Trojan-Dropper.Small_63ed7ac86f
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-Dropper.Small!IK (Emsisoft)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 63ed7ac86f2a246abb94243fa864a2ab
SHA1: c5f02492436121b69ae22105da7437535e386890
SHA256: 5b194c98a1ba921658aace8b2e375eb7871563c952859514e143138bf3515aa7
SSDeep: 24576:iAvAkZIFFesoyXJ4dj3Ql8rIMM6QmOwvQGwKjuTrV7Ht3 4sP7s:R4qe83Ua4wvQGyD
Size: 1461829 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID:
Company: AirInstaller Inc.
Created at: 2013-07-07 21:06:23
Summary:
Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Payload
No specific payload has been found.
Process activity
The Trojan-Dropper creates the following process(es):
63ed7ac86f2a246abb94243fa864a2ab.exe:992
ping.exe:416
58685.exe:1364
img_snapshot.exe:1468
The Trojan-Dropper injects its code into the following process(es):
rundll32.exe:400
58685.exe:1740
File activity
The process 63ed7ac86f2a246abb94243fa864a2ab.exe:992 makes changes in a file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uyrfg.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\img_snapshot.exe (3811 bytes)
The process 58685.exe:1364 makes changes in a file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\58685\58685.exe (3073 bytes)
The process 58685.exe:1740 makes changes in a file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe (6146 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\srv.exe.exe (3073 bytes)
%Documents and Settings%\%current user%\Application Data\r58Ies.tmp (45 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
The Trojan-Dropper deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\srvhosts1 (0 bytes)
The process img_snapshot.exe:1468 makes changes in a file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\58685.exe (1800 bytes)
Registry activity
The process 63ed7ac86f2a246abb94243fa864a2ab.exe:992 makes changes in a system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 04 8C 62 45 19 24 DE 76 9F A9 4D 95 2E 56 55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"img_snapshot.exe" = "Windows Sidebar"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process ping.exe:416 makes changes in a system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 BC 2D 7B 27 8D C3 35 30 37 0E 71 A6 45 EF 7B"
The process rundll32.exe:400 makes changes in a system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D A8 0B 29 CB EB E4 28 56 DE 29 5C FC C5 D2 15"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 58685.exe:1364 makes changes in a system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 8D 6F 35 CD 28 EC EF B1 06 9B 66 08 BF FC 4B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\58685]
"58685.exe" = "Windows Sidebar"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The process 58685.exe:1740 makes changes in a system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 3A D8 CB 48 C5 E9 7A 2E ED 97 6E D2 BB CC 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"srvhosts" = "%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe"
The process img_snapshot.exe:1468 makes changes in a system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 97 39 42 5B 2F 9D 1D 23 D6 A7 27 89 B5 48 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"58685.exe" = "Windows Sidebar"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
63ed7ac86f2a246abb94243fa864a2ab.exe:992
ping.exe:416
58685.exe:1364
img_snapshot.exe:1468 - Delete the original Trojan-Dropper file.
- Delete or disinfect the following files created/modified by the Trojan-Dropper:
%Documents and Settings%\%current user%\Local Settings\Temp\uyrfg.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\img_snapshot.exe (3811 bytes)
%Documents and Settings%\%current user%\Application Data\58685\58685.exe (3073 bytes)
%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe (6146 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\srv.exe.exe (3073 bytes)
%Documents and Settings%\%current user%\Application Data\r58Ies.tmp (45 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\58685.exe (1800 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"srvhosts" = "%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe" - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
