MD5: 14dbeadd9b9dfce8b2c8ce77738c7aea
SHA1: ec43aa35f6214ea4c5e739903633739e8847721c
SHA256: aeccbd5d329f0a25503cd1a42044898bbb8148e18389bd3d79ff4496f4e496ad
SSDeep: 1536:ympJdMmJyDl SVZloWyHjmgthJG1NeByF34TH:yAJuIyDvZFyHj9t3ZgKTH
Size: 77824 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1532
hrl1.tmp:984

The Trojan injects its code into the following process(es):

xoldok.exe:988

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (66 bytes)

The process xoldok.exe:988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\RCX2.tmp (19444 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
%System%\hra33.dll (7 bytes)

The Trojan deletes the following file(s):

%System%\hra33.dll (0 bytes)

The process hrl1.tmp:984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\xoldok.exe (601 bytes)

Registry activity

The process regsvr32.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 51 B0 F2 60 B3 E1 F5 8C 17 25 BE B0 2D 9D 0D"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

ole32.dll

regsvr32.pdb

_wcmdln

RegCloseKey

RegOpenKeyExW

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

Windows

Operating System

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

xoldok.exe_988:

.text

.rdata

@.data

.rsrc

USER32.dll

ADVAPI32.dll

SHELL32.dll

WS2_32.dll

WINMM.dll

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

RegCloseKey

RegOpenKeyExA

RegOpenKeyA

ShellExecuteA

MFC42.DLL

MSVCRT.dll

_acmdln

WinExec

KERNEL32.dll

tutwl.3322.org:8899

674703625674703625

%u.%u.%u.%u

hra%u.dll

iexplore.exe

stf%c%c%c%c%c.exe

PlusCtrl.dll

kernel32.dll

SOFTWARE.LOG

%c%c%c%c%c%c.exe

%u MB

%u MHz

Windows NT

Windows 7

Windows 2008

Windows Vista

Windows 2003

Windows XP

Windows 2000

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Program Files\Internet Explorer\iexplore.exe

#0%s!

%s/%s

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

Host: %s:%d

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: hXXp://%s:80/hXXp://%s

%s %s%s

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

%d.%d.%d.%d

192.168.1.244

`.rdata

@.reloc

SHLWAPI.dll

lpk.dll

x].IvX,

fJd.RpxR

*.cTSQ}3

I{M.gpw

.lu..Pj

cmd /c RD /s /q "%s"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" x "%s" *.exe "%s\"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

rar.exe

1, 0, 0, 1

server.EXE

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   regsvr32.exe:1532
   hrl1.tmp:984

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (66 bytes)
   C:\RCX2.tmp (19444 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
   %Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
   %System%\hra33.dll (7 bytes)
   %System%\xoldok.exe (601 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.