Trojan.Generic.17630393_fc39851a2b
Trojan.Generic.17630393 (BitDefender), Trojan.PWS.Stealer.1932 (DrWeb), Trojan.Generic.17630393 (B) (Emsisoft), Artemis!FC39851A2B4D (McAfee), Trojan.Gen (Symantec), Trojan.Crypt (Ikarus), Trojan.Generic.17630393 (FSecure), Win32:Malware-gen (Avast), TROJ_GEN.R00XC0OGS16 (TrendMicro), Trojan.Generic.17630393 (AdAware), Trojan.Win32.IEDummy.FD (Lavasoft MAS)
Behaviour: Trojan, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: fc39851a2b4d82038705e45d73442341
SHA1: c42204e486279975465433a879617e56bd0ad0d1
SHA256: caa99c17e0b7c474a58ae89bf1f9708877ee26667bab44a91e40489548390e27
SSDeep: 49152:vsqAGEYG8yijUMjDHXjgG8 OT5PpSyDOsyTTzXV/6U0eNzZLPjdSyW64NB1a5P:7AAGh8UMjDsG8rlP1Dkzl/6U00jjHL4u
Size: 3044888 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, UPolyXv05_v6
Company:
Created at: 2016-07-05 16:54:22
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:468
The Trojan injects its code into the following process(es):
Wormix v55.exe:1572
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1 bytes)
%System%\drivers\etc\hosts (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Wormix v55.exe (18248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (20873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nyhnwhc (196 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nyhnwhc (0 bytes)
Registry activity
The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 67 4C CA 55 70 8C 38 7E 8C BD 1A 32 A7 26 BB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Wormix v55.exe" = "Wormix v55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that do not belong to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process Wormix v55.exe:1572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 CA A2 18 2C D9 50 CA C6 FD F4 4D 38 A5 E9 8A"
Dropped PE files
| MD5 | File path |
|---|---|
| d67360492fdf369f7956793ae232d147 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Wormix v55.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 151 bytes in size. The following entries are added to the hosts file:
| IP address | Host name |
|---|---|
| 173.194.71.100 | hack-games-vk.ru |
| 173.194.71.100 | forum-hack-games-vk.ru |
| 173.194.71.100 | www.forum-hack-games-vk.ru |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 3538944 | 3019776 | 5.54513 | dcf3769e71d1b86f17039bb86cddb91a |
| .rsrc | 3543040 | 24576 | 24064 | 3.91126 | 9cf0c2a610b4c2083df165f4480fb41f |
| .reloc | 3567616 | 512 | 24 | 1.82008 | 41944e795bec5d5d73effabc669d6554 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:468
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1 bytes)
%System%\drivers\etc\hosts (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Wormix v55.exe (18248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (20873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nyhnwhc (196 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.