Gen.Variant.Buzy.3649_00d3a6e9b6
Trojan.Win32.VBKrypt.eoec (Kaspersky), Gen:Variant.Buzy.3649 (B) (Emsisoft), Gen:Variant.Buzy.3649 (AdAware), Worm.Win32.Vobfus.11.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 00d3a6e9b6575e8b8004d7e6fbddff70
SHA1: 058d111df8c0de8f32f9c466ef17362435ed9d52
SHA256: b037d83231fd5652353d81fb48548cba3f492f820627575ccab240a6387ffffd
SSDeep: 12288:3v3NeALfAmzzZv7AR6pBHprI28rTbCj/hZR6/:vN/L4mzZvEwr38PbajA/
Size: 521504 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-27 04:43:48
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es) (tasklist.exe is the legitimate Windows utility; the two instances listed are child processes the Trojan spawns, not malicious binaries):
zmmon.exe:1264
ZKJxkNR73D83.exe:2016
%original file name%.exe:1664
tasklist.exe:424
tasklist.exe:480
zlmon.exe:504
The Trojan injects its code into the following process(es) (the svchost.exe_1116_rwx_... and spoolsv.exe_1448_rwx_... memory dumps further down are the injected RWX regions in two of them):
axsvr.exe:1036
juovea.exe:252
svchost.exe:1116
spoolsv.exe:1448
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process zmmon.exe:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (1281 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process ZKJxkNR73D83.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\juovea.exe (2004827 bytes)
The process %original file name%.exe:1664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\ZKJxkNR73D83.exe (943 bytes)
%Documents and Settings%\%current user%\axsvr.dll (172 bytes)
%Documents and Settings%\%current user%\zlmon.exe (24 bytes)
%Documents and Settings%\%current user%\axsvr.exe (27 bytes)
%Documents and Settings%\%current user%\zmmon.exe (2374 bytes)
Registry activity
The process zmmon.exe:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 C1 90 45 79 26 04 8B 92 B5 06 8D 6C 66 3C 20"
(The RNG\Seed value is rewritten by the Windows cryptographic provider whenever a process calls CryptGenRandom. The Seed writes recorded for each process in this section are side effects of that, not indicators of compromise.)
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp,"
(A PendingFileRenameOperations entry with an empty target, as here, is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a NULL destination produces: the session manager deletes 4.tmp at the next boot. 4.tmp is one of the dropped PE files listed further down, so the Trojan is cleaning up a staging copy.)
The process axsvr.exe:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 19 60 21 5B 02 A6 5F A4 8C AC 87 6A 2B 7C 23"
The process ZKJxkNR73D83.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 6F CE AF A4 3F AE 4C 7D 7F 2C 00 BB 98 AD DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"juovea.exe" = "juovea"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
(With ShowSuperHidden = 0, Explorer hides files that carry both the Hidden and System attributes, which keeps the dropped copies out of sight. 0 is also the Windows default, so the write rather than the value is the indicator.)
To run each time the current user logs on, the Trojan adds the following value to the registry autorun key (HKCU\...\Run entries run at that user's logon, not at boot):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"juovea" = "%Documents and Settings%\%current user%\juovea.exe /H"
The Trojan writes the three Local Intranet zone switches of the IE ZoneMap key. Each corresponds to a check box in the Local intranet "Sites" dialog, and 1 means ticked:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1" (include all local intranet sites not listed in other zones)
"UNCAsIntranet" = "1" (include all network paths, i.e. UNCs)
"ProxyBypass" = "1" (include all sites that bypass the proxy server)
These values match the default state of those boxes, so the values alone are a weak indicator; what the sandbox recorded is that the Trojan wrote them.
The process %original file name%.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 DF BD C4 6C 8A D0 BB 07 53 3C C5 20 98 41 C1"
The process juovea.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 79 D9 29 B2 56 67 A2 47 F0 12 FB 4A FA E9 B2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
To run at each logon of the current user, the Trojan adds the following value to the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"juovea" = "%Documents and Settings%\%current user%\juovea.exe /E"
The process tasklist.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 9C DE F9 F3 5E 1A 38 56 31 E6 3C 81 D2 FA C4"
The process tasklist.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B A7 F9 63 20 3F B6 B4 30 E2 22 C8 64 4D 9A 13"
The process zlmon.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 B5 73 36 DD 96 F7 54 BD 70 81 91 0B B7 05 34"
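The registry activity above mixes real persistence and anti-analysis writes (the Run value, ShowSuperHidden, the boot-time deletion of 4.tmp) with noise (RNG\Seed, Shell Folders, MountPoints2). The following script is an added example, not part of the Lavasoft report: it evaluates a snapshot of registry values against exactly those indicators. The key and value names are the real Windows ones; SAMPLE_SNAPSHOT is constructed to mirror the infected host, the user name "user" is a placeholder, and the "profile root executable" test is a heuristic chosen because every file this sample drops lands directly under the user's profile directory.

```python
"""Offline audit of the registry indicators listed in this report.

Added example, not part of the Lavasoft report.  It checks a snapshot of
registry values for: a Run value starting an executable from the profile
root, ShowSuperHidden = 0, the three IE ZoneMap intranet flags, and a
PendingFileRenameOperations entry that schedules a file for deletion at boot.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
ZONEMAP_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
SESSMGR_KEY = r"HKLM\System\CurrentControlSet\Control\Session Manager"

# Heuristic (not a Windows rule): an .exe sitting directly in the profile root,
# in either the XP or the Vista+ directory layout, optionally followed by args.
PROFILE_ROOT_EXE = re.compile(
    r'^"?[A-Za-z]:\\(?:Documents and Settings|Users)\\[^\\]+\\[^\\]+\.exe"?(?:\s|$)',
    re.IGNORECASE,
)

# Constructed snapshot: key -> {value name: data}, mirroring the report.
# PendingFileRenameOperations is REG_MULTI_SZ, kept here as the flat list
# Windows stores: source, target, source, target, ...  An empty target means
# "delete at boot", which is what the report's trailing comma denotes.
SAMPLE_SNAPSHOT: Dict[str, Dict[str, object]] = {
    RUN_KEY: {"juovea": r"C:\Documents and Settings\user\juovea.exe /H"},
    ADVANCED_KEY: {"ShowSuperHidden": 0},
    ZONEMAP_KEY: {"IntranetName": 1, "UNCAsIntranet": 1, "ProxyBypass": 1},
    SESSMGR_KEY: {
        "PendingFileRenameOperations": [r"\??\C:\DOCUME~1\user\LOCALS~1\Temp\4.tmp", ""]
    },
}


def parse_pending_renames(multi_sz: List[str]) -> List[Tuple[str, str]]:
    """Split the flat REG_MULTI_SZ list into (source, target) pairs."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    return list(zip(multi_sz[0::2], multi_sz[1::2]))


def audit(snapshot: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the indicators in the report."""
    findings: List[Tuple[str, str]] = []

    # 1. Logon persistence: a Run value whose executable lives in the profile root.
    for name, cmd in snapshot.get(RUN_KEY, {}).items():
        if PROFILE_ROOT_EXE.match(str(cmd)):
            findings.append(("high", f"Run value {name!r} starts {cmd!r} from the profile root"))

    # 2. ShowSuperHidden = 0 keeps Hidden+System files invisible in Explorer.
    #    0 is also the Windows default, so this only corroborates other findings.
    if snapshot.get(ADVANCED_KEY, {}).get("ShowSuperHidden") == 0:
        findings.append(("info", "Explorer hides protected OS files (ShowSuperHidden=0)"))

    # 3. The three Local Intranet zone switches the report records as written.
    #    1 is the ticked (default) state of each box; the write is the indicator.
    zm = snapshot.get(ZONEMAP_KEY, {})
    written = [v for v in ("IntranetName", "UNCAsIntranet", "ProxyBypass") if zm.get(v) == 1]
    if written:
        findings.append(("info", "ZoneMap intranet flags present: " + ", ".join(written)))

    # 4. Boot-time operations queued via MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).
    pfro = snapshot.get(SESSMGR_KEY, {}).get("PendingFileRenameOperations")
    if pfro:
        for src, dst in parse_pending_renames(list(pfro)):
            if dst == "":
                findings.append(("medium", f"{src} is queued for deletion at next boot"))
            else:
                findings.append(("medium", f"{src} is queued for rename to {dst} at next boot"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SNAPSHOT):
        print(f"[{severity}] {message}")
```

On a live Windows host the snapshot would be filled from winreg (reading PendingFileRenameOperations returns the same flat list this script expects); the evaluation logic is deliberately separate so it can be run against exported hives offline.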
Dropped PE files
| MD5 | File path |
|---|---|
| 1ce7ff3ab56b036b0355cbb532978996 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\4.tmp |
| 564fb51c90f91e749fc002446cfe8a09 | c:\Documents and Settings\"%CurrentUserName%"\axsvr.dll |
| 4728d25b809d631018ce6dcc32bb0a8e | c:\Documents and Settings\"%CurrentUserName%"\axsvr.exe |
| 2ad8b4d88ee57f7b92c393b302026512 | c:\Documents and Settings\"%CurrentUserName%"\juovea.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using a driver the analysis could not identify ("UNKNOWN"), the Trojan registers a load-image notify routine, which lets it act on every executable image loaded into memory.
Using the driver at ROOTKITPATH, the Trojan hooks the StartIo routine (DriverStartIo) of the ATAPI hard-disk miniport driver so that it can intercept and service disk requests for its own files. This is consistent with the Tdl4 detection name above and with the \\?\globalroot\device\... paths in the strings dumps below, which are the hidden storage reached through such a hook.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 109019 | 109056 | 4.58408 | 3bca5dfb813e47e4d61b2ef2a0b421dc |
| .rdata | 114688 | 29438 | 29696 | 3.22113 | f9c681dd97d3b60d0806e6834aaa89d9 |
| .data | 147456 | 19172 | 7680 | 2.859 | 113a3d325647d9d93e9233dd30a02894 |
| .rsrc | 167936 | 10098 | 10240 | 3.33665 | a2789b068cbfdafdde65c3af22025037 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
No server connections were recorded.
Strings from dumps
(The first block below carries no process label in the report; the later blocks are named by process and PID and, for injected code, by the address and size of the RWX region that was dumped. hXXp and VVV are defanged http and www.)
.text
`.data
.link
.rloc
axsvr.exe
axsvr.dll
COMCTL32.DLL
GDI32.DLL
KERNEL32.DLL
OLE32.DLL
OLEAUT32.DLL
USER32.DLL
CreateDialogIndirectParamA
SetWindowsHookExA
juovea.exe_252:
.text
`.data
.rsrc
MSVBVM60.DLL
U.lPJ
VBA6.DLL
cmdNextTip
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
cmdOK
TIPOFDAY.TXT
TtwSqtkrdyoH.exe
svchost.exe_1116_rwx_009F0000_0001B000:
Fmsvcrt.dll
%d %d %d %d %d %d
hXXps://
hXXp://
.com/
Global\C3819288-93FA-4E29-A254-BD9476B53C20
cfg.ini
%s\%s
bckfg.tmp
lsflt7.ver
0;225;224;77;38;56;16;74;75
maxhttpredirects
software\microsoft\windows\currentversion\internet settings
enablehttp1_1
software\microsoft\windows\currentversion\internet settings\zones\3
{AEBA21FA-782A-4A90-978D-B72164C80120}{A8A88C49-5EB2-4990-A1A2-0876022C854F}Opera\Opera\operaprefs.ini
\profile\operaprefs.ini
\prefs.js
network.cookie.cookieBehavior
Mozilla\Firefox\Profiles\
/login/;/tweet/;action=embed-flash;/faq/;/terms/;/contact/;/Forgotpassword/
hXXp://%s/?xurl=%s&xref=%s
ole32.dll
winmm.dll
atl.dll
oleaut32.dll
clk=%s&bid=%s&aid=%s&sid=%s&rd=%s
n%D,3
Global\6C29A0C8-62C6-415C-9538-B87690BC58D2
lsash.xp
%d|%d|%s|%s
cmd.dll
cmd64.dll
setup.exe
%u|%s
%s=%u|%s
%[^.].%[^(](%[^)])
command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s
masks|%s
hXXp://NO REF/
.softgeek.
%s#%s
url|%s%s|
%s.dll
kernel32.dll
12345678
0123456789
.text
.rdata
HTTP/1.1 302 Found
Location: %s
HTTP/1.1 200 OK
Content-Length: %d
%sConnection: close
<body><a id=link target=_top></body><script>var url='%s';try{var x=document.getElementById('link');x.href=url;x.click()}catch(e){try{var x=parent?parent:window;x.location.replace(url)}catch(e){}}</script><noscript><META http-equiv="refresh" content="0;URL='%s'"></noscript><iframe src='%s' style='visibility:hidden;'></iframe>
<script>history.back()</script>
Set-Cookie: %s; expires=%s, u-%s-u u:u:u GMT
urlmon.dll
Global\56684A82-D074-4384-AEB9-D1A40041D9FB
chrome
wermgr.exe
-queuereporting_svc
firefox
opera
Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145
svchost.exe
Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
Global\cc51461b-e32a-4883-8e97-e0706dc65415
keywords
Accept-Language: %s
%s hXXp://%s/?xurl=%s&xref=%s
%s %s
1.8|%s|%s|%s|%s|%s|%s
software\classes\http\shell\open\command
<>:"/\|?*
%s-%s
. d SP.%s
google;yahoo;bing.;live.com;msn.com;altavista.com;ask.com;exalead.com;excite.com;dogpile.com;metacrawler.com;webcrawler.com;alltheweb.com;.lycos.;gigablast.com;cuil.com;.aol.;entireweb.com;.search.com;mamma.com;mytalkingbuddy.com;about.com;conduit.com;alexa.com;alltheinternet.com;blinkx.com;aolcdn.com;othersonline.com;everesttech.net;adrevolver.com;tribalfusion.com;adbureau.net;abmr.net;gstatic.com;virtualearth.net;atdmt.com;ivwbox.;powerset.net;yimg.com;2mdn.net;doubleclick.net;iwon.com;scorecardresearch.com;66.235.120.66;66.235.120.67;ytimg.com;infospace.com;edgesuite.net;superpages.com;lygo.com;compete.com;firmserve.com;worthathousandwords.com;yieldmanager.com;wazizu.com;meedea.com;atwola.com;doubleverify.com;tacoda.net;truveo.com;openx.org;adcertising.com;twimg.com;picsearch.com;oneriot.com;.com.com;flickr.com;searchvideo.com;.tqn.com;myspacecdn.com;fimservecdn.com;alexametrics.com
%u|%u
ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s
hXXp://%s%s
VVV.google.
search.yahoo.com
.altavista.com
/web/results
.ask.com
VVV.exalead.com
/search/web/results
VVV.alltheweb.com
search.lycos.
tab=web
gigablast.com
cuil.com
.aol.
entireweb.com
md=web
VVV.search.com
VVV.mamma.com
mytalkingbuddy.com
searchservice.myspace.com
type=web
search.conduit.com
search.toolbars.alexa.com
alltheinternet.com
/ws/results/web/
?xurl=
http/1.
mozilla
windowsupdate
590612975
1429695310
\\?\globalroot\device\000001d9\2188754f\lsash.xp
%WinDir%\System32\svchost.exe
\\?\globalroot\device\000001d9\2188754f
\\?\globalroot\device\000001d9\2188754f\cfg.ini
WinExec
SHEnumKeyExA
ExitWindowsEx
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoW
InternetCrackUrlA
`.rdata
@.data
.reloc
rt.dll
https
l\C3819288-93FA-4E29-A254-BD9476]
cfg.inics\
HTTP/1.1 3
%u,bmr
.]TCpP
KERNEL32.DLL
ADVAPI32.dll
imagehlp.dll
ntdll.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WebBrowser
127.0.0.1
.google.
%s-%d
eplorer\iexplore.exe" -nohome
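The svchost.exe dump above contains the URL format "hXXp://%s/?xurl=%s&xref=%s", an HTTP 302 and HTML redirect template, two report formats ("clk=%s&bid=%s&aid=%s&sid=%s&rd=%s", "ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s") and a long list of search-engine and ad-network hosts. The report recorded no network traffic, so the script below is an added example, not from the report, that checks only the format: it runs over constructed proxy log lines and flags requests whose query carries a search-engine URL in xurl plus an xref, or the bid/aid/sid/rd parameter set. The host "redirector.example", "cdn.example" and the client addresses are placeholders, and SEARCH_HOSTS is a subset of the list in the dump with VVV read as www.

```python
"""Proxy-log check for the redirect and report URL formats seen in the
svchost.exe strings.  Added example, not part of the Lavasoft report; the
log lines are constructed and the hostnames are placeholders."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Subset of the search hosts enumerated in the dump (VVV = www).
SEARCH_HOSTS = ("www.google.", "search.yahoo.com", ".altavista.com", ".ask.com",
                "www.exalead.com", "search.lycos.", "gigablast.com", "www.search.com")

# Parameters common to both report formats in the strings:
#   clk=%s&bid=%s&aid=%s&sid=%s&rd=%s
#   ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s
BEACON_PARAMS = {"bid", "aid", "sid", "rd"}

# Constructed sample: "<timestamp> <client> <method> <url>" per line.
SAMPLE_LOG = """\
2013-02-14T10:01:02Z 10.0.0.5 GET http://www.google.com/search?q=bank+login
2013-02-14T10:01:03Z 10.0.0.5 GET http://redirector.example/?xurl=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dbank%2Blogin&xref=http%3A%2F%2Fwww.google.com%2F
2013-02-14T10:01:04Z 10.0.0.5 GET http://cdn.example/?xurl=http%3A%2F%2Fintranet.example%2F&xref=
2013-02-14T10:01:09Z 10.0.0.5 GET http://redirector.example/?clk=1&bid=b1&aid=a1&sid=s1&rd=r1
2013-02-14T10:02:00Z 10.0.0.7 GET http://www.bing.com/search?q=weather
"""


def classify(url: str) -> Optional[str]:
    """'redirect' for ?xurl=<search-engine URL>&xref=..., 'beacon' for the
    bid/aid/sid/rd report format, None for anything else."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "xurl" in qs and "xref" in qs:
        # parse_qs has already percent-decoded the embedded URL.
        target_host = (urlsplit(qs["xurl"][0]).hostname or "").lower()
        if any(h in target_host for h in SEARCH_HOSTS):
            return "redirect"
    if BEACON_PARAMS.issubset(qs):
        return "beacon"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, kind, url) for every line that matches."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        kind = classify(fields[3])
        if kind:
            hits.append((fields[0], fields[1], kind, fields[3]))
    return hits


if __name__ == "__main__":
    for ts, client, kind, url in scan(SAMPLE_LOG):
        print(ts, client, kind, url)
```

A redirect hit followed within seconds by a beacon from the same client, as in the sample, is the sequence the strings describe: the search result is rerouted through the operator's server, which then receives the click report.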
spoolsv.exe_1448_rwx_00F40000_00027000:
.text
`.rdata
@.data
.config
.reloc
t%SSS
N. d SP.
%x%x%x%x%x%x
%s|%s|%s|%x|%x|%s|%x|%x|prn15
%[^;];%[^;];%[^;];
kernel32.dll
ntdll.dll
\\?\globalroot\systemroot\system32\kernel32.dll
%s\cfg.ini
%s\config.ini
%s\drv32
cmd.dll
%s\bckfg.tmp
%s\cmd.dll
%s\cmd64.dll
%[^|]|%[^|]|%s
system\currentcontrolset\services\%x
\\?\globalroot%s\cmd.dll
\\?\globalroot%s\cfg.ini
\\?\globalroot%s\bckfg.tmp
%d.%d.%d %d:%d:%d
\\?\globalroot%s\ldr16
\\?\globalroot%s\ldr32
\\?\globalroot%s\ldr64
\\?\globalroot%s\drv64
\\?\globalroot%s\cmd64.dll
cmd64.dll
\\?\globalroot%s\drv32
\\?\globalroot\systemroot\system32\kdcom.dll
\\?\globalroot\systemroot\system32\hal.dll
\\?\globalroot\systemroot\system32\ntoskrnl.exe
\\?\globalroot\systemroot\system32\drivers\etc\hosts
aid=%s
sid=%s
installdate=%s
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=%s
wsrv=%s
psrv=%s
cfg.ini
bckfg.tmp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>
ZwConnectPort
spoolsv.exe
GetWindowsDirectoryW
KERNEL32.dll
RegCreateKeyA
RegCloseKey
ADVAPI32.dll
SHDeleteKeyA
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
RPCRT4.dll
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
ShellExecuteW
SHELL32.dll
ole32.dll
WINSPOOL.DRV
.pnLu
`.reloc
kdcom.dll
ntoskrnl.exe
`.pdata
\{x-x-x-x-xx}\registry\machine\%S
\??\physicaldrive%d
services.exe
\??\globalroot\systemroot\system32\tasks\%x
\\?\globalroot%s
%s.manifest
%s\setup%u.exe
r\\?\globalroot%s
spoolsv.exe_1448_rwx_012E0000_00047000:
.itext
@.text
`.edata
@.rdata
@.data
.rsrc
@.reloc
KERNEL32.dll
ScaleViewportExtEx
GDI32.dll
SHLWAPI.dll
comdlg32.dll
COMCTL32.dll
GetKeyState
VkKeyScanW
MapVirtualKeyExA
USER32.dll
ntdll.dll
BbRtJfwnRSDv.exe
H:\tmtxZlu\PfTh\ZNRHnkU\bRrFYv.pdb
F:\gjkLHJjfhkjl\LKJDkljkdlj\KJDFj.hhg
Mlpnqqbeipgsshxi
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
zmmon.exe:1264
ZKJxkNR73D83.exe:2016
%original file name%.exe:1664
tasklist.exe:424
tasklist.exe:480
zlmon.exe:504
(juovea.exe:252 and axsvr.exe:1036, dropped files that appear above as injection targets, should be terminated as well.)
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (1281 bytes)
%Documents and Settings%\%current user%\juovea.exe (2004827 bytes)
%Documents and Settings%\%current user%\ZKJxkNR73D83.exe (943 bytes)
%Documents and Settings%\%current user%\axsvr.dll (172 bytes)
%Documents and Settings%\%current user%\zlmon.exe (24 bytes)
%Documents and Settings%\%current user%\axsvr.exe (27 bytes)
%Documents and Settings%\%current user%\zmmon.exe (2374 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"juovea" = "%Documents and Settings%\%current user%\juovea.exe /H"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"juovea" = "%Documents and Settings%\%current user%\juovea.exe /E"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.