Gen.Variant.Zusy.123960_78f0cf98f4

by malwarelabrobot on August 2nd, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.123960 (B) (Emsisoft), Gen:Variant.Zusy.123960 (AdAware), Backdoor.Win32.Xtrat.FD, Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 78f0cf98f47abb6968e68387580969df
SHA1: a77f3e2a2251872f0be5172821a329df3dfb0056
SHA256: fb5370d6a6397e8b4b807ac247db2fbbd7544e67be2346b1f38a207f458cd820
SSDeep: 6144:dLM3L6hWtnvqI6vu5G2p0u8opELOlMi4YfkhaW5/OHRQyDH:BMbaWtn6vkDSu8oS04YfkhFq
Size: 358973 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-21 12:31:38
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:860

The Trojan injects its code into the following process(es):

iexplore.exe:1488

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\explorer.exe (2105 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\startup.exe (2105 bytes)

Registry activity

The process %original file name%.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C B0 8A D5 17 33 11 E0 A2 30 0A 31 BE E7 8B 5D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup\startup.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Microsoft
Product Name: Microsoft
Product Version: 9.1.3.23
Legal Copyright: @2015
Legal Trademarks: Microsoft (TM)
Original Filename: war.exe
Internal Name: war.exe
File Version: 9.1.3.23
File Description: Microsoft
Comments: Microsoft Coprotion
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	135284	135680	4.44812	6d9dd2e47798a19c2271edcbe08271cf
.sdata	147456	177	512	1.5075	17ee383034c2bf121a69e919594e429e
.rsrc	155648	4532	4608	3.33891	6c3fe415d32cac375f8f825ad50ee854
.reloc	163840	12	512	0.067931	b7fbb324efef06bef4c12cb55076fd1e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

iexplore.exe_1488:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_1488_rwx_10000000_00080000:

`.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

$,((&&"*"

,nRL.Px

/,;

HHH4HHH9HHH:HHH9HHH8HHH7EDD0>>>.XZZf

HHH.HHH7HHH5HHH5GGG2@??'MNNB

GGG#HHH.FFF2>??-UVVX

===.FFF7III/HHH

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

127.0.0.1

Server.exe

C:\Windows\SysWOW64\urlmon.

MsgHKCU

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

\sw%SERVER%

%iles\local.ini

Microsoft\Windows\Start Men

PTF.ftpserver.com

Microsoft\Windows\GameExplo

ftpuser

%Documents and Settings%\%current user%\My Documents\explorer.exe

%Program Files%\Internet Explorer\iexplore.exe

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:860
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%Documents and Settings%\%current user%\My Documents\explorer.exe (2105 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\startup.exe (2105 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup\startup.exe"
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Zusy.123960_78f0cf98f4

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Gen.Variant.Zusy.123960_78f0cf98f4

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet