Trojan.Win32.EyeStye_e4aed329e7
Trojan.Win32.Patched.md (Kaspersky), Virus.Win32.Ramnit.a!dam (v) (VIPRE), Virus.Win32.Zbot!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Trojan.Win32.EyeStye.FD, TrojanEyeStye.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e4aed329e777253b486d829a394f270c
SHA1: 2afd3218d0c2a3b285ab121594dd61e98ca46d1e
SHA256: 710921b6a10a732cc0ec0d7d39e46179ff2d10ba7aed51031ea68a7fd959690b
SSDeep: 6144:yndj8E6S4u09FLx6WvbWdiWX7ht69qsiPNjYjdRFatrGaRdITAWr:yCE6S4Z9JkubIi2s9MVTiaRU9r
Size: 361374 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Express Install
Created at: 2011-07-01 12:25:08
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
e4aed329e777253:2704
02126517951.exe:668
%original file name%.exe:2412
ajvmmkjkbtsibwto.exe:3300
The Trojan injects its code into the following process(es):
ctfmon.exe:252
File activity
The process e4aed329e777253:2704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
The process 02126517951.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\hdwe2y7.bin\30849139C22EAD4 (5 bytes)
The process %original file name%.exe:2412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\e4aed329e777253b486d829a394f270cmgr.exe (120 bytes)
The process ajvmmkjkbtsibwto.exe:3300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (0 bytes)
Registry activity
The process e4aed329e777253:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 9A 9E A8 EB 36 72 03 51 C0 FF 00 F1 5A 60 8C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ajvmmkjkbtsibwto.exe" = "ajvmmkjkbtsibwto"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process 02126517951.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 8F 2B 0D 96 4F AD EF 28 5E 7C 72 81 F3 D1 2E"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1309512308"
"Name" = "02126517951.exe"
The process ctfmon.exe:252 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process %original file name%.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 6A CD 0E B0 F6 C6 ED A6 2C D6 23 0D FB 49 97"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1309512308"
"Name" = "%original file name%.exe"
The process ajvmmkjkbtsibwto.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 16 A5 67 91 B8 85 C6 5F AD B6 66 95 AA E2 C9"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://199.2.137.140/nodf4b.php |  |
| hxxp://lb1.www.ms.akadns.net/ | |
| haqkwkokaigcdslnrlr.com |  195.22.26.231 |
| aguhlabfubbvek.com | 195.22.26.253 |
| awckeliqcherasntmin.com | 72.14.182.233 |
| sliokrvnkjenhwgpjl.com |  178.79.190.156 |
| uxlyihgvfnqcrfcf.com | 178.79.190.156 |
| jexgpprgph.com | 50.116.32.177 |
| mavjlatqkpuban.com | 50.116.32.177 |
| hxpgffdwbevww.com | 50.116.32.177 |
| prcgijpwvrl.com | 209.99.40.227 |
| adhcssvuayv.com | 195.22.26.231 |
| www.microsoft.com |  1.103.192.54 |
| dgrdrqkpmggukqo.com |  Unresolvable |
| rkxukunrgvpkgmc.com | Unresolvable |
| eijahjdmm.com | Unresolvable |
| nirxlosffmarpbp.com | Unresolvable |
