Trojan.Agent.ANCF_2f675b0e0d
Trojan-Dropper.Win32.Mudrop.blg (Kaspersky), Trojan.Agent.ANCF (B) (Emsisoft), Trojan.Agent.ANCF (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 2f675b0e0d8bfe343e1067171e56e17a
SHA1: 4852124979c119febf7386798c0f706d0c431372
SHA256: 8b9c27f125bc8780126dda2be6e81300bf131a4b91f716d4860c683019f94d08
SSDeep: 1536:gnnW/w8CMdV2XPcZkl2QHdt5a2aiMldnfBB:gSYPwlkaLn
Size: 151552 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: Fusion Install
Created at: 2009-07-05 09:16:42
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
taskkill.exe:464
taskkill.exe:1760
taskkill.exe:1736
sc.exe:384
ipconfig.exe:1244
rundll32.exe:476
mscorsvw.exe:1912
cacls.exe:1504
cacls.exe:1044
The Trojan injects its code into the following process(es):
%original file name%.exe:1592
File activity
The process %original file name%.exe:1592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\phpq.dll (22141559 bytes)
C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir% (96 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%System%\func.dll (18378359 bytes)
C:\1.exe (673 bytes)
C:\$Directory (288 bytes)
%System%\config (108 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
The process rundll32.exe:476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\acpiec.sys (13 bytes)
Registry activity
The process %original file name%.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B CF 3C 40 D2 3A 8F 93 BC B4 EB F7 39 98 6D 1A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process taskkill.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 20 E1 AA 18 41 3A E9 FA 43 D0 25 F3 A6 34 E6"
The process taskkill.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 A8 F1 CE 59 49 CE 89 41 51 35 15 B7 ED 02 E6"
The process taskkill.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 96 0C 44 59 71 BA 5D 62 82 A5 D5 FD 97 74 69"
The process sc.exe:384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 55 2E 68 9F 29 28 AE A1 EA 30 7F D7 34 D5 10"
The process ipconfig.exe:1244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B A1 DB FE 0A 79 CC 67 E8 48 B5 6D 38 FF 65 73"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
The process rundll32.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 53 8A C2 81 2B 5E 48 C9 5E 54 09 D7 C0 AD 58"
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1320000"
The process cacls.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 8F 89 EA 83 80 6D E8 32 5C 7C AA C9 1D 3C BC"
The process cacls.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 46 7A 62 79 77 3F 30 58 2A 01 0C C9 C1 A0 E0"
