Trojan.Win32.Delphi_10de9d1686
Gen:Variant.Barys.752 (BitDefender), VirTool:Win32/DelfInject (Microsoft), Trojan.Win32.Buzus.mfno (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader5.51467 (DrWeb), Gen:Variant.Barys.1067 (B) (Emsisoft), Artemis!10DE9D1686ED (McAfee), Trojan.Gen (Symantec), Virus.Win32.DelfInject (Ikarus), Gen:Variant.Barys.752 (FSecure), Generic27.ZBQ (AVG), Win32:Inject-ARZ [Trj] (Avast), TROJ_SPNR.11B713 (TrendMicro), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Virus, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 10de9d1686ed85efff2c76435f98179f
SHA1: 92941590ef7683ec9a10423028002208ad732737
SHA256: 42bc05ae1fd022d4d77c2bb7ebd7032d31a888ab28a435d826868c5257611100
SSDeep: 24576:tWrJpitnKSwFkgUB2ezittqchJhVLDmOMw X7t7C RlVa5BNFI:YrJpBF02Minh3RDqtWqlVa5BXI
Size: 1507328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, BorlandDelphi30, BorlandDelphiv30, ACProtect141
Company: no certificate found
Created at: 1992-06-20 01:22:17
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2636
0yun.exe:2832
rundll.exe:2776
The Trojan injects its code into the following process(es):
rundll.exe:2800
File activity
The process %original file name%.exe:2636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\0yun.exe (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\rundll.exe (11493 bytes)
The process 0yun.exe:2832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013113020131201\index.dat (16 bytes)
%Documents and Settings%\%current user%\Cookies\D8JLKPH4.txt (585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\smalloutline[1].gif (439 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\uGFy9lAuh_c[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\0[1].php (96 bytes)
%Documents and Settings%\%current user%\Cookies\FT0ZOQCS.txt (309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\dgz5oiBlJrI[1].js (83343 bytes)
%Documents and Settings%\%current user%\Cookies\AIBNNX96.txt (585 bytes)
%Documents and Settings%\%current user%\Cookies\WE9DEHK6.txt (618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\ga[1].js (22939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\alcazer[1].js (73 bytes)
%Documents and Settings%\%current user%\Cookies\FJ9XL1JE.txt (92 bytes)
%Documents and Settings%\%current user%\Cookies\S9WMVLCP.txt (585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\alcazer[1].css (25 bytes)
%Documents and Settings%\%current user%\Cookies\9SJK5KNE.txt (936 bytes)
%Documents and Settings%\%current user%\Cookies\N2WL4RGB.txt (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\ILWE64UA.txt (1096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\like[1].php (2075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\AA5WRSFF.txt (585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\pingjs[1] (30 bytes)
%Documents and Settings%\%current user%\Cookies\PW25V2U9.txt (123 bytes)
%Documents and Settings%\%current user%\Cookies\YC5GEKMM.txt (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\js15_as[1].js (3934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\e[1].php (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\PUCQCED8.txt (776 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\N2WL4RGB.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
%Documents and Settings%\%current user%\Cookies\AIBNNX96.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\AA5WRSFF.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\WE9DEHK6.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\FJ9XL1JE.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\PUCQCED8.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\S9WMVLCP.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\9SJK5KNE.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\PW25V2U9.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\YC5GEKMM.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\FT0ZOQCS.txt (0 bytes)
The process rundll.exe:2800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\appdata.jpg (23 bytes)
Registry activity
The process %original file name%.exe:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 5D EF 09 18 DB B4 AC C7 A9 88 28 AB B3 3E EC"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data]
"0yun.exe" = "0yun"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process 0yun.exe:2832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013113020131201]
