Trojan.Generic.1454285_a46900a94c
HEUR:Worm.Win32.Generic (Kaspersky), Trojan.Generic.1454285 (B) (Emsisoft), Trojan.Generic.1454285 (AdAware), GenericMSNWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, IRCBot, MSNWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a46900a94cb811ede6ece68a8b83e917
SHA1: b4c0adbe8b28593bbeaabe1d389644dd4658e47d
SHA256: c806162a60d3fd9ca57704af54630faadb7f4e03c0379f59dd04a5faeda3361e
SSDeep: 1536:OwqYbQ4FuLkOW6PrNNUishYWDt93Wsx4bQ:1bPqlWeNKhhYyt91xT
Size: 53760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through MSN Messenger. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:888
%original file name%.exe:2028
winup32.exe:1048
winup32.exe:1480
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:2028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\winup32.exe (53 bytes)
Registry activity
The process %original file name%.exe:888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 94 1E 45 72 D8 B6 CE 0D 50 8C D2 B7 A1 70 1F"
The process %original file name%.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 BA 5F BB 25 02 1B 64 E2 0C 3C 25 AB A4 B3 F6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDPs Control Serveic" = "winup32.exe"
The process winup32.exe:1048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 40 C6 59 6C 4E 03 3C 97 32 18 8E C2 4B 24 F3"
The process winup32.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 FB BB DB A8 E1 B5 CE 0F 22 FE 2E F4 0E FA 27"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread its copies through MSN Messenger.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 19268 | 19456 | 4.50307 | cd8a91ccb52fce65288148955929f9e2 |
| DATA | 24576 | 264 | 512 | 1.80262 | 46ec47b8e8074d655442643a582c1efe |
| BSS | 28672 | 2121 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 32768 | 1272 | 1536 | 2.67112 | 8aa4420564aec91d4759d1c1593839bd |
| .tls | 36864 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 40960 | 24 | 512 | 0.14174 | d7a33da2bb61d9db13e52b1be8ea9917 |
| .reloc | 45056 | 1268 | 1536 | 4.11453 | e0da3a3ed0f87084e584cb4663dcf630 |
| .rsrc | 49152 | 28852 | 29184 | 5.52058 | 5118f1e97ddf972603c45061ebc643fc |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
t1SSSSh
r.upd4te
msn.msg
msn.stop
aim.msg
aim.stop
t.msg
t.stop
GetWindowsDirectoryA
KERNEL32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
%s Welcome.
%s Fail.
%s Spy: %s!%s@%s (PM: "%s")
%s Fail by: %s!%s@%s (Pass Tried: %s)
%s %s out.
%s <%i> out.
%s No user at: <%i>
%s Invalid slot: <%i>
%s Kill: <%d> threads
%s No threads
%s Killed thread: <%s>
%s Failed kt: <%s>
%s %s already running: <%d>.
%s Fail start %s, err: <%d>.
%s Status: %s. Box Uptime: %s, Bot Uptime: %s, Connected for: %s.
%s Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
MSN// Message sent to: %d Contacts.
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
%s logged in.
Removed by: %s!%s@%s
%s Advapi.dll Failed
%s PStore.dll Failed.
%s Naim thd.
%s RuC.
%s mis param.
%s Failed to parse command.
%s Downloading URL: %s to: %s.
%s Downloading update from: %s to: %s.
%seraseme_%d%d%d%d%d.exe
%s Thread Disabled.
%s Thread Activated: Sending Message.
%s Bad URL or DNS Error, error: <%d>
%s Update failed: Error executing file: %s.
%s Process Finished: "%s", Total Running Time: %s.
%s Created process: "%s", PID: <%d>
%s Failed to create process: "%s", error: <%d>
%s Couldn't parse path, error: <%d>
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't open file for writing: %s.
Ping Timeout? (%d-%d)%d/%d
USER %s * 0 :%s
NICK %s
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
MODE %s %s %s
MODE %s %s
__oxFrame.class__
shlwapi.dll
psapi.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
winup32.exe
Windows UDPs Control Serveic
ic.wele.info
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s No %s thread found.
%s %s thread stopped. (%d thread(s) stopped.)
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
192.168.1.129
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:888
%original file name%.exe:2028
winup32.exe:1048
winup32.exe:1480
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\winup32.exe (53 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDPs Control Serveic" = "winup32.exe"
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.