Trojan.Dropper.SWZ_4d09d31642
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Dropper.SWZ (B) (Emsisoft), Trojan.Dropper.SWZ (AdAware), GenericMSNWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, IRCBot, MSNWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4d09d31642941e557d10c3af20d0ecf1
SHA1: 895e32e176425b231d1e59f887b15e1e78ff3875
SHA256: a186267086ea556efe666000865a2b89454a498303e291d6c0bb8bc70b6182ef
SSDeep: 768:UmXDH1yVy2vSmUKL6fimyEERm EPe4jGsh48F5lxYgd7OAO:NDH1J2vS L6fimyEsmqKGNCvO
Size: 35378 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2009-02-08 21:09:15
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through the MSN Messenger. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:772
The Trojan injects its code into the following process(es):
%original file name%.exe:872
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\fxstaller.exe (35 bytes)
Registry activity
The process %original file name%.exe:872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 0E 4B 7B D9 DD 2A 73 7F 0A 3E EA 2C B1 4F A3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDP Control Center" = "fxstaller.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread its copies through the MSN Messenger.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1852 | 2048 | 4.0341 | 9e1529c406913e577265e85fa81ca8b4 |
| .rdata | 8192 | 678 | 1024 | 2.41749 | 8de829f5d7b1997127ec3be72e5b0f5c |
| .data | 12288 | 240 | 512 | 1.50231 | ee57f991d629977330b8215fa9756f19 |
| .rsrc | 16384 | 2400 | 2560 | 1.93996 | 642ae788e79779139d74e1f71227e13b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
%original file name%.exe_872_rwx_00400000_0004C000:
.text
`.rdata
@.data
t1SSSSh
SSShp
p.jusufii
r.new
r.update
p.princi
login
msn.msg
msn.stop
aim.msg
aim.stop
triton.msg
triton.stop
GetWindowsDirectoryA
KERNEL32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
%s Welcome.
%s Fail.
%s Spy: %s!%s@%s (PM: "%s")
%s Fail by: %s!%s@%s (Pass Tried: %s)
%s %s out.
%s <%i> out.
%s No user at: <%i>
%s Invalid slot: <%i>
%s Kill: <%d> threads
%s No threads
%s Killed thread: <%s>
%s Failed kt: <%s>
%s %s already running: <%d>.
%s Fail start %s, err: <%d>.
%s Status: %s. Box Uptime: %s, Bot Uptime: %s, Connected for: %s.
%s Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
MSN// Message sent to: %d Contacts.
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
%s logged in.
Removed by: %s!%s@%s
%s Advapi.dll Failed
%s PStore.dll Failed.
%s Naim thd.
%s RuC.
%s mis param.
%s Failed to parse command.
%s Downloading URL: %s to: %s.
%s Downloading update from: %s to: %s.
%seraseme_%d%d%d%d%d.exe
%s Thread Disabled.
%s Thread Activated: Sending Message.
%s Bad URL or DNS Error, error: <%d>
%s Update failed: Error executing file: %s.
%s Process Finished: "%s", Total Running Time: %s.
%s Created process: "%s", PID: <%d>
%s Failed to create process: "%s", error: <%d>
%s Couldn't parse path, error: <%d>
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't open file for writing: %s.
Ping Timeout? (%d-%d)%d/%d
USER %s * 0 :%s
NICK %s
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
MODE %s %s %s
MODE %s %s
__oxFrame.class__
shlwapi.dll
psapi.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
fxstaller.exe
*!*@pri.gov
Windows UDP Control Center
cufii123.pr1nc.ch
Windows Microsoft Viewer
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s No %s thread found.
%s %s thread stopped. (%d thread(s) stopped.)
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:772
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\fxstaller.exe (35 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDP Control Center" = "fxstaller.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.