MD5: 9199a713d03744909ca3f5bf13957327
SHA1: d3ef197cb9681caf2a500fcb3c8a0758bf9aea77
SHA256: 54c936d61796042f67149c2f522f4733518d5655f8fbeb30f76f635753b811c2
SSDeep: 6144:z IhFwMaUBhdoOPWUFqpa3rlSl49fpjPHuE9ZZsJ:ys7NBhdWgqpa3RY49ftuqZs
Size: 316928 bytes
File type:
Platform:
Entropy:
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

9199a713d03744909ca3f5bf13957327.exe:2392
saet.exe:2804

The Trojan-PSW injects its code into the following process(es):

ctfmon.exe:252

File activity

The process ctfmon.exe:252 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (5400 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4484 bytes)

The process 9199a713d03744909ca3f5bf13957327.exe:2392 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HEM473C.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Xizy\saet.exe (1741 bytes)

The process saet.exe:2804 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)

Registry activity

The process ctfmon.exe:252 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 70 55 C5 A4 19 95 5F 1A 9F 21 8A 88 74 1E 3F"

[HKCU\Identities]
"Last User ID" = "{6855BFC2-9E4A-4896-A11D-74388FBABDC2}"

[HKCU\Identities]
"Last Username" = "Main Identity"

[HKCU\Software\Microsoft\Ewinjetykozi]
"j3g8hdg" = "931556421"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkFolderRefresh" = "0"

[HKCU\Software\Microsoft\WAB\WAB4]
"FirstRun" = "1"

[HKCU\Identities]
"Identity Login" = "622675"

[HKCU\Software\Microsoft\Internet Account Manager]
"Server ID" = "4"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkContactRefresh" = "0"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Identities]
"Changing"

[HKCU\Identities]
"OutgoingID"

[HKCU\Identities]
"IncomingID"

The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process 9199a713d03744909ca3f5bf13957327.exe:2392 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 0F 2A 07 9E D9 25 20 C6 AC C0 7D 8A 8E 0B 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process saet.exe:2804 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 54 26 E2 98 78 34 57 51 74 8C 9F 13 8F BF A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Ewinjetykozi]
"13jehai2" = "Z2z2NxJWOY6q8qbWi4g=y"

Network activity (URLs)

No activity has been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   9199a713d03744909ca3f5bf13957327.exe:2392
   saet.exe:2804

3. Delete the original Trojan-PSW file.
   
4. Delete or disinfect the following files created/modified by the Trojan-PSW:
   

   %Documents and Settings%\%current user%\ntuser.dat.LOG (5400 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT (4484 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\HEM473C.bat (173 bytes)
   %Documents and Settings%\%current user%\Application Data\Xizy\saet.exe (1741 bytes)
   

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.