Trojan.SalityStub.F_b56d0f3cba
Trojan.Win32.Small.cox (Kaspersky), Trojan.SalityStub.F (B) (Emsisoft), Trojan.SalityStub.F (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b56d0f3cba20b0058cd3facf334beff8
SHA1: cfc2d4b0813f4e4d3023693650b0f6f38cbc4e97
SHA256: 7709dbba43c067410161ab4b140b44408353f05b8ce4290464483aa85a97a328
SSDeep: 1536:Q5ShKkVYSgx4ucCyH5fN4imykPFCV0qhibUVkIuZJUpkjgv5t/0Xc4bBX/:N8kVKxICS5WitMFCVtuZuuG5KXc4B
Size: 99328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-05 02:25:00
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:312
Explorer.EXE:1684
Mutexes
The following mutexes were created/opened:
Ap1mutx7
%original file name%.exeM_312_
wmiprvse.exeM_2000_
vmupgradehelper.exeM_316_
vmtoolsd.exeM_128_
jqs.exeM_1972_
spoolsv.exeM_1448_
svchost.exeM_1116_
svchost.exeM_960_
vmacthlp.exeM_936_
lsass.exeM_776_
services.exeM_764_
winlogon.exeM_720_
csrss.exeM_696_
smss.exeM_624_
uxJLpe1m
File activity
The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\eboi.pif (99 bytes)
%WinDir%\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winydme.exe (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ngyxmt.exe (561 bytes)
C:\autorun.inf (301 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
C:\totalcmd\TOTALCMD.EXE (858 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ngyxmt.exe (0 bytes)
%WinDir%\257887 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winydme.exe (0 bytes)
Registry activity
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Stvncyfrlda]
"m2_8" = "997420773"
"m2_9" = "2732719960"
[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"
[HKCU\Software\Stvncyfrlda]
"m2_2" = "3470576471"
"m2_3" = "910908362"
"m2_0" = "5517"
"m2_1" = "1735293664"
"m2_6" = "1821804803"
"m2_7" = "3557105270"
"m2_5" = "86522028"
"m4_12" = "3643619612"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_7" = "2820037032"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m4_11" = "1908328879"
[HKCU\Software\Stvncyfrlda\168128873]
"-737866757" = "7439D18CF99ADB97C70A1EA4EA1DDEB3A46AF9AF9995ACD22104A39789171EB3633818AD029260106FF7F47FE0DE6244028206B85FFFAD226E9742031F5914A424C8AAD11CCC09A683D5C288F7B6E1F47648BB6509895D8CEFEAA4FC96A6440B61FA7545CEB6A4B60F5D6273763CD021B75224603D4E837AD74FFC1C93A050D600"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Stvncyfrlda]
"m2_4" = "2646190137"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m4_0" = "0"
"m4_1" = "1735290733"
"m4_2" = "3470581466"
"m4_3" = "910904903"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m4_6" = "1821809806"
"m4_7" = "3557100539"
"m4_8" = "997423976"
"m4_9" = "2732714709"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 6D 28 C0 BF 78 AF 63 90 C7 8E A8 B9 DB 78 A4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m3_3" = "927474798"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
"1821809806" = "0400687474703A2F2F38392E3131392E36372E3135342F746573746F352F00687474703A2F2F6B756B7574727573746E65743737372E696E666F2F686F6D652E67696600687474703A2F2F6B756B7574727573746E65743838382E696E666F2F686F6D652E67696600687474703A2F2F6B756B7574727573746E65743938372E696E666F2F686F6D652E67696600"
[HKCU\Software\Stvncyfrlda]
"m2_10" = "173032746"
"m1_10" = "3127516927"
"m2_12" = "3643615808"
"m1_12" = "1954038609"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_2" = "3487544563"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m3_7" = "3573965266"
"m3_6" = "1838544551"
"m3_5" = "69945096"
"m3_4" = "2629490589"
"m3_9" = "2749530364"
"m3_8" = "980422977"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_5" = "990974441"
"m1_4" = "2043211597"
"m4_10" = "173038146"
"m1_6" = "942015960"
"m1_1" = "692605188"
"m1_0" = "1431655765"
"m1_3" = "553799287"
"m1_2" = "2322242303"
"m1_9" = "151879564"
"m1_8" = "3256253133"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_11" = "31487998"
"m2_11" = "1908331499"
[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "143"
[HKCU\Software\Stvncyfrlda]
"m3_12" = "3626914613"
"m3_11" = "1891476358"
"m3_10" = "190001259"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
A firewall is disabled:
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 2347ad1ba11107a704936f09a69d6d99 | c:\eboi.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 69632 | 66048 | 5.53414 | 993700aaf4548fd2b30e5eae2fba7840 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 14
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\eboi.pif (99 bytes)
%WinDir%\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winydme.exe (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ngyxmt.exe (561 bytes)
C:\autorun.inf (301 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
C:\totalcmd\TOTALCMD.EXE (858 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.