Gen.Variant.Symmi.23204_c5e6fa7c36
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Kryptik.awym (v) (VIPRE), Gen:Variant.Symmi.23204 (B) (Emsisoft), Gen:Variant.Symmi.23204 (AdAware), Trojan-Downloader.Win32.Torcohost.FD, Trojan-PSW.Win32.Zbot.6.FD, Trojan.Win32.Swrort.3.FD, GenericInjector.YR, GenericIRCBot.YR, PUPTorClient.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, PUP, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c5e6fa7c36c8f30cadf99da36ea3e9ad
SHA1: 5912135038f15d48bc215d29ce20486196bf8447
SHA256: 6739499c20a81e7ea80c6037d8c38646ac4dd0c6482a32ef979325150d6b75c3
SSDeep: 49152:7zXaeyFojU3etR8N6cXvBB 8sE75gqH6mvHAqsiCbdsmPHxFg1lc0:7zXaRFojTr8Bq8sW5gqHDA9JTPRUl1
Size: 3809280 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: QuickSet
Created at: 2011-06-27 00:20:39
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:864
iexplore.exe:1372
The Trojan injects its code into the following process(es):
iexplore.exe:188
iexplore.exe:980
File activity
The process iexplore.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OpenCL.dll (51200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process iexplore.exe:980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\tor\state.tmp (222 bytes)
%Documents and Settings%\%current user%\Application Data\tor\hidden_service\hostname.tmp (24 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-microdescs.new (2055607 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-certs.tmp (20814 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-microdesc-consensus.tmp (1098107 bytes)
%Documents and Settings%\%current user%\Application Data\tor\unverified-microdesc-consensus.tmp (1098107 bytes)
%Documents and Settings%\%current user%\Application Data\tor\hidden_service\private_key.tmp (906 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\tor\unverified-microdesc-consensus (0 bytes)
Registry activity
The process %original file name%.exe:864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 16 B8 95 3E 48 7B 54 36 28 B5 A5 96 65 BB 88"
The process iexplore.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 37 0E 0C FE 71 E0 D2 DB D2 3E 01 EF CC 5B 4F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process iexplore.exe:980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\iexplore\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 39 A3 74 22 47 6A EA D0 60 A7 F1 63 CE 45 3C"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\iexplore\DEBUG]
"Trace Level"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://checkip.dyndns.com/ |  |
| checkip.dyndns.org | 216.146.43.70 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 3752916 | 3756032 | 4.10526 | 826609854f8c85db7463b7498332a049 |
| .rdata | 3760128 | 10455 | 12288 | 3.29656 | 743975daf766e8c1105ee47b49b1fc77 |
| .data | 3772416 | 6552 | 4096 | 2.90979 | a4d3beb72eb5ae055a833176a86fb669 |
| .rsrc | 3780608 | 30560 | 32768 | 4.24861 | da7c40aec26f405001c555b7d38c3a0d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:864
iexplore.exe:1372 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OpenCL.dll (51200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\tor\state.tmp (222 bytes)
%Documents and Settings%\%current user%\Application Data\tor\hidden_service\hostname.tmp (24 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-microdescs.new (2055607 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-certs.tmp (20814 bytes)
%Documents and Settings%\%current user%\Application Data\tor\cached-microdesc-consensus.tmp (1098107 bytes)
%Documents and Settings%\%current user%\Application Data\tor\unverified-microdesc-consensus.tmp (1098107 bytes)
%Documents and Settings%\%current user%\Application Data\tor\hidden_service\private_key.tmp (906 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
