Gen.Variant.Kazy.288402_d9872a07f9
Susp_Dropper (Kaspersky), Gen:Variant.Kazy.288437 (B) (Emsisoft), Gen:Variant.Kazy.288402 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d9872a07f9990e94feab39de2fa22373
SHA1: 375a2ca5e369f46f53efd625921edda573a458f4
SHA256: 1d56c27c56154845c7931bb54fc5935f82fa51b3b3b501b43a933afa55dc9f8b
SSDeep: 6144:ZbiTBxCdEuTJComYUS/AABLYg9RtrS4KQlpW4GMQ G4kUVCAkpfJNgUuUX7Nyx3f:ZbiTBxCOUJCaTPUg9RgrQlP1Q15UV9YC
Size: 347449 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-08 17:42:50
Analyzed on: Windows XP SP3 32-bit
Summary:
Trojan-PSW: a Trojan program intended for stealing users' passwords.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2744
%original file name%.exe:2916
neaz.exe:2492
neaz.exe:2544
The Trojan injects its code into the following process(es):
Explorer.EXE:1948
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Ejizqy\neaz.exe (2452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IPM2A89.bat (173 bytes)
The process neaz.exe:2492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\ntuser.dat.LOG (5848 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6428 bytes)
Registry activity
The process %original file name%.exe:2744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D DB 77 21 D4 C8 97 88 E2 B5 F7 63 D7 B3 82 E6"
The process %original file name%.exe:2916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 82 83 DE 86 51 AA 0E BD B0 06 4C FA 8F 9F 13"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process neaz.exe:2492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 21 E3 F8 33 36 96 6D A9 8D B6 9D 58 C3 B9 A3"
[HKCU\Software\Microsoft\Obxidaule]
"23959ic7" = "umtV2w9fmYTKG2mFQ7s CA==#"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process neaz.exe:2544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 4E 83 60 92 F2 3C CE 88 67 03 7E D5 83 17 26"
Dropped PE files
| MD5 | File path |
|---|---|
| 4aac371232ead0e1b127733a6865f363 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Ejizqy\neaz.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan installs the following user-mode hooks in Secur32.dll:
UnsealMessage
SealMessage
DeleteSecurityContext
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
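The hooks listed above sit on the APIs through which HTTP request and response data (WININET), certificate imports (CRYPT32), clipboard and keyboard messages (USER32) and raw socket traffic (WS2_32) pass, which is how a banker of this family reads form data before or after it is encrypted. A sandbox finds them by comparing each export's first bytes as mapped in the process with the same bytes in the file on disk and decoding the redirection stub. The script below is an added example for this report, not Lavasoft tooling and not code recovered from the sample; it implements that comparison for the common x86 stubs and reports whether the hook leads into memory backed by no loaded module, which is what injected code looks like. Every address, module range and byte string in it is constructed for the demo and is not taken from the analysed host.

```python
"""Classify user-mode inline hooks of the kind listed under 'Rootkit activity'.

Added example for this report, not Lavasoft tooling.  It compares an export's first
bytes on disk with the bytes in the loaded image, recognises the usual x86 redirection
stubs, and reports where each hook leads.  All addresses, module ranges and byte
strings below are constructed for the demo; none come from the analysed sample."""
import struct
from typing import Dict, List, Optional, Tuple

Modules = Dict[str, Tuple[int, int]]        # module name -> (start_va, end_va)


def decode_redirect(mem: bytes, func_va: int) -> Optional[Tuple[str, int]]:
    """Return (stub_kind, destination) if `mem` begins with a known hook stub, else None."""
    if len(mem) >= 5 and mem[0] == 0xE9:                              # JMP rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:           # PUSH imm32 ; RET
        return "push/ret", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 7 and mem[0] == 0xB8 and mem[5:7] == b"\xff\xe0":  # MOV EAX,imm32 ; JMP EAX
        return "mov eax/jmp eax", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 6 and mem[:2] == b"\xff\x25":                      # JMP DWORD PTR [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", mem, 2)[0]     # pointer slot, not final target
    return None


def owner_module(modules: Modules, va: int) -> Optional[str]:
    """Name of the loaded module that contains `va`, or None if the address is unbacked."""
    for name, (lo, hi) in modules.items():
        if lo <= va < hi:
            return name
    return None


def classify_export(name: str, func_va: int, disk: bytes, mem: bytes,
                    modules: Modules) -> Dict:
    """Compare on-disk and in-memory prologues; flag hooks that land outside any module."""
    n = min(len(disk), len(mem))
    if disk[:n] == mem[:n]:
        return {"export": name, "hooked": False}
    hit = decode_redirect(mem, func_va)
    kind, dest = hit if hit else ("unknown patch", None)
    dest_owner = owner_module(modules, dest) if dest is not None else None
    return {"export": name, "hooked": True, "stub": kind, "dest": dest,
            "dest_module": dest_owner,
            "unbacked": dest is not None and dest_owner is None}


def scan(exports: Dict[str, Tuple[int, bytes, bytes]], modules: Modules) -> List[Dict]:
    """exports: export name -> (va, prologue bytes on disk, prologue bytes in memory)."""
    return [classify_export(n, va, d, m, modules) for n, (va, d, m) in exports.items()]


def jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """The 5-byte JMP a hooking engine writes at src_va (used to build the constructed sample)."""
    return b"\xe9" + struct.pack("<i", dst_va - (src_va + 5))


# ---- constructed sample: hypothetical addresses, not from the analysed host ----
STD_PROLOGUE = b"\x8b\xff\x55\x8b\xec"            # mov edi,edi ; push ebp ; mov ebp,esp
DEMO_MODULES: Modules = {"WININET.dll": (0x771B0000, 0x772A0000),
                         "ntdll.dll": (0x7C900000, 0x7C9AF000)}
INJECTED_REGION = 0x00A80000                       # unbacked RWX allocation in the host process
DEMO_EXPORTS = {
    # hooked with a 5-byte JMP into the injected region
    "HttpSendRequestA": (0x771C1234, STD_PROLOGUE,
                         jmp_rel32(0x771C1234, INJECTED_REGION + 0x40)),
    # hooked with PUSH/RET into the same region
    "InternetReadFile": (0x771C5678, STD_PROLOGUE,
                         b"\x68" + struct.pack("<I", INJECTED_REGION + 0x80) + b"\xc3"),
    # untouched export for comparison
    "InternetOpenA": (0x771C9ABC, STD_PROLOGUE, STD_PROLOGUE),
}


def demo() -> List[Dict]:
    """Run the scan over the constructed exports and module map."""
    return scan(DEMO_EXPORTS, DEMO_MODULES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live system the `disk` bytes come from the module file mapped read-only and the `mem` bytes from ReadProcessMemory on the target; a hook whose destination is not owned by any loaded module, as both hooked entries above are, is the strongest signal, since legitimate detours (AV shims, application compatibility layers) normally resolve to a named DLL.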
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 25944 | 26112 | 4.07267 | 8426a1495a62c318d53ea1f0fbaa160a |
| .idata | 32768 | 3532 | 3584 | 3.54497 | c40fd005544f8011a9b339cbb7c52071 |
| .CRT | 36864 | 4 | 512 | 0.042395 | 9b48522a507c88a047d33270e55b537b |
| .rsrc | 40960 | 14136 | 36864 | 4.84285 | f866d6cd92f982bb522009d99a2fc76e |
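The file hashes at the top of the report and the per-section entropy and MD5 in the table above are the values an analyst recomputes to confirm a local copy is the same sample and to see which sections carry packed or encrypted data (the file-level verdict here is "Entropy: Packed"). The script below is an added example, not Lavasoft tooling: it walks the PE header to the section table and produces the same columns using only the Python standard library. The PE it runs on is a constructed minimal PE32 built by `build_demo_pe()`, not the analysed binary, so the numbers it prints are the demo's, and the entropy column is Shannon entropy in bits per byte (0 to 8); the report does not state how its own column is scaled, so treating the two as directly comparable is an assumption.

```python
"""Recompute the report's file hashes and 'PE Sections' table from a PE image.

Added example for this report, not Lavasoft tooling.  Standard library only, so it runs
offline; the input is a constructed minimal PE32 from build_demo_pe(), not the analysed
sample.  Entropy is Shannon entropy in bits per byte (0-8)."""
import hashlib
import math
import struct
from typing import Dict, List


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 / SHA1 / SHA256 of the whole file, as in the report header."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table (40 bytes per entry)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]    # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def format_table(sections: List[Dict]) -> str:
    """Render in the same column order as the report's 'PE Sections' table."""
    lines = ["| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |",
             "|---|---|---|---|---|---|"]
    for s in sections:
        lines.append("| {name} | {virtual_address} | {virtual_size} | {raw_size} | "
                     "{entropy:.5f} | {md5} |".format(**s))
    return "\n".join(lines)


def build_demo_pe() -> bytes:
    """Constructed PE32 with three sections; just enough header for parse_sections()."""
    e_lfanew, size_opt, file_align = 0x40, 0xE0, 0x200
    specs = [  # (name, VirtualSize, raw section bytes)
        (b".text", 0x200, bytes(range(256)) * 2),          # every byte value twice -> entropy 8.0
        (b".bss", 0x1000, b""),                            # no raw data on disk
        (b".CRT", 4, b"\0" * 256 + b"\xff" * 256),         # two equiprobable symbols -> entropy 1.0
    ]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)   # PE32 magic, rest zeroed
    hdr_end = e_lfanew + 4 + len(coff) + size_opt + 40 * len(specs)
    raw_base = -(-hdr_end // file_align) * file_align          # round up to file alignment
    va, table, body = 0x1000, b"", b""
    for name, vsize, raw in specs:
        ptr = raw_base + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        va += (max(vsize, 1) + 0xFFF) & ~0xFFF                 # next section on a 4 KiB page
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_base - len(image)) + body


if __name__ == "__main__":
    pe = build_demo_pe()
    print(file_hashes(pe))
    print(format_table(parse_sections(pe)))
```

Point `parse_sections()` at the bytes of a real file to reproduce the table for it; a section whose entropy approaches 8 while its virtual size far exceeds its raw size is the usual signature of a packer stub that unpacks into the section at run time.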
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Strings
.text
`.data
.reloc
Invalid parameter passed to C runtime function.
)"4(7*</
!*< ?"4'
0123456789
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
hXXp://VVV.google.com/
hXXp://VVV.bing.com/
REPORT
gdiplus.dll
GdiplusShutdown
RegDeleteKeyExW
HTTP/1.1
m9.td
t.Ht$HHt
ntdll.dll
KERNEL32.dll
ExitWindowsEx
MsgWaitForMultipleObjects
GetKeyboardState
USER32.dll
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll
zcÁ
: :$:(:,:0:4:
7!7%7)7-7175797
4-5}5
:":(:3:9:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
"%s" %s
/c "%s"
kernel32.dll
urlmon.dll
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
shell32.dll
\StringFileInfo\xx\%s
cabinet.dll
Wadvapi32.dll
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2744
%original file name%.exe:2916
neaz.exe:2492
neaz.exe:2544
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Ejizqy\neaz.exe (2452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IPM2A89.bat (173 bytes)
%Documents and Settings%\%current user%\ntuser.dat.LOG (5848 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6428 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.