Gen.Variant.Dropper.48_d61befb144
Trojan.Win32.FakeAV.jnmu (Kaspersky), Gen:Variant.Dropper.48 (B) (Emsisoft), Gen:Variant.Dropper.48 (AdAware), Worm.Win32.Vobfus.11.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d61befb1443773ad0a80477d4ab16402
SHA1: 835ccae43124605a8263eb77117a90a55555dbdb
SHA256: 080346fe8d9db818c47962c40857e85077eec5fd1d58bab69dd741a77a8b7adc
SSDeep: 12288:wTT4mQKjM0 y4mkCawEcIQBx6Ow/wjEdCLlf86PgV3d2UH9F:ox6Ow/9dC26ozH9F
Size: 452200 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: AirInstaller
Created at: 2011-05-19 13:41:30
Analyzed on: WindowsXP ESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
tasklist.exe:352
%original file name%.exe:1300
oo.exe:1788
pvc32.exe:1268
m6PEES9OLyE21U.exe:968
The Trojan injects its code into the following process(es):
xaufuoz.exe:1988
mscorsvw.exe:1912
pp.exe:1988
Explorer.EXE:128
svchost.exe:1096
spoolsv.exe:1424
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\pp.exe (32 bytes)
%Documents and Settings%\%current user%\m6PEES9OLyE21U.exe (267 bytes)
%Documents and Settings%\%current user%\pvc32.exe (1568 bytes)
%Documents and Settings%\%current user%\oo.exe (628 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7zS3F.tmp (0 bytes)
The process oo.exe:1788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\40.tmp (673 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\41.tmp (0 bytes)
The process pvc32.exe:1268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process m6PEES9OLyE21U.exe:968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\xaufuoz.exe (1991786 bytes)
Registry activity
The process xaufuoz.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 3E D8 86 1F F4 95 33 A6 4E 1E 89 BA 38 3F 47"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"xaufuoz" = "%Documents and Settings%\%current user%\xaufuoz.exe /S"
The process tasklist.exe:352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 9A 8C 66 60 C2 BE C6 DC 40 CC 5C B1 3E D8 3E"
The process %original file name%.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 16 9F 54 50 CC E1 9E 8E 93 C9 59 93 79 2A 5E"
The process oo.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 03 BE FA 3B 53 42 B7 65 07 9B 04 40 2E 2B 34"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1305799195"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\42.tmp,"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "oo.exe"
The process pvc32.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 31 90 FA 3F 7E DC AF BB 3F BF 8F BA B2 AE 56"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process pp.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 46 BF AA 8A 81 27 3A E5 D9 02 0F 04 4D 5F AE"
The process m6PEES9OLyE21U.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B D7 B3 3C D2 EF 8C 82 3F 65 C5 95 AE CF 53 FB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"xaufuoz.exe" = "xaufuoz"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| e3cbda2e8e9e96c2107c7d8c6ff7aa19 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\42.tmp |
| 910d69dc52721a9e6e4892188b232003 | c:\Documents and Settings\"%CurrentUserName%"\pvc32.exe |
| 2d08465dbcc2fd3e4e6539063f2be641 | c:\Documents and Settings\"%CurrentUserName%"\xaufuoz.exe |
| 8d3f38dd07dc5e58a60d4aa14f2f454a | c:\WINDOWS\Temp\44.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "UNKNOWN" the Trojan controls the loading of executable images into memory by installing a load image notifier.
