Trojan-Dropper.Win32.Autoit.bgd_1db3623cbe

by malwarelabrobot on January 17th, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Autoit.bgd (Kaspersky), Trojan.Win32.Rotinom.b (v) (VIPRE), Worm.Agent!IK (Emsisoft)
Behaviour: Trojan-Dropper, Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.


MD5: 1db3623cbefc41c27b147334f7ac771e
SHA1: 1f367f5501a5e41dae20dd6908321ff2019b3059
SHA256: d374e1d0fba410a6969a13d73060804cd67a6f3488d7d6d107a624aa56cc5b33
SSDeep: 6144:GNR8Y6laYKuwPCGSQ1m2NR8Y6laYKuwPCGSQ1m3:GsY6Ju82sY6Ju83
Size: 365072 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-03 16:09:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):

%original file name%.exe:2816

The Trojan-Dropper injects its code into the following process(es):
No code injection into other processes has been detected.

File activity

The process %original file name%.exe:2816 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Start\update.exe (2105 bytes)

Registry activity

The process %original file name%.exe:2816 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1]
"MRUListEx" = "FF FF FF FF"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0]
"MRUListEx" = "01 00 00 00 00 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "C:\Users\"%CurrentUserName%"\AppData\Local\Start"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebViewBarricade" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\28\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1]
"MRUListEx" = "00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup" = "C:\Users\"%CurrentUserName%"\AppData\Local\Start"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0]
"1" = "9E 00 31 00 00 00 00 00 00 00 00 00 17 00 31 64"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU]
"NodeSlots" = "02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1]
"NodeSlot" = "27"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell]
"KnownFolderDerivedFolderType" = "{57807898-8C4F-4462-BB63-71042380B109}"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU]
"MRUListEx" = "01 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"ShowSuperHidden" = "0"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1]
"MRUList"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2816

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    C:\Users\"%CurrentUserName%"\AppData\Local\Start\update.exe (2105 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
