Trojan-Dropper.Win32.Vundo_a3e027ba85

by malwarelabrobot on December 19th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-Dropper.Win32.Vundo.t (v) (VIPRE), Backdoor.Win32.Cidox!IK (Emsisoft), Trojan-Dropper.Win32.Vundo.FD, TrojanDownloaderVundo.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan, Backdoor


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: a3e027ba8560f95157be78e4517148ed
SHA1: 87693fc5dd4fbe875041aefc1acda2a6f913eeaf
SHA256: 8741f152f1f164f34860257437b74a887873f4de8fd775de95ab94d9ff806fca
SSDeep: 3072:q yvo Y7Z0RXOZKfrsu2nFqqpN09nd9KiXNbd:JF7O0Ya3pNandUy
Size: 180736 bytes
File type:
Platform:
Entropy:
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):

regedit.exe:244
%original file name%.exe:2412

The Trojan-Dropper injects its code into the following process(es):
No code injection into other processes has been detected.

File activity

The process %original file name%.exe:2412 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\Iterra\T03emp03.reg (359 bytes)
%Documents and Settings%\%current user%\My Documents\Iterra\0105.tmp (42 bytes)

The Trojan-Dropper deletes the following file(s):


Registry activity

The process regedit.exe:244 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 FB E2 0A ED DA 1E B7 D6 2B 99 E7 6A E5 39 AB"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
"AppInit_DLLs" = "%System%\nxrcrsa.dll"

The process %original file name%.exe:2412 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

Network activity (URLs)



HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regedit.exe:244
    %original file name%.exe:2412

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    %Documents and Settings%\%current user%\My Documents\Iterra\T03emp03.reg (359 bytes)
    %Documents and Settings%\%current user%\My Documents\Iterra\0105.tmp (42 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