| ebddteinurkortapgs.com | Unresolvable |
| sgjwptrfosjeico.com | Unresolvable |
| jfvxpfbgo.com | Unresolvable |
| hfegocufjkndwc.com | Unresolvable |
| oqayununxmqdxo.com | Unresolvable |
| dxovrcmyletmggxf.com | Unresolvable |
| kvoxyhnaggyqrcc.com | Unresolvable |
| sptihuxubpj.com | Unresolvable |
| vmdgwbenh.com | Unresolvable |
| ntnwcxtwgxwecrdxr.com | Unresolvable |
| ojmitlcyjsuyb.com | Unresolvable |
| obcjfjseku.com | Unresolvable |
| rxckgnatt.com | Unresolvable |
| wpaxdlstrs.com | Unresolvable |
| hijkitpq.com | Unresolvable |
| bllkuhftropiwymr.com | Unresolvable |
| dlsvfpmniphnmxnvoeo.com | Unresolvable |
| nwetlnpjovgxmj.com | Unresolvable |
| fdkasoupvgxigejgdfb.com | Unresolvable |
| pbwjbkgdo.com | Unresolvable |
| pdcdcwjwrqsq.com | Unresolvable |
| arhpgoeeasi.com | Unresolvable |
| rsmhdfgpgw.com | Unresolvable |
| fokvmmygnngm.com | Unresolvable |
| wvogkbbapujp.com | Unresolvable |
| fxkapveygtffbkv.com | Unresolvable |
| qxdfhujechixcrgdb.com | Unresolvable |
| drpfrkvdttdkhgpqi.com | Unresolvable |
| iljmekbkcukps.com | Unresolvable |
| xxkoixiiiqpyecxoaka.com | Unresolvable |
| ucwkkgbdxvjexa.com | Unresolvable |
| fkcxdfiv.com | Unresolvable |
| fksudkswknxd.com | Unresolvable |
| xeucibnop.com | Unresolvable |
| byraiyodqfdx.com | Unresolvable |
| hbwpvcnwwcdgfojuixm.com | Unresolvable |
| kgrrxfmyixossjmk.com | Unresolvable |
| kqrkegigdtjxxcrvl.com | Unresolvable |
| kmyxdodog.com | Unresolvable |
| oxjlrgepfnkvdprbr.com | Unresolvable |
| btfkjkqv.com | Unresolvable |
| hhowujyrcvdrwpdvsck.com | Unresolvable |
| ppwnhnvwnvtggifhbv.com | Unresolvable |
| lyghwyciguta.com | Unresolvable |
| edqmjbyjcxyjqnjjodh.com | Unresolvable |
| umiuqmrmvsuiscitx.com | Unresolvable |
| rtcocsaitmadupgl.com | Unresolvable |
| lvmrpvkyo.com | Unresolvable |
| kjjeuhhqiwvfnuvvtkd.com | Unresolvable |
| fsksblipt.com | Unresolvable |
| dpjbclufd.com | Unresolvable |
| nyyhahsslkflyhulcgl.com | Unresolvable |
| laiotlboxklvpcdfhu.com | Unresolvable |
| tuisyirhweflhvqyxh.com | Unresolvable |
| mjuqovvuruldy.com | Unresolvable |
| nwrqebry.com | Unresolvable |
| ixnaxrqn.com | Unresolvable |
| wiyqctbhe.com | Unresolvable |
| ojvpkaohbddmbfac.com | Unresolvable |
| qsrywodlwhorwibvy.com | Unresolvable |
| xsredbpaef.com | Unresolvable |
| yicgycrtyoxaiu.com | Unresolvable |
| amobragjgge.com | Unresolvable |
| pvbmlrybufe.com | Unresolvable |
| ykkcsanct.com | Unresolvable |
| relmyplngdrdxpyv.com | Unresolvable |
| bxnrxuyjcytf.com | Unresolvable |
| ntohnxgjijsgi.com | Unresolvable |
| wxurahlisqbmppqss.com | Unresolvable |
| mmmngmrhvvohfnv.com | Unresolvable |
| uigwsscasowqdiyp.com | Unresolvable |
| xqdrbrjiqwwpahhk.com | Unresolvable |
| rapbmprhwwm.com | Unresolvable |
| hugnnpnymbwnhtuh.com | Unresolvable |
| gwbdgrlikclhthyivym.com | Unresolvable |
| vnskyqlkrdfnnp.com | Unresolvable |
| ocnsfoyrdplmewnyx.com | Unresolvable |
| mcchphgndpadclga.com | Unresolvable |
| gkholyjchymn.com | Unresolvable |
