Trojan-Dropper.Win32.Polymorph1_48535dffe3
Trojan-Dropper.Win32.Sysn.aamv (Kaspersky), Trojan.Generic.KDV.826485 (B) (Emsisoft), Trojan.Generic.KDV.826485 (AdAware), GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanDropperPolymorph1.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 48535dffe3e11f79ab2653165386ebdd
SHA1: 2df62327ef1ed8ac9dc8d4a0f2f9ef6c64171e19
SHA256: 2ad50ae5e899809ce562ef58a53c5d561feb3ad427882e457e4c4f8c2916abe7
SSDeep: 3072:1RthH4z7f32D3/td1GGgXoutrhY2jAPlGpbGGpbGGpbG/kqqqqqqqqqqqqqp:3fsfG7/4TXoS1Y6AT
Size: 245760 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: P i gr r m Lrrr t d .
Created at: 2012-10-13 20:05:01
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Dropper. A Trojan program intended for the stealth installation of other malware on the user's system.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan-Dropper's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan-Dropper creates the following process(es):
%original file name%.exe:888
%original file name%.exe:896
winlogen.exe:440
winlogen.exe:1668
The Trojan-Dropper injects its code into the following process(es):
%original file name%.exe:1764
winlogen.exe:1788
winlogen.exe:1784
Explorer.EXE:840
File activity
The process %original file name%.exe:896 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GCYXB.bat (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GCYXB.txt (159 bytes)
%Documents and Settings%\%current user%\Application Data\Mut\winlogen.exe (5723 bytes)
The Trojan-Dropper deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\GCYXB.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GCYXB.txt (0 bytes)
Registry activity
The process %original file name%.exe:888 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE D4 2A CC FD DF FA DD D2 4A 9B A1 A6 E5 3D 66"
The process %original file name%.exe:896 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 0A 90 79 3F 7C 8E 78 9E C6 DA 94 53 DD 08 DF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"GCYXB.bat" = "GCYXB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Mut]
"winlogen.exe" = "epaulette sisterions conspires"
The Trojan-Dropper modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-Dropper modifies IE settings for security zones to map all local web nodes without dots that do not belong to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-Dropper modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan-Dropper deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"
The process %original file name%.exe:1764 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 0E A3 E3 E8 BF ED 0B EC E7 2D E0 35 A4 1D 7F"
The process winlogen.exe:1788 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB A4 EC B9 02 D0 A2 73 77 8D FF 42 0A 0E 0C BA"
The process winlogen.exe:440 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 76 E1 84 81 8E 0F 2A 1A 0A 27 86 65 D0 64 58"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To run itself automatically each time Windows is booted, the Trojan-Dropper adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\svchost.exe"
The process winlogen.exe:1784 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 8A 22 18 B0 8B E6 F9 1B A8 B8 69 24 05 62 76"
The process winlogen.exe:1668 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 1F C6 69 B9 CA A6 65 A0 54 63 A4 15 99 CC 94"
Dropped PE files
| MD5 | File path |
|---|---|
| f29013183ec951671f9f7a53c411de1c | c:\Documents and Settings\"%CurrentUserName%"\Application Data\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan-Dropper's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name:
Product Name: HD Player
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: setup.exe
Internal Name:
File Version:
File Description: epaulette sisterions conspires
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 385024 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 389120 | 65536 | 65536 | 5.53409 | 4333f0ba462123821d31c96e6ed51243 |
| .rsrc | 454656 | 180224 | 179200 | 3.78559 | 04120f85d0b6cda0b23ffd131604086a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan-Dropper connects to the servers at the following location(s):
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
-gE};
Ankt%S\
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
%original file name%.exe_1764_rwx_00400000_0000C000:
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
-gE};
Ankt%S\
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
winlogen.exe_1784:
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
-gE};
Ankt%S\
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
winlogen.exe_1784_rwx_00400000_0000C000:
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
-gE};
Ankt%S\
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
winlogen.exe_1788:
`.rsrc
DetectWindows
advapi32.dll
ntdll.dll
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
shell32.dll
ShellExecuteEx
lz32.dll
.text
`.data
.rsrc
windows32*1*|OFF|*appdata*Mut\*winlogen.exe*
KERNEL32.DLL
MSVBVM60.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
WScript.Shell
explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Scripting.FileSystemObject
Explorer.exe,
a.exe
winlogen.exe_1788_rwx_00400000_0000B000:
`.rsrc
DetectWindows
advapi32.dll
ntdll.dll
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
shell32.dll
ShellExecuteEx
lz32.dll
.text
`.data
.rsrc
windows32*1*|OFF|*appdata*Mut\*winlogen.exe*
KERNEL32.DLL
MSVBVM60.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
WScript.Shell
explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Scripting.FileSystemObject
Explorer.exe,
a.exe
Explorer.EXE_840_rwx_01450000_0000E000:
.data
.idata
.rsrc
@.reloc
Successfully Killed And Removed Malicious File: "%s"
Usage: %s IP PORT DELAY LENGTH
Failed To Start Thread: "%d"
Failed: "%d"
Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
Filed To Visit: "%s"
Successfully Visited: "%s"
%s #%s
%s %s
Running From: "%s"
[%s][%s] - "%s"
{%s}: %sSuccessfully Executed Process: "%s"
Failed To Create Process: "%s", Reason: "%d"
Successfully Downloaded File To: "%s"
Downloading File: "%s"
http://api.wipmania.com/
JOIN
NICK
PRIVMSG
AryaN{%s-%s-x%d}%sNew{%s-%s-x%d}%s%s "" "%s" :%s
%s %s :[AryaN]: %s
%s %s %s
Finished Flooding "%s:%d"
Terminated UDP Flood Thread
%d%d%d%d%d%d%d%d
Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
AutoRun Infected Removable Device: "%s\"
j[YPSSh
SSSSh
VSSSh
udpflood
udpflood.stop
download.stop
join
lopta100.no-ip.info
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteA
SHELL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
ADVAPI32.dll
svchost.exe
7$7*70767<7
%userprofile%
%s\removethis_%d%d%d.exe
%temp%\oldfile.exe
Mozilla/5.0 (compatible)
%s\%d%d%d.exe
explorer.exe
Kernel32.dll
%s-deadlock
%s\SysWOW64
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
dnsapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
msvcrt.dll
dwm.exe
alg.exe
csrss.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s-readfile
cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
%temp%\deletethis.exe
Removable_Drive.exe
%s\{%s-%s}/k "%s" Open %s
%windir%\System32\cmd.exe
%s\Removable_Drive.exe
%s\%s
%s\%s.lnk
icon=Shell32.dll,7
shell\open\Command=%s
open=%s
shell\explore\Command=%s
%s\autorun.inf
%Documents and Settings%\%current user%\Application Data\svchost.exe
%Documents and Settings%\%current user%\Application Data\Mut\winlogen.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:888
%original file name%.exe:896
winlogen.exe:440
winlogen.exe:1668
- Delete the original Trojan-Dropper file.
- Delete or disinfect the following files created/modified by the Trojan-Dropper:
%Documents and Settings%\%current user%\Local Settings\Temp\GCYXB.bat (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GCYXB.txt (159 bytes)
%Documents and Settings%\%current user%\Application Data\Mut\winlogen.exe (5723 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\svchost.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.