCM4D8ayGMLB9lPHPMvJt NTis
Size: 741815 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-27 08:41:59
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
vnkpdd.exe:972
%original file name%.exe:556
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process vnkpdd.exe:972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\AUTOEXEC.BAT .exe (1455811 bytes)
C:\MSDOS.SYS .exe (1455811 bytes)
C:\IO.SYS .exe (1455811 bytes)
C:\%original file name%.exe .exe (1455811 bytes)
C:\boot.ini .exe (1455811 bytes)
%Documents and Settings% .exe (1455811 bytes)
C:\RECYCLER .exe (1455811 bytes)
C:\ntldr .exe (1455811 bytes)
C:\original .exe (1455811 bytes)
C:\totalcmd .exe (1455811 bytes)
C:\NTDETECT.COM .exe (1455811 bytes)
C:\System Volume Information .exe (1455811 bytes)
C:\CONFIG.SYS .exe (1455811 bytes)
C:\marker .exe (1455811 bytes)
%Program Files% .exe (1455811 bytes)
%WinDir% .exe (1455811 bytes)
C:\pagefile.sys .exe (1455811 bytes)
The Trojan deletes the following file(s):
C:\Mirax (0 bytes)
C:\Mirau (0 bytes)
C:\Miraw (0 bytes)
C:\Mirar (0 bytes)
C:\Miras (0 bytes)
C:\Miral (0 bytes)
C:\Miran (0 bytes)
C:\Mirao (0 bytes)
C:\Mirah (0 bytes)
C:\Mirai (0 bytes)
C:\Mirak (0 bytes)
C:\Mirad (0 bytes)
C:\Miraf (0 bytes)
C:\Mirag (0 bytes)
C:\Miraa (0 bytes)
C:\Mirab (0 bytes)
The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Saaaalamm\Mira.h (542871 bytes)
%Documents and Settings%\All Users\Application Data\vnkpdd.exe (914498 bytes)
Registry activity
The process vnkpdd.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "%Documents and Settings%\All Users\Application Data\vnkpdd.exe"
The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 10 72 AE C4 C1 A3 C0 83 C5 A7 00 C6 72 3F 1B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 46c00b0934cea970d24bb7559958e0e5 | c:\AUTOEXEC.BAT .exe |
| f5c66277491f9c1a3bcf8fc70b915a3f | c:\CONFIG.SYS .exe |
| 97dc9ed21e34a4e8a17281158d3b4ba6 | c:\Documents and Settings .exe |
| a17c5d4d029b25865e8d97986fd5aaa3 | c:\Documents and Settings\All Users\Application Data\Saaaalamm\Mira.h |
| c524dc7fa43366c878f63d05fbc07265 | c:\Documents and Settings\All Users\Application Data\vnkpdd.exe |
| 91dbc96978035a89a343921a080909c8 | c:\IO.SYS .exe |
| 4e44b3e1e99951fef5047315757dc2db | c:\MSDOS.SYS .exe |
| ad863e8a1884310b276faaa28b3ffe47 | c:\NTDETECT.COM .exe |
| b05881e3244590d6d8f46c528322facb | c:\Perl .exe |
| f4799ecc0dee6758c927b7c49151dbe2 | c:\Program Files .exe |
| ead4ded261c41a95a534bd0629ec634b | c:\RECYCLER .exe |
| b38296cc9e85d6f1becb01bae840eead | c:\System Volume Information .exe |
| 103989f53fe28f7c34733ce36b3dfb9c | c:\WINDOWS .exe |
| 96ed04f29a17676336ba4ac34e897e57 | c:\%original file name%.exe .exe |
| 13c56dba2e739b6e622c9366e4ad823e | c:\boot.ini .exe |
| 8adc317d06996bb3fbe6910e3dd0d770 | c:\marker .exe |
| bcaafd80747c95e631a603e1a7593c8e | c:\ntldr .exe |
| acab1d219611d5fe18f22a99f3d05de0 | c:\original .exe |
| d7a60e6cfa009a84fb92ba74a7e23dfc | c:\pagefile.sys .exe |
| 8a64afb6bbc9a2119e0d5486fdc3414c | c:\totalcmd .exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 245368 | 245760 | 3.92625 | a2b4f664355a47ef637ab1b69cef2c5e |
| .data | 249856 | 608 | 1024 | 0.488703 | 6fda88cf7188a8245a53dfde927250fd |
| .rdata | 253952 | 9384 | 9728 | 3.47165 | dbe852009dbd077a9976cb0ecfb9aadf |
| .bss | 266240 | 18576 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 286720 | 2212 | 2560 | 2.97703 | 5e5242c565219f3bd33a6568632559dc |
| .rsrc | 290816 | 26552 | 26624 | 4.17148 | 92863b1f9ca0d911b1b73f81b0afa90d |
Dropped from:
88315805f76e4709bf3767c2518029e2
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
`.data
.rdata
@.bss
.idata
%Documents and Settings%\All Users\Application Data\vnkpdd.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows
Operating System
%H:%M:%S
%m/%d/%y
-0123456789
%s:%u: failed assertion `%s'
RegCloseKey
RegOpenKeyA
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
vnkpdd.exe:972
%original file name%.exe:556 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\AUTOEXEC.BAT .exe (1455811 bytes)
C:\MSDOS.SYS .exe (1455811 bytes)
C:\IO.SYS .exe (1455811 bytes)
C:\%original file name%.exe .exe (1455811 bytes)
C:\boot.ini .exe (1455811 bytes)
%Documents and Settings% .exe (1455811 bytes)
C:\RECYCLER .exe (1455811 bytes)
C:\ntldr .exe (1455811 bytes)
C:\original .exe (1455811 bytes)
C:\totalcmd .exe (1455811 bytes)
C:\NTDETECT.COM .exe (1455811 bytes)
C:\System Volume Information .exe (1455811 bytes)
C:\CONFIG.SYS .exe (1455811 bytes)
C:\marker .exe (1455811 bytes)
%Program Files% .exe (1455811 bytes)
%WinDir% .exe (1455811 bytes)
C:\pagefile.sys .exe (1455811 bytes)
%Documents and Settings%\All Users\Application Data\Saaaalamm\Mira.h (542871 bytes)
%Documents and Settings%\All Users\Application Data\vnkpdd.exe (914498 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "%Documents and Settings%\All Users\Application Data\vnkpdd.exe"
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