Dropped PE files
| MD5 | File path |
|---|---|
| ebdc3051a283f2785a50ff5c979cc403 | c:\WINDOWS\LastGood\system32\drivers\acpiec.sys |
| 52cbe2a2e72929bbd00a7a798ca70b5e | c:\WINDOWS\phpq.dll |
| 9859c0f6936e723e4892d7141b1327d5 | c:\WINDOWS\system32\dllcache\acpiec.sys |
| ebdc3051a283f2785a50ff5c979cc403 | c:\WINDOWS\system32\drivers\OLD3.tmp |
| 601b3f2466bfa6989b9c7586b5ba54aa | c:\WINDOWS\system32\drivers\pcidump.sys |
| 955d621a50ff52e0ead1ab78755e5a69 | c:\WINDOWS\system32\func.dll |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | v.onondown.com.cn |
| 127.0.0.2 | ymsdasdw1.cn |
| 127.0.0.3 | h96b.info |
| 127.0.0.0 | fuck.zttwp.cn |
| 127.0.0.0 | www.hackerbf.cn |
| 127.0.0.0 | geekbyfeng.cn |
| 127.0.0.0 | 121.14.101.68 |
| 127.0.0.0 | ppp.etimes888.com |
| 127.0.0.0 | www.bypk.com |
| 127.0.0.0 | CSC3-2004-crl.verisign.com |
| 127.0.0.1 | va9sdhun23.cn |
| 127.0.0.0 | udp.hjob123.com |
| 127.0.0.2 | bnasnd83nd.cn |
| 127.0.0.0 | www.gamehacker.com.cn |
| 127.0.0.0 | gamehacker.com.cn |
| 127.0.0.3 | adlaji.cn |
| 127.0.0.1 | 858656.com |
| 127.1.1.1 | bnasnd83nd.cn |
| 127.0.0.1 | my123.com |
| 127.0.0.0 | user1.12-27.net |
| 127.0.0.1 | 8749.com |
| 127.0.0.0 | fengent.cn |
| 127.0.0.1 | 4199.com |
| 127.0.0.1 | user1.16-22.net |
| 127.0.0.1 | 7379.com |
| 127.0.0.1 | 2be37c5f.3f6e2cc5f0b.com |
| 127.0.0.1 | 7255.com |
| 127.0.0.1 | user1.23-12.net |
| 127.0.0.1 | 3448.com |
| 127.0.0.1 | www.guccia.net |
| 127.0.0.1 | 7939.com |
| 127.0.0.1 | a.o1o1o1.nEt |
| 127.0.0.1 | 8009.com |
| 127.0.0.1 | user1.12-73.cn |
| 127.0.0.1 | piaoxue.com |
| 127.0.0.1 | 3n8nlasd.cn |
| 127.0.0.1 | kzdh.com |
| 127.0.0.0 | www.sony888.cn |
| 127.0.0.1 | about.blank.la |
| 127.0.0.0 | user1.asp-33.cn |
| 127.0.0.1 | 6781.com |
| 127.0.0.0 | www.netkwek.cn |
| 127.0.0.1 | 7322.com |
| 127.0.0.0 | ymsdkad6.cn |
| 127.0.0.0 | www.lkwueir.cn |
| 127.0.0.1 | 06.jacai.com |
| 127.0.1.1 | user1.23-17.net |
| 127.0.0.1 | 1.jopenkk.com |
| 127.0.0.0 | upa.luzhiai.net |
| 127.0.0.1 | 1.jopenqc.com |
| 127.0.0.0 | www.guccia.net |
| 127.0.0.1 | 1.joppnqq.com |
| 127.0.0.0 | 4m9mnlmi.cn |
| 127.0.0.1 | 1.xqhgm.com |
| 127.0.0.0 | mm119mkssd.cn |
| 127.0.0.1 | 100.332233.com |
| 127.0.0.0 | 61.128.171.115:8080 |
| 127.0.0.1 | 121.11.90.79 |
| 127.0.0.0 | www.1119111.com |
| 127.0.0.1 | 121565.net |
| 127.0.0.0 | win.nihao69.cn |
| 127.0.0.1 | 125.90.88.38 |
| 127.0.0.1 | 16888.6to23.com |
| 127.0.0.1 | 2.joppnqq.com |
| 127.0.0.0 | puc.lianxiac.net |
| 127.0.0.1 | 204.177.92.68 |
| 127.0.0.0 | pud.lianxiac.net |
