MD5: 75dbbd8467ccac69bf5ff049c3938f49
SHA1: 33929b00e7ca93b9e79b1d00378a286e28044c64
SHA256: 836f9a8bd0a1fbad3670ed7a0ccb655f7277daf7cfaf7f22105a052e998d109d
SSDeep: 6144:faSyRwnN0diGGoy26DnMgqCYT3IvU2KU0pep1/8 2951vJ USIGbAZ:fabGnKdiGG79qlp28pw/W951RSIG
Size: 304128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-04-18 12:18:53

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

oleb.exe:2896
75dbbd8467ccac69bf5ff049c3938f49.exe:2608

The Trojan injects its code into the following process(es):

ctfmon.exe:252

File activity

The process oleb.exe:2896 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)

The process 75dbbd8467ccac69bf5ff049c3938f49.exe:2608 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FUH46D7.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Dila\oleb.exe (1729 bytes)

The process ctfmon.exe:252 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ntuser.dat.LOG (3120 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (2428 bytes)

Registry activity

The process oleb.exe:2896 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 42 E7 F0 E2 A9 35 94 46 46 4E 5A 2F 4D 1E D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Yxasihoq]
"27jdb841" = "wA4epcP8fnzwoA==ÇŽ"

The process 75dbbd8467ccac69bf5ff049c3938f49.exe:2608 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 A1 82 2C 35 87 AD DC 47 84 BC 9B CA 39 3A CC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process ctfmon.exe:252 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 2A 41 32 A4 64 EA 8A 44 D1 91 9A 19 EC 97 BC"

[HKCU\Identities]
"Last User ID" = "{6855BFC2-9E4A-4896-A11D-74388FBABDC2}"

[HKCU\Identities]
"Last Username" = "Main Identity"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkFolderRefresh" = "0"

[HKCU\Software\Microsoft\WAB\WAB4]
"FirstRun" = "1"

[HKCU\Identities]
"Identity Login" = "622675"

[HKCU\Software\Microsoft\Yxasihoq]
"238jdg33" = "E4 0E 75 A5"

[HKCU\Software\Microsoft\Internet Account Manager]
"Server ID" = "4"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\WAB\WAB4]
"OlkContactRefresh" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Identities]
"Changing"

[HKCU\Identities]
"OutgoingID"

[HKCU\Identities]
"IncomingID"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   oleb.exe:2896
   75dbbd8467ccac69bf5ff049c3938f49.exe:2608
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\ntuser.dat.LOG (2208 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT (540 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\FUH46D7.bat (173 bytes)
   %Documents and Settings%\%current user%\Application Data\Dila\oleb.exe (1729 bytes)
   

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.