Trojan.Microfake.D_9527b3e6d4
Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Microfake.D (B) (Emsisoft), Trojan.Microfake.D (AdAware), DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 9527b3e6d4a908f7292ebe43d19e190c
SHA1: 0ed4ffcc2548f8c3795d0ff290d6946f9203f04a
SHA256: 390eff5b08ddda7cebc9278c7393918d65f43cde06b6848780285664f1474218
SSDeep: 1536:LmrJdMmJyDl tVZpoWyHjmg8MgiAFam0PGf PWw69:LKJuIyDAZRyHj98MgiHm0P8gz6
Size: 71680 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:704
hrl1.tmp:396
The Trojan injects its code into the following process(es):
tgzdgk.exe:1532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process regsvr32.exe:704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (64 bytes)
The process hrl1.tmp:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\tgzdgk.exe (64 bytes)
The process tgzdgk.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\RCX2.tmp (18276 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
%System%\hra33.dll (7 bytes)
The Trojan deletes the following file(s):
%System%\hra33.dll (0 bytes)
Registry activity
The process regsvr32.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE FB B6 86 69 E9 89 F2 CA 0A 44 6A 47 CE B7 70"
Dropped PE files
| MD5 | File path |
|---|---|
| da758ba44bc460af24b11342491d4d32 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG |
| da758ba44bc460af24b11342491d4d32 | c:\WINDOWS\system32\tgzdgk.exe |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | www.Brenz.pl |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 2860 | 3072 | 3.84485 | c9b6b9fbded3d4764666702b145428d1 |
| .rdata | 8192 | 2505 | 2560 | 3.36056 | 6951ee1a0ff3a7f5a44727b4713506a3 |
| .data | 12288 | 672 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 16384 | 64148 | 64512 | 4.84296 | 0f5da974f43607b1245ff65ca6ff21a4 |
| .reloc | 81920 | 494 | 512 | 3.52939 | cfa8d04dd000bb30ab126902176ed40d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET CURRENT_EVENTS Known Hostile Domain ilo.brenz.pl Lookup
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
ole32.dll
regsvr32.pdb
_wcmdln
RegCloseKey
RegOpenKeyExW
Excessive # of DLL's on cmdline
5.1.2600.5512 (xpsp.080413-2105)
REGSVR32.EXE
Windows
Operating System
5.1.2600.5512
Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.
LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.
OleUninitialize failed.["%1" is not an executable file and no registration
tgzdgk.exe_1532:
.text
`.rdata
@.data
.rsrc
USER32.dll
ADVAPI32.dll
SHELL32.dll
WS2_32.dll
WINMM.dll
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
ShellExecuteA
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
fei9988.3322.org:8080
564528578564528578
%u.%u.%u.%u
hra%u.dll
iexplore.exe
stf%c%c%c%c%c.exe
PlusCtrl.dll
kernel32.dll
SOFTWARE.LOG
%c%c%c%c%c%c.exe
%u MB
%u MHz
Windows NT
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Program Files\Internet Explorer\iexplore.exe
#0%s!
%s/%s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
%d.%d.%d.%d
192.168.1.244
@.reloc
SHLWAPI.dll
lpk.dll
cmd /c RD /s /q "%s"
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"
"%s" x "%s" *.exe "%s\"
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"
rar.exe
1, 0, 0, 1
server.EXE
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:704
hrl1.tmp:396 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (64 bytes)
%System%\tgzdgk.exe (64 bytes)
C:\RCX2.tmp (18276 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\lpk.dll (601 bytes)
%System%\hra33.dll (7 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
