Trojan-Banker.Win32.Brasil_b3c3159e99
Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b3c3159e99ba1a65607247f496503cf2
SHA1: 6f418d0b2d77ef7348ec4d461a523dc646b9460a
SHA256: b7bc30f72a579744289d261f3e7b92adbd41a1284f068aaf17ff7e6ffdb3a6c8
SSDeep: 196608:HZhe5lVDbc/iPRuwK vfSjKJACwq1HhCp KxhbQKBzeA7dlyFhL:iVtRuwKQsKJA01BCQYhbQKBZhliB
Size: 10615200 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphiv60v70_v2, BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: PC Utilities Software Limited
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan-Banker creates the following process(es):
Driver_Pro.exe:140
DPSchedule.exe:1744
DriverPro.exe:1984
DriverPro.exe:1508
%original file name%.exe:1888
Driver_Pro.tmp:1632
DPStartScan.exe:644
The Trojan-Banker injects its code into the following process(es):
DriverPro.exe:640
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Driver_Pro.exe:140 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2FVMD.tmp\Driver_Pro.tmp (7386 bytes)
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2FVMD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2FVMD.tmp\Driver_Pro.tmp (0 bytes)
The process DPSchedule.exe:1744 makes changes in the file system.
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DPSchedule.madExcept (0 bytes)
The process DriverPro.exe:640 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Driver Pro\Scan.ini (599 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\Devices.ini (26 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\PCInfo.ini (175 bytes)
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DriverPro.madExcept (0 bytes)
The process DriverPro.exe:1984 makes changes in the file system.
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DriverPro.madExcept (0 bytes)
The process DriverPro.exe:1508 makes changes in the file system.
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DriverPro.madExcept (0 bytes)
The process %original file name%.exe:1888 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Driver_Pro.exe (75554 bytes)
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Driver_Pro.exe (0 bytes)
The process Driver_Pro.tmp:1632 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Program Files%\Driver Pro\is-OIF81.tmp (56 bytes)
%Program Files%\Driver Pro\is-CU8I6.tmp (7433 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-F7R1L.tmp (4 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-F797O.tmp (526038 bytes)
%Documents and Settings%\%current user%\Desktop\Driver Pro.lnk (701 bytes)
%Program Files%\Driver Pro\is-IV5HB.tmp (26 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-N5HHN.tmp (558848 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Help.lnk (713 bytes)
%Program Files%\Driver Pro\is-AQ7C2.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-F5VMB.tmp (61 bytes)
%Program Files%\Driver Pro\is-B8QKG.tmp (5873 bytes)
%Program Files%\Driver Pro\is-4APLU.tmp (12 bytes)
%Program Files%\Driver Pro\unins000.msg (646 bytes)
%Program Files%\Driver Pro\unins000.dat (5536 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Uninstall Driver Pro.lnk (708 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Driver Pro.lnk (713 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Driver Pro on the Web.lnk (708 bytes)
%Program Files%\Driver Pro\is-G5A3C.tmp (3361 bytes)
%Program Files%\Driver Pro\is-JE206.tmp (7433 bytes)
%Program Files%\Driver Pro\is-PDQHR.tmp (5873 bytes)
%Program Files%\Driver Pro\is-6LRG3.tmp (31891 bytes)
%Program Files%\Driver Pro\is-7875K.tmp (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BTJDJ.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Driver Pro\is-CAQAH.tmp (3073 bytes)
%Program Files%\Driver Pro\is-ALHR4.tmp (30427 bytes)
The Trojan-Banker deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-BTJDJ.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BTJDJ.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BTJDJ.tmp (0 bytes)
The process DPStartScan.exe:644 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
Registry activity
The process Driver_Pro.exe:140 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 A9 E7 6D E4 09 38 88 36 C1 93 57 CD DD 1C DD"
The process DPSchedule.exe:1744 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 63 CE 37 23 37 69 A1 D3 D8 C9 5E 7C A4 40 92"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Driver Pro]
"s_Date" = "00 00 00 00 E0 6F E4 40"
"s_Exec" = "1"
The Trojan-Banker modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-Banker modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-Banker modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process DriverPro.exe:640 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Driver Pro]
"s_Enable" = "1"
"CloseToTray" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"UpdateWindowShown" = "0"
"InstallStat" = "1"
"BackupPath" = "%Documents and Settings%\%current user%\My Documents\Driver Pro\Backup\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Driver Pro]
"s_SmartScan" = "1"
"Feedback1" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Driver Pro]
"ShowAlertMessages" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Driver Pro]
"ShowUpdateWindow" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"QuerryDate" = "02 7A CD D3 E3 6F E4 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Driver Pro]
"ProxyPassword" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Driver Pro]
