MD5: 251e8a930ae92a5d76b8b326726936ea
SHA1: 972e8f413a695fcf4e5db608f75939f32ea16edc
SHA256: 0986eaa479667840ccca8fc952586476300418d198b800170158ad89fb16d4d6
SSDeep: 1536:KdBp7Jo9vfxeGhqykdBPO735nouy81MZCi3b:WBLC3xeGhqdBPO1outU
Size: 78336 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: no certificate found
Created at: 2007-05-21 16:18:28
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1008

The Trojan injects its code into the following process(es):

Explorer.EXE:884

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:1008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 24576 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

Using the driver "%System%\drivers\jjuoxu.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

user32.dll

kernel32.dll

%System%\jjuoxu.dll

Explorer.EXE_884_rwx_01CA0000_00004000:

Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel

Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu

{871C5380-42A0-1069-A2EA-08002B30309D}

VVV.haol23.net/?a29//

\Internet Explorer\IEXPLORE.EXE

msvcrt

000000000000

1234567890

XXXXXX

kernel32.dll

user32.dll

explorer.exe

msvcrt.dll

KERNEL32.dll

USER32.dll

ADVAPI32.dll

SHELL32.dll

ole32.dll

HttpQueryInfoA

InternetOpenUrlA

WININET.dll

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

PSAPI.DLL

QqHelperJ.dll

20150412

hXXp://update.microfsot.cn/dl/1.dat?%s

2#2*21292

4&4,42484

\Internet Explorer.lnk

Q\bc_aCroetqMLA.qM

RRlh?Jqka=1.mfTffrcR\TaeGgLE=qi

/.khJpoO?H4_F22qk-j

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1008
   

3. Delete the original Trojan file.
   
4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.