Gen.Variant.Sinowal.1_9181c2e137
Gen:Variant.Sinowal.1 (BitDefender), Trojan.Win32.Fsysna.kzc (Kaspersky), Gen:Variant.Sinowal.1 (B) (Emsisoft), Artemis!9181C2E13726 (McAfee), Gen:Variant.Sinowal.1 (FSecure), Win32/Cryptor (AVG), Gen:Variant.Sinowal.1 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 9181c2e137268c299775215e7ef1f025
SHA1: 4c81f21e831be8f6e5ceb6fb843f696d7f01e522
SHA256: 1a5581dcb6188f0239d3f3d11d4294c7abb555e3ff948caea50921ae3381a7a2
SSDeep: 49152:miCkE7zk7vUTDMTGGE/Qg9jpjz7rPR0lTTp2eu8 kP0GgbsS:WNErUTDRGaQg9jpjfKlTTEs ksk
Size: 2303488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-23 13:51:26
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
rundll32.exe:324
%original file name%.exe:1476
ctfmon.exe:536
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker-0.1-0.dll (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\scrypt130511.cl (23825 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\zlib1.dll (88576 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libjansson-4.dll (52736 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libcurl-4.dll (228352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer-rpc.exe (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\pthreadGC2.dll (99058 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer-rpc.exe (33280 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pdcurses.dll (102912 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\backtrace.dll (1123328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\taskhost.exe (55296 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll.dll (42496 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll64.dll (41984 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker_jansson-0.1-0.dll (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pthreadGC2.dll (87040 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libusb-1.0.dll (76800 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\scrypt130511.cl (23825 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\minerd.exe (735709 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer.exe (1223680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pdcurses.dll (92672 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\zlib1.dll (98304 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\zlib1.dll (109568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pthreadGC2.dll (45056 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\libcurl-4.dll (633352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker_jansson-0.1-0.dll (13824 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libjansson-4.dll (66048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer.exe (846336 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libusb-1.0.dll (117760 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker-0.1-0.dll (13824 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libcurl-4.dll (238080 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\backtrace.dll (1123328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe (166912 bytes)
Registry activity
The process rundll32.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 16 2C FB 4A 4B 1C B4 B5 8A 9C 01 91 22 0B 67"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Host Process" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe"
The process %original file name%.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 6D 69 C4 27 B2 F3 76 8D AC A9 EE F4 28 AA AB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process ctfmon.exe:536 makes changes in the system registry.
The Trojan deletes the following value(s) in the system registry, disabling automatic startup of the application by removing this autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
rundll32.exe:324
%original file name%.exe:1476
- Delete the original Trojan file.
- Delete or disinfect the files created/modified by the Trojan (the FlashContainer files listed under File activity above).
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Host Process" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe"
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.