Trojan.Win32.Nedsym_4589fed610
HEUR:Trojan.Win32.Generic (Kaspersky), TrojanPWS.Win32.Fareit.aa (v) (VIPRE), Trojan-PWS.Win32.Fareit!IK (Emsisoft), Trojan.Win32.Nedsym.FD, TrojanNedsym.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4589fed6107b01617c4b2f5e40d3f240
SHA1: 73b9c0df367896b5008f4acc295d138edd7ee8ee
SHA256: 776a73ad30fd761456389a359f4cc4bac93a24aca46e8a1868c63e73573f9f77
SSDeep: 1536:pzqc7h/pJL27akkoVAeflhbfmmiostHCCOWE3DIhxd8yveRd35HSjXQiiYHmejbO:FkUqldRcOrIzlvGFSbTiqbmQs01wh
Size: 120448 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-31 14:30:59
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:544
svcnost.exe:1136
The Trojan injects its code into the following process(es):
svcnost.exe:1060
File activity
The process %original file name%.exe:544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\etc\hosts (5 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
The process svcnost.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ntuser.dat (55 bytes)
%Documents and Settings%\%current user%\Application Data\desktop.ini (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\desktop.ini (0 bytes)
Registry activity
The process %original file name%.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Init" = "%Documents and Settings%\%current user%\Application Data\xkwigjfwbqfvadqegkccyi3tqrn3hmpr2\svcnost.exe"
The process svcnost.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 1C 13 C2 62 21 70 3C 27 0D EB 70 6F 18 97 CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"SavedLegacySettingsML" = "36 34 39 39 36 33 31 34 33"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\documents and settings\"%CurrentUserName%"\application data\xkwigjfwbqfvadqegkccyi3tqrn3hmpr2]
"svcnost.exe" = "c:\documents and settings\"%CurrentUserName%"\application data\xkwigjfwbqfvadqegkccyi3tqrn3hmpr2\svcnost.exe:*:Enabled:ldrsoft"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://yjrdv.ru/stat1.php (Malicious) |  46.17.57.182 |
| gateway-f1.isp.att.net |  204.127.217.16 |
| mailin-01.mx.aol.com | 205.188.59.194 |
| mxmta.sympatico.ca |  67.69.240.24 |
| mailin-04.mx.aol.com | 205.188.146.194 |
| mailin-02.mx.aol.com | 205.188.155.110 |
| mx4.hotmail.com | 65.55.37.88 |
| mx00.t-online.de |  194.25.134.8 |
| extmail.bigpond.com |  61.9.168.122 |
| mail2.suburbancollection.com | 206.245.132.67 |
| mail.pontuswidenmaskin.se |  217.78.28.227 |
| mx2.sbcglobal.am0.yahoodns.net | 98.138.206.39 |
| mta5.am0.yahoodns.net | 66.196.118.33 |
| mx3.me.com.akadns.net | 17.158.8.61 |
| mx3.hotmail.com | 65.55.92.168 |
| mx-1.mercury.net | 64.7.161.17 |
| relay.verizon.net | 206.46.232.11 |
| mta6.am0.yahoodns.net | 98.138.112.38 |
| mail2.ainweb.net | 54.208.119.129 |
| mxzhb.bluewin.ch |  195.186.99.50 |
| gmail-smtp-in.l.google.com | 74.125.142.27 |
| mx1.hotmail.com | 65.54.188.94 |
| mx2.free.fr |  212.27.42.59 |
| mxbw.bluewin.ch | 195.186.99.50 |
| mx3.earthlink.net | 209.86.93.228 |
| mx2.hotmail.com | 65.55.37.104 |
| mx.bt.lon5.cpcloud.co.uk | 65.20.0.49 |
| mymail.bright.net | 209.143.0.180 |
| mulgara.westnet.com.au | 203.10.1.146 |
| mx1.earthlink.net | 209.86.93.226 |
| idcmail.shaw.ca | 24.71.223.11 |
| inbound.localnet.com | 207.251.194.26 |
| mx2.comcast.net | 76.96.40.147 |
| alt1.gmail-smtp-in.l.google.com | 173.194.74.26 |
| mail.cvwrf.org | 173.8.90.131 |
| alt2.gmail-smtp-in.l.google.com | 173.194.75.26 |
| alt4.gmail-smtp-in.l.google.com | 173.194.65.27 |
| mx.dca.untd.com | 64.136.44.37 |
| mx1.comcast.net | 68.87.26.147 |
| mx-eu.mail.am0.yahoodns.net |  188.125.69.79 |
| alt3.gmail-smtp-in.l.google.com | 173.194.66.26 |
| mta7.am0.yahoodns.net | 66.196.118.35 |
| smtp.ciaccess.com | 209.216.133.240 |
| mail2.accuridecorp.com | 12.129.87.232 |
| mailin-03.mx.aol.com | 205.188.59.193 |
| postoffice03.mail-hub.dodo.com.au | 202.136.40.236 |
| extmail.bpbb.bigpond.com | 61.9.189.122 |
| smtp-in.orange.fr | 193.252.22.65 |
| jejrw.su |  Unresolvable |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5915 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads3.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads-us1.kaspersky-labs.com |
| 127.0.0.1 | rads.mcafee.com |
| 127.0.0.1 | www.secuser.com |
| 127.0.0.1 | a188.x.akamai.net |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.d4p.net |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | ftp.nai.com |
| 127.0.0.1 | www.grisoft.cz |
| 127.0.0.1 | www.grisoft.com |
| 127.0.0.1 | free.grisoft.cz |
| 127.0.0.1 | tds.diamondcs.com.au |
| 127.0.0.1 | ieupdate.gdata.de |
| 127.0.0.1 | ieupdate6.gdata.de |
| 127.0.0.1 | ieupdate5.gdata.de |
| 127.0.0.1 | ieupdate4.gdata.de |
| 127.0.0.1 | ieupdate3.gdata.de |
| 127.0.0.1 | ieupdate2.gdata.de |
| 127.0.0.1 | ieupdate1.gdata.de |
| 127.0.0.1 | www.iavs.cz |
| 127.0.0.1 | download7.avast.com |
| 127.0.0.1 | download6.avast.com |
| 127.0.0.1 | download5.avast.com |
| 127.0.0.1 | download4.avast.com |
| 127.0.0.1 | download3.avast.com |
| 127.0.0.1 | download2.avast.com |
| 127.0.0.1 | download1.avast.com |
| 127.0.0.1 | upgrade.bitdefender.com |
| 127.0.0.1 | windowsupdate.microsoft.com |
| 127.0.0.1 | www.lavasoftusa.com |
| 127.0.0.1 | www.a-2.org |
| 127.0.0.1 | updates.a-2.org |
| 127.0.0.1 | niuone.norman.no |
| 127.0.0.1 | www.diamondcs.com.au |
| 127.0.0.1 | www.attechnical.com |
| 127.0.0.1 | www.zeylstra.nl |
| 127.0.0.1 | fractus.mat.uson.mx |
| 127.0.0.1 | www.toonbox.de |
| 127.0.0.1 | radius.turvamies.com |
| 127.0.0.1 | diamondcs.fileburst.com |
| 127.0.0.1 | downloads.My-eTrust.com |
| 127.0.0.1 | acs.pandasoftware.com |
| 127.0.0.1 | v4.windowsupdate.microsoft.com |
| 127.0.0.1 | www.NoAdware.net |
| 127.0.0.1 | www.nod32.com |
| 127.0.0.1 | www.eset.sk |
| 127.0.0.1 | avu.zonelabs.com |
| 127.0.0.1 | retail.sp.f-secure.com |
| 127.0.0.1 | retail01.sp.f-secure.com |
| 127.0.0.1 | retail02.sp.f-secure.com |
| 127.0.0.1 | www.moosoft.com |
| 127.0.0.1 | secuser.model-fx.com |
| 127.0.0.1 | secuser.com |
| 127.0.0.1 | downloads-eu1.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | pccreg.antivirus.com |
| 127.0.0.1 | dl1.antivir.de |
| 127.0.0.1 | dl2.antivir.de |
| 127.0.0.1 | dl3.antivir.de |
| 127.0.0.1 | dl4.antivir.de |
| 127.0.0.1 | ad.doubleclick.net |
| 127.0.0.1 | ad.fastclick.net |
| 127.0.0.1 | ads.fastclick.net |
| 127.0.0.1 | ar.atwola.com |
| 127.0.0.1 | atdmt.com |
| 127.0.0.1 | avp.ch |
| 127.0.0.1 | avp.com |
| 127.0.0.1 | avp.com |
| 127.0.0.1 | avp.ru |
| 127.0.0.1 | awaps.net |
| 127.0.0.1 | banner.fastclick.net |
| 127.0.0.1 | banners.fastclick.net |
| 127.0.0.1 | ca.com |
| 127.0.0.1 | ca.com |
| 127.0.0.1 | click.atdmt.com |