| 127.0.0.1 | 210.74.145.236 |
| 127.0.0.0 | 210.76.0.133 |
| 127.0.0.1 | 219.129.239.220 |
| 127.0.0.0 | 61.166.32.2 |
| 127.0.0.1 | 219.153.40.221 |
| 127.0.0.0 | 218.92.186.27 |
| 127.0.0.1 | 219.153.46.27 |
| 127.0.0.0 | www.fsfsfag.cn |
| 127.0.0.1 | 219.153.52.123 |
| 127.0.0.0 | ovo.ovovov.cn |
| 127.0.0.1 | 221.195.42.71 |
| 127.0.0.0 | dw.com.com |
| 127.0.0.1 | 222.73.218.115 |
| 127.0.0.1 | 203.110.168.233:80 |
| 127.0.0.1 | 3.joppnqq.com |
| 127.0.0.1 | 203.110.168.221:80 |
| 127.0.0.1 | 363xx.com |
| 127.0.0.1 | www1.ip10086.com.cm |
| 127.0.0.1 | 4199.com |
| 127.0.0.1 | blog.ip10086.com.cn |
| 127.0.0.1 | 43242.com |
| 127.0.0.1 | www.ccji68.cn |
| 127.0.0.1 | 5.xqhgm.com |
| 127.0.0.0 | t.myblank.cn |
| 127.0.0.1 | 520.mm5208.com |
| 127.0.0.0 | x.myblank.cn |
| 127.0.0.1 | 59.34.131.54 |
| 127.0.0.1 | 210.51.45.5 |
| 127.0.0.1 | 59.34.198.228 |
| 127.0.0.1 | www.ew1q.cn |
| 127.0.0.1 | 59.34.198.88 |
| 127.0.0.1 | 59.34.198.97 |
| 127.0.0.1 | 60.190.114.101 |
| 127.0.0.1 | 60.190.218.34 |
| 127.0.0.0 | qq-xing.com.cn |
| 127.0.0.1 | 60.191.124.252 |
| 127.0.0.1 | 61.145.117.212 |
| 127.0.0.1 | 61.157.109.222 |
| 127.0.0.1 | 75.126.3.216 |
| 127.0.0.1 | 75.126.3.217 |
| 127.0.0.1 | 75.126.3.218 |
| 127.0.0.0 | 59.125.231.177:17777 |
| 127.0.0.1 | 75.126.3.220 |
| 127.0.0.1 | 75.126.3.221 |
| 127.0.0.1 | 75.126.3.222 |
| 127.0.0.1 | 772630.com |
| 127.0.0.1 | 832823.cn |
| 127.0.0.1 | 8749.com |
| 127.0.0.1 | 888.jopenqc.com |
| 127.0.0.1 | 89382.cn |
| 127.0.0.1 | 8v8.biz |
| 127.0.0.1 | 97725.com |
| 127.0.0.1 | 9gg.biz |
| 127.0.0.1 | www.9000music.com |
| 127.0.0.1 | test.591jx.com |
| 127.0.0.1 | a.topxxxx.cn |
| 127.0.0.1 | picon.chinaren.com |
| 127.0.0.1 | www.5566.net |
| 127.0.0.1 | p.qqkx.com |
| 127.0.0.1 | news.netandtv.com |
| 127.0.0.1 | z.neter888.cn |
| 127.0.0.1 | b.myblank.cn |
| 127.0.0.1 | wvw.wokutu.com |
| 127.0.0.1 | unionch.qyule.com |
| 127.0.0.1 | www.qyule.com |
| 127.0.0.1 | it.itjc.cn |
| 127.0.0.1 | www.linkwww.com |
| 127.0.0.1 | vod.kaicn.com |
| 127.0.0.1 | www.tx8688.com |
| 127.0.0.1 | b.neter888.cn |
| 127.0.0.1 | promote.huanqiu.com |
| 127.0.0.1 | www.huanqiu.com |
| 127.0.0.1 | www.haokanla.com |
| 127.0.0.1 | play.unionsky.cn |
| 127.0.0.1 | www.52v.com |
| 127.0.0.1 | www.gghka.cn |
| 127.0.0.1 | icon.ajiang.net |
| 127.0.0.1 | new.ete.cn |
| 127.0.0.1 | www.stiae.cn |
| 127.0.0.1 | o.neter888.cn |
| 127.0.0.1 | comm.jinti.com |
| 127.0.0.1 | www.google-analytics.com |
| 127.0.0.1 | hz.mmstat.com |
| 127.0.0.1 | www.game175.cn |
| 127.0.0.1 | x.neter888.cn |
| 127.0.0.1 | z.neter888.cn |
