Trojan.Win32.Delphi_8494a1780e
Trojan.Win32.Llac.dmdm (Kaspersky), Dropped:Generic.Rebhip.DDEDA5DC (B) (Emsisoft), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 8494a1780e2af05475e1146169f65820
SHA1: 416716e8bc104d83443588b4c6fb9f8d071159bd
SHA256: 823576a5800cde279376aeac2e5920839109e3770758fa573b603a7e70d3a5b1
SSDeep: 24576:3MNWtb4aUOu/rGey23YiO0mhXRQaayk4ye5/zwttHhm25h2lAw98X:UTOCGQIImhXRjasZra/2f9I
Size: 1057792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-08-04 09:01:37
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1756
The Trojan injects its code into the following process(es):
INJETO~1.EXE:1628
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\INJETO~1.EXE (14600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\server.exe (15045 bytes)
Registry activity
The process INJETO~1.EXE:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 B5 B8 28 1C 01 DC 94 A4 D0 1D 8F 1B 2E 90 0C"
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 3F C9 1B 36 2F 51 F8 10 C4 C6 10 CF 83 01 A6"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Dropped PE files
| MD5 | File path |
|---|---|
| 7bcbbf0161d7f327823c93365dc54d9d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\INJETO~1.EXE |
| bc9f0db892d8e449ccb01fc971717b48 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\server.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.2180
Legal Copyright: (c) Microsoft Corporation. Reservados todos los derechos.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 39212 | 39424 | 4.55071 | 4e87890fefdd18aef9a1aa26fdf11116 |
| .data | 45056 | 7140 | 1024 | 2.94449 | 99858e86526942a66950c7139f78a725 |
| .rsrc | 53248 | 1016136 | 1016320 | 5.51939 | 5665e1d062bc07892e2ecad24268d1d0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
COMCTL32.dll
VERSION.dll
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
GetWindowsDirectoryA
ExitWindowsEx
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
pr.JY
.BXXY
.qr1H
D8.df
v.NFte8^
,.MS[
).cUrH
P.FJJ
!Q?.rN!
Xp%X|
R=%1S
3%FKu
F.ESy
%FUUbHNF
INJETO~1.EXE
server.exe
;=%7Ui
'H%xO
p%S%K
3ÖD
].Ah4U`66
`iP.FK
Qd.ee
2#(%D
KS<%F
8w.MN
B,.to|
_<.Rf
z.EY]
%Xc!
n<.HH
&.KxRb
%xHeO
xT
Á?a
)(Y%D
*$~%d{tFc.Af6
[X.Li
o#.nx
`P.kl
.EJYi
p1A.Rzz
.bm=`8
l.lBl
.Df4^
qG%SP
'%CSw
).qqY1d
LL.gnR
LAkEy'
zX.NLk
.SicH
%FO>~
ghd%d
H)%C_
tp.Pp
^O{.bR(hx&.byl#K
#'q%s?@
xmsG
:.uk3KY
'L%S`
.LM8BV
Sql"C
H.swr
.rb3T
.ERx@X[^b
O)%6X
/n-n}
ª&.Xha>b"
&.fx;3E F
m%sw%
$Öu
n de espacio en: %s.
Mensaje de sistema: %s.5No se puede encontrar uno de los recursos necesarios.#
n del sistema operativo./Error en la solicitud de asignaci
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio primero y presione Reintentar, o presione Cancelar para salir del programa de instalaci
n.XLa carpeta no es v
rese de que la carpeta existe y se puede escribir en ella.DDebe especificar una carpeta con la ruta completa o elegir Cancelar.
n de carpeta.DNo se puede cargar las funciones requeridas por el di
logo Examinar.\No se pudo cargar el archivo Shell32.dll, requerido por el cuadro de di
n del proceso <%s>. Causa: %s5El tama
ster en este sistema no es soportado.3Uno de los recursos necesarios parece estar da
ado.[Es necesario Windows 95 o Windows NT 4.0 Beta 2 o posterior para realizar esta instalaci
Error al cargar %s]Error de GetProcAddress() en funci
n "%s". Causa posible: versi
n incorrecta de advpack.dll.@Es necesario Windows 95 o Windows NT para instalar este producto No se pudo crear la carpeta "%s"
Para instalar este programa, necesita %s KB disponibles en la unidad %s. Es recomendable que libere la cantidad necesaria de espacio en disco antes de continuar.
n de la carpeta de Windows
)Apagar NT: Error en token de OpenProcess.*Apagar NT: Error en AdjustTokenPrivileges."Apagar NT: Error en ExitWindowsEx.
n del archivo. Probablemente se deba a un problema de memoria baja (poco espacio en disco para el intercambio de archivos) o un archivo .CAB da
ado.wEl programa de instalaci
n del volumen para la unidad (%s) .
Mensaje del sistema: %s.
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio e int
ntelo de nuevo.hEl programa de instalaci
[Otra copia del paquete "%s" ya est
Desea ejecutar otra copia?$No se pudo encontrar el archivo: %s.
No existe la carpeta "%s".
Desea crearla?lOtra copia del paquete "%s" ya est
lo es posible ejecutar una copia a la vez.OEl paquete "%s" no es compatible con la versi
n de Windows que est
ejecutando.^El paquete "%s" no es compatible con la versi
n del archivo %s que se encuentra en su sistema.
6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
WEXTRACT.EXE
Sistema operativo Microsoft
Windows
6.00.2900.2180
INJETO~1.EXE_1628:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
PasswordChar
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys$&D
OnDrawItem<%D
AutoHotkeysl&D
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowStateP(D
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
comdlg32.dll
4 4$4(4,4044484<4
3)303^3{37r7F7X7b7
6-6165696O6W6u6}6
4 4 484_4
9):-:1:5:<:|:
4 5/575<5
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Icon.Data
DLL|*.dll
No help keyword specified.
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Unsupported clipboard format
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
1.0.0.0
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1756
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\INJETO~1.EXE (14600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\server.exe (15045 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.