| bklerdwiadlxxbjunwu.com | Unresolvable |
| cqlmxlukplhlfdo.com | Unresolvable |
| dykxkasesippbsjb.com | Unresolvable |
| ykesfabqxbvmns.com | Unresolvable |
| qqsvttcnvsigkh.com | Unresolvable |
| rgcdictp.com | Unresolvable |
| lgeohbboqpngfap.com | Unresolvable |
| qwfxemkbuee.com | Unresolvable |
| xnttkdfunybxgn.com | Unresolvable |
| dypislng.com | Unresolvable |
| uilmabdaxqlaxuj.com | Unresolvable |
| ushfktptgmspn.com | Unresolvable |
| wqfmumga.com | Unresolvable |
| njqvexdhwhutar.com | Unresolvable |
| vgfsnrewuxeaoxoh.com | Unresolvable |
| wwgxwnil.com | Unresolvable |
| lnjrtxcjbiaov.com | Unresolvable |
| qbpcpmcijn.com | Unresolvable |
| kpkyaxyytagbk.com | Unresolvable |
| jxnbdfwh.com | Unresolvable |
| qadjgxayck.com | Unresolvable |
| irfldtfkhgyrpsarcje.com | Unresolvable |
| snpltixygwcpifp.com | Unresolvable |
| vvhvidpeog.com | Unresolvable |
| catvfmsxowehqvfahu.com | Unresolvable |
| tnueoqahys.com | Unresolvable |
| mefqtfwlxrfhguru.com | Unresolvable |
| ticfmjsce.com | Unresolvable |
| dfyxptqjxwtdkjjbiu.com | Unresolvable |
| ilasqwag.com | Unresolvable |
| omsilsdcpdsgpxm.com | Unresolvable |
| kiiwacbehxexixl.com | Unresolvable |
| uxqbewwdunihwscfl.com | Unresolvable |
| hgubujdad.com | Unresolvable |
| expecvmanfaydv.com | Unresolvable |
| fujosogkpsxthf.com | Unresolvable |
| ohpmyviumie.com | Unresolvable |
| ggpmcodfppkjirg.com | Unresolvable |
| pphxfntktjvhgti.com | Unresolvable |
| udvnniovrov.com | Unresolvable |
| yyeyutjgnsfrmswdygl.com | Unresolvable |
| vmhgbribbhm.com | Unresolvable |
| ejjogggfqcmc.com | Unresolvable |
| erfhytwpgitkpgudo.com | Unresolvable |
| bbmfswfgmljwj.com | Unresolvable |
| yqvndqgijbpmx.com | Unresolvable |
| tvxwdutxo.com | Unresolvable |
| oukicfldnvxhrtxvuqr.com | Unresolvable |
| suhfvuljuihmevldp.com | Unresolvable |
| nbvhroptghtmsydrfq.com | Unresolvable |
| mggtqypybfts.com | Unresolvable |
| qanmwnpvpcyqsa.com | Unresolvable |
| iedaagmofvk.com | Unresolvable |
| gjvhfiouvwiqvtewbu.com | Unresolvable |
| jabdfnuridle.com | Unresolvable |
| tfgixgmqhdowexm.com | Unresolvable |
| tfpohsjc.com | Unresolvable |
| egcftpguclkoi.com | Unresolvable |
| dpyeoipbso.com | Unresolvable |
| ynergdikorjg.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwCreateKey
ZwOpenKey
The Trojan installs the following user-mode hooks in WININET.dll:
InternetWriteFile
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
InternetQueryOptionA
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
The Trojan installs the following user-mode hooks in ntdll.dll:
ZwVdmControl
ZwSetInformationFile
NtResumeThread
ZwQueryDirectoryFile
ZwEnumerateValueKey
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
e4aed329e777253:2704
02126517951.exe:668
%original file name%.exe:2412
ajvmmkjkbtsibwto.exe:3300 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
C:\hdwe2y7.bin\30849139C22EAD4 (5 bytes)
C:\e4aed329e777253b486d829a394f270cmgr.exe (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
