Gen.Variant.Symmi.21945_2b8f885d04

by malwarelabrobot on February 20th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Kryptik.awym (v) (VIPRE), Win32.Torbot!IK (Emsisoft), Gen:Variant.Symmi.21945 (AdAware), Trojan-Downloader.Win32.Torcohost.FD, Trojan-PSW.Win32.Zbot.6.FD, Trojan.Win32.Swrort.3.FD, BackdoorCaphaw_QKKBAL.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanPSWZbot.YR, PUPTorClient.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Backdoor, PUP, IRCBot


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.


MD5: 2b8f885d0496929a092730e1240354a5
SHA1: 97c08ab7bd6a64b5ff0b373bb98bcc08cca4caf6
SHA256: 2c661c61b286a39303e6d84cf05da2a04ca07f724f03b44d6377ca947c02a5d3
SSDeep: 98304:1Wh6fffy0QKcUDstfiWACDE317cmTdPS0dfMwL:1zfdQaDso5AEiydP/yw
Size: 3809280 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: AirInstaller Inc.
Created at: 2011-05-16 09:06:45
Analyzed on: Windows7 SP1 64-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

Behaviour Description
IRCBot: a bot that can communicate with command and control servers via an IRC channel.


Process activity

The Trojan creates the following process(es):

WMIADAP.EXE:1556
jusched.exe:2760

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process WMIADAP.EXE:1556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (2888 bytes)
C:\Windows\System32\PerfStringBackup.TMP (1841358 bytes)
C:\Windows\System32\perfc009.dat (208 bytes)
C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini (28 bytes)
C:\Windows\System32\perfh009.dat (1234 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (6 bytes)
C:\Windows\System32\PerfStringBackup.INI (5441 bytes)
C:\Windows\inf\WmiApRpl\WmiApRpl.h (3 bytes)

The Trojan deletes the following file(s):

C:\Windows\inf\WmiApRpl\0009 (0 bytes)
C:\Windows\System32\PerfStringBackup.TMP (0 bytes)
C:\Windows\inf\WmiApRpl (0 bytes)
C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini (0 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl.h (0 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl.ini (0 bytes)
C:\Windows\inf\WmiApRpl\WmiApRpl.h (0 bytes)

The process jusched.exe:2760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jusched.log (129 bytes)

Registry activity

The process WMIADAP.EXE:1556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Updating" = "WmiApRpl"

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"First Help" = "7151"
"Last Counter" = "7316"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Help" = "7149"

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"PerfIniFile" = "WmiApRpl.ini"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Counter" = "7148"

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"Last Help" = "7317"
"First Counter" = "7150"
"Object List" = "7150 7156 7166 7176 7196 7240 7250 7288 7294 7310"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"Library Validation Code"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Updating"

[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"First Help"
"Last Counter"
"Disable Performance Counters"
"Last Help"
"First Counter"
"Object List"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             3754388       3756032   4.10571  77b6f1d0806fd6afb19be763147bf0d0
.rdata  3760128          10455         12288     3.30005  eb170d92012d2a1f0b9d572500d4cc28
.data   3772416          6296          4096      2.87722  5e71b1ee648927fe7ed7c888f052c1d2
.rsrc   3780608          30560         32768     3.99634  9c7adc880e4fb2e8231c57600fd94529

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WMIADAP.EXE:1556

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (2888 bytes)
    C:\Windows\System32\PerfStringBackup.TMP (1841358 bytes)
    C:\Windows\System32\perfc009.dat (208 bytes)
    C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini (28 bytes)
    C:\Windows\System32\perfh009.dat (1234 bytes)
    C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (6 bytes)
    C:\Windows\System32\PerfStringBackup.INI (5441 bytes)
    C:\Windows\inf\WmiApRpl\WmiApRpl.h (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jusched.log (129 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
