MD5: 3bba5c67ba2e6cac7ad50c0dc44a4555
SHA1: 343d50acfc56a719680be9a287c8cb425f3eb031
SHA256: c7cb412a23f94efb0b1ffdb99b49bab6bf51794d6a2af4bff35f6464e89f1b8c
SSDeep: 24576:OnhP8m4pDu30oxIcE3dDb4JCFoAiCBPqYUW3jJb8YUr xY2foP3L:OGm4Bu30oxqJqCUCBPNTFlS u2ib
Size: 1436363 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-13 05:24:25

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

3bba5c67ba2e6cac7ad50c0dc44a4555.exe:1848
3bba5c67ba2e6cac7ad50c0dc44a4555.exe:1844
notepad.exe:480

The Trojan injects its code into the following process(es):

iexplore.exe:276

File activity

The process 3bba5c67ba2e6cac7ad50c0dc44a4555.exe:1848 makes changes in a file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\xxx.html (0 bytes)

The process iexplore.exe:276 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\bupws.dll (26578 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\bmpl.dll (80169 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\bupl.dll (79191 bytes)

The process notepad.exe:480 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\MO2013.exe (7972 bytes)

Registry activity

The process 3bba5c67ba2e6cac7ad50c0dc44a4555.exe:1848 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E D0 53 9C 7D B4 E1 F9 2A 39 94 0A CE E7 97 8F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Trojan deletes the following registry key(s):

[HKCU]

The process 3bba5c67ba2e6cac7ad50c0dc44a4555.exe:1844 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 96 01 B7 A4 61 79 1F 91 F3 17 72 8F 8C 65 89"

The process iexplore.exe:276 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 65 1A B8 2B 87 2C C1 74 0F 07 2E BD 66 C2 5E"

[HKCU\Software\Synaptics Pointing Device Driver]
"remove" = "an!"

The Trojan deletes the following registry key(s):

[HKCU]

The process notepad.exe:480 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 C0 4D 35 BB 3E 32 1F A5 A1 6E 58 9B 3C 99 1E"

[HKCU\Software\Synaptics Pointing Device Driver]
"IEST" = "1"

[HKCU\Software\Synaptics Pointing Device Driver]
"RI1" = "480"

[HKCU\Software\Synaptics Pointing Device Driver]
"inf" = "%Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\"

[HKCU\Software\Synaptics Pointing Device Driver]
"ofk" = "1"

[HKCU\Software\Synaptics Pointing Device Driver]
"RDS" = "bnxodHRwOi8vd3d3LnlvdXJzaXRlLmNvbS91cGxvYWQucGhwfDYwfG58bnxufG5vdGhpbmd8bm90aGl="

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Synaptics Pointing Device Driver" = "%Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\MO2013.exe"

Network activity (URLs)

URL	IP
danygh.myftp.org	108.62.211.142

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   3bba5c67ba2e6cac7ad50c0dc44a4555.exe:1848
   3bba5c67ba2e6cac7ad50c0dc44a4555.exe:1844
   notepad.exe:480

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\bupws.dll (26578 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\bmpl.dll (80169 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\bupl.dll (79191 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\MO2013.exe (7972 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Synaptics Pointing Device Driver" = "%Documents and Settings%\%current user%\Application Data\Microsoft Office 2013\MO2013.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.