| 127.0.0.1 | p.etimes888.com |
| 127.0.0.1 | hx.etimes888.com |
| 127.0.0.1 | abc.qqkx.com |
| 127.0.0.1 | dm.popdm.cn |
| 127.0.0.1 | www.yl9999.com |
| 127.0.0.1 | www.dajiadoushe.cn |
| 127.0.0.1 | v.onondown.com.cn |
| 127.0.0.1 | www.interoo.net |
| 127.0.0.1 | bally1.bally-bally.net |
| 127.0.0.1 | www.bao5605509.cn |
| 127.0.0.1 | www.rty456.cn |
| 127.0.0.1 | www.werqwer.cn |
| 127.0.0.1 | 1.360-1.cn |
| 127.0.0.1 | user1.23-16.net |
| 127.0.0.1 | www.guccia.net |
| 127.0.0.1 | www.interoo.net |
| 127.0.0.1 | upa.netsool.net |
| 127.0.0.1 | js.users.51.la |
| 127.0.0.1 | vip2.51.la |
| 127.0.0.1 | web.51.la |
| 127.0.0.1 | qq.gong2008.com |
| 127.0.0.1 | 2008tl.copyip.com |
| 127.0.0.1 | tla.laozihuolaile.cn |
| 127.0.0.1 | www.tx6868.cn |
| 127.0.0.1 | p001.tiloaiai.com |
| 127.0.0.1 | s1.tl8tl.com |
| 127.0.0.1 | s1.gong2008.com |
| 127.0.0.1 | 4b3ce56f9g.3f6e2cc5f0b.com |
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwQuerySystemInformation
Using the driver "%System%\drivers\pcidump.sys" the Trojan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:
MJ_CREATE
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name:
Product Name: ????
Product Version: 4, 3, 1, 1
Legal Copyright: ???? (C) 2009
Legal Trademarks:
Original Filename: notepad.EXE
Internal Name: test
File Version: 1, 0, 0, 1
File Description: Microsoft ???????
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .nsp0 | 4096 | 102400 | 102400 | 4.13442 | 6929a5c550767586b339a96da1e27210 |
| .nsp1 | 106496 | 32768 | 32768 | 5.2032 | 1f8d704cdc591009b2af876d6062d618 |
| .nsp2 | 139264 | 12288 | 12288 | 0.175405 | 39861d402675a72f79361fd09da8c1db |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.nsp0
.nsp1
.nsp2
GetWindowsDirectoryA
WinExec
\phpq.dll
rundll32.exe func.dll, droqp
\system32\func.dll
cmd /c taskkill /im ScanFrm.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c taskkill /im ekrn.exe /f
cmd /c sc config ekrn start= disabled
cmd /c cacls "%s" /e /p everyone:f
cmd /c cacls %s /e /p everyone:f
\temp\explorer.exe
\drivers\gm.dls
Explorer.EXE
explorer.EXE
EXPLORER.EXE
EXPLORER.exe
Explorer.exe
explorer.exe
GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleAOutputDebugStringASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAstrcpymemsetsprintfstrcatstrstrstrlen
Ci=l_[n_Msg\ifc]Fche
,-2) ) ),
,-2) ) )-
,-2) ) ).
,-2) ) )
,-,),/), ,)13
,-2),),),
,-2) ),),
1,),-3),2,),,053 3
,-,),,)4 )24
,-0)4 )33).3
- /),22)4-)13
-, )2/),/0)-.1
-, )21) ),..
-,4),-4)-.4)--
1,),11).-)-
-,4),0.)/ )--,
-,3)4-),31)-2
-,4),0.)/1)-2
-,4),0.)0-),-.
