Shiz_171279fab5
Susp_Dropper (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Backdoor.Win32.Shiz!IK (Emsisoft), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 171279fab5510a3668c2090114c539c0
SHA1: 5dd0b3e7b0071c164972de521ffe7f9d017f991c
SHA256: b82e15150317911f941dbaca9c17b7b5f298cb1d9831c5ce5f6913450ff56388
SSDeep: 3072:UcHxzcOaRSqHjWExEbTywK9fkCuEsO2vND3lcj0Nn8CIaXxmVpQ4xM1jD:BHSSq6uuO9fIEyNDyjR/awp3xM1P
Size: 208896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2004-12-03 02:32:14
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
171279fab5510a3668c2090114c539c0.exe:2632
The Trojan injects its code into the following process(es):
ctfmon.exe:252
File activity
The process 171279fab5510a3668c2090114c539c0.exe:2632 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\software (3028 bytes)
%System%\config\software.LOG (5300 bytes)
(These two entries are the SOFTWARE registry hive and its transaction log. The writes are the on-disk side effect of the registry changes listed under Registry activity, not a dropped file.)
%WinDir%\AppPatch\ibigpox.exe (1697 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process 171279fab5510a3668c2090114c539c0.exe:2632 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 9C B2 3E 1A 47 C9 FF B5 17 90 C2 1A 31 71 34"
(The RNG seed is rewritten by CryptoAPI whenever a process requests random data; it is a side effect, not an indicator.)
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\ibigpox.exe_, \??\%WinDir%\apppatch\ibigpox.exe"
(The Session Manager processes this value at the next boot, before any user session exists: the staged copy ibigpox.exe_ is renamed to ibigpox.exe, so the dropped file takes its final name under %WinDir%\AppPatch without the Trojan writing it there while running.)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"d8cc41db" = "ÂCêkæÚ`Ã¥D 5õÔPÃ¥KP£yp.)Üà â€Â¸a4d‚\yìqÂA}(Äé¼ü4|Âá@â€Â°â„¢,¡¤üHrѼ©€©â€Â´D0}éiXª¸|Èy4¡RYÑúiÂèmѩȄIáØð±¼(¤ ádI򯬓dËœ XYâÀeÅ“iü¥AÅ¡Ii¸rÂ¥(¡A\y 9€éñ$ZÔaxÙ9
(The value holds binary data, rendered above as text. A value with a random eight-hex-character name under the Winlogon key is the most specific host indicator in this report; the Shell Folders values, by contrast, are written by the shell whenever a process resolves a known folder path.)
The process ctfmon.exe:252 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Network activity (URLs)
URL / IP
hxxp://198.74.50.135/login.php
hxxp://109.74.196.143/login.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 1), Malicious)
Rootkit activity
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
SetThreadDesktop
GetMessageA
GetMessageW
TranslateMessage
(Hooking GetMessageA/W and TranslateMessage gives the injected code a view of keyboard input and window messages in the hooked process; GetClipboardData exposes clipboard contents, which is where copied passwords and account numbers end up.)
The Trojan installs the following user-mode hooks in ntdll.dll:
RtlGetNativeSystemInformation
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
171279fab5510a3668c2090114c539c0.exe:2632
ctfmon.exe:252 (a legitimate Windows process that hosts the injected code; terminating it is safe)
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\AppPatch\ibigpox.exe (1697 bytes), together with the staged copy %WinDir%\AppPatch\ibigpox.exe_ if it is present
Do not delete %System%\config\software or %System%\config\software.LOG: they are the SOFTWARE registry hive and its transaction log, modified as a side effect of the registry changes, and Windows will not boot without them. Remove the registry artifacts instead: the "d8cc41db" value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the ibigpox.exe entry in PendingFileRenameOperations under HKLM\System\CurrentControlSet\Control\Session Manager.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
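Before working through the manual-removal steps, the two registry artifacts from this report (the PendingFileRenameOperations pair that materialises ibigpox.exe at boot, and the random-named value under Winlogon) can be checked with a small triage script. The script below is an added example written for this page, not code from the Lavasoft report or from Ad-Aware. The WINDIR root, the Winlogon baseline set, the drop-directory heuristics and the sample values are all assumptions constructed to mirror the report; on a live host the inputs would come from a registry export.

```python
"""Offline triage of the two persistence artifacts from the report above:
the PendingFileRenameOperations pair that turns the staged ibigpox.exe_ into
%WinDir%\\AppPatch\\ibigpox.exe at the next boot, and the random-named value
written under the Winlogon key. Inputs are constructed to mirror the report;
on a live host they would come from the registry (e.g. a .reg export)."""
import re
from dataclasses import dataclass, field

WINDIR = r"C:\WINDOWS"  # assumption: default XP-era install root
# Directories where an installer has no business materialising executables at boot
DROP_DIRS = ("\\apppatch\\", "\\temp\\", "\\application data\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Value names normally present under HKLM\...\Winlogon (assumed baseline; build
# the real one from a clean reference host of the same Windows version).
WINLOGON_BASELINE = {n.lower() for n in (
    "Shell", "Userinit", "AutoRestartShell", "DefaultDomainName", "DefaultUserName",
    "LegalNoticeCaption", "LegalNoticeText", "PowerdownAfterShutdown", "ReportBootOk",
    "ScRemoveOption", "ShutdownWithoutLogon", "System", "VMApplet", "WinStationsDisabled",
    "AllocateCDRoms", "AllocateDASD", "AllocateFloppies", "CachedLogonsCount",
    "DebugServerCommand", "ForceUnlockLogon", "PasswordExpiryWarning", "SFCQuota",
    "UIHost", "Background", "LogonType", "AutoAdminLogon", "DefaultPassword",
)}


@dataclass
class Rename:
    source: str
    target: str                      # "" means "delete source at boot"
    reasons: list = field(default_factory=list)


def to_win_path(entry):
    """Strip the NT object-manager prefix (\\??\\) and expand %WinDir%."""
    p = entry[4:] if entry.startswith("\\??\\") else entry
    return re.sub(r"%windir%", lambda _m: WINDIR, p, flags=re.IGNORECASE)


def parse_pending_renames(multi_sz):
    """PendingFileRenameOperations is a REG_MULTI_SZ consumed in (source, target)
    pairs by the Session Manager at boot, before any user-mode session exists.
    MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends to it."""
    entries = list(multi_sz)
    return [Rename(to_win_path(entries[i]), to_win_path(entries[i + 1]))
            for i in range(0, len(entries) - 1, 2)]


def score_rename(op):
    """Attach human-readable reasons to renames that look like malware staging."""
    src, dst = op.source.lower(), op.target.lower()
    if dst == "":
        return op                    # boot-time deletions are routine for installers
    if dst.endswith(EXEC_EXT) and any(d in dst for d in DROP_DIRS):
        op.reasons.append("executable materialised in a non-install directory")
    if src.endswith("_") and src[:-1] == dst:
        op.reasons.append("staged-copy pattern (file.exe_ -> file.exe)")
    return op


def triage_winlogon(values, baseline=WINLOGON_BASELINE):
    """Return (name, reason, data_length) for Winlogon values outside the baseline.
    The report shows one named d8cc41db holding an opaque blob."""
    odd = []
    for name, data in values.items():
        if name.lower() in baseline:
            continue
        why = "random-looking name" if re.fullmatch(r"[0-9a-f]{8}", name, re.I) else "not in baseline"
        odd.append((name, why, len(data)))
    return odd


# Constructed sample data: the rename pair from the report plus a benign
# boot-time deletion of the kind installers leave behind.
SAMPLE_PFRO = [
    r"\??\%WinDir%\apppatch\ibigpox.exe_", r"\??\%WinDir%\apppatch\ibigpox.exe",
    r"\??\C:\WINDOWS\Temp\setup_cleanup.tmp", "",
]
SAMPLE_WINLOGON = {
    "Shell": "Explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "d8cc41db": b"\xc2\x43\xea\x6b\xe6\xda\x60\xc3",   # stand-in for the opaque blob
}


def run_triage(pfro=SAMPLE_PFRO, winlogon=SAMPLE_WINLOGON):
    """Run both checks and return (flagged renames, odd Winlogon values)."""
    flagged = [op for op in map(score_rename, parse_pending_renames(pfro)) if op.reasons]
    return flagged, triage_winlogon(winlogon)


if __name__ == "__main__":
    flagged, odd = run_triage()
    for op in flagged:
        print(f"pending rename {op.source} -> {op.target}: " + "; ".join(op.reasons))
    for name, why, size in odd:
        print(f"Winlogon value {name!r} ({size} bytes): {why}")
```

The rename check deliberately ignores boot-time deletions and renames into normal install locations, since Windows Update and installers use the same mechanism to replace locked files; what it flags is an executable appearing in a scratch directory, and the "write as .exe_, rename at boot" staging that this sample uses. The Winlogon check is only as good as its baseline, so populate it from a clean host of the same build before trusting a "not in baseline" hit.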