Trojan.Win32.Beaugrit.gen!AAA_6f8f5d6b51
Dropped:Trojan.GenericKDV.1254340 (BitDefender), Trojan:Win32/Beaugrit.gen!AAA (Microsoft), Trojan.Win32.Sfuzuan.fv (Kaspersky), Trojan.Win32.Sfuzuan.c (v) (VIPRE), Trojan.PWS.Spy.17881 (DrWeb), Dropped:Trojan.GenericKDV.1254340 (B) (Emsisoft), RDN/Generic PWS.y!wf (McAfee), Win32.SuspectCrc (Ikarus), Dropped:Trojan.GenericKDV.1254340 (FSecure), Crypt2.AEAV.dropper (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R02LC0DKT13 (TrendMicro), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 6f8f5d6b51088a7a322c6830f7dbca12
SHA1: bee1939f76470d0c3cd5a818dd634fe44b570e5d
SHA256: 0b34ae907cffd8b4930ed1fb10fd59fd50bf26b165fcbb81a40c02a615fc4ebe
SSDeep: 12288:8fHAVek1hFJtsu0ECsrLk5QzXGkDgQH9OKIQEZR9l:0gVjbQE3sizt9H9OKIQEZR9l
Size: 790528 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-19 14:01:25
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1488
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:1488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\%original file name%.exe_BaseT.dll (72704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%WinDir%\win.ini (189 bytes)
C:\log.dat (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\vpp[1].ini (1352 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (12288 bytes)
C:\%original file name%.exe_Tmp0F1.dll (1126912 bytes)
%WinDir%\LQJVmD5lOK.dll (602624 bytes)
%System%\drivers\UsbWlan.sys (8704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\api[1].php (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\getip[1].htm (33 bytes)
C:\%original file name%.exe_Tmp0F1.dlllog.dat (10519 bytes)
The Trojan deletes the following file(s):
%System%\drivers\UsbWlan.sys (0 bytes)
Registry activity
The process %original file name%.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 C3 B6 4C 4D 7A 99 7B E2 2B 36 A7 F7 7C 9B 6A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://cc00087.f.cncssr.chinacache.net/ux/getip.aspx?username=abcdefg&agname=58wangwei&pb=0 | |
| hxxp://nbapp2.n.shifen.com/api.php?query=91.200.159.131&co=&resource_id=6006&t=134505189768&ie=utf8&oe=gbk&cb=bd__cbs__at8rwp&format=json | |
| hxxp://cc00087.f.cncssr.chinacache.net/ux/getip.aspx?localip=91.200.159.131&ip=91.200.159.131&addr=316332277313300274 | |
| hxxp://download012.rdb.cncssr.chinacache.net/soft/vpp.ini | |
| opendata.baidu.com | |
| ini.egkj.com | |
| www.58wangwei.com | |
| up.jkc8.com | |
| ini.588b.com | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwQuerySystemInformation
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1488
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\%original file name%.exe_BaseT.dll (72704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%WinDir%\win.ini (189 bytes)
C:\log.dat (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\vpp[1].ini (1352 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (12288 bytes)
C:\%original file name%.exe_Tmp0F1.dll (1126912 bytes)
%WinDir%\LQJVmD5lOK.dll (602624 bytes)
%System%\drivers\UsbWlan.sys (8704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\api[1].php (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\getip[1].htm (33 bytes)
C:\%original file name%.exe_Tmp0F1.dlllog.dat (10519 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.