"CacheLimit" = "8192"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013113020131201"
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013113020131201]
"CachePrefix" = ":2013113020131201:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 7D 37 8D 9A D9 47 1D 64 34 D3 5D 71 89 5C 93"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013113020131201]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll.exe:2800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F D6 DF A5 C2 F6 E6 5F A0 9F DC 05 7F 57 B0 77"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"usnscv.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\usnscv.exe /background"
The process rundll.exe:2776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA EF 2E 3F 69 EF 2F 67 96 9D 3C C4 61 2D 7F 55"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://95.170.95.63/alcazer.js | |
| hxxp://95.170.95.63/alcazer.css | |
| hxxp://star.c10r.facebook.com/plugins/like.php?href=http://koxp.alcazer.com&send=false&layout=button_count&width=450&show_faces=false&action=like&colorscheme=light&font=verdana&height=21 | |
| hxxp://www-google-analytics.l.google.com/ga.js | |
| hxxp://s10.histats.com/js15_as.js | |
| hxxp://95.170.95.63/smalloutline.gif | |
| hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=1&utmn=1059817989&utmhn=koxp.alcazer.com&utmcs=utf-8&utmsr=1176x885&utmvp=239x85&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=6.0 r88&utmdt=PRoBot Macro v1999 & PRoMaxBot v1863 \| 1999 \| Knight OnLine&utmhid=2007004314&utmr=-&utmp=/?v1.95.1-1951&utmht=1385780508795&utmac=UA-17031581-1&utmcc=__utma=248830040.1869363677.1385780507.1385780507.1385780507.1;+__utmz=248830040.1385780507.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);&utmu=qB~ | |
| hxxp://s10.histats.com/stats/0.php?885135&@f16&@g1&@h1&@i1&@j1385780508889&@k0&@l1&@mPRoBot Macro v1999 & PRoMaxBot v1863 \| 1999 \| Knight OnLine&@n0&@o1000&@q0&@r0&@s0&@ten-us&@u1176&@vhttp://koxp.alcazer.com/?v1.95.1-1951&@w | |
| hxxp://c0.histats.12mlbe.com/jsx01/7/885135/134,127 | |
| hxxp://a749.dsw4.akamai.net/rsrc.php/v2/yg/r/dgz5oiBlJrI.js | |
| hxxp://a749.dsw4.akamai.net/rsrc.php/v2/yK/r/uGFy9lAuh_c.png | |
| www.facebook.com | |
| www.google-analytics.com | |
| static.ak.fbcdn.net | |
| whos.amung.us | |
| s4.histats.com | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2636
0yun.exe:2832
rundll.exe:2776
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\0yun.exe (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\rundll.exe (11493 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013113020131201\index.dat (16 bytes)
%Documents and Settings%\%current user%\Cookies\D8JLKPH4.txt (585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\smalloutline[1].gif (439 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\uGFy9lAuh_c[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\0[1].php (96 bytes)
%Documents and Settings%\%current user%\Cookies\FT0ZOQCS.txt (309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\dgz5oiBlJrI[1].js (83343 bytes)
%Documents and Settings%\%current user%\Cookies\AIBNNX96.txt (585 bytes)
%Documents and Settings%\%current user%\Cookies\WE9DEHK6.txt (618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\ga[1].js (22939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\alcazer[1].js (73 bytes)
%Documents and Settings%\%current user%\Cookies\FJ9XL1JE.txt (92 bytes)
%Documents and Settings%\%current user%\Cookies\S9WMVLCP.txt (585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\alcazer[1].css (25 bytes)
%Documents and Settings%\%current user%\Cookies\9SJK5KNE.txt (936 bytes)
%Documents and Settings%\%current user%\Cookies\N2WL4RGB.txt (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\ILWE64UA.txt (1096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\like[1].php (2075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\AA5WRSFF.txt (585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\pingjs[1] (30 bytes)
%Documents and Settings%\%current user%\Cookies\PW25V2U9.txt (123 bytes)
%Documents and Settings%\%current user%\Cookies\YC5GEKMM.txt (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\js15_as[1].js (3934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\e[1].php (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\PUCQCED8.txt (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\appdata.jpg (23 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.