Trojan.Microfake.D_02df4f68ff
Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Microfake.D (B) (Emsisoft), Trojan.Microfake.D (AdAware), DDoS.Win32.Nitol.FD, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 02df4f68ff3dd6c51efabcd49714ca53
SHA1: c8f6f0d12a71690247b9ddb8f413e352b38c357e
SHA256: d22376c86ba5de1f386308c20f14defcaad456e84c70a05dddf0408a23b4caf8
SSDeep: 1536:Vmotq7WuHEqUExlayH2m9GDv6WKcNj5iywPoxp LjfLd4HW/:VneHE uyH21itcF5ZTcXxuW
Size: 71168 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Installer Pack
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:1832
hrl1.tmp:1756
The Trojan injects its code into the following process(es):
svchost.exe:264
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process regsvr32.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (63 bytes)
The process hrl1.tmp:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\cgoegm.exe (63 bytes)
Registry activity
The process regsvr32.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 A5 87 AD C9 CA 62 87 7F AA 02 F2 FE 13 3E EA"
The process hrl1.tmp:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 85 B7 2E 70 C6 4F 86 54 32 EE B4 75 B0 29 0F"
[HKLM\System\CurrentControlSet\Services\Nationalreo]
"Description" = "Providesfht a domain server for NI security."
Dropped PE files
| MD5 | File path |
|---|---|
| 7496136dd50196f47d242373c274d9cf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\hrl1.tmp |
| 7496136dd50196f47d242373c274d9cf | c:\WINDOWS\system32\cgoegm.exe |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | www.Brenz.pl |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 2860 | 3072 | 3.84485 | c9b6b9fbded3d4764666702b145428d1 |
| .rdata | 8192 | 2505 | 2560 | 3.36056 | 6951ee1a0ff3a7f5a44727b4713506a3 |
| .data | 12288 | 672 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 16384 | 63636 | 64000 | 4.94604 | 4f1a3441fb9ed2c21789c9e5237f78cb |
| .reloc | 81920 | 494 | 512 | 3.52939 | cfa8d04dd000bb30ab126902176ed40d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
aa896b641593457592570e991581a875
2bcaf6ca4200dfc8a15fde32019f896d
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
svchost.exe_264:
.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
USER32.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
SHLWAPI.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
0.0.0.0
hXXp://VVV.mojimojimojimoji.com/testq.html
VVV.mojimojimojimoji.com:8088
%u.%u.%u.%u
hra%u.dll
iexplore.exe
stf%c%c%c%c%c.exe
URLDownloadToFileA
urlmon.dll
%c%c%c%c%c.exe
PlusCtrl.dll
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
svchost.exe
ntdll.dll
@.reloc
lpk.dll
ap.OO
3B.iL V
nXÞ
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
svchost.exe_264_rwx_00400000_00014000:
.text
`.rdata
@.data
.rsrc
ADVAPI32.dll
USER32.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
SHLWAPI.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
0.0.0.0
hXXp://VVV.mojimojimojimoji.com/testq.html
VVV.mojimojimojimoji.com:8088
%u.%u.%u.%u
hra%u.dll
iexplore.exe
stf%c%c%c%c%c.exe
URLDownloadToFileA
urlmon.dll
%c%c%c%c%c.exe
PlusCtrl.dll
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
svchost.exe
ntdll.dll
@.reloc
lpk.dll
ap.OO
3B.iL V
nXÞ
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:1832
hrl1.tmp:1756 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (63 bytes)
%System%\cgoegm.exe (63 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
