MD5: e3c9d930fa03ceaaa2282cbe32232918
SHA1: 287f6665d6c2082b3cc8246800f110b6b282be44
SHA256: 22ca53697c125ab9ef362921c9e46f4c32acdc3fa0eb8cfcc432b69613a7e969
SSDeep: 3072:FFsJrEEfoI8K5DNmESPhvMtkzNU2Vo0NQQAZcigcVCv De4HsJMTZj /l6bEeE:nsxr8KofphP5QQAZjgcVs D1M0xa6gP
Size: 212992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: AirInstaller
Created at: 2007-05-18 03:00:41
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:464

The Trojan injects its code into the following process(es):

rundll32.exe:1504

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process rundll32.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (25 bytes)

The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\gvsxrto.dll (169 bytes)

Registry activity

The process rundll32.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B E0 B2 FC BB 34 4E D9 CF 90 84 09 5A CE E5 80"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32]
"(Default)" = "%System%\gvsxrto.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DCOM Server 20509" = "{2C1CD3D7-86AC-4068-93BC-A02304B20509}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B20509}" = "DCOM Server 20509"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DCOM Server"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1698 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

rundll32.exe_1504_rwx_10001000_00D2B000:

.tTPV

^}•xy

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

portuguese-brazilian

user32.dll

zcÁ

- '%s'.

GIF-LIB undefined error %d.

GIF-LIB error: %s.

%s: Null entry in quantized color map - that's weird.

GET /last2.php?id=%d HTTP/1.1

Host: %s

EXCEPTION: addr=0xx, code=0xx; maindll base: 0xx, parent base: 0xx

ERROR: check_files failed (code %d)

ERROR: get_data_info failed (code %d)

ERROR: download_data failed (code %d)

NOTE: downloading %s

hXXp://%s/%s

NOTE: bases are ok (age: %d)

maindll.dll

riched20.dll

81.95.148.188

66.197.156.5

81.95.149.10

81.95.149.2

65.111.175.129

%u.%u.%u.%u.IN-ADDR.ARPA

PIPELINING

EHLO %s

HELO %s

RCPT TO: <%s>

MAIL FROM: <%s>

aol.com

verizon.net

ameritech.net

cox.net

rr.com

adelphia.net

comcast.net

optonline.net

=X

[%d-%d]

NUMBER(%d-%d)

STR_RNDLEN(%d-%d)

d.d.d

d.d.d

%s, %d %s %d d:d:d % 03ld00

127.0.0.1

Windows-1251

Windows-1252

XSMTPX

%s\Microsoft\%d.dat

%s\%d.dat

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%s %u%n

rundll32.exe "%s",run

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

DCOM Server %d

{2C1CD3D7-86AC-4068-93BC-A02304B%d}

Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B%d}\InProcServer32

hs5pdllv4%d

rcpt to: %s

127.0.0.1 %s

VVV.symantec.com

securityresponse.symantec.com

symantec.com

VVV.sophos.com

sophos.com

VVV.mcafee.com

mcafee.com

liveupdate.symantecliveupdate.com

VVV.viruslist.com

viruslist.com

f-secure.com

VVV.f-secure.com

downloads1.kaspersky-labs.com

downloads2.kaspersky-labs.com

downloads3.kaspersky-labs.com

downloads4.kaspersky-labs.com

kaspersky.com

VVV.avp.com

VVV.kaspersky.com

avp.com

VVV.networkassociates.com

networkassociates.com

VVV.ca.com

ca.com

mast.mcafee.com

my-etrust.com

VVV.my-etrust.com

download.mcafee.com

dispatch.mcafee.com

secure.nai.com

nai.com

VVV.nai.com

update.symantec.com

updates.symantec.com

liveupdate.symantec.com

customer.symantec.com

rads.mcafee.com

trendmicro.com

VVV.trendmicro.com

us.mcafee.com

Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}

140509033276

%System%\rundll32.exe

GetCPInfo

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegCloseKey

EnumChildWindows

EnumThreadWindows

.text

.rdata

@.data

.reloc

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:464

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\drivers\etc\hosts (25 bytes)
   %System%\gvsxrto.dll (169 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.