MD5: e7a3330b78419cb72f8a3b05281cfcd1
SHA1: cdfc94b3cbcfb8a23f2fd74ed03ce5e6e135ed13
SHA256: 3024b852d3e472edf4fe27b510f03645374ed1b7cdc525393d25bb8847176e47
SSDeep: 12288:ytb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaJTaqg6A:ytb20pkaCqT5TBWgNQ7aNaqg6A
Size: 904704 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: PublicationBrowserApps
Created at: 2015-02-10 04:24:56
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

vbc.exe:1664
rundll32.exe:1804
%original file name%.exe:1288

The Trojan injects its code into the following process(es):

Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\r2.oc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.c (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\r.oc (532 bytes)
%Documents and Settings%\%current user%\Application Data\svchost (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)

Registry activity

The process vbc.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 8B 54 F4 ED 81 14 74 CA 88 58 3C 8C 3E 48 B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"

The process rundll32.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 94 58 26 4A B9 4C 6B 4A 66 E9 71 60 41 C6 0D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE" = "WordPad"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Windows Media Player]
"wmplayer.exe" = "Windows Media Player"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"NOTEPAD.EXE" = "Notepad"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\VMware\VMware Tools]
"VMwareHostOpen.exe" = "Default Host Application"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"mspaint.exe" = "Paint"

The process %original file name%.exe:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 9F 7F 89 25 BF 68 8E 99 89 60 64 A5 D0 33 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shell32.dll" = "Windows Shell Common Dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "c:\%original file name%.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Explorer.EXE_1572_rwx_00FF0000_0000E000:

.data

.idata

.rsrc

@.reloc

Successfully Killed And Removed Malicious File: "%s"

Usage: %s IP PORT DELAY LENGTH

Failed To Start Thread: "%d"

Failed: "%d"

Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]

Filed To Visit: "%s"

Successfully Visited: "%s"

%s #%s

%s %s

Running From: "%s"

[%s][%s] - "%s"

{%s}: %s

Successfully Executed Process: "%s"

Failed To Create Process: "%s", Reason: "%d"

Successfully Downloaded File To: "%s"

Downloading File: "%s"

hXXp://api.wipmania.com/

JOIN

NICK

PRIVMSG

AryaN{%s-%s-x%d}%s

New{%s-%s-x%d}%s

%s "" "%s" :%s

%s %s :[AryaN]: %s

%s %s %s

Finished Flooding "%s:%d"

Terminated UDP Flood Thread

%d%d%d%d%d%d%d%d

Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds

LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files

AutoRun Infected Removable Device: "%s\"

j[YPSSh

SSSSh

VSSSh

udp.stop

join

199.115.228.8

apocsec.net

MSVCRT.dll

GetProcessHeap

KERNEL32.dll

WS2_32.dll

SHLWAPI.dll

InternetOpenUrlA

WININET.dll

ole32.dll

PSAPI.DLL

ShellExecuteA

SHELL32.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegNotifyChangeKeyValue

ADVAPI32.dll

%userprofile%

%s\removethis_%d%d%d.exe

%temp%\oldfile.exe

Mozilla/5.0 (compatible)

%s\%d%d%d.exe

explorer.exe

Kernel32.dll

%s-deadlock

%s\SysWOW64

advapi32.dll

comsupp.dll

shell32.dll

wininet.dll

shlwapi.dll

dnsapi.dll

user32.dll

ws2_32.dll

psapi.dll

Ole32.dll

kernel32.dll

msvcrt.dll

dwm.exe

alg.exe

csrss.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%s-readfile

cmd.exe

Software\Microsoft\Windows\CurrentVersion\Run

%temp%\deletethis.exe

Removable_Drive.exe

%s\{%s-%s}

/k "%s" Open %s

%windir%\System32\cmd.exe

%s\Removable_Drive.exe

%s\%s

%s\%s.lnk

icon=Shell32.dll,7

shell\open\Command=%s

open=%s

shell\explore\Command=%s

%s\autorun.inf

%Documents and Settings%\%current user%\Application Data\apocsec

%WinDir%\Microsoft.NET\Framework\v3.5\vbc.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   vbc.exe:1664
   rundll32.exe:1804
   %original file name%.exe:1288
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\r2.oc (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\s.c (39 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\r.oc (532 bytes)
   %Documents and Settings%\%current user%\Application Data\svchost (6841 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1764 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (400 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "apocsec" = "%Documents and Settings%\%current user%\Application Data\apocsec"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "svchost.exe" = "c:\%original file name%.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.