MD5: 786e673232111dc9e0c0b969243de977
SHA1: 06f7d769ed439d2d950bbf191a718a7e7626a1d1
SHA256: c90e2235a54c4551fd4cfde1c1730913826ac067ceb86daea66d7a86ac863089
SSDeep: 6144:OSfge2xgbrPqWmMogRgJsNhk302nURsbO1Gh XsFKzwTCqcFohzzi7F:db2xgbL5og0ukk URZ1GYyKzsMoh/i7F
Size: 315392 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SetupManager
Created at: 2003-11-14 01:15:40

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.
Ransom. Disables the compromised computer or restricts access to certain data so that the victim can no longer use it. The victim is expected to send payment to the hijacker to restore access to the blocked data or re-enable the system.

Process activity

The Trojan-PSW creates the following process(es):

keigaw.exe:2924
786e673232111dc9e0c0b969243de977.exe:2432

The Trojan-PSW injects its code into the following process(es):

ctfmon.exe:252

File activity

The process keigaw.exe:2924 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)

The process 786e673232111dc9e0c0b969243de977.exe:2432 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XLY6026.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Ywtaqo\keigaw.exe (1740 bytes)

The process ctfmon.exe:252 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (3120 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (2428 bytes)

Registry activity

The process keigaw.exe:2924 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 A3 CD 69 F1 28 B8 44 46 0E 2D 22 E1 7F 18 C5"

[HKCU\Software\Microsoft\Iwicvuuwjas]
"ae38451" = "MTejC54QeeKl9V4Lc"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process 786e673232111dc9e0c0b969243de977.exe:2432 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 4A D4 CE CB CD FC 12 81 69 D4 6A EA 2D D7 61"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process ctfmon.exe:252 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 8B E7 1D 21 C2 B7 A8 E9 E8 89 A8 47 F4 99 86"

[HKCU\Identities]
"Last User ID" = "{6855BFC2-9E4A-4896-A11D-74388FBABDC2}"

[HKCU\Identities]
"Last Username" = "Main Identity"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkFolderRefresh" = "0"

[HKCU\Software\Microsoft\WAB\WAB4]
"FirstRun" = "1"

[HKCU\Identities]
"Identity Login" = "622675"

[HKCU\Software\Microsoft\Iwicvuuwjas]
"f660e57" = "14 37 C6 0B"

[HKCU\Software\Microsoft\Internet Account Manager]
"Server ID" = "4"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkContactRefresh" = "0"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Identities]
"Changing"

[HKCU\Identities]
"OutgoingID"

[HKCU\Identities]
"IncomingID"

The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   keigaw.exe:2924
   786e673232111dc9e0c0b969243de977.exe:2432
   

3. Delete the original Trojan-PSW file.
   
4. Delete or disinfect the following files created/modified by the Trojan-PSW:
   

   %Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\XLY6026.bat (173 bytes)
   %Documents and Settings%\%current user%\Application Data\Ywtaqo\keigaw.exe (1740 bytes)
   

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.