Gen.Variant.Zusy.84257_2f1fdfb4b5

by malwarelabrobot on March 14th, 2014 in Malware Descriptions.

Trojan.Win32.Cutwail.cks (Kaspersky), Trojan.Win32.Cutwail (VIPRE), Gen:Variant.Zusy.84257 (B) (Emsisoft), Gen:Variant.Zusy.84257 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 2f1fdfb4b528feda34b92a938f9d537b
SHA1: 19f10fab361ec4ac5e20b725cb25449ef3078748
SHA256: d52932b4dee4bb8e88c6b19d221f0c3fe1d29da9cfa9d378f9d203a1750ef87e
SSDeep: 768:1hUt3mlfaZSr4H5pU0WXTBTumE1vmeMbiHvwcman D3 byte6haOE6Z1:1hUtqro5u0gBqhvpvwcmTCbyte3OdZ1
Size: 59392 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-27 13:20:41
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

CTFMON.EXE:296

The Trojan injects its code into the following process(es):

%original file name%.exe:160

File activity

The process %original file name%.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):


The Trojan deletes the following file(s):


Registry activity

The process %original file name%.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"cabwulvycamyzap" = "B0 6F A1 D3 92 C4 F6 B5 E7 1A D8 0B 3D 6F 2E 60"

"AppManagement" = "4C 0B 3D FB 2E EC 1F 51 10 42 01 33 65 24 56 15"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 BD 47 96 9D 6B 03 33 55 31 3F 85 3A 54 89 15"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows starts, the Trojan adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cabwulvycamy" = "%Documents and Settings%\%current user%\cabwulvycamy.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process CTFMON.EXE:296 makes changes in the system registry.
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Backdoor.Win32.Pushdo.s Checkin
ET RBN Known Russian Business Network IP group 73
ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
ET POLICY Http Client Body contains pw= in cleartext
ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS
ET RBN Known Russian Business Network IP group 379

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             1436          1536      2.15227   6906e4712ef6400da99f7fd38d250ac3
.rdata  8192             222           512       1.37902   bc634afefb223c21725357088300c807
.data   12288            31796         0         0         d41d8cd98f00b204e9800998ecf8427e
dta     45056            81            512       0.852872  d9ceba73c42ef82d0616ece555520bea
.rsrc   49152            55768         55808     4.60998   c1565553d1aa53f8d4752faccc9ae368

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:



Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\urantiaproject[1].htm (2189 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\robertmcintyre.com[2].htm (14774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\sortedorganizing[1].htm (4747 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\budbad[1].htm (19741 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (136 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@malagacorp[1].txt (119 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\lexjuridica[1].htm (3979 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\wkhk[1].htm (27105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\teknorhino[1].htm (24401 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\photoclubs[1].htm (57448 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\woodlandhillwinery[1].htm (622 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (356352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\fraser-high.school[1].htm (759 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (121 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (119 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-606747145-1060284298-839522115-1004\c5b88721db08c824db69d0bbc702beb8_3fee1f9f-d02d-4fef-b156-d6ca90eade2d (2136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\redconeretreat[1].htm (27538 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\slcago[1].htm (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\teasing-video[1].htm (53807 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "cabwulvycamy" = "%Documents and Settings%\%current user%\cabwulvycamy.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
