Trojan.Generic.3283836_b0fa365a76
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.3283836 (B) (Emsisoft), Trojan.Generic.3283836 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b0fa365a761201542a7d14310813418e
SHA1: df00019b3dc9526b1c754c8e7d9a79cabdbc602d
SHA256: 9e37af42f69c539c6b240b185c6853f273e56b43d6d3d2003b438cb8a3b3fd8a
SSDeep: 3072:AVLuYD rys7kgt4nW2mGkiExS3yPzdXZ:AFuMms7kgtKWjGkiQS3KFZ
Size: 114688 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2009-05-01 19:23:09
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:560
The Trojan injects its code into the following process(es):
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\olhrwef.exe (601 bytes)
%System%\drivers\klif.sys (3 bytes)
%System%\nmdfgds0.dll (92 bytes)
The Trojan deletes the following file(s):
%System%\drivers\klif.sys (0 bytes)
Registry activity
The process %original file name%.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\KAVsys]
"Type" = "1"
"ImagePath" = "\??\%System%\drivers\klif.sys"
"ErrorControl" = "1"
The following driver will be automatically launched by the NT Native code (IoInitSystem method):
[HKLM\System\CurrentControlSet\Services\KAVsys]
"Start" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft" = "%System%\olhrwef.exe"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\KAVsys]
Dropped PE files
| MD5 | File path |
|---|---|
| 1bd8003532a096642365018a86072e65 | c:\WINDOWS\system32\nmdfgds0.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 36864 | 20480 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 57344 | 53248 | 53248 | 5.54205 | 744168b5e4166c208013971dddea15b3 |
| .rdata | 110592 | 77824 | 77824 | 5.54311 | 3c5c7a19b797bf14f248dbaea95c562d |
| .sdata | 188416 | 24576 | 22528 | 5.22625 | a2e50f5340ed52d8c5daa511b61c586c |
| .rsrc | 212992 | 4096 | 4096 | 0.601716 | d97cd3d4ba80f25274e7a95ac65503e5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:560
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\olhrwef.exe (601 bytes)
%System%\drivers\klif.sys (3 bytes)
%System%\nmdfgds0.dll (92 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft" = "%System%\olhrwef.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.