Trojan-Dropper.Win32.Vtimrun_26c17c8ca8

by malwarelabrobot on March 23rd, 2014 in Malware Descriptions.

Trojan.Win32.Chifrax.d (Kaspersky), Trojan.Win32.Chifrax.d (v) (VIPRE), Trojan.Win32.Chifrax!IK (Emsisoft), TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 26c17c8ca859423a86f35a59b2756f25
SHA1: 3a4c3910f6e21cce11030422f6e7b2d6151a1430
SHA256: c5bc67d4f5a536049fbc993e289e3a8bb1b1f62d6e76af1209ae84969d0af522
SSDeep: 6144:Xj7eio9bGpTlOrVF66dobVz08PrVipnXd cQy8ts0JIGimpwu6OhD x:X BypYF66Ix0npnt cQrlrimpwu9G
Size: 369816 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SafeSoft
Created at: 2004-08-04 09:01:37
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):

ttttdownloader.exe:3388
%original file name%.exe:3352
wuauclt.exe:1152

The Trojan-Dropper injects its code into the following process(es):

BNHIRKG.sys:936
ntvdm.exe:1732

File activity

The process ttttdownloader.exe:3388 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\MIHVTPJ_.bat (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\BNHIRKG.sys (5128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\USODBMI.bat (198 bytes)

The process %original file name%.exe:3352 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\adobe.flash.cs4.v10.0.professional-patch.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ttttdownloader.exe (6720 bytes)

The process ntvdm.exe:1732 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings% (4 bytes)
C:\ (4 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\BNHIRKG.sys (752 bytes)
%WinDir%\WinSxS (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%WinDir% (1784 bytes)
C:\$Directory (3476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\USODBMI.bat (4 bytes)
%System% (8176 bytes)
%Program Files% (8 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (2321 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (600 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\Prefetch\SANDBOX_SVC.EXE-26624197.pf (20 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\MIHVTPJ_.bat (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (1600 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)

The Trojan-Dropper deletes the following file(s):

%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)

The process wuauclt.exe:1152 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (4392 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan-Dropper deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

Registry activity

The process ttttdownloader.exe:3388 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F C6 0E 82 F1 DB 1F 3E 89 CD 65 42 D0 D7 E4 F2"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup1" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP001.TMP\"

The process BNHIRKG.sys:936 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB A3 25 C6 F6 2D BF F9 0B 22 DE 53 B9 17 84 C7"

The process %original file name%.exe:3352 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A F2 54 23 11 2A 8C 66 F9 79 22 69 E2 99 02 75"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

Network activity (URLs)

URL IP
hxxp://zone.yourfreehosting.net/setup.exe 82.98.86.169


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ttttdownloader.exe:3388
    %original file name%.exe:3352
    wuauclt.exe:1152

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    %Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\MIHVTPJ_.bat (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\BNHIRKG.sys (5128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP001.TMP\USODBMI.bat (198 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\adobe.flash.cs4.v10.0.professional-patch.exe (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ttttdownloader.exe (6720 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs (4 bytes)
    %WinDir%\WinSxS (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
    %WinDir%\AppPatch (4 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    C:\$Directory (3476 bytes)
    %System% (8176 bytes)
    %Program Files% (8 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (2321 bytes)
    %System%\wbem\Repository\FS\OBJECTS.DATA (600 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    %WinDir%\Prefetch\SANDBOX_SVC.EXE-26624197.pf (20 bytes)
    %System%\drivers (36 bytes)
    %WinDir%\Temp\scs1.tmp (33880 bytes)
    %System%\wbem\Repository\FS\INDEX.BTR (1600 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %WinDir%\Temp\scs2.tmp (10145 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (4392 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup1" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP001.TMP\"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now