MD5: bed2e85383207b29fc4184ca85d7ccf1
SHA1: c0bd3354b59a82dba14d0d589103c366fc85c16c
SHA256: 6454b003b0b810d5c3b1b3512c6123a13b4d04d90fbfd197d836d5b06cb410a6
SSDeep: 24576:Q81EdVcVj 1hPnGBP3krdeiVQuavzPPjKz9SGq1fLGk1lJAEAo5:QZ/3PnGtkrdjiPkLQJAX4
Size: 1097287 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-17 23:24:34
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

server.exe:980
%original file name%.exe:644

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process server.exe:980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\system.ini (72 bytes)

The process %original file name%.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\7bebte13352740412.jpg (2368 bytes)

Registry activity

The process server.exe:980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "3432392762"
"a1_3" = "369175827"
"a1_4" = "3854877565"

[HKCU\Software\Aas\695404737]
"35845605" = "387"

[HKCU\Software\Aas]
"a1_6" = "1444987664"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Aas]
"a1_2" = "1147964647"
"a3_6" = "59977839"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "8D047AF7229C9B8962BA0482D99D368E2F27DA435BE2A7386A33EDC80BF5E291731E9D01A5491DAF960D9F12BEF04EC6593B061C5B93136EC6BFEC34C08A20B0C1FA17DCC2BD245ECA59601A83B2A1E4EA6D8C1E0D407E7C34901CE485312CA99533EF94DBD09BAC13BC887C7B5FA8BD183F0B60FDAC439D9A828FBE91ABBD7D"

[HKCU\Software\Aas]
"a3_4" = "11991981"

[HKCU\Software\Aas\695404737]
"43014726" = "0A00687474703A2F2F63696B6D61796564656B70617263612E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6272756365676172726F642E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6362626173696D6576692E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6272616E64616F656D61746F732E636F6D2E62722F696D616765732F6C6F676F692E67696600687474703A2F2F6361676C617274656B6E696B2E636F6D2F6C6F676F732E67696600687474703A2F2F6268617261746973616E676C692E696E2F6C6F676F692E67696600687474703A2F2F636163732E6F72672E62722F6E6F766F736974652F6C6F676F732E67696600687474703A2F2F62757461636D2E676F2E726F2F6C6F676F732E67696600687474703A2F2F626F7961626174656D6C2E6B31322E74722F696D616765732F6C6F676F732E67696600687474703A2F2F636173627967726F75702E636F6D2F696D616765732F6C6F676F732E676966"

[HKCU\Software\Aas]
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a1_1" = "1313561096"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_4" = "28676484"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Aas]
"a1_5" = "1008453933"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "121"

"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 09 4B AC F7 42 EB 7D B3 06 22 C8 65 83 F7 01"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a2_6" = "43012043"
"a2_5" = "35840104"
"a2_4" = "28673033"
"a2_3" = "21510318"
"a2_2" = "14343503"
"a2_1" = "7172588"
"a2_0" = "5517"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_5" = "35845605"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a3_5" = "52535244"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%]
"server.exe" = "%Program Files%\server.exe:*:Enabled:ipsec"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The process %original file name%.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"server.exe" = "server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   server.exe:980
   %original file name%.exe:644

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\system.ini (72 bytes)
   %Program Files%\7bebte13352740412.jpg (2368 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.