Using the driver ROOTKITPATH the Trojan intercepts DriverStartIO in the miniport driver of the hard drive controller (ATAPI) to handle requests to its own files:
StartIo
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 192003 | 192512 | 4.09144 | dd38ffc9a2099797e71e3b47281034c5 |
| .rdata | 196608 | 22730 | 23040 | 2.82888 | 5b83f73fc6bb93013eea5bd0d2f44e40 |
| .data | 221184 | 10572 | 2048 | 2.55318 | e78b40d7d8d0fb129c9ecff181b5bd9a |
| .rsrc | 233472 | 1858 | 2048 | 2.31893 | 938b41fadfa6640cea15513602802ede |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
MSVBVM60.DLL
}#$##$$$
} / //00&&()#
];<4*/%'
SHDocVwCtl.WebBrowser
(7),01444
'9=82<.342
OE.yw
[`%x,
ieframe.dll
WebBrowser
VBA6.DLL
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
SsF}_%System%\ieframe.oca
pasSeconds
pvc32.exe
xaufuoz.exe_1988:
.text
`.data
.rsrc
MSVBVM60.DLL
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
VBA6.DLL
ZmfuJkzQmTtcRN.exe
Explorer.EXE_128_rwx_00E70000_0000A000:
PSSht4
.exeu]
%skxyyp.php?adv=adv414&code1=%s&code2=%s&id=%d&p=%s&b=%s&c=%d
Chrome
Firefox
Opera
%syjeqmxs.exe
%slmzdd.php?adv=adv414&id=%d&c=%d
%shuwhjcx.exe
%swjwwnae.php?adv=adv414&id=%d&c=%d
%svlnjwlil.exe
%svvvmmddhvl.php?adv=adv414&id=%d&c=%d
%sdfojmv.exe
%shhlycptx.php?adv=adv414&id=%d&c=%d
%strqwcc.exe
%ssbsfwao.php?adv=adv414&id=%d&c=%d
%sbebcklqy.exe
%suhhymdqu.php?adv=adv414&id=%d&c=%d
%sjcxwpv.exe
%sivjwneei.php?adv=adv414&id=%d&c=%d
%sojsbbw.exe
%sbosgwxbeff.php?adv=adv414&id=%d&c=%d
%sogqpmmg.exe
%sscctgxkbb.php?adv=adv414&id=%d&c=%d
%sqrls.exe
%slyyyzdduh.php?adv=adv414&id=%d&c=%d
%sapfnemre.exe
%snnrfjmqeh.php?adv=adv414&id=%d&c=%d
%svvvjzar.php?adv=adv414&id=%d&c=%d
hXXp://balegion.com/bdqqu/
hXXp://aaaholic.com/bdqqu/
psapi.dll
ddraw.dll
urlmon.dll
shell32.dll
kernel32.dll
user32.dll
wininet.dll
ntdll.dll
\svchost.exe
explorer.exe
%Documents and Settings%\%current user%\pp.exe
ShellExecuteExA
InternetOpenUrlA
.text
`.rdata
@.data
.reloc
&ew%.YY
ver74%skxyyp.php?adv=
SafariChromeFiref
r[z`.rd
KERNEL32.DLL
ADVAPI32.dll
DDRAW.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
svchost.exe_1096_rwx_01730000_00014000:
hXXp://%s/?xurl=%s&xref=%s
winmm.dll
ole32.dll
maxhttpredirects
software\microsoft\windows\currentversion\internet settings
enablehttp1_1
software\microsoft\windows\currentversion\internet settings\zones\3
%s\%s
clk=%s&bid=%s&aid=%s&sid=%s&rd=%s
atl.dll
oleaut32.dll
n%D,3
%d|%d|%s|%s
Mozilla/4.0 (compatible; MSIE 1.0; Windows NT; CMD3)
%s%s|%s|%s|%s
DownloadAndExecute
DownloadCryptedAndExecute
DownloadCryptedAndExecute2
CmdExec
%s%s|%s|%d|%.8s
%[^.].%[^(](%[^)])
command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s
CmdExecMain
_CmdExecServers
%s%s|%s|%s
setup.exe
google;yahoo;bing.;live.com;msn.com;altavista.com;ask.com;exalead.com;excite.com;dogpile.com;metacrawler.com;webcrawler.com;alltheweb.com;.lycos.;gigablast.com;cuil.com;.aol.;entireweb.com;.search.com;mamma.com;mytalkingbuddy.com;about.com;conduit.com;alexa.com;alltheinternet.com;blinkx.com;aolcdn.com;othersonline.com;everesttech.net;adrevolver.com;tribalfusion.com;adbureau.net;abmr.net;gstatic.com;virtualearth.net;atdmt.com;ivwbox.;powerset.net;yimg.com;2mdn.net;doubleclick.net;iwon.com;scorecardresearch.com;66.235.120.66;66.235.120.67;ytimg.com;infospace.com;edgesuite.net;superpages.com;lygo.com;compete.com;firmserve.com;worthathousandwords.com;yieldmanager.com;wazizu.com;meedea.com;atwola.com;doubleverify.com;tacoda.net;truveo.com;openx.org;adcertising.com;twimg.com;picsearch.com;oneriot.com;.com.com;flickr.com;searchvideo.com;.tqn.com;myspacecdn.com;fimservecdn.com;alexametrics.com
HTTP/1.1 302 Found
Location: %s
HTTP/1.1 200 OK
Content-Length: %d
%sConnection: close
<body><a id=link target=_top></body><script>var url='%s';try{var x=document.getElementById('link');x.href=url;x.click()}catch(e){try{var x=parent?parent:window;x.location.replace(url)}catch(e){}}</script><noscript><META http-equiv="refresh" content="0;URL='%s'"></noscript><iframe src='%s' style='visibility:hidden;'></iframe>
<script>history.back()</script>
Set-Cookie: %s; expires=%s, u-%s-u u:u:u GMT
bckfg.tmp
hXXp://95.143.193.171/
dkmks.tmp
cfg.ini
urlmon.dll
chrome
%s|%s|%s|%s|%s|%s|%s|%s
hXXp://95.143.193.138/xxxx_5/
svchost.exe
Global\9e6af8f3-75f3-4b67-877a-c80125d7bc08
update|%s
firefox
opera
Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
Global\cc51461b-e32a-4883-8e97-e0706dc65415
keywords
Accept-Language: %s
%s hXXp://%s/?xurl=%s&xref=%s
%s %s
1.6|%s|%s|%s|%s|%s|%s
0123456789
software\classes\http\shell\open\command
<>:"/\|?*
%s-%s
. d SP.%s
%s.dll
kernel32.dll
.text
.rdata
Global\452fefe0-a06e-400f-8d6b-6a12a0a09d4b
VVV.google.
