Trojan.Win32.FlyStudio_ef193e1517
Trojan.Generic.20733800 (BitDefender), Virus:Win32/Virut.BN (Microsoft), HEUR:Virus.Win32.Generic (Kaspersky), Trojan.Generic.20733800 (B) (Emsisoft), W32.Virut.CF (Symantec), Virus.Win32.Virut (Ikarus), Trojan.Generic.20733800 (FSecure), FileRepMalware (AVG), FileRepMalware (Avast), PE_VIRUX.A (TrendMicro), GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, Virus, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ef193e15172da416b9a2fed792be3b4a
SHA1: 49bc30c530713a18739c9d129f87ab431f6bc6e2
SHA256: 07a4c38ce47ba161991f58a197f6021ad07502bb21d3ce491c2022b4af9a406c
SSDeep: 12288:apxlOhdNfBBBT1DQTFdFINsG14RsehppelNBPyspQmlVuzB o:ashRTdIFdF0sXb15mlVuzBp
Size: 600064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-20 11:24:14
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2052
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
No files have been created.
Registry activity
The process %original file name%.exe:2052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | ZieF.pl |
127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1056768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1060864 | 528384 | 525824 | 5.48935 | 9372dd3e8927c6dc31bf0845d1ea638c |
.rsrc | 1589248 | 73728 | 73216 | 1.69558 | e05be5e10d97c6af88a1e70d7d54d84a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
irc.zief.pl | 148.81.111.121 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN IRC Nick change on non-standard port
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.