Trojan.Delf.Inject.AK_96704b621f
HEUR:Worm.Win32.Generic (Kaspersky), Trojan.Delf.Inject.AK (B) (Emsisoft), Trojan.Delf.Inject.AK (AdAware), GenericMSNWorm.YR, GenericAutorunWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot, MSNWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 96704b621f81164b2ca1e26057d427b1
SHA1: 1c82f7a17d24228908acd575ad682a11f455427b
SHA256: 64cba2aeb989e16ebca03f13568754e1e7df705d96a1954d52e0b9daaa84de65
SSDeep: 1536: odIqeV7/DwTaZ4GEt2hR8x7AwJ8x7AwS:oqeVPwTaZqmix7x6x7xS
Size: 55296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through MSN Messenger. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:636
svhost.exe:1524
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3ETRQ6AX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UAMN61ZC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ISIUYYK3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QPYBHCLC\desktop.ini (67 bytes)
%WinDir%\svhost.exe (55 bytes)
Registry activity
The process %original file name%.exe:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB F7 FC 1B 4A 04 5D 4B 64 4D 19 FA 1C 80 39 B0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Messanger Control Center" = "svhost.exe"
The process svhost.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 52 9D B7 27 81 E7 9C C8 FD D6 EB 6D EE 90 FA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A worm can spread its copies through MSN Messenger.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 18280 | 18432 | 4.46099 | fde03d7ebcbda002ca6538bec2c59cda |
| DATA | 24576 | 280 | 512 | 1.96418 | 487bd4c3e1408b573ecc7c630f0a9405 |
| BSS | 28672 | 1785 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 32768 | 1158 | 1536 | 2.50712 | 0d295d29ad0c514539397dea5c1c3d7c |
| .edata | 36864 | 70 | 512 | 0.426673 | cb286ec0666b81e0e8059da933292ac2 |
| .tls | 40960 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 45056 | 24 | 512 | 0.14174 | 44d7eea98589ca89f9a1dc09e347e00f |
| .reloc | 49152 | 1236 | 1536 | 4.07757 | feba9bee55af72035b5cb6c99508d010 |
| .rsrc | 53248 | 143360 | 19968 | 5.53008 | 8daace41e62de910125112e4a9e512e7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
bbe4dc1b3c89e679000a6eb4bef8293c
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
  %original file name%.exe:636
  svhost.exe:1524
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
  %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
  %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3ETRQ6AX\desktop.ini (67 bytes)
  %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UAMN61ZC\desktop.ini (67 bytes)
  %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ISIUYYK3\desktop.ini (67 bytes)
  %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QPYBHCLC\desktop.ini (67 bytes)
  %WinDir%\svhost.exe (55 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "Windows Messanger Control Center" = "svhost.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.