MD5: df86900ec566e13b2a8b7fd9cfac5969
SHA1: 634fe11039b26b72997dee0cf083f1785b2f5b0a
SHA256: 1b0831b61818568eb1072129f6ccf076c0867c95c87a28edbcd168134d270a63
SSDeep: 768:eV7DGAi2clMvPPhAG oKjxDO5ZtqctdgI2MyzNtRQtONlIwoHNV2XBFV72B4lA7V:eFDGTPeej94LtdgI2MyzNtRQtONlIwoP
Size: 37376 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2003-09-15 20:33:39

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

%original file name%.exe:1196
lwemvemvdlud.exe:2032
anweoc.exe:1484

The Trojan-PSW injects its code into the following process(es):

ctfmon.exe:536

File activity

The process %original file name%.exe:1196 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lwemvemvdlud.exe (702976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\slide1[1].exe (702976 bytes)

The process lwemvemvdlud.exe:2032 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Lioh\anweoc.exe (883200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ECGD1CA.bat (190 bytes)
%Documents and Settings%\%current user%\Application Data\Lioh (4096 bytes)

The process anweoc.exe:1484 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT (180224 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (62976 bytes)
%Documents and Settings%\%current user% (28672 bytes)

Registry activity

The process %original file name%.exe:1196 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E FF 04 CC 08 31 03 6C D7 32 A7 D8 95 92 3E 84"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ctfmon.exe:536 makes changes in the system registry.
The Trojan-PSW deletes the following value(s) in system registry:
The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process lwemvemvdlud.exe:2032 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 22 15 22 BC C6 AE 82 4C C8 8F 55 EA 75 85 D8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process anweoc.exe:1484 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 43 34 58 51 1D F2 80 CE 62 24 2C FB 45 05 46"

[HKCU\Software\Microsoft\Bigedaymywzu]
"i17369d" = "96 84 A7 EB 7B 97"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Network activity (URLs)

URL	IP
hxxp://ciistudies.com/templates/themza_j25_13/images/green/logo.exe	103.6.196.152
hxxp://ciistudies.com/wp-content/uploads/2013/04/ourgoals.exe
hxxp://ciistudies.com/wp-content/uploads/2013/08/saniteq-jet-hand-dryer-thumb-1.exe
hxxp://dominionthe.com/images/slide1.exe	69.64.39.215
asfitness.com	103.6.196.152
saniteq.com	103.6.196.152

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1196
   lwemvemvdlud.exe:2032
   anweoc.exe:1484

3. Delete the original Trojan-PSW file.
   
4. Delete or disinfect the following files created/modified by the Trojan-PSW:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\lwemvemvdlud.exe (702976 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\slide1[1].exe (702976 bytes)
   %Documents and Settings%\%current user%\Application Data\Lioh\anweoc.exe (883200 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ECGD1CA.bat (190 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT (180224 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT.LOG (62976 bytes)
   

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.