MD5: b52e960c0401649a9a25ae5a4aa4c6b2
SHA1: 07b55737612c0d3e0f41ec63697509c487e21437
SHA256: 01ec6916783b352d631444e6853a3b93b413f89984b76807e43af511b21c0e55
SSDeep: 12288:UKIy6wz03W1U9 SvxeFPEsUDkL7uE7jgFu2HktVbK:UKbp6W69reFPxRvaVE
Size: 616448 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: The PXJ Team
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:580
hrlD.tmp:1640

The Trojan injects its code into the following process(es):

ycyacc.exe:1124

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrlD.tmp (3681 bytes)

The process hrlD.tmp:1640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ycyacc.exe (4185 bytes)

The process ycyacc.exe:1124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\hra33.dll (7 bytes)
C:\RCXE.tmp (27484 bytes)

The Trojan deletes the following file(s):

%System%\hra33.dll (0 bytes)

Registry activity

The process regsvr32.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 F1 CD 91 FB E7 5B 2E 64 46 6A 25 F0 D0 FA F8"

The process hrlD.tmp:1640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 50 5B 95 90 C5 19 7C F0 72 DD D8 61 68 41 0F"

[HKLM\System\CurrentControlSet\Services\Distribuoyo]
"Description" = "Distribuajk Transaction Coordinator Service."

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SOFTWARE.LOG,"

The process ycyacc.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 32 3C CA B5 56 04 D9 F5 E7 D5 25 E3 3B 7F 57"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

ole32.dll

regsvr32.pdb

_wcmdln

RegCloseKey

RegOpenKeyExW

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

Windows

Operating System

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

ycyacc.exe_1124:

.text

`.rdata

@.data

.rsrc

USER32.dll

ADVAPI32.dll

SHELL32.dll

WS2_32.dll

WINMM.dll

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

RegCloseKey

RegOpenKeyExA

RegOpenKeyA

ShellExecuteA

MFC42.DLL

MSVCRT.dll

_acmdln

WinExec

KERNEL32.dll

fei9988.3322.org:8080

564528578564528578

%u.%u.%u.%u

hra%u.dll

iexplore.exe

stf%c%c%c%c%c.exe

PlusCtrl.dll

kernel32.dll

SOFTWARE.LOG

%c%c%c%c%c%c.exe

%u MB

%u MHz

Windows NT

Windows 7

Windows 2008

Windows Vista

Windows 2003

Windows XP

Windows 2000

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Program Files\Internet Explorer\iexplore.exe

#0%s!

%s/%s

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

Host: %s:%d

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: hXXp://%s:80/hXXp://%s

%s %s%s

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

%d.%d.%d.%d

192.168.1.244

@.reloc

SHLWAPI.dll

lpk.dll

7.DDQz

z%upZ

XG

.wv_<;

.dR/r

.IcqE

Q-.yLP5_

Kg.PC

o(.Rx

%0ulg

en.Xt

%F?L`

p|%uY

9lP.Jt

$^H.Lb

ÂRo

xkG.ig

^N.BZ?

q%D><%

.CHt@

.KQB]

uJ.Bv

FX !>%D

%UB !Q

.iaP9

B.uf,

%xBTPt

%6x]!V

.SqvP

X:\w5E

.ZR&/

%U5p,3

n[-P7mB.Olb

.OdUa%

I{m.kpw

.lt..Pk

GD.gh

X%Ui*

$u%dHBYR

4ma>%s

DK.AN

cmd /c RD /s /q "%s"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" x "%s" *.exe "%s\"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

rar.exe

1, 0, 0, 1

server.EXE

ycyacc.exe_1124_rwx_0041B000_00001000:

.dR/r

ycyacc.exe_1124_rwx_00425000_00001000:

Kg.PC

ycyacc.exe_1124_rwx_0042D000_00001000:

Q-.yLP5_

ycyacc.exe_1124_rwx_0044B000_00001000:

q%D><%

ycyacc.exe_1124_rwx_00469000_00002000:

B.uf,

%xBTPt

ycyacc.exe_1124_rwx_00470000_00002000:

X:\w5E

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   regsvr32.exe:580
   hrlD.tmp:1640
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\hrlD.tmp (3681 bytes)
   %System%\ycyacc.exe (4185 bytes)
   %System%\hra33.dll (7 bytes)
   C:\RCXE.tmp (27484 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.