Gen.Variant.Adware.Symmi.41510_f7c7fa2aba
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Adware.Symmi.41510 (B) (Emsisoft), Gen:Variant.Adware.Symmi.41510 (AdAware), Backdoor.Win32.PcClient.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Adware
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: f7c7fa2abac6c8468bc76f1580d1db6a
SHA1: 8a2c146a6538d7ef8165d78e74933b4ed869cddc
SHA256: b9b97a41761d40fcc9e3cf40ca7fcd4b9096d2481977b64c11372c75e9818773
SSDeep: 6144:QVLoqNwUB255gHwaVNMwTJTO1/67nG20zVaH6PKucCkU6qHX2LQK5pikuJxsO0I:gi5GBJ4GkH6m1Xq3Kl5AtJxJ
Size: 446976 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-21 00:50:41
Analyzed on: Windows XP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
dwwin.exe:1880
The Trojan injects its code into the following process(es):
%original file name%.exe:700
rundll32.exe:1240
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process %original file name%.exe:700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\221f_appcompat.txt (6214 bytes)
%System%\msicga32.dll (175 bytes)
The process dwwin.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2524AA.dmp (86136 bytes)
Registry activity
The process %original file name%.exe:700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 4A CA 68 8A A9 7A 8F A1 D0 B2 F5 5D 66 6C 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSIDLL" = "rundll32.exe msicga32.dll,HpbkmVGASdJ"
Adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:f7c7fa2abac6c8468bc76f1580d1db6a"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process dwwin.exe:1880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 6C 29 DD 7B 00 67 14 97 60 00 82 62 A0 56 6A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 52 F4 A6 86 DF 98 71 30 1B DA AE A8 F3 1A 24"
Dropped PE files
| MD5 | File path |
|---|---|
| 39fa986aa2099a8c775efd1554e3ace8 | c:\WINDOWS\system32\msicga32.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 76649 | 76800 | 4.48275 | 099e7b1e8e309e4ee4a3dedb4d6584fe |
| .rdata | 81920 | 15718 | 15872 | 3.54057 | 6ae3361fecd3256bdcdc17b06090d4e0 |
| .data | 98304 | 342976 | 334848 | 5.48462 | 5baee541b94e47e16602456299f09f8f |
| .rsrc | 442368 | 18320 | 18432 | 2.93006 | f733670c0741e60a3fe75cb2770a87c3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:1880
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\221f_appcompat.txt (6214 bytes)
%System%\msicga32.dll (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2524AA.dmp (86136 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSIDLL" = "rundll32.exe msicga32.dll,HpbkmVGASdJ"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.