Gen.Variant.Hiloti.2_625334336a
Trojan-Downloader.Win32.Mufanom.aqda (Kaspersky), Gen:Variant.Hiloti.2 (B) (Emsisoft), Gen:Variant.Hiloti.2 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 625334336a3e76847cc128b36ce55ea3
SHA1: 20c1d36981ada39e0710a801aeb45b2143b943cd
SHA256: 45501b21d4e079d3a2e8488d0c5b306e3236815b7522884eb57a7fe09b42bfea
SSDeep: 1536:9P/SUYRI4Qd7MDXKpTLTaFVs/GoMcxQXoDd LG6:tU d78Xi3T0caoD96
Size: 61952 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: no certificate found
Created at: 2010-03-11 18:04:05
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:432
rundll32.exe:1196
The Trojan injects its code into the following process(es):
rundll32.exe:652
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\TPavavan.dll (61 bytes)
Registry activity
The process %original file name%.exe:432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 BC 06 28 6E DD 9D BD 1C 1B 93 39 CD B3 CA 03"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Ydapup" = "44 01 47 03 33 05 3F 07 38 09 32 0B 49 0D 4C 0F"
The process rundll32.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 0B BD 68 97 DE 6B 24 65 01 64 62 F7 3C 69 6C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "154"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\TPavavan.dll,Startup"
The process rundll32.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 46 A5 4F ED 96 5A 4F 95 64 BC 8D 84 87 7C 19"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
Dropped PE files
| MD5 | File path |
|---|---|
| f4dabd942d80f899523dab5e8cd09014 | c:\WINDOWS\TPavavan.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Open Source Software community project
Product Name:
Product Version: 2, 1, 0, 0
Legal Copyright: Copyright (C) Project contributors 1998-2004
Legal Trademarks:
Original Filename: pthreadVC
Internal Name: pthreadVC
File Version: 2, 1, 0, 0
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 49152 | 46080 | 5.01084 | 655081d1b20c94cc7e1b665b6126999e |
| .data | 53248 | 12288 | 11264 | 3.92629 | 76ed43f39daf698eb20471c9f7de9ab4 |
| .rsrc | 65536 | 4096 | 2048 | 1.44159 | 646d25b6cb337dc273113143e94883c2 |
| .reloc | 69632 | 4096 | 1536 | 3.71805 | 84b330a79439c4c707d829461ef3329a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://102107de0805.gerborn.com/get2.php?c=HUXKCMMH&d=26606B67393436333A2F676268307D3F222022232225223177757E4469747A2219151A4210121F150E5C434F11696B1809010A767673050E090D0B0C7A040A7D76777A74727002027E700B790A6B2C263E273721696463637E383E36616C783013170711595048564E1D030807505E5F40414A45434647455E0908141F403B07F0EDEDF1E1F7A8C2D0CCACE7E8FFD1EAADA0B4F0F8FBE2C8FDA4AABDEBABAAA29087C49E9583D49A998FC9C5C8C193F7E08694F6FBE7 | |
| 0000831609.948a4792.01.de7908ebf391417f94b668765de69a2f.n.empty.1042.empty.5_1._t_i.ffffffff.sandbox_svc_exe.154.rc2.a4h9uploading.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Hiloti/Mufanom Downloader Checkin
ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers
Traffic
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
rundll32.exe_652_rwx_00930000_00010000:
%SjOh
rundll32.exe_652_rwx_10000000_00001000:
.text
`.data
.reloc
Explorer.EXE_532_rwx_00ED0000_00001000:
.text
`.data
.reloc
Explorer.EXE_532_rwx_01FF0000_00010000:
%SjOh
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:432
rundll32.exe:1196
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\TPavavan.dll (61 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\TPavavan.dll,Startup"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.