MD5: 5b29acf9e68ab3b642466158adf418e3
SHA1: c935ade1d4227462eae3933f861c82439420fc6d
SHA256: ef27204c2b84ad0e6d0d039280dea36afc0a834748b1837ec0e1d81cc0cba6ea
SSDeep: 12288:evwckc2x3Vtg5eeFXJHES5yUwNjo2fBtb0op/z: V 3TgFHES5yUwNjoKtb
Size: 999424 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-06-03 03:07:18
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1988

The Trojan injects its code into the following process(es):

rundll32.exe:1392

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (3802 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\scandisk.lnk (685 bytes)

The process rundll32.exe:1392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\scandisk.lnk (1370 bytes)
%System%\tloadmA2.dll (3802 bytes)
%Documents and Settings%\%current user%\tloadmA2.dll (3802 bytes)

Registry activity

The process %original file name%.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 8D 80 37 8B 6F 87 E2 57 CB A7 19 79 8D A0 10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"reg.exe" = "Registry Console Tool"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool" = "rundll32.exe %System%\tloadmA2.dll,_IWMPEvents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool" = "rundll32.exe C:\DOCUME~1\"%CurrentUserName%"\tloadmA2.dll,_IWMPEvents"

The process rundll32.exe:1392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 B4 EA 70 AB 1C 68 A6 D8 CD C2 70 CF A4 14 9C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool" = "rundll32.exe %System%\tloadmA2.dll,_IWMPEvents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemonTool" = "rundll32.exe C:\DOCUME~1\"%CurrentUserName%"\tloadmA2.dll,_IWMPEvents"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft Multimedia Controls
Product Version: 6.03.01.0146
Legal Copyright: Copyright (c) Microsoft Corp. 1997-1999
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.03.01.0146
File Description: Microsoft Multimedia Controls Utilities
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://google.com/	173.194.113.192

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.0

Host: google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

Connection: close

HTTP/1.0 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=M5hgV4-BCPCEygWFqrqoCw

Content-Length: 262

Date: Tue, 14 Jun 2016 23:50:11 GMT
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=M5hgV4-BCPCE
ygWFqrqoCw">here</A>...</BODY></HTML>....

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1988
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (3802 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Startup\scandisk.lnk (685 bytes)
   %System%\tloadmA2.dll (3802 bytes)
   %Documents and Settings%\%current user%\tloadmA2.dll (3802 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "NvCplDaemonTool" = "rundll32.exe %System%\tloadmA2.dll,_IWMPEvents"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "NvCplDaemonTool" = "rundll32.exe C:\DOCUME~1\"%CurrentUserName%"\tloadmA2.dll,_IWMPEvents"
   
   

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.