MD5: dea76138635e82dc579a8042f153c1b0
SHA1: 3ec06a23b6cc35dfe0b5d7004233dc34708ea741
SHA256: b5a4ef175bdcab9e5e34d7079f75bef1cafd28696fa7156067bddadf7078d8f2
SSDeep: 6144:zYjSj5yHDhu6wpADax48AAcYnerQxLWtubVYH:zYjSshuFp4aaztkxL88qH
Size: 251392 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1236
imeumw.exe:468
hrl1.tmp:1164

The Trojan injects its code into the following process(es):

Explorer.EXE:880

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (243 bytes)

The process imeumw.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\buc3.tmp (11010 bytes)

The process hrl1.tmp:1164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (11010 bytes)
%System%\imeumw.exe (1281 bytes)

Registry activity

The process regsvr32.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E F5 30 FB 21 81 1F D9 CE 65 4A 5B F4 EB 8E A1"

The process hrl1.tmp:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 59 0E 2F 1D 89 B0 E9 67 7B 83 5F 6C 64 B9 40"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

ole32.dll

regsvr32.pdb

_wcmdln

RegCloseKey

RegOpenKeyExW

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

Windows

Operating System

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

Explorer.EXE_880_rwx_01F71000_00071000:

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

d/d/d d:d:d.d

An exception (X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpClass.tpcDtorAddr

(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags

memType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR

dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR

IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)

elemType->tpClass.tpcFlags & CF_HAS_DTOR

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

€00404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(&&$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt  Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   regsvr32.exe:1236
   imeumw.exe:468
   hrl1.tmp:1164
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (243 bytes)
   %WinDir%\Temp\buc3.tmp (11010 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (11010 bytes)
   %System%\imeumw.exe (1281 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.