--,),40)/-)2,
---)2.)-,3),,0
- .),, ),13)-..53
- .),, ),13)--,53
.1.ss)^jh
04)./),.,)0/
-, )0,)/0)0
04)./),43)--3
04)./),43)33
04)./),43)42
1 ),4 ),,/), ,
1 ),4 )-,3)./
1 ),4,),-/)-0-
1,),/0),,2)-,-
1,),02), 4)---
20),-1).)-,1
20),-1).)-,2
20),-1).)-,3
04),-0)-.,),225,2222
20),-1).)--
20),-1).)--,
20),-1).)---
kjk.om\k)`s`
KERNEL32.DLL
MSVCRT.DLL
%dyGn3
Jm?.XY
1, 0, 0, 1
notepad.EXE
4, 3, 1, 1
%original file name%.exe_1592_rwx_00401000_00019000:
GetWindowsDirectoryA
WinExec
\phpq.dll
rundll32.exe func.dll, droqp
\system32\func.dll
cmd /c taskkill /im ScanFrm.exe /f
cmd /c taskkill /im egui.exe /f
cmd /c taskkill /im ekrn.exe /f
cmd /c sc config ekrn start= disabled
cmd /c cacls "%s" /e /p everyone:f
cmd /c cacls %s /e /p everyone:f
\temp\explorer.exe
\drivers\gm.dls
Explorer.EXE
explorer.EXE
EXPLORER.EXE
EXPLORER.exe
Explorer.exe
explorer.exe
GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleAOutputDebugStringASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAstrcpymemsetsprintfstrcatstrstrstrlen
Ci=l_[n_Msg\ifc]Fche
,-2) ) ),
,-2) ) )-
,-2) ) ).
,-2) ) )
,-,),/), ,)13
,-2),),),
,-2) ),),
1,),-3),2,),,053 3
,-,),,)4 )24
,-0)4 )33).3
- /),22)4-)13
-, )2/),/0)-.1
-, )21) ),..
-,4),-4)-.4)--
1,),11).-)-
-,4),0.)/ )--,
-,3)4-),31)-2
-,4),0.)/1)-2
-,4),0.)0-),-.
--,),40)/-)2,
---)2.)-,3),,0
- .),, ),13)-..53
- .),, ),13)--,53
.1.ss)^jh
04)./),.,)0/
-, )0,)/0)0
04)./),43)--3
04)./),43)33
04)./),43)42
1 ),4 ),,/), ,
1 ),4 )-,3)./
1 ),4,),-/)-0-
1,),/0),,2)-,-
1,),02), 4)---
20),-1).)-,1
20),-1).)-,2
20),-1).)-,3
04),-0)-.,),225,2222
20),-1).)--
20),-1).)--,
20),-1).)---
kjk.om\k)`s`
%original file name%.exe_1592_rwx_10000000_00001000:
.data
.rsrc
@.reloc
psapi.dll
\patch.exe
\dstdisk.exe
\defence.exe
192yuioealdjfiefjsdfas.txt
%SystemRoot%\System32\DRIVERS\puid.sys
\drivers\pcidump.sys
System32\DRIVERS\pcidump.sys
%SystemRoot%\system32\drivers\puid.sys
\\.\pcidump
\drivers\gm.dls
Windows
1.exe
autorun.inf
Open=1.exe
urlmon
\setup.exe
?mac=%s&ver=%s&key=%d&os=windows
.html
.hhqg
qq.exe
360safe.exe
\explorer.exe
\temp\explorer.exe
nfect_exe
rundll32.exe_476:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
%original file name%.exe_1592_rwx_10005000_00001000:
\??\c:\%original file name%.exe
\??\%WinDir%\explorer.exe
ers\gm.dls
WinExec
CreatePipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
ADVAPI32.dll
InternetOpenUrlA
WININET.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:464
taskkill.exe:1760
taskkill.exe:1736
sc.exe:384
ipconfig.exe:1244
rundll32.exe:476
mscorsvw.exe:1912
cacls.exe:1504
cacls.exe:1044 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\phpq.dll (22141559 bytes)
C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%System%\func.dll (18378359 bytes)
C:\1.exe (673 bytes)
C:\$Directory (288 bytes)
%System%\config (108 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%System%\drivers\acpiec.sys (13 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
