Trojan.NSIS.StartPage_ef6d2e8148
Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ef6d2e8148e99c80940770cb36116c46
SHA1: 46696a509a6d2bf5e72aa109ae7d220f0514d9f8
SHA256: e650808ba04d652f8f0cfc97138afa3ddb383bc789b9423fe1d4f8c3639ba84f
SSDeep: 393216:Ul0d3iPa0YRvQaitgdgas12vpy6YqNBNDOXK858ZP7:woG8vQa8SgX1IpyqhO685QP7
Size: 13159896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-04 15:55:11
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mscorsvw.exe:1912
svhost.exe:440
%original file name%.exe:1664
06.scr:404
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process svhost.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\sysdrv32.sys (392 bytes)
The process %original file name%.exe:1664 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7E.tmp (0 bytes)
The process 06.scr:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system\svhost.exe (46100 bytes)
Registry activity
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
The process svhost.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 F5 B9 DE EA C2 12 8A FE BE 71 24 62 B7 D2 77"
The process %original file name%.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 0B 7D CE 73 1E FE 7F 6E 95 94 7F EB 16 7E F0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 06.scr:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 F8 4F DD 14 B4 95 B4 63 87 77 15 F5 89 E4 9C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SVCWINSPOOL]
"(Default)" = "Service"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\NetworkService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SVCWINSPOOL]
"(Default)" = "Service"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
To run itself automatically each time Windows is booted, the Trojan adds a reference to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names (which are not assigned to any zone) are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 5dd4110c9b6099c0d7dff7dfde849ad4 | c:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\49YV01QJ\x[1] |
| 5dd4110c9b6099c0d7dff7dfde849ad4 | c:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JHZV9TF5\x[1] |
| 5dd4110c9b6099c0d7dff7dfde849ad4 | c:\WINDOWS\system32\06.scr |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 734 bytes in size. The following entries are added to the hosts file:
| 127.0.0.1 | www.Brenz.pl |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
VersionInfo
Company Name: Ntbldqemvaxp & co.
Product Name: Id-Gmkvldejfjzlm
Product Version:
Legal Copyright: Copyright Dwfunfiwberc
Legal Trademarks: Gmkvldejfjzlm is a trademark of Eqxpthqkbbnc
Original Filename:
Internal Name:
File Version: 25.1.1.25
File Description: Mnlatwdy
Comments: comment on Oewcvwtgdqmdj
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 34108 | 34304 | 4.20918 | ffc08f10ee3a1b9d790572b3a46488b5 |
| .data | 40960 | 144 | 512 | 0.831186 | 28f29d4150b83e7faae233a71c5cab15 |
| .rdata | 45056 | 9272 | 9728 | 3.95241 | f652035f54b3a74c89f7bb1cb907d4d2 |
| .bss | 57344 | 297092 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 356352 | 4868 | 5120 | 3.6057 | 0d5c3df1017a50cd5a6baab82c884d87 |
| .ndata | 364544 | 688128 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
| .rsrc | 1052672 | 3400 | 3584 | 2.94887 | 91e004f8cc73e6a0357bd203965b2d05 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| a.vspcord.com | |
| ilo.brenz.pl | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET CURRENT_EVENTS Known Hostile Domain ilo.brenz.pl Lookup
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)
Traffic
The Trojan connects to the servers at the following location(s):
.text
0`.data
.rdata
[email protected]
.idata
.ndata
.rsrc
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
*?|<>/":
%s=%s
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
>-"-*-&-6
.aJFKx
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyExA
GetWindowsDirectoryA
SHFileOperationA
ShellExecuteA
ExitWindowsEx
ADVAPI32.dll
COMCTL32.DLL
GDI32.dll
KERNEL32.dll
ole32.dll
SHELL32.DLL
USER32.dll
VERSION.dll
c:\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj7E.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description> Laban answered and said unto J</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>25.1.1.25
81.scr_3472:
%Xw;=~
.COU$L7
KERNEL32.DLL
4 5. /."/6"7
: ;<=>"?
!9I%f
.uL2/
p/j/%c
81.scr_3472_rwx_299F5000_00001000:
KERNEL32.DLL
81.scr_3472_rwx_299F9000_00009000:
)KERNEL32.dll
)USER32.dll
)ADVAPI32.dll
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
)SHELL32.dll
ShellExecuteExA
ShellExecuteA
)WSOCK32.dll
)MPR.dll
)SHLWAPI.dll
)RPCRT4.dll
)COMCTL32.dll
)ntdll.dll
)MSVCRT.dll
_acmdln
EPSShSS
81.scr_3472_rwx_29A07000_00006000:
sysdrv32.sys
\sysdrv32.sys
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
HTTP/1.0 200 OK
Content-Type: %s
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Portuguese
\\%s\%s
onQhurlmT
PRIVMSG
s.start
s.stop
%s %s
%s\%s
dnsapi.dll
-;58<,;0
Windows NT Remote Printers
Impresoras remotas Windows NT
Impresoras remotas de Windows NT
Stampanti remote di Windows NT
Imprimantes distantes pour Windows NT
Impr. remotas Windows NT
Impressoras remotas do Windows NT
Imp. remotas do Windows NT
81.scr_3472_rwx_29AA4000_0050A000:
x"Œ
81.scr_3472_rwx_29FB5000_00007000:
4 5. /."/6"7
: ;<=>"?
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mscorsvw.exe:1912
svhost.exe:440
%original file name%.exe:1664
06.scr:404
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\sysdrv32.sys (392 bytes)
%WinDir%\system\svhost.exe (46100 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.