"s_SmartMode" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"LastScan" = "4F DF 80 D3 E3 6F E4 40"
"TotalDrivers" = "64"
"DownloadPath" = "%Documents and Settings%\%current user%\My Documents\Driver Pro\Drivers\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Driver Pro]
"ProxyPort" = ""
"LastUpdate" = "08 64 61 D3 E3 6F E4 40"
"ScanAtStartup" = "0"
"ForceUpdate" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Driver Pro]
"ProxyAddress" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Driver Pro]
"OutdatedDrivers" = "1"
"nDownloads" = "3"
"LastDatabaseCheck" = "9C 00 61 D3 E3 6F E4 40"
"DatabaseDate" = "00 00 00 00 80 52 E4 40"
"ShowSRPMessage" = "1"
"ScanExecuted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Driver Pro]
"s_Mode" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 E3 63 41 64 3A 58 40 B1 FC E3 E5 F8 2B FF D5"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Driver Pro]
"DPSchedule.exe" = "Driver Pro Schedule"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Driver Pro]
"AppStart" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Driver Pro]
"UseProxy" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Driver Pro]
"ShowRebootMessage" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\Driver Pro]
"ProxyLogin" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The Trojan-Banker modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Banker modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Banker modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-Banker deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process DriverPro.exe:1984 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 60 27 4F 42 36 4C 5B E7 85 78 9D 84 76 07 F7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process DriverPro.exe:1508 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 98 D0 A7 02 0B DC CB 31 3F 00 88 CF C1 D1 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process %original file name%.exe:1888 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 E9 86 1C 7C CF 93 13 7F 8F E4 15 BF 05 78 12"
[HKCU\Software\Driver Pro]
"setupname" = "c:\%original file name%.exe"
The process Driver_Pro.tmp:1632 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"DisplayVersion" = "3.1"
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"MajorVersion" = "3"
"Inno Setup: Deselected Tasks" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"URLUpdateInfo" = "http://www.pcutilitiespro.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"Inno Setup: Icon Group" = "Driver Pro"
"Inno Setup: Setup Version" = "5.5.3 (u)"
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"UninstallString" = "%Program Files%\Driver Pro\unins000.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"DisplayName" = "Driver Pro v3.1"
"Inno Setup: App Path" = "%Program Files%\Driver Pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"InstallLocation" = "%Program Files%\Driver Pro\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"URLInfoAbout" = "http://www.pcutilitiespro.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Driver Pro]
"Language" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"HelpLink" = "http://www.pcutilitiespro.com"
"InstallDate" = "20140804"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"Publisher" = "PC Utilities Software Limited"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 44 F7 AB FC 9D 52 C0 36 4A D1 F0 17 68 83 57"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"Inno Setup: Selected Tasks" = "desktopicon"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"QuietUninstallString" = "%Program Files%\Driver Pro\unins000.exe /SILENT"
"NoModify" = "1"
"MinorVersion" = "1"
To automatically run itself each time Windows is booted, the Trojan-Banker adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Driver Pro" = "%Program Files%\Driver Pro\DPLauncher.exe"
The process DPStartScan.exe:644 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:
[HKCU\Software\Driver Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"MachineGuid" = "CC57B4D1-F266-E131-ED57-979C433F8811"
"UninstallURL" = "https://safecart.com/pcutilitiespro/.dp-xsell-special/purchase?sid=121001231-US-003"
"DelayedStart" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Driver Pro]
"UseAds" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"QuerryDate" = "B7 A5 4A D3 E3 6F E4 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Driver Pro]
"OS" = "102"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Driver Pro]
"BuyNowURL" = "http://pcup26b2.pcutilitiespro.revenuewire.net/driverpro/xsell?121001231-US-003_CC57B4D1-F266-E131-ED57-979C433F8811"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Driver Pro]
"Querry" = "http://bi.softservers.net/t/dp?sid=121001231-US-003&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=1510085629"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Driver Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"AppStart" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 71 52 8E A5 A2 BE 62 DC 25 6F BA 28 EE 3A 20"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Driver Pro]
"DriverPro.exe" = "Driver Pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Driver Pro]
"InstallDate" = "D3 82 3E D3 E3 6F E4 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
