Gen.Variant.Barys.290_8153f61785
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.290 (B) (Emsisoft), Gen:Variant.Barys.290 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 8153f617855daad2a9389b5fad50de22
SHA1: c06b08223841c3de2bc2e6b2163094667ffceffa
SHA256: df657c2b54946e6d44a2cc53525d6aab40ac834c0c4d1ec78db0a6f25e68ac59
SSDeep: 12288:jroDjby1gT5o1pRoDqnPigbO4Ui 85gidVHVD00nRAxFVP bBkLec1s5tR/HNcIJ:nJyi jsJl/UZpL7utXp9U4hu
Size: 913920 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-20 02:01:46
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
explorer.exe.ex:1552
%original file name%.exe:964
(explorer.exe.ex is the dropped explorer.exe.exe listed under File activity; the sandbox reports the kernel's 15-character ImageFileName, so the last character of the name is cut off.)
The Trojan injects its code into the following process(es):
rundll32.exe:552
File activity
The process %original file name%.exe:964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\161 KB\sexe.jpg\12.12.12.12\explorer.exe.exe (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sexe.jpg (165 bytes)
Registry activity
The process explorer.exe.ex:1552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 14 58 4E 1A A6 AA 4A 96 97 49 8E 5A 12 E9 C0"
The process rundll32.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 50 D8 8D 6C 30 14 94 89 83 C6 E7 6E E9 22 CA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"
None of the registry writes above is a persistence mechanism: the Cryptography\RNG\Seed value is rewritten by the Windows CSP whenever a process calls CryptGenRandom, the MountPoints2 BaseClass entries are written by the shell as it enumerates volumes, and the MUICache entry only records that the Windows Picture and Fax Viewer (shimgvw.dll, hosted by rundll32.exe) was shown, consistent with the dropped Temp\sexe.jpg being opened as a decoy image. The report lists no autostart entry (Run key, service or scheduled task).
Dropped PE files
| MD5 | File path |
|---|---|
| 83fc1174661b795eae9e1accfae98073 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\161 KB\sexe.jpg\12.12.12.12\explorer.exe.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: 161 KB
Product Name: sexe.jpg
Product Version: 12.12.12.12
Legal Copyright: sexe.jpg
Legal Trademarks: sexe.jpg
Original Filename: server2nojpg.exe
Internal Name: server2nojpg.exe
File Version: 12.12.12.12
File Description: JPEG image
Comments: JPEG image
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 810676 | 811008 | 4.54183 | 494a63080db798c0aec3c8c8bca2f55d |
| .rsrc | 819200 | 101432 | 101888 | 5.51695 | eecca34c1da65fabd28f2e658c2faa6c |
| .reloc | 925696 | 12 | 512 | 0.067931 | 9c41ee6f0a97c8b53a04c88b8f2ac18c |
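The section table above is the basis for the "Entropy: Not Packed" verdict and the "Created at" field. The following added example (not code from the Lavasoft report or any vendor tool) walks a PE section table, computes Shannon entropy over each section's raw bytes, flags a packed sample on the usual high-entropy heuristic, and decodes the COFF TimeDateStamp. The PE image it runs on is constructed inline and is not the analysed sample; its timestamp is the report's "Created at" value assumed to be UTC.

```python
"""Per-section entropy from a PE section table.

Added example: not code from the Lavasoft report or from any vendor tool.
The PE image it runs on is constructed below and is not the analysed sample.
"""
import datetime
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> dict:
    """Follow MZ -> e_lfanew -> PE signature -> COFF header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, tstamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]   # entropy over the raw, padded bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 5),
        })
    return {
        "timestamp": datetime.datetime.fromtimestamp(tstamp, tz=datetime.timezone.utc),
        "sections": sections,
    }


def looks_packed(sections, threshold: float = 7.0) -> bool:
    """Near-uniform raw bytes (> ~7 bits/byte) in any section suggest compression
    or encryption; plain x86 or .NET code normally sits around 4.5 to 6.5."""
    return any(s["raw_size"] > 0 and s["entropy"] > threshold for s in sections)


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Construct a minimal PE32 image (hypothetical test input, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header right after DOS header
    opt_size = 224                                  # PE32 optional header size
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic = PE32
    header_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-header_len // 512) * 512         # FileAlignment 512
    raw_ptr, vaddr = first_raw, 0x1000
    hdrs, body = b"", b""
    for name, data in sections:
        raw_size = -(-len(data) // 512) * 512
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                            raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-len(data) // 0x1000) * 0x1000
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return image.ljust(first_raw, b"\0") + body


# Constructed input: a 5-bit/byte ".text" and a 12-byte ".reloc" padded to one
# 512-byte page, mirroring the shape of the report's table.  The timestamp is the
# report's "Created at" value, assumed here to be UTC.
SAMPLE_PE = build_sample_pe(
    [(b".text", bytes(range(32)) * 32),
     (b".reloc", b"\x00\x10\x00\x00\x0c\x00\x00\x00\x34\x12\x78\x56")],
    timestamp=1311127306,
)

if __name__ == "__main__":
    info = parse_sections(SAMPLE_PE)
    print("Created at:", info["timestamp"].strftime("%Y-%m-%d %H:%M:%S UTC"))
    for s in info["sections"]:
        print(f"{s['name']:<8} VA={s['virtual_address']:#x} VS={s['virtual_size']} "
              f"Raw={s['raw_size']} Entropy={s['entropy']}")
    print("Entropy:", "Packed" if looks_packed(info["sections"]) else "Not Packed")
```

Entropy is computed over the raw (file-aligned, zero-padded) section bytes, which is why a 12-byte .reloc in a 512-byte page scores close to zero, as in the table. The 7.0 threshold is a rule of thumb: a .NET or C++ .text around 4.5 bits is unremarkable, while a section above 7 bits is usually compressed or encrypted and worth unpacking before further analysis.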
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
No network locations were observed. The strings listed below belong to Windows' own rundll32.exe (note rundll32.pdb, RUNDLL.EXE and the 5.1.2600.5512 XP SP3 build string), the process the sample injects into; they carry no network indicators.
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
explorer.exe.ex:1552
%original file name%.exe:964
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\161 KB\sexe.jpg\12.12.12.12\explorer.exe.exe (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sexe.jpg (165 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
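The manual removal steps above amount to a host sweep for the report's file indicators. The following added example (not code from the Lavasoft report or from Ad-Aware) automates that sweep: it matches the dropped paths from the File activity and Dropped PE files sections, the report's two MD5s (the sample and the dropped explorer.exe.exe), and two generic checks the artefacts suggest, a double ".exe.exe" extension and an MZ file hiding behind an image extension. It assumes the profile root is %Documents and Settings%\%current user%; the directory tree it runs on is constructed in a temporary folder and contains no real malware.

```python
"""Sweep a user profile for the artefacts listed in this report.

Added example: not code from the Lavasoft report or from Ad-Aware.  The tree
it runs on is constructed in a temporary directory with harmless stand-in files.
"""
import hashlib
import os
import pathlib
import tempfile

# Indicators copied from the report (paths relative to the profile root).  The
# Temp\sexe.jpg decoy has no hash in the report, so it is matched by path only.
DROPPED_PATHS = {
    "application data/161 kb/sexe.jpg/12.12.12.12/explorer.exe.exe",
    "local settings/temp/sexe.jpg",
}
REPORT_MD5 = {
    "8153f617855daad2a9389b5fad50de22",  # the analysed sample
    "83fc1174661b795eae9e1accfae98073",  # dropped explorer.exe.exe
}
DOUBLE_EXT = (".exe.exe", ".jpg.exe", ".scr.exe")      # heuristic, assumed here
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def sweep(root: pathlib.Path, known_md5=frozenset(REPORT_MD5)) -> dict:
    """Return {relative_path: [reasons]} for every suspicious file under root."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = pathlib.Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            data = path.read_bytes()
            reasons = []
            if rel.lower() in DROPPED_PATHS:
                reasons.append("known_path")
            if hashlib.md5(data).hexdigest() in known_md5:
                reasons.append("known_md5")
            if name.lower().endswith(DOUBLE_EXT):
                reasons.append("double_extension")
            if name.lower().endswith(IMAGE_EXT) and data[:2] == b"MZ":
                reasons.append("pe_with_image_extension")   # executable posing as a picture
            if reasons:
                findings[rel] = reasons
    return findings


def build_constructed_profile(root: pathlib.Path) -> None:
    """Plant harmless stand-in files (constructed, not the real malware)."""
    files = {
        # same path as the dropped file, different content -> path hit, no hash hit
        "Application Data/161 KB/sexe.jpg/12.12.12.12/explorer.exe.exe": b"MZ" + b"\0" * 14,
        # a real JPEG header at the decoy's path -> path hit only
        "Local Settings/Temp/sexe.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 161,
        # an MZ file under a picture name -> masquerade hit
        "Local Settings/Temp/holiday.jpg": b"MZ" + b"\0" * 62,
        # stand-in for a hash-only hit: md5("abc") is added to the known set in demo()
        "Local Settings/Temp/update.bin": b"abc",
        "My Documents/notes.txt": b"nothing to see\n",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the constructed profile in a temp dir, sweep it, return the findings."""
    stand_in = hashlib.md5(b"abc").hexdigest()     # 900150983cd24fb0d6963f7d28e17f72
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        build_constructed_profile(root)
        return sweep(root, frozenset(REPORT_MD5) | {stand_in})


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

On a live host, call sweep() with the real profile root instead of demo(); a path hit without a hash hit means the same drop location holds a different build, which is the usual case for re-packed variants, so the path and masquerade checks are the ones that keep working after the hashes go stale.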