Trojan-Downloader.Win32.Torcohost_21f8b9d9a6
Trojan:Win32/Malex.gen!J (Microsoft), Trojan.Win32.Fsysna.fej (Kaspersky), Artemis!21F8B9D9A6FA (McAfee), Win32/DH{IANhDx4kIiUtexM} (AVG), Trojan-Downloader.Win32.Torcohost.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 21f8b9d9a6fa3a0cd3a3f0644636bf09
SHA1: 0392f25130ce88fdee482b771e38a3eaae90f3e2
SHA256: 31d4e1b2e67706fda51633b450b280554c0c4eb595b3a0606ef4ab8421a04dc9
SSDeep: 98304:/9 taUtxVN7lLB9KpK5V Ahe9skiVNiQ/RkrEdElxYheKpUw1bVc:ItaU7lLB9KpK58oe9skUNiQKrEdkYIKW
Size: 5224645 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan-Downloader creates the following process(es):
spoolsv.exe:2000
%original file name%.exe:208
The Trojan-Downloader injects its code into the following process(es):
No processes have been created.
File activity
The process spoolsv.exe:2000 makes changes in the file system.
The Trojan-Downloader deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process %original file name%.exe:208 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Startup\spoolsv.exe (5224645 bytes)
Registry activity
The process spoolsv.exe:2000 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE B8 3B 3E C2 8B 9D DD 27 AC 31 97 79 2E 3F 70"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The process %original file name%.exe:208 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB DE B4 B9 4D EE FC BF 12 E2 E3 7D 16 D8 24 F3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://ekiga.net/ip/ | |
| hxxp://5ji235jysrvwfgmb.onion/sendlog.php | Tor |
| hxxp://5ji235jysrvwfgmb.onion/recvdata.php | Tor |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:208
- Delete the original Trojan-Downloader file.
- Delete or disinfect the following files created/modified by the Trojan-Downloader:
%Documents and Settings%\All Users\Start Menu\Programs\Startup\spoolsv.exe (5224645 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.