search.yahoo.com
.altavista.com
/web/results
.ask.com
VVV.exalead.com
/search/web/results
VVV.alltheweb.com
search.lycos.
tab=web
gigablast.com
cuil.com
.aol.
entireweb.com
md=web
VVV.search.com
VVV.mamma.com
mytalkingbuddy.com
searchservice.myspace.com
type=web
search.conduit.com
search.toolbars.alexa.com
alltheinternet.com
/ws/results/web/
%u|%u
ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s
hXXp://%s%s
?xurl=
%s#%s
url|%s%s
http/1.
mozilla
windowsupdate
%WinDir%\System32\svchost.exe
62052111302
\\?\globalroot\device\000002d9\09b0091c
cmd.dll
\\?\globalroot\device\000002d9\09b0091c\keywords
\\?\globalroot\device\000002d9\09b0091c\cfg.ini
WinExec
SHEnumKeyExA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoW
InternetCrackUrlA
`.rdata
@.data
.reloc
maWuage%X
CMD3)
:h.dE;'
l8Z.RS
KERNEL32.DLL
ADVAPI32.dll
imagehlp.dll
ntdll.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WebBrowser
%s-%d
eplorer\iexplore.exe" -nohome
spoolsv.exe_1424_rwx_00DD0000_00100000:
/%DWR
s.VgcB\Ca
(x%sN
VP.xt
%b%xDc
.text
`.rdata
@.data
.config
.reloc
t%SSS
N. d SP.
%x%x%x%x%x%x
%s|%s|%s|%x|%x|%s|%x|%x|prn15
%[^;];%[^;];%[^;];
kernel32.dll
ntdll.dll
\\?\globalroot\systemroot\system32\kernel32.dll
%s\cfg.ini
%s\config.ini
%s\drv32
cmd.dll
%s\bckfg.tmp
%s\cmd.dll
%s\cmd64.dll
Global\9e6af8f3-75f3-4b67-877a-c80125d7bc08
%[^|]|%[^|]|%s
system\currentcontrolset\services\%x
\\?\globalroot%s\cmd.dll
\\?\globalroot%s\cfg.ini
\\?\globalroot%s\bckfg.tmp
\\?\globalroot%s\ldr16
\\?\globalroot%s\ldr32
\\?\globalroot%s\ldr64
\\?\globalroot%s\drv64
\\?\globalroot%s\cmd64.dll
cmd64.dll
\\?\globalroot%s\drv32
\\?\globalroot\systemroot\system32\kdcom.dll
\\?\globalroot\systemroot\system32\hal.dll
\\?\globalroot\systemroot\system32\ntoskrnl.exe
\\?\globalroot\systemroot\system32\drivers\etc\hosts
cfg.ini
aid=%s
sid=%s
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=%s
wsrv=%s
psrv=%s
bckfg.tmp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>
ZwConnectPort
spoolsv.exe
GetWindowsDirectoryW
KERNEL32.dll
RegCreateKeyA
RegCloseKey
ADVAPI32.dll
SHDeleteKeyA
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
RPCRT4.dll
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
ShellExecuteW
SHELL32.dll
ole32.dll
WINSPOOL.DRV
.pnLu
`.reloc
kdcom.dll
ntoskrnl.exe
`.pdata
6.nX*
.iLUZ
.ZmtP
re.npp
qc.beJ6
(|)%D
.PFkX
:F-I}|
.JOf~
O.BY#
3&343:3@3
\{x-x-x-x-xx}\registry\machine\%S
\??\physicaldrive%d
services.exe
\??\globalroot\systemroot\system32\tasks\%x
\\?\globalroot%s
%s.manifest
%s\setup%u.exe
r\\?\globalroot%s
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
tasklist.exe:352
%original file name%.exe:1300
oo.exe:1788
pvc32.exe:1268
m6PEES9OLyE21U.exe:968
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\pp.exe (32 bytes)
%Documents and Settings%\%current user%\m6PEES9OLyE21U.exe (267 bytes)
%Documents and Settings%\%current user%\pvc32.exe (1568 bytes)
%Documents and Settings%\%current user%\oo.exe (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\40.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\xaufuoz.exe (1991786 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"xaufuoz" = "%Documents and Settings%\%current user%\xaufuoz.exe /S"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.