Trojan.Win32.Alureon_c6a0ca6941
Gen:Trojan.Hibbit.1 (BitDefender), Rogue:Win32/FakeScanti (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.FakeAV.IS (v) (VIPRE), Trojan.FakeAV.10503 (DrWeb), Gen:Trojan.Hibbit.1 (B) (Emsisoft), BackDoor-EXI.gen.ad (McAfee), Backdoor.Cycbot!gen9 (Symantec), Trojan.Win32.FakeAV (Ikarus), Gen:Trojan.Hibbit.1 (FSecure), Generic25.CDRC (AVG), Win32:Cybota [Trj] (Avast), TROJ_FORUCON.BMC (TrendMicro), Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Fake-AV
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: c6a0ca6941a8fc3f7a17665c87978402
SHA1: 1e5c85a2dab2894141e04ee9605dc10b03da687e
SHA256: acd89f1b4d77e62ac69547625ecfa3d1e80efe527149fa12511f6faee20aba00
SSDeep: 49152:U/lOMVurTbEz0t4eohYuUaJNVKaHjA2GQBs18F:6OMV6TbE oqaJvQ2G4
Size: 2012672 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-09-09 14:01:29
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
dwme.exe:556
dwme.exe:1532
dwme.exe:360
%original file name%.exe:1744
2.tmp:220
msiexec.exe:496
The Trojan injects its code into the following process(es):
AV Security 2012v121.exe:492
dwme.exe:584
File activity
The process AV Security 2012v121.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\BxA1uvS2oFpGsJd\AV Security 2012.ico (676 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\ldr.ini (1668 bytes)
%Documents and Settings%\%current user%\Desktop\AV Security 2012.lnk (1 bytes)
%System%\drivers\etc\hosts (3191 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process dwme.exe:584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\software (729 bytes)
%Program Files%\LP\8FBA\2.tmp (12588 bytes)
%Program Files%\LP\8FBA\C29.exe (279122 bytes)
%System%\config\SOFTWARE.LOG (1603 bytes)
%Documents and Settings%\%current user%\Application Data\A8A67\7A25.8A6 (2656 bytes)
The process %original file name%.exe:1744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dwme.exe (289 bytes)
%System%\AV Security 2012v121.exe (12289 bytes)
%Documents and Settings%\%current user%\Application Data\dwme.exe (289 bytes)
%System%\config\software (2975 bytes)
%System%\config\SOFTWARE.LOG (6950 bytes)
Registry activity
The process AV Security 2012v121.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 6C DC F5 57 0D 2D CE 39 9F D9 BF CF 39 F0 3A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process dwme.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 2D D7 26 8D D6 EC 9C 4D 0C 28 5C 92 5A BD 28"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"
To run itself automatically each time Windows boots, the Trojan adds the following entry pointing to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\8FBA\C29.exe"
The process dwme.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 67 5E 12 CC 07 9D 12 7E 25 AA 5B D5 42 A4 87"
The process dwme.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD B7 9B 02 63 39 8B 91 52 47 FB CB F6 91 E0 DD"
The process dwme.exe:360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 3A 1C 33 73 F2 A2 2B D2 50 52 C9 5B FF 21 86"
The process %original file name%.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C CF CF 89 B9 D1 26 1B AB AC B9 C2 D4 89 E9 B3"
To run itself automatically each time Windows boots, the Trojan adds the following entries pointing to its files under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"I8RLhTXwjClBzNc" = "%Documents and Settings%\%current user%\Application Data\dwme.exe"
"OXqjUCekIrPyAuD8234A" = "%System%\AV Security 2012v121.exe"
The process 2.tmp:220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 68 7B 26 41 88 F6 10 CC 04 FC 3A AE D9 C0 DC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\WinRAR]
"HWID" = "7B 31 33 41 30 38 41 44 30 2D 44 35 36 38 2D 34"
The process msiexec.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 FA 58 C0 90 F4 2B 48 24 04 A7 11 0C BF DC C6"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://23.60.133.163/pca3.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://www.google.com/ | |
| hxxp://www.google.ca/?gfe_rd=cr&ei=bzXqUqKvEqyC8QeR9IGwBg | |
| www.download.windowsupdate.com | |
| csc3-2009-2-crl.verisign.com | |
| ourdatatransfers.com | |
| worldorderlive.com | |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which the system consults before DNS to map host names to IP addresses.
The modified file is 837 bytes in size. The following entries are added to the hosts file:
| IP | Host name |
|---|---|
| 46.4.179.109 | google.com |
| 46.4.179.109 | yahoo.com |
| 46.4.179.109 | bing.com |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwme.exe:556
dwme.exe:1532
dwme.exe:360
%original file name%.exe:1744
2.tmp:220
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\BxA1uvS2oFpGsJd\AV Security 2012.ico (676 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\ldr.ini (1668 bytes)
%Documents and Settings%\%current user%\Desktop\AV Security 2012.lnk (1 bytes)
%System%\drivers\etc\hosts (3191 bytes)
%System%\config\software (729 bytes)
%Program Files%\LP\8FBA\2.tmp (12588 bytes)
%Program Files%\LP\8FBA\C29.exe (279122 bytes)
%System%\config\SOFTWARE.LOG (1603 bytes)
%Documents and Settings%\%current user%\Application Data\A8A67\7A25.8A6 (2656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dwme.exe (289 bytes)
%System%\AV Security 2012v121.exe (12289 bytes)
%Documents and Settings%\%current user%\Application Data\dwme.exe (289 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\8FBA\C29.exe"
"I8RLhTXwjClBzNc" = "%Documents and Settings%\%current user%\Application Data\dwme.exe"
"OXqjUCekIrPyAuD8234A" = "%System%\AV Security 2012v121.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.