Trojan.GenericKD.1648545_a395049ad5
Trojan.MSIL.Agent.eflo (Kaspersky), Trojan.GenericKD.1648545 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: a395049ad5f67cc5d195943acc91bd0d
SHA1: c9be909ca1cbdbcf840f9578e383f699826c1e14
SHA256: 272124105d9ba277d57d1d2dd37d143cb23f7f0cb8fb779a7f0888eba7116765
SSDeep: 1536:PWvVwlKfOuAKCEp7xRyhuggZZXIzvfWdSxEW:PWvV8KFAJK7xRyJgZZXIvfWdSt
Size: 70656 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: *Rapiddown*
Created at: 2014-04-15 22:10:37
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
netsh.exe:1492
Server.exe:1348
%original file name%.exe:2024
%original file name%.exe:1356
The Trojan injects its code into the following process(es):
Server.exe:1832
File activity
The process Server.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.exe (9015 bytes)
The process %original file name%.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Server.exe (601 bytes)
Registry activity
The process netsh.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F ED 04 63 CE 71 E8 5A 3A 1E 44 15 62 4B 48 24"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%]
"server.exe" = "%Documents and Settings%\%current user%\Server.exe:*:Enabled:Server.exe"
The process Server.exe:1348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 72 19 0A 25 B5 5F 3A 5E 2C F8 80 F1 E2 CA 9A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process Server.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 D5 E3 4B 56 E5 8C 1E DA 06 7A C0 69 E8 98 B9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Documents and Settings%\%current user%\Server.exe .."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Documents and Settings%\%current user%\Server.exe .."
The process %original file name%.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 10 AB 80 DA 47 C9 8C F4 DD EC 3B 28 A3 02 96"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"server.exe" = "CmdExt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\update]
"US" = "!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process %original file name%.exe:1356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 03 8F 36 73 60 A3 33 D0 DD A1 D9 73 34 94 95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.2.9200.16384
Legal Copyright: ?(c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: crypted.exe
Internal Name: crypted.exe
File Version: 6.2.9200.16384
File Description: CmdExt
Comments: cmd.exe Extension DLL
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 68052 | 68096 | 5.20809 | 27ad5eb512ff811a685ddb57c435561e |
| .rsrc | 81920 | 1080 | 1536 | 1.80504 | 1763fc84a2d8aeb7a3a6ebf1742c62ee |
| .reloc | 90112 | 12 | 512 | 0.070639 | 992c3a0dad24454af9eed0c573f27df0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| applle.sytes.net |  173.254.223.86 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the folowing location(s):
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
DRSTUB.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
DRSTUB.Resources.resources
DRSTUB.My
Microsoft.VisualBasic.ApplicationServices
.ctor
System.Diagnostics
System.CodeDom.Compiler
System.ComponentModel
Microsoft.VisualBasic.Devices
m_MyWebServicesObjectProvider
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
WebServices
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Threading
SPREXE
get_ExecutablePath
System.IO
Operators
Microsoft.Win32
Microsoft.VisualBasic.MyServices
wolf_usb_exe
System.Collections
OperatingSystem
System.Text
System.Collections.Generic
System.IO.Compression
System.Reflection
ProcessWindowStyle
WebClient
System.Net
CopyPixelOperation
System.Drawing.Imaging
RegistryKey
GetKey
System.Net.Sockets
TcpClient
lastKey
Keys
keyboard
Keyboard
GetExecutingAssembly
wVirtKey
lpKeyState
GetKeyboardState
MapVirtualKey
GetKeyboardLayout
GetAsyncKeyState
vKey
OpenSubKey
DRSTUB.My.Resources
System.Resources
System.Globalization
System.Configuration
8.0.0.0
My.Computer
My.Application
My.User
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
My.Settings
1.0.0.0
$721aff54-84bf-4dd4-9947-d32d266b77f6
_CorExeMain
mscoree.dll
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
Specifying requestedExecutionLevel node will disable file and registry virtualization.
compatibility then delete the requestedExecutionLevel node.
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
0.7.1
Server.exe
Applle.sytes.net
Software\Microsoft\Windows\CurrentVersion\Run
autorun.inf
install.exe
%System%\dllcache
%System%\dllcache\recycled.exe
%System%\dllcache\myporn.scr
%System%\dllcache\doc.pif
C:\windows\system32\drivers\svchost.exe
ShellExecute=install.exe
shell\open\command=install.exe
shell\explore\command=install.exe
shell\Open\command=install.exe
C:\windows\system32\winlogon.scr
desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}CreateSubKey
Windows
cmd.exe
UseShellExecute
WindowStyle
GetSubKeyNames
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
??/??/??
ShiftKeyDown
WScript.Shell
&explorer /root,"Í%
DRSTUB.Resources
Server.exe_1832_rwx_00400000_00012000:
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
DRSTUB.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
DRSTUB.Resources.resources
DRSTUB.My
Microsoft.VisualBasic.ApplicationServices
.ctor
System.Diagnostics
System.CodeDom.Compiler
System.ComponentModel
Microsoft.VisualBasic.Devices
m_MyWebServicesObjectProvider
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
WebServices
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Threading
SPREXE
get_ExecutablePath
System.IO
Operators
Microsoft.Win32
Microsoft.VisualBasic.MyServices
wolf_usb_exe
System.Collections
OperatingSystem
System.Text
System.Collections.Generic
System.IO.Compression
System.Reflection
ProcessWindowStyle
WebClient
System.Net
CopyPixelOperation
System.Drawing.Imaging
RegistryKey
GetKey
System.Net.Sockets
TcpClient
lastKey
Keys
keyboard
Keyboard
GetExecutingAssembly
wVirtKey
lpKeyState
GetKeyboardState
MapVirtualKey
GetKeyboardLayout
GetAsyncKeyState
vKey
OpenSubKey
DRSTUB.My.Resources
System.Resources
System.Globalization
System.Configuration
8.0.0.0
My.Computer
My.Application
My.User
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
My.Settings
1.0.0.0
$721aff54-84bf-4dd4-9947-d32d266b77f6
_CorExeMain
mscoree.dll
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
Specifying requestedExecutionLevel node will disable file and registry virtualization.
compatibility then delete the requestedExecutionLevel node.
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
0.7.1
Server.exe
Applle.sytes.net
Software\Microsoft\Windows\CurrentVersion\Run
autorun.inf
install.exe
%System%\dllcache
%System%\dllcache\recycled.exe
%System%\dllcache\myporn.scr
%System%\dllcache\doc.pif
C:\windows\system32\drivers\svchost.exe
ShellExecute=install.exe
shell\open\command=install.exe
shell\explore\command=install.exe
shell\Open\command=install.exe
C:\windows\system32\winlogon.scr
desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}CreateSubKey
Windows
cmd.exe
UseShellExecute
WindowStyle
GetSubKeyNames
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
??/??/??
ShiftKeyDown
WScript.Shell
&explorer /root,"Í%
DRSTUB.Resources
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
netsh.exe:1492
Server.exe:1348
%original file name%.exe:2024
%original file name%.exe:1356 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.exe (9015 bytes)
%Documents and Settings%\%current user%\Server.exe (601 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Documents and Settings%\%current user%\Server.exe .."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Documents and Settings%\%current user%\Server.exe .." - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
