Trojan.VIZ.Gen.1_54acd130af
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.VIZ.Gen.1 (B) (Emsisoft), Trojan.VIZ.Gen.1 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 54acd130afe3631b2a523eacf36932dc
SHA1: c28b0322da61c3e4f5492d9edc73534450dc2b5b
SHA256: e073b93b9248a294e221cdd5c0e04ca807bafc4494c913be7d2405bbfbf998cc
SSDeep: 6144:8nYKAwWdjH8dzOBQCnmycQllfZCgEEocmx3b gxe0TFXkZSku gVxr3Q:UAwWdLJTWMDgEoco gXk8rA
Size: 284160 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-08-12 15:45:11
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
beby.exe:376
%original file name%.exe:1616
The Trojan injects its code into the following process(es):
Explorer.EXE:1572
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Joik\beby.exe (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp64d8621a.bat (177 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Joik\beby.exe (0 bytes)
Registry activity
The process beby.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 1A CF CF EB 57 1D 17 78 D5 03 D5 8D 28 25 61"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Idbeem]
"2ba7d4dh" = "wwBd9KRVKrhWHS4KoQ5UpA=="
The process %original file name%.exe:1616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 8B 51 54 60 A0 E6 2C 2B C3 3F C5 21 EC 22 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
| MD5 | File path |
|---|---|
| 19f9809cff5aebf25afcfb061a0b98a4 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Joik\beby.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
WSARecv
send
closesocket
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
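The hook set above is the banker/form-grabber set characteristic of Zbot-family samples (the Kaspersky name in the header is Zbot). The WININET hooks let the injected code read and rewrite HTTP request bodies and responses inside Internet Explorer; the Secur32 hooks on SealMessage and DecryptMessage expose SChannel plaintext before encryption and after decryption; the WS2_32 hooks capture raw socket traffic; PFXImportCertStore sees certificates and private keys as they are imported; GetClipboardData and TranslateMessage capture clipboard contents and keystrokes; and LdrLoadDll and NtCreateThread are typically used to re-apply the hooks in newly loaded modules and threads. These are inline (detour) hooks: the first bytes of each export in the target process are overwritten with a jump into the injected code. The block below is an added example, not part of the Lavasoft report, showing how such a hook is detected by comparing the first bytes of an export in process memory against the clean on-disk image and decoding the detour. The module base and size, the injected-region address, the export RVAs and the prologue bytes are constructed for illustration and are not taken from the report.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values (assumptions for illustration, not from the report): a 32-bit
# WININET.dll mapped at 0x771F0000 with size 0x1A0000, and an injected code region
# at 0x00C01000 inside the host process (e.g. Explorer.EXE).
WININET_BASE = 0x771F0000
WININET_SIZE = 0x001A0000
INJECTED_CODE = 0x00C01000

# Clean x86 hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp / push ebx
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec53")


@dataclass
class HookReport:
    export: str
    modified: bool          # bytes in memory differ from the on-disk image
    target: Optional[int]   # decoded detour destination (VA) if the first instruction is a jump
    outside_module: bool    # detour leaves the module: strong inline-hook indicator


def decode_detour(prologue: bytes, func_va: int) -> Optional[int]:
    """Decode the destination of the three detour shapes commonly written by injectors."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                          # JMP rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_va + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # PUSH imm32 ; RET
        return struct.unpack_from("<I", prologue, 1)[0]
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":                 # JMP [abs32] (x86)
        return struct.unpack_from("<I", prologue, 2)[0]
    return None


def check_export(export: str, func_va: int, in_memory: bytes, on_disk: bytes,
                 module: Tuple[int, int]) -> HookReport:
    """Compare the first bytes of an export in memory with the clean on-disk copy."""
    n = min(len(in_memory), len(on_disk))
    if in_memory[:n] == on_disk[:n]:
        return HookReport(export, False, None, False)
    target = decode_detour(in_memory, func_va)
    base, size = module
    outside = target is not None and not (base <= target < base + size)
    return HookReport(export, True, target, outside)


def jmp_rel32(from_va: int, to_va: int) -> bytes:
    """Encode an E9 detour from from_va to to_va (used only to build the constructed sample)."""
    return b"\xe9" + struct.pack("<i", to_va - (from_va + 5))


def scan_constructed_sample() -> List[HookReport]:
    """Run the check over three constructed exports: clean, E9-hooked and PUSH/RET-hooked."""
    module = (WININET_BASE, WININET_SIZE)
    exports = {
        "InternetCrackUrlA": WININET_BASE + 0x00002000,   # left untouched
        "HttpSendRequestA":  WININET_BASE + 0x00011234,   # E9 jmp into the injected region
        "InternetReadFile":  WININET_BASE + 0x00024560,   # push/ret into the injected region
    }
    in_memory = {
        "InternetCrackUrlA": CLEAN_PROLOGUE,
        "HttpSendRequestA": jmp_rel32(exports["HttpSendRequestA"], INJECTED_CODE) + CLEAN_PROLOGUE[5:],
        "InternetReadFile": b"\x68" + struct.pack("<I", INJECTED_CODE + 0x40) + b"\xc3",
    }
    return [check_export(name, va, in_memory[name], CLEAN_PROLOGUE, module)
            for name, va in exports.items()]


if __name__ == "__main__":
    for r in scan_constructed_sample():
        status = "HOOKED" if r.outside_module else ("modified" if r.modified else "clean")
        tgt = f" -> {r.target:#010x}" if r.target is not None else ""
        print(f"{r.export:20s} {status}{tgt}")
```

Two caveats when running this against a real process: the memory-versus-disk comparison must be done after applying base relocations (an export whose first instruction carries an absolute address will otherwise differ legitimately), and a detour that stays inside the module can be an OS hot-patch rather than malware, which is why only jumps that leave the module are reported as hooks. The sample was analyzed on 32-bit Windows XP; on 64-bit targets the common detour shapes differ (RIP-relative `FF 25` and `MOV RAX, imm64 ; JMP RAX`) and need their own decoders.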
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 4068 | 4096 | 4.78836 | 90620db35d77fe1559df09a2b985bd4b |
| .rdata | 8192 | 1208 | 1536 | 2.92673 | ed6f5fa9c52776130f641bd06fd0d04a |
| .data | 12288 | 10 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .rsrc | 16384 | 276666 | 276992 | 5.53534 | f1179658d4b0b0d2d95a37222eeb669b |
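The section table is what backs the "Entropy: Packed" verdict above: a 4 KB .text section next to a .rsrc section that holds 276992 of the 284160 bytes, which is the usual shape of a loader that keeps its real payload as a resource. The block below is an added example, not part of the Lavasoft report, that reproduces the per-section figures in the table (entropy and MD5 of the raw section data) from the IMAGE_SECTION_HEADER entries and applies two packing heuristics. It runs on a constructed two-section image built inline; the thresholds are assumptions chosen for illustration.

```python
import hashlib
import math
import random
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTION_HEADER = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)

# Heuristic thresholds (assumptions, not taken from the report).
HIGH_ENTROPY = 7.0          # bits per byte; compressed or encrypted data sits near 8
DOMINANT_FRACTION = 0.8     # one non-code section carrying this share of the file
CODE_SECTIONS = {".text", "CODE"}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_pointer: int
    entropy: float
    md5: str


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the same measure the report's Entropy column uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes, table_offset: int, count: int) -> List[Section]:
    """Read `count` section headers at `table_offset` and hash/measure their raw data."""
    out = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_HEADER, image, table_offset + i * SECTION_HEADER_SIZE)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = fields[1:5]
        raw = image[rawptr:rawptr + rawsize]
        out.append(Section(name, va, vsize, rawsize, rawptr,
                           shannon_entropy(raw), hashlib.md5(raw).hexdigest()))
    return out


def packing_indicators(sections: List[Section], file_size: int) -> Dict[str, List[str]]:
    """Flag sections that look like a packed/embedded payload; returns name -> reasons."""
    findings: Dict[str, List[str]] = {}
    for s in sections:
        reasons = []
        if s.entropy >= HIGH_ENTROPY:
            reasons.append(f"high entropy {s.entropy:.2f}")
        if s.name not in CODE_SECTIONS and s.raw_size / file_size >= DOMINANT_FRACTION:
            reasons.append(f"non-code section holds {s.raw_size / file_size:.0%} of the file")
        if s.virtual_size > max(s.raw_size, 1) * 4:
            reasons.append("virtual size far exceeds raw size (room for unpacked code)")
        if reasons:
            findings[s.name] = reasons
    return findings


def build_constructed_image() -> bytes:
    """Constructed image: a 0x200-byte header area, a small repetitive .text and a large random .rsrc.
    It is only headers plus raw data, not a loadable PE."""
    rng = random.Random(1)
    text_raw = bytes.fromhex("8bff558bec") * (0x1000 // 5) + b"\xcc" * (0x1000 - (0x1000 // 5) * 5)
    rsrc_raw = bytes(rng.getrandbits(8) for _ in range(0x8000))
    headers_size = 0x200
    hdr = struct.pack(SECTION_HEADER, b".text", 0x1000, 0x1000, len(text_raw), headers_size,
                      0, 0, 0, 0, 0x60000020)
    hdr += struct.pack(SECTION_HEADER, b".rsrc", 0x8000, 0x2000, len(rsrc_raw),
                       headers_size + len(text_raw), 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(headers_size, b"\0") + text_raw + rsrc_raw


def analyse_constructed_sample() -> Tuple[List[Section], Dict[str, List[str]]]:
    image = build_constructed_image()
    sections = parse_sections(image, 0, 2)
    return sections, packing_indicators(sections, len(image))


if __name__ == "__main__":
    sections, findings = analyse_constructed_sample()
    for s in sections:
        print(f"{s.name:8s} va={s.virtual_address:#x} vsize={s.virtual_size} raw={s.raw_size} "
              f"entropy={s.entropy:.5f} md5={s.md5}")
    for name, reasons in findings.items():
        print(f"{name}: {'; '.join(reasons)}")
```

Applied to the figures in the table above, only the size heuristic fires: .rsrc carries about 97% of the file, but its entropy of 5.54 is well below what compressed or encrypted data produces, so entropy alone would not have flagged this sample. That is the usual reason to combine section-layout checks with the entropy score rather than rely on either one.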
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s): none were observed during analysis (see Traffic above). The remaining lines are strings extracted from the sample.
.text
`.data
.reloc
Invalid parameter passed to C runtime function.
0123456789
%xNv]
gdiplus.dll
GdiplusShutdown
REPORT
/962<>?7
jmtbLbgqq> {nix~fzx.tcwjXp:&:8)-4.
,127!' ./9
hXXp://VVV.google.com/
hXXp://VVV.bing.com/
HTTP/1.1
urlmon.dll
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
m9.td
t.Ht$HHt
ntdll.dll
GetProcessHeap
KERNEL32.dll
GetKeyboardState
ExitWindowsEx
MsgWaitForMultipleObjects
USER32.dll
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
ADVAPI32.dll
SHDeleteKeyW
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
InternetCrackUrlA
HttpQueryInfoA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
msvcrt.dll
VERSION.dll
zcÁ
2(7,70747
8 8$8(8,80848
4(4,4044484<4@4
3%4u4
<$<2<`<|<
5(6.6@6]6
cabinet.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
\StringFileInfo\xx\%s
kernel32.dll
"%s" %s
kshell32.dll
/c "%s"
%sx.%s
%sx
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
{AB15A9C8-BA17-D6F3-F013-F140DE00D252}Global\{3D6E1BE3-083C-4088-F013-F140DE00D252}
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
beby.exe:376
%original file name%.exe:1616
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Joik\beby.exe (284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp64d8621a.bat (177 bytes)
- Delete the registry key created by the Trojan:
[HKCU\Software\Microsoft\Idbeem]
- Reboot the computer (this also clears the code injected into Explorer.EXE).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.