MD5: 5bee692ac74b1452977387616e77d4c9
SHA1: 4d136153c1661b8dd605c10d35257d7c5a604c31
SHA256: 98bc8d2a47a84cafd677a124646a1a0ec9291bb953c7b4d5658b67ea4d680281
SSDeep: 3072:NZEO4EOrXf T ZgmJauEYd2DQ5baaKRriOrdeo5gIv/Y52BB:N 5Ewv CZL8etKRhd15i50
Size: 160983 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ezinstall manager
Created at: 2012-11-12 05:03:28
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:404
reg.exe:1328
reg.exe:1592

The Trojan injects its code into the following process(es):

%original file name%.exe:864

File activity

The process %original file name%.exe:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TZTZDEL.bat (215 bytes)

Registry activity

The process %original file name%.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"TZTZDEL.bat" = "TZTZDEL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"FrameServr.exe" = "FrameServr"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E F4 6A 8E B2 30 8F 45 C8 F1 79 6C 8F 9E 75 E0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\winlogon]
"UserInit" = "%System%\userinit.exe,%System%\DCIM.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%System%\DCIM.exe"

The process reg.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 6F 3F 69 9B 5F 4E 9D D5 63 24 31 24 5C 68 27"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kernelfaultEx" = "C:\Windows\system32\FRAMES~1.EXE"

The process reg.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 76 11 62 8B F3 ED 12 0F 41 D4 32 9E 3C A6 1B"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kernelfaultEx" = "C:\Windows\system32\FRAMES~1.EXE"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

.data

.rsrc

@.mdata

MSVBVM60.DLL

D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB

VBA6.DLL

\r.tY

@*\AC:\sxs\Project1.vbp

open=DCIM.exe

Scripting.FileSystemObject

Wscript.Shell

\DCIM.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

\userinit.exe,

HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit

\autorun.inf

\AUTORUN.INF

BOOT.INI

1.00.0081

DCIM.exe

FrameServr.exe_1588:

.text

`.rdata

@.data

.rsrc

kernel32.dll

explorer.exe

%s*.*

%s%s\

TREAT %s OK %s

TREAT %s FAIL %s

%sRecord.dll

<>

INJECT OK %s

INJECT FAIL %s

<>

%s~%s

UServerExitd

c:\windows\temp\

c:\windows\system32\

c:\windows\debug\

KERNEL32.dll

MSVCR80.dll

_amsg_exit

_crt_debugger_hook

C:\Users\ASPIRE~1\AppData\Local\Temp\

C:\Windows\system32\

C:\Windows\system32\FrameServr.exe

FrameServr.exe

server.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:404
   reg.exe:1328
   reg.exe:1592

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\TZTZDEL.bat (215 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "kernelfaultEx" = "C:\Windows\system32\FRAMES~1.EXE"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "kernelfaultEx" = "C:\Windows\system32\FRAMES~1.EXE"

5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "UserInit" = "%System%\userinit.exe,%System%\DCIM.exe"

6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.