Gen.Variant.Symmi.27799_8ebf735471
Trojan.GenericKDZ.19749 (BitDefender), Trojan:Win32/Nedsym.G (Microsoft), Backdoor.Win32.Androm.ssu (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoad3.10724 (DrWeb), Trojan.Win32.Zbot (A) (Emsisoft), Artemis!8EBF73547148 (McAfee), Trojan.GenericKDZ.19749 (FSecure), SHeur4.BJNT (AVG), Win32:Downloader-TLG [Trj] (Avast), TROJ_GEN.RCBCDF1 (TrendMicro), Gen:Variant.Symmi.27799 (AdAware), Trojan.Win32.Nedsym.FD, TrojanNedsym.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 8ebf73547148fef6a8514c66d87775c8
SHA1: 0bd911dadba752560ebfdcfeb791c620ef344a00
SHA256: 03f3e85f53772b86aed05ce1edd0940a6895e3c7f04ea88393b5ad07ee314bb1
SSDeep: 1536:SOUCnF4a1XNLaEWXg0D3d29QG0wAUv3niztVYliwCzlGHu:SOFFP11aEWQ0BUQnmnJpCzkHu
Size: 127488 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-05-28 22:11:39
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2936
svcnost.exe:1692
The Trojan injects its code into the following process(es):
svcnost.exe:2616
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\etc\hosts (5 bytes)
The Trojan deletes the following file(s):
C:\Windows\System32\drivers\etc\hosts (0 bytes)
The process svcnost.exe:2616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\ntuser.dat (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\desktop.ini (21 bytes)
Registry activity
The process %original file name%.exe:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Init" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\xs3jqv1l3xougzaxxmjfkslczmaxbzxw2\svcnost.exe"
The process svcnost.exe:2616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\"%CurrentUserName%"\AppData\Roaming\xs3jqv1l3xougzaxxmjfkslczmaxbzxw2]
"svcnost.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\xs3jqv1l3xougzaxxmjfkslczmaxbzxw2\svcnost.exe:*:Enabled:ldrsoft"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"SavedLegacySettingsML" = "31 30 32 32 31 38 33 35 32"
Dropped PE files
| MD5 | File path |
|---|---|
| 4a27242b307c6a836993353035fafc16 | c:\Users\"%CurrentUserName%"\AppData\Roaming\desktop.ini |
| 7e8e966927e04a35aec644602b8a9e05 | c:\Users\"%CurrentUserName%"\AppData\Roaming\ntuser.dat |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses before DNS is consulted.
The modified file is 5915 bytes in size. The following entries are added to the hosts file, each mapping a host name (largely antivirus-vendor update servers and Windows Update hosts, along with some ad servers) to 127.0.0.1 so that the real host is never reached:
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 27988 | 28160 | 2.96229 | 907209efee56729ac32a1d82f01744ba |
| .data | 32768 | 8656 | 8704 | 1.46716 | ef7ae0534def471f1518837a21a2b775 |
| .rdata | 45056 | 12416 | 12800 | 2.44511 | 5c59fcd9a9a4d6f6b810517354e5b59a |
| .bss | 61440 | 432 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 65536 | 928 | 1024 | 2.76924 | a127ca9dad6fb2400277ef3272a943f4 |
| .rsrc | 69632 | 77824 | 75776 | 5.45933 | f5768dc1138be3b0e3e96aea97e181a2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
  %original file name%.exe:2936
  svcnost.exe:1692
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
  C:\Windows\System32\drivers\etc\hosts (5 bytes)
  C:\Users\"%CurrentUserName%"\AppData\Roaming\ntuser.dat (112 bytes)
  C:\Users\"%CurrentUserName%"\AppData\Roaming\desktop.ini (21 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  "Windows Init" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\xs3jqv1l3xougzaxxmjfkslczmaxbzxw2\svcnost.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
  127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.