Trojan.GenericKD.1371384_5892fed98a
Trojan.Win32.Agent.ibbb (Kaspersky), Trojan.GenericKD.1371384 (B) (Emsisoft), Trojan.GenericKD.1371384 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 5892fed98a0283b7f9a99b428a765875
SHA1: b7f47c0047f245d372b4744177254234f01adcd0
SHA256: 8fe615d515cf116b22ac840ec95b198b59f979a1ec1802e966f9b90ded792ab2
SSDeep: 768:yFb9rb3MWE83xo7tdgI2MyzNtRQtONlIwoHNV2XBFV72B4lA7TJ5ZeeN216G:4dm83xo7tdgI2MyzNtRQtONlIwoHNV2R
Size: 26272 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-10-14 08:53:14
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
budha.exe:596
kilf.exe:1748
%original file name%.exe:1272
imapcy.exe:1668
mscorsvw.exe:172
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process budha.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8J2SIGQ3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RXRLBLM5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3FC5CUEG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E2OSCB5T\img_05[1].exe (1720 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB6.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E2OSCB5T\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@getappsforpc[1].txt (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilf.exe (1720 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TarB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (0 bytes)
The process kilf.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BCVC86F.bat (171 bytes)
%Documents and Settings%\%current user%\Application Data\Ymivko\imapcy.exe (2760 bytes)
The process %original file name%.exe:1272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\budha.exe (26 bytes)
The process imapcy.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5668 bytes)
Registry activity
The process budha.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"kilf.exe" = "kilf"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 BD 05 0A 79 17 69 3D D7 9A D3 16 B7 E8 50 27"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process kilf.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 39 B8 76 48 F2 D4 EC 84 DA 9A 73 FB 40 DA FA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process %original file name%.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 64 64 A8 E9 AA 3C 63 E5 53 99 42 E3 35 7F BE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"budha.exe" = "budha"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process imapcy.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 15 F2 58 2E C8 D4 23 E7 43 BC 32 6E 17 82 E4"
[HKCU\Software\Microsoft\Xytoezapemu]
"e526a4e" = "10 B6 43 78 52 BB 4D 0C 6D 83 FC 4D 84 F6 FF 15"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process mscorsvw.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
Dropped PE files
| MD5 | File path |
|---|---|
| 0147d58670e22d3b0463597ea99360a6 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Ymivko\imapcy.exe |
| 1d179412925ed071ad22a8db947297f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\budha.exe |
| 0a9f857c21c8a574702104c6d452a956 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\E2OSCB5T\img_05[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .code | 4096 | 116 | 512 | 1.18637 | d2f98aee00bac87dc5de3fdde7f4c6e8 |
| .text | 8192 | 3566 | 3584 | 4.73408 | 2bda0c17e458ed09f64f87e6f0c0caef |
| .data | 12288 | 4262 | 4608 | 2.87695 | 5777c0b2787736df21f100adfcf6b70a |
| .idata | 20480 | 1430 | 1536 | 2.90403 | a2d9a61e82589d798094f20bf7b1b96c |
| .rsrc | 24576 | 14350 | 14848 | 4.20379 | 22d33b6d3a031949354bb9728302445e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 14
29ac9e619bff2bacc14870cc2fd336c4
1ef6fb54bcae600ceafd08b5084a760f
92d44e74a8cd751239de335b46c3026c
c658f55037b7ac9353405f21b12c8a5e
c8c83b662ad3c7c1c4aafdf1b8eb9b35
f44c85a05d0352881ac4167d7631e010
e59798fa7c735cfe6fd0ebfb3be3bb50
0a5b1d3ba29ac913c6ca7b86703d4ae8
801c628196f596118d705a89070b8eed
07b6c3ff428196be3f8253432aa86490
26fea39701ab2b0ad53b45426e3f02dd
e3ca580148bf303f9d5d0d26f69a13c4
5340421e87aa56f5a9753ab55a28e5bd
202853a46e9449aba9614a11b017d71c
URLs
| URL | IP |
|---|---|
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt |  |
| hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 72.247.8.48 |
| bwcaffebar.com |  103.6.196.152 |
| activateyourcareerlife.com | 103.6.196.152 |
| getappsforpc.com | 184.154.15.188 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
budha.exe:596
kilf.exe:1748
%original file name%.exe:1272
imapcy.exe:1668
mscorsvw.exe:172 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8J2SIGQ3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RXRLBLM5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3FC5CUEG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E2OSCB5T\img_05[1].exe (1720 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB6.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E2OSCB5T\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@getappsforpc[1].txt (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilf.exe (1720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BCVC86F.bat (171 bytes)
%Documents and Settings%\%current user%\Application Data\Ymivko\imapcy.exe (2760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\budha.exe (26 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
