Gen.Variant.Kazy.488548_3cf6abb049

by malwarelabrobot on November 19th, 2014 in Malware Descriptions.

Trojan.Win32.Foxhiex.cdg (Kaspersky), Gen:Trojan.Heur.DNP.Lm0@aC4Qisl (B) (Emsisoft), Gen:Variant.Kazy.488548 (AdAware), GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, HackTool, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 3cf6abb0498d73caf7b138a082cd7d97
SHA1: b23a44a2441cd4f820443c750f2cd1f438ca3beb
SHA256: c892dd42ad9d008b7c143361164a27b9ed130315e776a98ddfe1ee6fc5f439fc
SSDeep: 12288:7CbhfSKwGYtEM rg76rpr6hMJKvoAUJe08G8ezqe:WlRwGYiJAmaou087e
Size: 606720 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller Inc.
Created at: 2014-11-02 23:45:02
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

vbc.exe:2568
vbc.exe:2680
%original file name%.exe:3672

The Trojan injects its code into the following process(es):

%original file name%.exe:3928

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process vbc.exe:2568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (2 bytes)

The process %original file name%.exe:3672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\JiVlrz.exe (4185 bytes)

The process %original file name%.exe:3928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\pid.txt (4 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (4185 bytes)
%System%\wbem\Logs\wbemprox.log (160 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)

Registry activity

The process vbc.exe:2568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D B5 8D FF 3C 28 C1 84 7F 38 B4 B4 1B 72 30 1C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The process vbc.exe:2680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 21 64 BA F0 FC FE 7B 02 32 16 B6 70 3B AA FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process %original file name%.exe:3672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 27 00 2D 61 DB 67 76 AF 49 BD 39 A9 B4 04 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bSILlzCwXBS" = "%Documents and Settings%\%current user%\Application Data\Microsoft\JiVlrz.exe"

The process %original file name%.exe:3928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 4D C4 73 98 B5 C6 1A 31 1B 83 C3 D0 2D 0D EE"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\3cf6abb0498d73caf7b138a082cd7d97\DEBUG]
"Trace Level" = ""

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\3cf6abb0498d73caf7b138a082cd7d97\DEBUG]
"Trace Level"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name: JiVlrz
Product Version: 2.5.10.54837
Legal Copyright: (c)2014 Jnz68m All Rights Reserved.
Legal Trademarks:
Original Filename: 6239.exe
Internal Name: 6239.exe
File Version: 2.5.10.54837
File Description: JiVlrz
Comments: JiVlrz
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 581097 581120 5.53652 32abe61571f590f0976597a8144d9ddc
.rsrc 589824 24402 24576 3.74719 44bba85a286527159f50ad2f2edc0fe9
.reloc 614400 12 512 0.070639 ab1feb615a5816a4ab35827d3dccc6ee

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://whatismyipaddress.com/ 66.171.248.172
smtp.gmail.com 173.194.76.108


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    vbc.exe:2568
    vbc.exe:2680
    %original file name%.exe:3672

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\JiVlrz.exe (4185 bytes)
    %Documents and Settings%\%current user%\Application Data\pid.txt (4 bytes)
    %Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (4185 bytes)
    %System%\wbem\Logs\wbemprox.log (160 bytes)
    %Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "bSILlzCwXBS" = "%Documents and Settings%\%current user%\Application Data\Microsoft\JiVlrz.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now