HackTool.Win32.PassView_3fa6f1da9d
Trojan.Win32.Generic!BT (VIPRE), GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, HackTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3fa6f1da9dc57902a82ccd391b50e619
SHA1: c497d7160a8defe8dd50ef3f66d872434d24c820
SHA256: 305fe590e1aa8aab5f130c976b0e12ae1c6aa12da3b383d72a82f372a1e01292
SSDeep: 12288:DrYkTPUn4i5OWdlZ9/dxFNkJTuRnl7QgDhQai6aYQ:nYkTPUPOWfZ9s9wlsgDhS
Size: 791552 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Fusion Install
Created at: 2014-02-18 23:43:47
Analyzed on: WindowsXP SP3 32-bit
Summary:
HackTool. Can be used to investigate, analyze or compromise the system security. Some HackTools are multi-purpose programs, while others may have legitimate uses.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The HackTool creates the following process(es):
bridgemigplugin.exe:2928
vbc.exe:2392
vbc.exe:2056
The HackTool injects its code into the following process(es):
bridgemigplugin.exe:2164
%original file name%.exe:1060
%original file name%.exe:1092
FlashUtil__ActiveX.exe:404
File activity
The process bridgemigplugin.exe:2164 makes changes in the file system.
The HackTool deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Winamp\bridgemigplugin.exe (0 bytes)
The process %original file name%.exe:1060 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\pid.txt (4 bytes)
%System%\wbem\Logs\wbemprox.log (150 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)
The HackTool deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@taobao[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@eyereturn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@java[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@support[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@alimama[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@opera[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@chrome[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ok365[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@dasf[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cfusion[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@faith-hill-shows-off-new-braces-at-grammys[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adobe[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@openx[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
The process %original file name%.exe:1092 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Winamp\bridgemigplugin.exe (5873 bytes)
%Documents and Settings%\%current user%\Application Data\Winamp\FlashUtil__ActiveX.exe (15 bytes)
The process vbc.exe:2392 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)
Registry activity
The process bridgemigplugin.exe:2164 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 97 72 01 17 EA 25 C0 E8 8B DD 5D 85 CC 20 26"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process bridgemigplugin.exe:2928 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E D1 61 77 9C AD 87 86 12 18 7D 59 FE B1 D2 83"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1060 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 AA 25 64 90 44 84 2E 6B B1 FD F6 1A C3 B5 6E"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\3fa6f1da9dc57902a82ccd391b50e619\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The HackTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\3fa6f1da9dc57902a82ccd391b50e619\DEBUG]
"Trace Level"
The process %original file name%.exe:1092 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 1A 1B C5 57 8B 5A AD 69 9E 31 24 77 7E C6 7A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Winamp]
"FlashUtil__ActiveX.exe" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The HackTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The HackTool modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The HackTool modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process FlashUtil__ActiveX.exe:404 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 AE 38 F0 B9 48 8D 9F CF E9 42 2D 28 AF 26 0A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Winamp]
"bridgemigplugin.exe" = " Offline Files Migration Plugin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The HackTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The HackTool modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
The HackTool modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the HackTool adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft .NET Framework v1.0 compatibility" = "%Documents and Settings%\%current user%\Application Data\Winamp\FlashUtil__ActiveX.exe"
The process vbc.exe:2392 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 73 DE 2D 85 80 EA E0 0A 04 D7 AC 27 92 0B 6F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process vbc.exe:2056 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 AF CB F5 3B 4B B1 54 62 B3 44 25 94 CB 1B 14"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://whatismyipaddress.com/ |  67.203.139.148 |
| smtp.163.com |  220.181.12.11 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
bridgemigplugin.exe:2928
vbc.exe:2392
vbc.exe:2056 - Delete the original HackTool file.
- Delete or disinfect the following files created/modified by the HackTool:
%Documents and Settings%\%current user%\Application Data\pid.txt (4 bytes)
%System%\wbem\Logs\wbemprox.log (150 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)
%Documents and Settings%\%current user%\Application Data\Winamp\bridgemigplugin.exe (5873 bytes)
%Documents and Settings%\%current user%\Application Data\Winamp\FlashUtil__ActiveX.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft .NET Framework v1.0 compatibility" = "%Documents and Settings%\%current user%\Application Data\Winamp\FlashUtil__ActiveX.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
