Trojan.GenericKD.1968926_f122ec41bf

by malwarelabrobot on December 19th, 2014 in Malware Descriptions.

UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.GenericKD.1968926 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: f122ec41bf22584c5c61cc72b44ece12
SHA1: 2c6d69122b259cd33cc28ca6f1527b27cdfccee0
SHA256: a898734154138674e98e5766ff1ca7e69f985fcd8a0f014326de11e6be66a3c0
SSDeep: 6144:VwHys2XXq04L6oFITkQG3Y/o2P7XMxhjMvj: 2n94wl8/jmj
Size: 208366 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-11 23:03:30
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

unyd.exe:3216
unyd.exe:3096
%original file name%.exe:216
%original file name%.exe:2492

The Trojan injects its code into the following process(es):

Explorer.EXE:1948

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process unyd.exe:3096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsdB5.tmp\Verne.dll (2516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\atamans\Verne.ucg (2784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nspB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB5.tmp\Verne.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB5.tmp (0 bytes)

The process %original file name%.exe:216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Verne.dll (2516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\atamans\Verne.ucg (2784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Verne.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp (0 bytes)

The process %original file name%.exe:2492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Heirin\unyd.exe (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp28357e96.bat (177 bytes)

Registry activity

The process unyd.exe:3216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 A1 0E EA 58 41 0D 7B 8B 0C CF 23 E6 E9 4C 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process unyd.exe:3096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 21 8E F0 45 D3 48 43 72 8B 82 2F 4F C4 9F 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:2492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 70 2B 7A C1 6B 66 ED C1 28 D4 8D C0 23 AE D6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

MD5	File path
ce8ada3a6fe12df87cfc4557f512ff06	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Heirin\unyd.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

VersionInfo

Company Name: NVIDIA Corporation
Product Name: Capture .NET
Product Version: 12.8.5310.52
Legal Copyright: Copyright (c) 2003-2014 by fish
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 12.8.5310.52
File Description: Capture .NET
Comments:
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23144	23552	4.4491	e50f4a1111bafdc813b1f7ec153b8ea9
.rdata	28672	4558	4608	3.62903	640f709ec19b4ed0455a4c64e5934d5e
.data	36864	108472	1024	3.37648	54c75104a38a6f79dc7a8d3b020a9139
.ndata	147456	32768	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	180224	7368	7680	2.61105	eb505c025a6b899a3fedbf9d019243f1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

Explorer.EXE_1948_rwx_01100000_00027000:

.text

`.data

.reloc

hXXp://VVV.google.com/webhp

PR_OpenTCPSocket

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

: ;2*8.>

3.#70!2)

x#m`a`cmddt-

6 !26!1'1

7"52),,>

;<)?$*%,

71.(5;4=

(203,2$0

/?./,5 <

:>(<<44=3%

8%/<8/?)?/

%/><!8?>!

HTTP/1.1

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://

hXXps://

HTTP/1.

SSSh,4

GetProcessHeap

KERNEL32.dll

SetKeyboardState

ExitWindowsEx

MsgWaitForMultipleObjects

MapVirtualKeyW

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestA

InternetCrackUrlA

HttpOpenRequestA

HttpAddRequestHeadersA

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

6 6&6/656{6

cGlobal\XXX

nspr4.dll

nss3.dll

SysShadow

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

%Documents and Settings%\%current user%\Application Data\Urati\osbi.ymf

%Documents and Settings%\%current user%\Application Data\Urati

osbi.ymf

Global\{FD8517FB-7B33-56B0-7D62-622F79A06DB2}

%Documents and Settings%\%current user%\Application Data

{6BFEA5DE-C916-C0CB-7D62-622F79A06DB2}

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

unyd.exe:3216
unyd.exe:3096
%original file name%.exe:216
%original file name%.exe:2492
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%Documents and Settings%\%current user%\Local Settings\Temp\nsdB5.tmp\Verne.dll (2516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\atamans\Verne.ucg (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Verne.dll (2516 bytes)
%Documents and Settings%\%current user%\Application Data\Heirin\unyd.exe (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp28357e96.bat (177 bytes)
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.GenericKD.1968926_f122ec41bf

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.GenericKD.1968926_f122ec41bf

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet