MD5: 7120d98d23064732c7e129616e7cdb43
SHA1: 28cfe42ce602742fffc6c9c790cc6a359bbcfc7c
SHA256: 9265ca927ea16594647f1c95e60832961ffe42b87869db207158f20117065517
SSDeep: 12288:Ngn/7/q6c7nANGe9WhzBXhGRTo7n7Cme5JDwItYc1FIt4kF58Pi4ma5X3XwzQ8:M/7GU59Whtx To77Je5JccEHxa5As8
Size: 565248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Apps installer
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

iexplore.exe:308
%original file name%.exe:464
%original file name%.exe:828

The Trojan injects its code into the following process(es):

iexplore.exe:508
Explorer.EXE:1572

File activity

The process iexplore.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts.sam (734 bytes)

The Trojan deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process %original file name%.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\techload.dll (3361 bytes)
%WinDir%\wmiapsrv.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tm1.tmp.bat (76 bytes)

The Trojan deletes the following file(s):

C:\techload.dll (0 bytes)

Registry activity

The process iexplore.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B DE 01 A3 54 35 84 BB 34 88 49 D2 05 44 E9 B8"

The process iexplore.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 64 95 FF 92 84 A1 8D 26 D6 F9 0B A5 04 A4 92"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 45 93 82 03 C4 16 E2 44 FD 6C 87 95 F5 72 9B"

The process %original file name%.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 7F 0E A6 D0 66 B6 3E 61 A7 77 2C E1 2F C1 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Intel Physical Address Extention 1.1]
"StubPath" = "%WinDir%\wmiapsrv.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"Intel Physical Address Extention 1.1" = "²¨¬¤µ¶·³ë ½ ¹Œ«± ©å•­¼¶¬¦¤©å„¡¡· ¶¶å€½± «±¬ª«åôëô¹"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"wmiapsrv.exe" = "wmiapsrv"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"~tm1.tmp.bat" = "~tm1.tmp"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel Physical Address Extention 1.1" = "%WinDir%\wmiapsrv.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_508_rwx_00150000_00001000:

%System%\fxsocm32.dll

iexplore.exe_508_rwx_00B30000_0004B000:

Portions Copyright (c) 1983,99 Borland

kernel32.dll

\\.\Scsi

\\.\SMARTVSD

OuDpffRmwqsgkJmef{s

TMPPool.Cache: Invalid pointer

TMPPool.Obtain: Out of memory

174 (blacklisted key)

Keys

Passwords

LastKey

...NLK

Incorrect Password!

Please, contact ASProtect support!

Windows

NT 3.%u

NT 4.%u

\SYSTEM\CurrentControlSet\Control\Windows\

P6 (Model %d)

%dx86

%d.%d.%d.%d

HELO User.With.Error

Eip: %x

Eax: %x

Ecx: %x

Edx: %x

Ebx: %x

Esi: %x

Edi: %x

Ebp: %x

Esp: %x

Code = [%d]

- [%s]

08:,50*65=(450

KERNEL32.DLL

NTDLL.DLL

ADVAPI32.DLL

\\.\SICE

\\.\NTICE

\\.\SIWVID

MyKeys

Software\ASProtect\Key

aspr_keys.ini

WebX

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegQueryInfoKeyA

RegEnumKeyExA

RegCreateKeyExA

GetCPInfo

version.dll

gdi32.dll

ole32.dll

wsock32.dll

5 5$5(5,5

: :$:(:;;

4#4#5?5\5

6$6(6,6064686<6@6

="=&=*=.=2=6= ?$?(?,?0?4?8?

|kernel32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

Enter Mode Password:

Submit Report

iexplore.exe_508_rwx_00CF0000_00002000:

%SWVU

\\.\SICE

\\.\NTICE

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

iexplore.exe_508_rwx_00EF0000_00001000:

73|$(3|$

iexplore.exe_508_rwx_13101000_00013000:

kernel32.dll

HTTP/1.1

Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322)

00000000

wininet.dll

DeleteUrlCacheEntry

drivers\etc\hosts.sam

http://www.google.com

&status=1&version=3.0&build=beta3.0.3&task=notify&servu=1&oid=1&cmd=xray&uptime=

webyatom

switch.inf

wmiapsrv.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

KWindows

%SWVU

5^6.CgR

\\.\SICE4Y

dur%s

iexplore.exe_508_rwx_13115000_00001000:

|kernel32.dll

kernel32.dll

advapi32.dll

user32.dll

wsock32.dll

msvcrt.dll

oleaut32.dll

GetKeyboardType

y9FRÀ

Explorer.EXE_1572_rwx_00FF0000_00001000:

%System%\trnsprov32.dll

Explorer.EXE_1572_rwx_01EA0000_00001000:

%System%\trnsprov32.dll

Explorer.EXE_1572_rwx_01FA1000_0000C000:

autorun.inf

autorun.bat

autorun.vbs

open=autorun.bat

shellexecute=autorun.bat

shell\Auto\command=autorun.bat

shell\explore\Command=autorun.bat

%~d0\autorun.vbs

Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.FileExists("

set WshShell = CreateObject("WScript.Shell")

WshShell.Run "

WSCript.Quit

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

wmiapsrv.exe

webyatom

KWindows

%SWVU

\\.\SICE

%suldw

26/26/26

Explorer.EXE_1572_rwx_01FB1000_00001000:

kernel32.dll

Explorer.EXE_1572_rwx_01FD0000_00002000:

%SWVU

\\.\SICE

\\.\NTICE

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   iexplore.exe:308
   %original file name%.exe:464
   %original file name%.exe:828
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\drivers\etc\hosts.sam (734 bytes)
   C:\techload.dll (3361 bytes)
   %WinDir%\wmiapsrv.exe (3361 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\~tm1.tmp.bat (76 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Intel Physical Address Extention 1.1" = "%WinDir%\wmiapsrv.exe"
   
   

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.