MD5: 9f3014207f527d2b336d12ef97cfe9dc
SHA1: 01f0c714e05afb7088688dcef2be1ad2f1cefde6
SHA256: 2320b80a3633786fd06ecdd33ae8b4158145d2c129ab9100359103dcdfa2a257
SSDeep: 24576:9N47SP/Sajmt/RhpAVGXPJ9Is6AK4ZAdA98h/vcxi:9O0Sajmt5hpAK9t6b4ZAdHsxi
Size: 1040801 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-23 16:46:55

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

FB_2.tmp.exe:520
%original file name%.exe:540
%original file name%.exe:332

The Trojan injects its code into the following process(es):

FB_1.tmp.exe:1160

File activity

The process FB_2.tmp.exe:520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\lsass.exe (95 bytes)

The process %original file name%.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FB_1.tmp.exe (3720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_2.tmp.exe (95 bytes)

The process %original file name%.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\InstallDir\help.exe (7385 bytes)

Registry activity

The process FB_2.tmp.exe:520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

The process FB_1.tmp.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 CC 52 52 48 05 09 82 07 75 5B C0 D6 A6 9B C1"

The process %original file name%.exe:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 3C 2C 78 A5 BE EA 75 3C F9 FF 9A 6A 63 83 F7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"FB_1.tmp.exe" = "FB_1.tmp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"FB_2.tmp.exe" = "FB_2.tmp"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D B1 7A A0 59 46 4C DD 6C 84 89 63 BB 25 50 86"

[HKCR\PPT_Test.Application]
"(Default)" = "PPT_Test.Application"

[HKCR\CLSID\{DE7CBE17-0368-40E2-8357-1639DA027BAB}\ProgID]
"(Default)" = "PPT_Test.Application"

[HKCR\PPT_Test.Application\CLSID]
"(Default)" = "{DE7CBE17-0368-40E2-8357-1639DA027BAB}"

[HKCR\CLSID\{DE7CBE17-0368-40E2-8357-1639DA027BAB}\LocalServer32]
"(Default)" = "c:\9F3014~1.EXE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{DE7CBE17-0368-40E2-8357-1639DA027BAB}]
"(Default)" = "PPT_Test.Application"

[HKCR\CLSID\{DE7CBE17-0368-40E2-8357-1639DA027BAB}\InprocHandler32]
"(Default)" = "ole32.dll"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"windows" = "%Documents and Settings%\%current user%\Application Data\InstallDir\help.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows" = "%Documents and Settings%\%current user%\Application Data\InstallDir\help.exe"

Network activity (URLs)

URL	IP
hxxp://46.7.117.248/solar/

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   FB_2.tmp.exe:520
   %original file name%.exe:540
   %original file name%.exe:332

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Start Menu\Programs\Startup\lsass.exe (95 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\FB_1.tmp.exe (3720 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\FB_2.tmp.exe (95 bytes)
   %Documents and Settings%\%current user%\Application Data\InstallDir\help.exe (7385 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "windows" = "%Documents and Settings%\%current user%\Application Data\InstallDir\help.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "windows" = "%Documents and Settings%\%current user%\Application Data\InstallDir\help.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.