MD5: b9323d6cec8fa12cf71a7751bb84e053
SHA1: 1481c8e21f86da987bd5f8fb2c2de704f9b05611
SHA256: c6893af2e6f10ddd8deb9578ab4308f5105aae21a39aeebd3eada01631ea0b02
SSDeep: 6144:j2DCpL75/OthTkY1kvYySZGd/MJ2uh3cgH7L8jeI96TRto4IDgUF7:qHthTkF9SZGdkEuh3zbQKI4RtCD3F7
Size: 454039 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-09-12 12:55:29
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ntvdm.exe:2944

The Trojan injects its code into the following process(es):

b9323d6cec8fa12cf71a7751bb84e053.usr:1780
%original file name%.exe:1908

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ntvdm.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7A1E.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7A2F.tmp (269 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7A1E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7A2F.tmp (0 bytes)

The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (24978 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\b9323d6cec8fa12cf71a7751bb84e053.usr (336768 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.usr (0 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.usr (0 bytes)

Registry activity

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 11
dedb3373d31e0ce73f867c5d571473b3
0ed1831d384ea5ef28231bf804ff383e
b732b585786e0deb68dc30facce165d4
177abe696d0f067e633beb0d455b9c89
b3f914c9ea8671bf7aeb55f89463b063
a292340828a0fad205ddedf4da216310
2704720d932ae1a351b9282daf5f8208
c7e116f32750928217894a88769f8330
07cef319f85a5696ca73824394de071a
246690f764ed5b3869a0b8f43e1efddd
c2a97f2bb092e5f0b2e6fb5ea4689862

URLs

URL	IP
sys.zief.pl	148.81.111.121

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Reply Sinkhole - irc-sinkhole.cert.pl

Traffic

The Trojan connects to the servers at the folowing location(s):

`.rsrc

D$(PSSh

ccRegVfy.exe

ccApp.exe

IEXPLORE.EXE

windows

\*.exe

33333330

3333333

33333333

.text

.data

.rsrc

msvcrt.dll

KERNEL32.dll

nddeapir.pdb

_acmdln

m.Zw%

ADVAPI32.DLL

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoysys.zief.pl

core.ircgalaxy.pl

NICK avabcadz

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 jL.chura.pl

#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>

KERNEL32.DLL

windowsupdate

drweb

user32.dll

kernel32.dll

MSVCIRT.dll

MSVCRT.dll

5.1.2600.0 (xpclient.010817-1148)

NDDEAPIR.EXE

Windows

Operating System

5.1.2600.0

%original file name%.exe_1908_rwx_00401000_00002000:

D$(PSSh

%original file name%.exe_1908_rwx_00419000_00005000:

ADVAPI32.DLL

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoysys.zief.pl

core.ircgalaxy.pl

NICK avabcadz

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 jL.chura.pl

#<iframe src="hXXp://jL.chura.pl/rc/" style="width:1px;height:1px"></iframe>

KERNEL32.DLL

windowsupdate

drweb

b9323d6cec8fa12cf71a7751bb84e053.usr_1780:

.text

.data

.rsrc

advapi32.dll

advpack.dll

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

setupapi.dll

setupx.dll

IXPd.TMP

TMP4351$.TMP

FINISHMSG

USRQCMD

ADMQCMD

msdownld.tmp

wextract.pdb

e\setup\iexpress\wextract\obj\i386\wextract.pdb

PSSSSSSh

t8SSh

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegQueryInfoKeyA

ADVAPI32.dll

GetWindowsDirectoryA

KERNEL32.dll

GDI32.dll

ExitWindowsEx

MsgWaitForMultipleObjects

USER32.dll

COMCTL32.dll

VERSION.dll

rundll32.exe %s,InstallHinfSection %s 128 %s

SHELL32.DLL

Software\Microsoft\Windows\CurrentVersion\RunOnce

PendingFileRenameOperations

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

%s /D:%s

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

Command.com /c %s

33333330

3333333

33333333

hnetwiz.dll

icsdclt.dll

ncxp16.dll

ncxp32.dll

ncxpnt.dll

WinXPChk.exe

HasUPnP.inf

NoUPnP.inf

ssdpapi.dll

upnp.dll

SSDPSRV.EXE

.bBbg5

nbr.iq

\.ENW

f#.Kn

oN%UX

@.Cud0

SqLi}

z(.zc

l.sc?}

.nS,<"

%X KjL6|

.KiK$

'f/

ÕRb

 %%U_

!E%Xk

ZFh.ds

$.hwo-7<

.oa>31Y

 CrT?

5B%DM

4f-uT}'

,`%DJ

R~.qV

QV%Svz

%sM)#!"

%D&E n

PADWelcome to the Network Setup Wizard. Before continuing, Windows must install some network support files on your computer and possibly restart your computer. If you are running Windows XP, the wizard will start immediately. Do you want to continue?

The Network Setup Wizard is supported only on Windows 98, Windows 98 SE, Windows Millennium Edition, and Windows XP. Instructions for configuring a network for other operating systems can be found in the help files in those systems.

@sqloc

Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.

CFailed to get disk space information from: %s.

System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?

8Unable to retrieve operating system version information.!Memory allocation request failed.

Filetable full.Ên not change to destination folder.

Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.

(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.

Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install

Could not create folder '%s'

To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.

Error retrieving Windows folder

$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .

System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.

/C:<Cmd> -- Override Install Command defined by author.

eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?

Could not find the file: %s.

:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.

6.00.2448.0000 (Lab04_N(rahulth).010206-1320)

WEXTRACT.EXE

Microsoft(R) Windows (R) 2000 Operating System

6.00.2448.0000

b9323d6cec8fa12cf71a7751bb84e053.usr_1780_rwx_01001000_00001000:

advapi32.dll

advpack.dll

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

setupapi.dll

setupx.dll

IXPd.TMP

TMP4351$.TMP

FINISHMSG

USRQCMD

ADMQCMD

msdownld.tmp

wextract.pdb

e\setup\iexpress\wextract\obj\i386\wextract.pdb

PSSSSSSh

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   ntvdm.exe:2944
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7A1E.tmp (335 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7A2F.tmp (269 bytes)
   C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (24978 bytes)
   C:\Windows\USR_Shohdi_Photo_USR.exe (6889122 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
   C:\b9323d6cec8fa12cf71a7751bb84e053.usr (336768 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.