The Trojan-Banker modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Banker modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Banker modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-Banker deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 84ceb93407bd2df6e758d57cc8e6da47 | c:\Program Files\Driver Pro\DPLauncher.exe |
| b9dcf8ec0fcb6c9acae61c4bca3675ac | c:\Program Files\Driver Pro\DPSchedule.exe |
| 060ba8f552e6d9502d0a73ab9f1d4025 | c:\Program Files\Driver Pro\DPSmartScan.exe |
| aa4789ba11e54360f6ee26fc8d79cbb8 | c:\Program Files\Driver Pro\DPStartScan.exe |
| 4a1ae76d0634c7b8f575a446d9b7bdf3 | c:\Program Files\Driver Pro\DPUninstaller.exe |
| 25d29176ebb0e5f54b75cadd3ec225a6 | c:\Program Files\Driver Pro\DriverPro.exe |
| 0f66e8e2340569fb17e774dac2010e31 | c:\Program Files\Driver Pro\sqlite3.dll |
| fe547eb408703b1f8e98643180b48f55 | c:\Program Files\Driver Pro\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: PC Utilities Software Limited
Product Name: DriverPro
Product Version: 3.1.0.0
Legal Copyright: PC Utilities Software Limited
Legal Trademarks:
Original Filename:
Internal Name: DriverPro
File Version:
File Description: DriverPro
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 75644 | 75776 | 4.45296 | 341f60451089865a24c3c84ec3821c82 |
| DATA | 81920 | 1428 | 1536 | 2.76929 | f76f4515a2e2b60cda146361ff2e6e44 |
| BSS | 86016 | 2185 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 90112 | 2862 | 3072 | 3.11744 | 3a510b9194a87490600faea96f544b5a |
| .tls | 94208 | 12 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 98304 | 24 | 512 | 0.14174 | 6b2b783af3ecd764905292c9b75d8ea4 |
| .reloc | 102400 | 6084 | 6144 | 4.57315 | 5b58562521fe8470d3ba9da0f91e605b |
| .rsrc | 110592 | 10520576 | 10520576 | 5.52698 | 545e100ee294189abc22493808e3a4a6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 10
6a47bb51997f1bae446c3bafb640ab74
0277a8488e21336ba6837ddb8667cc4c
10c046644095f6559e2ddd2cfe70fd03
cd047c070fd6d4e0ebcb011b248a168c
d0e6a7164e04419cffc764c3c2bbe3cb
b71de35f0ce797d8de50891f11003cbd
fb23f3836be89d88085a9713c903d5b3
88669a0972341a0bdeadb024e0d5e5a9
0231df9ee0b3fdb9f14672d9490c5bf6
16fd87484867798b7e64984fbabd1077
URLs
| URL | IP |
|---|---|
| hxxp://bi.softservers.net/t/dp?sid=121001231-US-003&dt=1407120728&gid=CC57B4D1-F266-E131-ED57-979C433F8811&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=1510085629 | |
| hxxp://service.smartpcupdate.com/rpc/sendinstall?partner=PCUtilitiesPro&build=3.1 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /rpc/sendinstall?partner=PCUtilitiesPro&build=3.1 HTTP/1.1
Host: service.smartpcupdate.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Sun, 03 Aug 2014 23:52:09 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.1412..{"ok":1,"error":0}..0..
GET /t/dp?sid=121001231-US-003&dt=1407120728&gid=CC57B4D1-F266-E131-ED57-979C433F8811&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=1510085629 HTTP/1.1
Host: bi.softservers.net
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sun, 03 Aug 2014 23:52:08 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
content-type: text/html
The Trojan-Banker connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Driver_Pro.exe:140
DPSchedule.exe:1744
DriverPro.exe:1984
DriverPro.exe:1508
%original file name%.exe:1888
Driver_Pro.tmp:1632
DPStartScan.exe:644
- Delete the original Trojan-Banker file.
- Delete or disinfect the following files created/modified by the Trojan-Banker:
%Documents and Settings%\%current user%\Local Settings\Temp\is-2FVMD.tmp\Driver_Pro.tmp (7386 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\Scan.ini (599 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\Devices.ini (26 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\PCInfo.ini (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Driver_Pro.exe (75554 bytes)
%Program Files%\Driver Pro\is-OIF81.tmp (56 bytes)
%Program Files%\Driver Pro\is-CU8I6.tmp (7433 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-F7R1L.tmp (4 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-F797O.tmp (526038 bytes)
%Documents and Settings%\%current user%\Desktop\Driver Pro.lnk (701 bytes)
%Program Files%\Driver Pro\is-IV5HB.tmp (26 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-N5HHN.tmp (558848 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Help.lnk (713 bytes)
%Program Files%\Driver Pro\is-AQ7C2.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-F5VMB.tmp (61 bytes)
%Program Files%\Driver Pro\is-B8QKG.tmp (5873 bytes)
%Program Files%\Driver Pro\is-4APLU.tmp (12 bytes)
%Program Files%\Driver Pro\unins000.msg (646 bytes)
%Program Files%\Driver Pro\unins000.dat (5536 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Uninstall Driver Pro.lnk (708 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Driver Pro.lnk (713 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Driver Pro on the Web.lnk (708 bytes)
%Program Files%\Driver Pro\is-G5A3C.tmp (3361 bytes)
%Program Files%\Driver Pro\is-JE206.tmp (7433 bytes)
%Program Files%\Driver Pro\is-PDQHR.tmp (5873 bytes)
%Program Files%\Driver Pro\is-6LRG3.tmp (31891 bytes)
%Program Files%\Driver Pro\is-7875K.tmp (547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-BTJDJ.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Driver Pro\is-CAQAH.tmp (3073 bytes)
%Program Files%\Driver Pro\is-ALHR4.tmp (30427 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Driver Pro" = "%Program Files%\Driver Pro\DPLauncher.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.