Trojan.Win32.Alureon_4089cce099
Gen:Variant.Kazy.43312 (BitDefender), Backdoor:Win32/Cycbot.B (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.FakeAV.IS (v) (VIPRE), BackDoor.Gbot.1500 (DrWeb), Gen:Variant.Kazy.43312 (B) (Emsisoft), BackDoor-EXI.gen.aa (McAfee), Backdoor.Cycbot!gen9 (Symantec), Backdoor.Win32.Agent (Ikarus), Gen:Variant.Kazy.43312 (FSecure), Win32/Cryptor (AVG), Win32:Cybota [Trj] (Avast), TROJ_GEN.F0C2C00KO13 (TrendMicro), Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4089cce0994929b4649eb2e5a6ce4bcc
SHA1: 39529392ca28a55f051ed2fc334684720ca54183
SHA256: 8324fa41cdd9ac19733b02ce3df7c838cd266ea53c172fd314d025bb0e007fe9
SSDeep: 6144:8l6Xz5Cb7Vwxm30G1wYG vdA AfpBuxpWF9W4VzZ2gOiEA:8l6Oxw030GCpMAHpBUQF9W4b2gOiEA
Size: 283648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Typing Innovation Group Ltd
Created at: 2005-10-13 21:45:01
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
7.tmp:496
msiexec.exe:1948
%original file name%.exe:1160
The Trojan injects its code into the following process(es):
%original file name%.exe:1768
File activity
The process 7.tmp:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6L4ZORMH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LARCP2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0T29MLY7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CP6NWPQB\desktop.ini (67 bytes)
The process %original file name%.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (913 bytes)
%Program Files%\LP\1365\7.tmp (12588 bytes)
%System%\config\software (963 bytes)
%System%\config\SOFTWARE.LOG (2467 bytes)
%Program Files%\LP\1365\C29.exe (271362 bytes)
Registry activity
The process 7.tmp:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E DA 50 DD 62 DE 10 8F 07 39 14 E8 29 C2 7F E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\WinRAR]
"HWID" = "7B 31 34 46 30 31 41 43 45 2D 30 35 42 45 2D 34"
The process msiexec.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 CF F9 A2 14 10 96 0A 1B 17 B8 2C 3E AB 96 CE"
The process %original file name%.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 86 3D 2D 1B 59 D7 4E 8D 6C BF 71 D8 65 64 18"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\1365\C29.exe"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
The process %original file name%.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 42 27 23 73 B5 86 B6 59 69 AF B0 6F 24 01 9D"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl |  |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl | |
| hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
| hxxp://tri-countymech.com/g/134.jpg?pr=gHZutDyMv5rJfyG1J8K+1MWCJbP4lltXIA== | 184.168.221.25 |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://seeworldonlines.com/logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW3A/U6EsazybMRtyFa0umG8Ar0SsSA/gSoSEU=&pr=41 | 69.43.161.170 |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://webhomefordomains.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqA/AtTca3l74EgC5OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU=&pr=41 |  195.22.26.254 |
| hxxp://ourdatatransfers.com/gate.php (ET RBN Known Russian Business Network IP (296) ) | 69.43.161.179 |
| hxxp://www.google.com/ | 173.194.43.81 |
| hxxp://www.google.ca/?gws_rd=cr&ei=eZ6RUpeaLLGA2QXJyIGQAQ | 173.194.43.87 |
| csc3-2009-2-crl.verisign.com | 23.61.69.163 |
| crl.verisign.com | 23.61.69.163 |
| www.download.windowsupdate.com | 23.3.98.8 |
| csc3-2009-crl.verisign.com | 23.61.69.163 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
7.tmp:496
%original file name%.exe:1160 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6L4ZORMH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LARCP2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0T29MLY7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CP6NWPQB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (913 bytes)
%Program Files%\LP\1365\7.tmp (12588 bytes)
%System%\config\software (963 bytes)
%System%\config\SOFTWARE.LOG (2467 bytes)
%Program Files%\LP\1365\C29.exe (271362 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\1365\C29.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
