Trojan.Win32.FlyStudio_3d4f193d9e
Gen:Variant.Strictor.32657 (BitDefender), VirTool:Win32/Obfuscator.XZ (Microsoft), HEUR:Trojan.Win32.StartPage (Kaspersky), Gen:Variant.Strictor.32657 (B) (Emsisoft), Artemis!3D4F193D9E6E (McAfee), Win32.SuspectCrc (Ikarus), Trojan:W32/DelfInject.R (FSecure), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.
MD5: 3d4f193d9e6e54c4a22523f29720d1ef
SHA1: c69f399949490e5bf12b17ff00aa24d9da82c673
SHA256: 3858e97dde7873da187ca37f74668fd8a14dc3c4c169d18123318bec2129a059
SSDeep: 24576:mjmEXt8ZQZLiJtJbbOF7xokTZaqdiXSp0c02uFG6dAk3CMtwfPMKNcCWdg7:mK ZYiRTZaqdwk0c05HGiw1/J7
Size: 2068480 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-30 18:04:48
Analyzed on: Windows XP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es) (the only entry is the sample's own process, PID 860, which is consistent with a packed sample unpacking itself in memory rather than injecting into another program):
%original file name%.exe:860
File activity
The process %original file name%.exe:860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\360natmon.sys (134656 bytes)
C:\SkinH_EL.dll (88576 bytes)
The Trojan deletes the following file(s):
%System%\360natmon.sys (0 bytes)
Note: the driver file is written to %System% and then deleted during the same run, so it is unlikely to still be on disk after execution; the kernel-mode hooks listed under "Rootkit activity" are the more persistent trace. SkinH_EL.dll is the SkinH UI skin library commonly shipped with FlyStudio (E-Language) applications, so its presence on its own is weak evidence of this sample.
Registry activity
The process %original file name%.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 7E A9 5E 22 48 F1 D0 82 5E 17 E3 D4 6D E6 B7"
(Written by Windows CryptoAPI whenever a process uses its random number generator; not specific to this sample.)
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "www.2345.com/?k744606640"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "www.2345.com/?k744606640"
(Browser start-page hijack in both the machine and user hives, matching the StartPage detection names above; the k parameter is most likely a referral or promotion identifier.)
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
(Created by Video for Windows when DrawDib is initialised; a benign side effect of the sample drawing its UI.)
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks (hooking ZwQuerySystemInformation is typically used to hide a process from enumeration, and hooking ZwReadVirtualMemory/ZwWriteVirtualMemory to keep other processes from inspecting or patching its memory; the 360natmon.sys driver written and deleted above is the likely installer of these hooks):
ZwQuerySystemInformation
ZwReadVirtualMemory
ZwWriteVirtualMemory
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) with the Task Manager: no separate processes have been created by this sample, so only the sample's own process needs to be ended.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\360natmon.sys (134656 bytes)
C:\SkinH_EL.dll (88576 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
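The following read-only triage script is an added example and is not part of the Lavasoft report or of Ad-Aware. It checks a Windows host for the file, registry and hash indicators listed above; the SysWOW64 path is an assumption for 64-bit hosts (the sandbox run was 32-bit, where %System% is System32), and Get-FileHash requires PowerShell 4 or later. Run it from an elevated prompt.

```powershell
# Added triage script, not part of the original report. It only reports; it removes nothing.
# Digests of the analysed sample, copied from the report header.
$ReportMd5    = '3d4f193d9e6e54c4a22523f29720d1ef'
$ReportSha1   = 'c69f399949490e5bf12b17ff00aa24d9da82c673'
$ReportSha256 = '3858e97dde7873da187ca37f74668fd8a14dc3c4c169d18123318bec2129a059'

# File indicators. %System% in the report is System32 on the 32-bit sandbox;
# the SysWOW64 entry is an assumption added for 64-bit hosts.
$FileIocs = @(
    (Join-Path $env:SystemRoot 'System32\360natmon.sys'),
    (Join-Path $env:SystemRoot 'SysWOW64\360natmon.sys'),
    'C:\SkinH_EL.dll'
)

# Registry indicators: IE start page redirected to www.2345.com in both hives.
$RegIocs = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'; Name = 'Start Page' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page' }
)

# Compare a suspect executable against the report's digests (any match counts).
function Test-SampleHash {
    param([Parameter(Mandatory)][string]$Path)
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    $sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    return ($md5 -eq $ReportMd5) -or ($sha1 -eq $ReportSha1) -or ($sha256 -eq $ReportSha256)
}

$findings = @()

# File indicators: report presence plus SHA256 so the analyst can compare later.
foreach ($f in $FileIocs) {
    if (Test-Path -LiteralPath $f) {
        $h = Get-FileHash -LiteralPath $f -Algorithm SHA256
        $findings += "FILE present: $f (SHA256 $($h.Hash))"
    }
}

# Registry indicators: flag only if the value points at 2345.com, since a
# Start Page value is expected to exist on most machines.
foreach ($r in $RegIocs) {
    $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($r.Name) -match '2345\.com') {
        $findings += "REGISTRY: $($r.Path)\$($r.Name) = $($item.($r.Name))"
    }
}

# Optional: pass a suspect file as the first argument to hash it against the report.
if ($args.Count -gt 0 -and (Test-Path -LiteralPath $args[0])) {
    if (Test-SampleHash -Path $args[0]) { $findings += "HASH match: $($args[0])" }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

Because 360natmon.sys is deleted by the sample during its own run, its absence does not clear the host; the start-page values and, where you have one, a kernel-level scan for the listed hooks are the more reliable checks.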