Gen.Variant.Kazy.161416_fa074acd52
Trojan.Win32.Agent.aghbi (Kaspersky), Gen:Variant.Kazy.161416 (B) (Emsisoft), Gen:Variant.Kazy.161416 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: fa074acd523f1f99181b90bb1688c36f
SHA1: b573cd46f72a87b6fe600a5e082df8d6c3c48e97
SHA256: e5b8fa9ac49ac8e788eee149831444906eb01daff4bf5001fd284118ef10157f
SSDeep: 12288:S0t5l 0rZX ZTu1kxyIhtsLlnd72IU3Va8e299wwAUuxYSRP:DlV3wX01
Size: 487424 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Windows
Created at: 2014-04-28 08:03:21
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). The behaviour verdict above covers only what the sandbox observed. Strings recovered from the sample (listed later in this report) reference the Google Chrome "Login Data" SQLite store, Firefox signons and the NSS libraries (nss3.dll, softokn3.dll, PK11_GetInternalKeySlot), Opera wand.dat, Windows Live Messenger credentials (msidcrl.dll, PassportFreeMemory), Steam ClientRegistry.blob, a keyboard hook (SetWindowsHookExA) with an anti-KeyScrambler routine, and SMTP/FTP delivery settings (smtp, port, ftpuser, ftppass, ftpurl); the embedded PDB path names the project "SysLogger Stub". Together these indicate a Visual Basic .NET credential-stealer/keylogger build, not just an autorun worm, even though no exfiltration traffic was captured during this run.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
0.exe:1980
%original file name%.exe:1164
The Trojan injects its code into the following process(es):
0.exe:348
File activity
The process 0.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MSASCui.exe (601 bytes)
%System%\drivers\etc\hosts (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\stcheck.txt (8 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
The process %original file name%.exe:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\0.exe (129 bytes)
Registry activity
The process 0.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry. Note that the RNG "Seed" write is a side effect of any CryptoAPI call, and the Explorer "Shell Folders" and "MountPoints2" writes are made by the shell whenever a process asks for profile paths or enumerates drives; they are not indicators of this sample on their own. The Run-key entry below is the value worth hunting for.
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 87 06 8C B1 10 4B F4 C2 9F AE 08 90 7F 03 74"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To run again each time the user logs on (HKCU\...\Run is processed at logon, not at boot), the Trojan adds a link to its file under the per-user autorun key. The value name "Windows Defender" and the file name MSASCui.exe mimic the legitimate Windows Defender user-interface binary, which lives under %ProgramFiles%\Windows Defender, never under a user's Temp directory:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Local Settings\Temp\MSASCui.exe"
The process 0.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 DD 29 5E FE 27 10 29 61 A8 C9 25 E7 7A 0D 4E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 35 4D 51 30 95 34 D8 F8 BB CC F7 77 2E 4D 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"0.exe" = "amsu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the following Internet Explorer security-zone mapping values. UNCAsIntranet places UNC paths in the Intranet zone, IntranetName places single-label (dotless) host names that belong to no other zone in the Intranet zone, and ProxyBypass places addresses that bypass the proxy in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"IntranetName" = "1"
"ProxyBypass" = "1"
These are the default values for the ZoneMap settings and show up in sandbox reports whenever a process initialises WinINet, so by themselves they are weak indicators; read them as context for the HOSTS and autorun findings rather than as a signature.
Dropped PE files
| MD5 | File path |
|---|---|
| 04c79b7d4ddbf513b48a072e78d595b7 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\0.exe |
| 04c79b7d4ddbf513b48a072e78d595b7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\MSASCui.exe |
Both dropped files share one MD5, so they are byte-identical copies of the same PE image. The 129-byte and 601-byte figures given under File activity therefore cannot both be final sizes of that file; they reflect what the sandbox saw being written, not the size on disk. Hash the files themselves when matching against this indicator.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which the resolver consults before DNS when mapping host names to IP addresses.
The modified file is 120 bytes in size. The following lines are added to the hosts file:
| Address | Name |
|---|---|
| 127.0.0.1 | 74.53.201.162 |
| 127.0.0.1 | 66.66.132.220.30 |
| 127.0.0.1 | 66.35.241.92 |
| 127.0.0.1 | 94.23.199.60 |
Every "name" in these entries is itself an IP literal, and 66.66.132.220.30 is not even a well-formed IPv4 address (five octets). The resolver does not consult the hosts file for numeric addresses, so these lines do not change where any connection goes; treat them as a fingerprint of this sample rather than as evidence of traffic redirection.
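The hosts-file check below is an added example, not part of the Lavasoft report: it parses a hosts file and classifies each entry, separating the inert IP-literal lines this sample adds from the two cases that actually matter in an investigation, a real name sinkholed to loopback (typical of update or AV blocking) and a real name redirected to another address (typical of phishing). The sample file is constructed: the default XP line, the four lines listed above, and two invented names (update.antivirus.example, login.bank.example) to show the other categories.

```python
"""Parse a Windows hosts file and classify the entries worth a second look."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the default XP line, the four lines this report says the
# sample appended, and two invented names that show the cases the appended
# lines do NOT trigger (a real-name sinkhole and a redirect elsewhere).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 74.53.201.162
127.0.0.1 66.66.132.220.30
127.0.0.1 66.35.241.92
127.0.0.1 94.23.199.60
127.0.0.1 update.antivirus.example
203.0.113.7 login.bank.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
DOTTED_DIGITS = re.compile(r"\d{1,3}(?:\.\d{1,3})+")


def parse_hosts(text):
    """One dict per non-comment line: line number, address, names, whether the address parses."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
            valid = True
        except ValueError:
            valid = False
        entries.append({"line": lineno, "ip": fields[0], "names": fields[1:], "valid_ip": valid})
    return entries


def classify_name(name, ip):
    """Why one 'ip name' pair is interesting, or None if it is benign."""
    try:
        ipaddress.ip_address(name)
        # The resolver never consults hosts for a numeric string: inert for
        # traffic, but still a fingerprint of whatever wrote it.
        return "ip-literal-target"
    except ValueError:
        pass
    if DOTTED_DIGITS.fullmatch(name):
        return "malformed-ipv4-target"      # e.g. five octets: 66.66.132.220.30
    if name.lower() in LOCAL_NAMES:
        return None
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "loopback-redirect"          # real name sinkholed (AV/update blocking)
    return "redirect"                       # real name sent somewhere else (hijack)


def find_anomalies(text):
    """All findings for a hosts file, including lines that do not parse at all."""
    findings = []
    for entry in parse_hosts(text):
        if not entry["valid_ip"] or not entry["names"]:
            findings.append({"line": entry["line"], "ip": entry["ip"], "name": None, "kind": "malformed-line"})
            continue
        for name in entry["names"]:
            kind = classify_name(name, entry["ip"])
            if kind:
                findings.append({"line": entry["line"], "ip": entry["ip"], "name": name, "kind": kind})
    return findings


def summarize(findings):
    """Count of findings per kind, e.g. {'ip-literal-target': 3, ...}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    results = find_anomalies(SAMPLE_HOSTS)
    for f in results:
        print(f"line {f['line']:>3}: {f['kind']:<22} {f['ip']} -> {f['name']}")
    print(summarize(results))
```

Run it against a copy of %SystemRoot%\system32\drivers\etc\hosts taken from the suspect machine; an unmodified XP hosts file yields no findings, and this sample's additions show up as three "ip-literal-target" lines and one "malformed-ipv4-target" line.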
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates an "autorun.inf" script on every removable drive it finds; the strings dump for this sample contains both "autorun.inf" and "shellexecute=". The script runs the Trojan's file when a user opens the drive in Windows Explorer. This only works where AutoRun is still honoured for removable media: Windows XP SP3 (the analysis platform here) honours it unless the AutoRun hardening update KB971029 (February 2011) is installed, and Windows 7 and later ignore autorun.inf on non-optical drives, so on patched hosts the copy on the drive has to be launched by hand.
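To find and assess such scripts on a mounted drive, the following scanner is an added example written for this page (not code from Lavasoft or from the sample). It parses autorun.inf the way a worm-hunter needs to, tolerant of padding lines and mixed case, pulls out every key that makes Explorer launch something, and checks whether the referenced file exists and carries the hidden or system attribute. The autorun.inf text is constructed from the keys in the strings dump; the payload name HDDFile.com is an assumption taken from the same strings dump, not a file this report observed being written.

```python
"""Parse autorun.inf tolerantly and flag the keys that make Explorer run a file."""
import os
import tempfile

# Constructed autorun.inf modelled on the keys in the strings dump ("autorun.inf",
# "shellexecute="). HDDFile.com is assumed as the payload name; the report did not
# observe that file being written.
SAMPLE_AUTORUN = """\
[AutoRun]
;padding lines like the next one are common and must not break parsing
@#$%^&*()
open=HDDFile.com
shellexecute=HDDFile.com
shell\\open\\command=HDDFile.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
useautoplay=1
"""

LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk"}
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4


def parse_autorun(text):
    """{key: value} for the [autorun] section; keys lower-cased, junk lines ignored."""
    section, commands = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        commands[key.strip().lower()] = value.strip()
    return commands


def first_token(command):
    """Program part of a command line: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(commands):
    """(key, program) for every key that makes Explorer run something."""
    return [(k, first_token(v)) for k, v in commands.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess(commands):
    """Human-readable reasons this autorun.inf looks like a worm's, if any."""
    findings = []
    for key, program in launch_targets(commands):
        if os.path.splitext(program)[1].lower() in EXEC_EXT:
            findings.append(f"{key} launches {program}")
    if commands.get("useautoplay") == "1":
        findings.append("useautoplay=1 asks Explorer to act on insertion")
    if "shell32.dll" in commands.get("icon", "").lower():
        findings.append("icon borrows a stock shell32.dll icon to look like a plain drive")
    return findings


def scan_drive(root):
    """Inspect one drive root: parse its autorun.inf and check the referenced files."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"autorun": False, "findings": [], "missing": [], "hidden": []}
    with open(inf, "r", errors="replace") as fh:
        commands = parse_autorun(fh.read())
    missing, hidden = [], []
    for _, program in launch_targets(commands):
        path = os.path.join(root, program.lstrip("\\/").replace("\\", os.sep))
        if not os.path.isfile(path):
            missing.append(program)
            continue
        # st_file_attributes exists only on Windows; elsewhere treat as not hidden.
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
        if attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
            hidden.append(program)
    return {"autorun": True, "commands": commands, "findings": assess(commands),
            "missing": missing, "hidden": hidden}


def demo_scan():
    """Build a throw-away 'drive' with the sample autorun.inf and a placeholder payload."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "HDDFile.com"), "wb") as fh:
            fh.write(b"MZ placeholder, not a real executable")
        return scan_drive(root)


if __name__ == "__main__":
    result = demo_scan()
    for line in result["findings"]:
        print(line)
    print("missing:", result["missing"], "hidden:", result["hidden"])
```

On a real machine call `scan_drive("E:\\")` for each removable drive letter; a non-empty "findings" list with an existing, hidden target is the pattern an autorun worm leaves, while a "missing" target usually means the payload was already cleaned and only the script remains.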
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: AU_PRO_Beta2.1.exe
Internal Name: AU_PRO_Beta2.1.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 462916 | 466944 | 2.76746 | 8c027484c9d94f7653bc813d2e45de62 |
| .rsrc | 475136 | 11704 | 12288 | 4.28415 | a2d56ed78694b04f918d512cdf81cc17 |
| .reloc | 491520 | 12 | 4096 | 0.011035 | 47951c75e1a143e2a563a306506d8b2a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
(none observed during this run)
Strings
.text
`.sdata
.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
Microsoft.VisualBasic
Syslogger_Stub.My
MyWebServices
SQLiteDataTypes
Keyboard
KeyStructure
CMSNMessengerPasswords
MSNPass
CMSNMessengerPassword
Syslogger_Stub.My.Resources
SQLiteHandler
sqlite_master_entry
Microsoft.VisualBasic.ApplicationServices
WindowsFormsApplicationBase
.ctor
Microsoft.VisualBasic.Devices
.cctor
get_WebServices
m_MyWebServicesObjectProvider
WebServices
System.Windows.Forms
System.Collections
loadCerts
System.Text
GetProcessHeap
sqlite3_open
sqlite3_close
sqlite3_exec
sqlite3_errmsg
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_count
sqlite3_column_name
sqlite3_column_type
sqlite3_column_int
sqlite3_column_double
sqlite3_column_text
sqlite3_column_blob
sqlite3_column_table_name
sqlite3_finalize
SQL_OK
SQL_ROW
SQL_DONE
System.Data
System.ComponentModel
smtp
port
ftpuser
ftppass
ftpurl
ftpst
DeleteMozillaCookies
DeleteMozillaSignons
user32.dll
AntiKeyscrambler
SetWindowsHookEx
KeyDelegate
SetWindowsHookExA
UnhookWindowsHookEx
Keys
System.Collections.Generic
HKEY_CURRENT_USER
KEY_QUERY_VALUE
KEY_ENUMERATE_SUB_KEYS
KEY_NOTIFY
KEY_SET_VALUE
KEY_CREATE_SUB_KEY
KEY_READ
KEY_WRITE
kernel32.dll
advapi32.dll
crypt32.dll
RegOpenKeyEx
hKey
lpSubKey
RegOpenKeyExA
RegEnumKeyEx
RegEnumKeyExA
RegCloseKey
shell32.dll
msidcrl.dll
PassportFreeMemory
m_MSNPass
getMSN75Passwords
DOMAIN_PASSWORD
DOMAIN_CERTIFICATE
DOMAIN_VISIBLE_PASSWORD
lpstrKeyword
strLogin
strPass
m_szLogin
m_szPassword
szLogin
szPassword
get_Password
get_Login
Password
Login
System.Resources
System.Globalization
System.Configuration
opera_salt
key_size
sUrlTemp
sPassTemp
sUrl
sPass
lasturl
LoginData
SQLDataTypeSize
sql_statement
System.CodeDom.Compiler
System.Diagnostics
Microsoft.VisualBasic.CompilerServices
System.ComponentModel.Design
HelpKeywordAttribute
System.Reflection
ContainsKey
InvalidOperationException
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.IO
DllImportAttribute
Crypt32.dll
System.Threading
System.Text.RegularExpressions
mozsqlite3
System.Drawing
get_ExecutablePath
MsgBoxResult
MsgBoxStyle
MsgBox
System.Net.Mail
SmtpClient
System.Net
set_Port
Operators
FtpWebRequest
WebRequest
Microsoft.Win32
Microsoft.VisualBasic.MyServices
System.Collections.ObjectModel
Microsoft.VisualBasic.FileIO
System.Security.Cryptography
set_Key
RegistryKey
OpenSubKey
GetExecutingAssembly
IsKeyLocked
get_ModifierKeys
Syslogger Stub.exe
Syslogger_Stub.Resources.resources
Syslogger_Stub.Form1.resources
8.0.0.0
My.Application
My.Forms
My.Computer
My.WebServices
My.User
System.Windows.Forms.Form
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
10.0.0.0
My.Settings
4.3.2.1
$92cfe5a8-c556-4a58-8735-4e19116a1afa
_CorExeMain
mscoree.dll
C:\Users\Public\Documents\Visual Studio 2010\Projects\SysLogger Stub\SysLogger Stub\obj\x86\Release\Syslogger Stub.pdb
\Google\Chrome\User Data\Default\Login Data
logins
origin_url
password_value
|----------------------------------------|Google Chrome|--------------------------------------------|
Password:
\Mozilla Firefox\
Password:
Mozilla Firefox
---Firefox---
mozcrt19.dll
nspr4.dll
plc4.dll
plds4.dll
ssutil3.dll
sqlite3.dll
mozsqlite3.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
SELECT name FROM sqlite_master WHERE type IN (
System.Int32
System.Single
System.String
icheck.txt
st.txt
stcheck.txt
|-----------------------------------|Windows Live Messenger|-----------------------------------|
Login:
127.0.0.1 74.53.201.162
127.0.0.1 66.66.132.220.30
127.0.0.1 66.35.241.92
127.0.0.1 94.23.199.60
\Steam\config\SteamAppData.vdf
HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam
ClientRegistry.blob
%Documents and Settings%\All Users\Start Menu\Programs\Startup\MSASCui.exe
Windows Defender
MSASCui.exe
errorchecker.txt
\Mozilla\Firefox\Profiles
svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HDDFile.com
autorun.inf
shellexecute=
Software\Microsoft\Windows\CurrentVersion\Run
keyscrambler
npfmsg
lo.txt
\MSN Messenger\msidcrl.dll
ps:password
PasswordMSN Messenger Service
Password.NET Messenger Service
User.NET Messenger Service
Passport.Net\*
82BD0E67-9FEA-4748-8672-D5EFE5B779B0
Syslogger_Stub.Resources
\Opera\Opera\wand.dat
\Opera\Opera\profile\wand.dat
http://
https://
ftp://
---Opera---
SQLite format 3
Not a valid SQLite 3 Database File
Auto-vacuum capable database is not supported
No supported Schema layer file-format
1.2.3.4
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
  0.exe:1980
  0.exe:348 (the process the Trojan injects into, listed under Process activity)
  %original file name%.exe:1164
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
  %Documents and Settings%\%current user%\Local Settings\Temp\MSASCui.exe (601 bytes)
  %System%\drivers\etc\hosts (120 bytes)
  %Documents and Settings%\%current user%\Local Settings\Temp\stcheck.txt (8 bytes)
  %Documents and Settings%\%current user%\Application Data\0.exe (129 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  "Windows Defender" = "%Documents and Settings%\%current user%\Local Settings\Temp\MSASCui.exe"
- Also check %Documents and Settings%\All Users\Start Menu\Programs\Startup\ for a copy of MSASCui.exe: the sample's strings reference that path, although no write to it was observed in this analysis.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
  127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.