MD5: dfdb05db93a05ac2ae375a6be02025a9 SHA1: ae8cc95631e676f410a450ae79a7b35f1498823e SHA256: 0b6f44900b66b7a6b29095bfde59feb20cb67304867c9ee922e9ce8fe35b0425 SSDeep: 6144:tIvztllzdRarT Kg8LGTMJMu71vXdjkJOKVCwTow:tIJZRarm4GTYJvXdgJOv Size: 285696 bytes File type: EXE Platform: WIN32 Entropy: Packed PEID: UPolyXv05_v6 Company: to generous of Created at: 2013-01-02 16:20:41 Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3664
yhjyf.exe:3880

The Trojan injects its code into the following process(es): No processes have been created.

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Oqygfi\yhjyf.exe (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8995d98c.bat (177 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Oqygfi\yhjyf.exe (0 bytes)

Registry activity

The process %original file name%.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 97 5B 1E FD 61 51 45 FC 66 7B 7B B4 7F 0A 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process yhjyf.exe:3880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 19 0D 4C F6 2D C3 08 C3 F3 F9 93 1C 9D DC AE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Ryuka]
"24e32cg8" = "WvyfWrUXxsCPTQ7ohb84a9gJ"

Dropped PE files

MD5	File path
1d73a1fe0520083136525a0f94c71b0f	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Oqygfi\yhjyf.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
WSARecv
send
closesocket

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	4828	5120	3.46414	bbcd388663e73caac18632b6cc780bab
.rdata	12288	1142	1536	2.78426	b8daa7ce830c059ae49e5159f21202bd
.data	16384	10	512	0	bf619eac0cdf3f68d496ea9344137e8b
.rsrc	20480	276674	276992	5.53581	27f93a716845189f336cb9ef16a46544
.reloc	299008	4096	512	0	bf619eac0cdf3f68d496ea9344137e8b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1 973d199c37dda094c08d5466b247b062

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps were not found.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:3664
   yhjyf.exe:3880

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Application Data\Oqygfi\yhjyf.exe (285 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp8995d98c.bat (177 bytes)

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.