| 127.0.0.1 | clicks.atdmt.com |
| 127.0.0.1 | customer.symantec.com |
| 127.0.0.1 | dispatch.mcafee.com |
| 127.0.0.1 | dispatch.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.microsoft.com |
| 127.0.0.1 | downloads.microsoft.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads3.kaspersky-labs.com |
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads-us1.kaspersky-labs.com |
| 127.0.0.1 | downloads-us2.kaspersky-labs.com |
| 127.0.0.1 | downloads-us3.kaspersky-labs.com |
| 127.0.0.1 | engine.awaps.net |
| 127.0.0.1 | fastclick.net |
| 127.0.0.1 | f-secure.com |
| 127.0.0.1 | f-secure.com |
| 127.0.0.1 | ftp.avp.ch |
| 127.0.0.1 | ftp.downloads2.kaspersky-labs.com |
| 127.0.0.1 | ftp.f-secure.com |
| 127.0.0.1 | ftp.kasperskylab.ru |
| 127.0.0.1 | ftp.sophos.com |
| 127.0.0.1 | go.microsoft.com |
| 127.0.0.1 | ids.kaspersky-labs.com |
| 127.0.0.1 | kaspersky.com |
| 127.0.0.1 | kaspersky-labs.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | mast.mcafee.com |
| 127.0.0.1 | mast.mcafee.com |
| 127.0.0.1 | mcafee.com |
| 127.0.0.1 | mcafee.com |
| 127.0.0.1 | media.fastclick.net |
| 127.0.0.1 | msdn.microsoft.com |
| 127.0.0.1 | my-etrust.com |
| 127.0.0.1 | my-etrust.com |
| 127.0.0.1 | nai.com |
| 127.0.0.1 | nai.com |
| 127.0.0.1 | networkassociates.com |
| 127.0.0.1 | networkassociates.com |
| 127.0.0.1 | office.microsoft.com |
| 127.0.0.1 | phx.corporate-ir.net |
| 127.0.0.1 | rads.mcafee.com |
| 127.0.0.1 | secure.nai.com |
| 127.0.0.1 | secure.nai.com |
| 127.0.0.1 | securityresponse.symantec.com |
| 127.0.0.1 | securityresponse.symantec.com |
| 127.0.0.1 | service1.symantec.com |
| 127.0.0.1 | sophos.com |
| 127.0.0.1 | sophos.com |
| 127.0.0.1 | spd.atdmt.com |
| 127.0.0.1 | support.microsoft.com |
| 127.0.0.1 | symantec.com |
| 127.0.0.1 | symantec.com |
| 127.0.0.1 | trendmicro.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | updates.symantec.com |
| 127.0.0.1 | updates.symantec.com |
| 127.0.0.1 | updates1.kaspersky-labs.com |
| 127.0.0.1 | updates1.kaspersky-labs.com |
| 127.0.0.1 | updates2.kaspersky-labs.com |
| 127.0.0.1 | updates3.kaspersky-labs.com |
| 127.0.0.1 | updates3.kaspersky-labs.com |
| 127.0.0.1 | updates4.kaspersky-labs.com |
| 127.0.0.1 | updates5.kaspersky-labs.com |
| 127.0.0.1 | us.mcafee.com |
| 127.0.0.1 | us.mcafee.com |
| 127.0.0.1 | vil.nai.com |
| 127.0.0.1 | viruslist.com |
| 127.0.0.1 | viruslist.ru |
| 127.0.0.1 | windowsupdate.microsoft.com |
| 127.0.0.1 | www.avp.ch |
| 127.0.0.1 | www.avp.com |
| 127.0.0.1 | www.avp.com |
| 127.0.0.1 | www.avp.ru |
| 127.0.0.1 | www.awaps.net |
| 127.0.0.1 | www.ca.com |
| 127.0.0.1 | www.ca.com |
| 127.0.0.1 | www.fastclick.net |
| 127.0.0.1 | www.f-secure.com |
| 127.0.0.1 | www.f-secure.com |
| 127.0.0.1 | www.grisoft.com |
| 127.0.0.1 | www.kaspersky.com |
| 127.0.0.1 | www.kaspersky.ru |
| 127.0.0.1 | www.kaspersky.ru |
| 127.0.0.1 | www.kaspersky-labs.com |
| 127.0.0.1 | www.mcafee.com |
| 127.0.0.1 | www.mcafee.com |
| 127.0.0.1 | www.my-etrust.com |
| 127.0.0.1 | www.my-etrust.com |
| 127.0.0.1 | www.nai.com |
| 127.0.0.1 | www.nai.com |
| 127.0.0.1 | www.networkassociates.com |
| 127.0.0.1 | www.networkassociates.com |
| 127.0.0.1 | www.sophos.com |
| 127.0.0.1 | www.sophos.com |
| 127.0.0.1 | www.symantec.com |
| 127.0.0.1 | www.symantec.com |
| 127.0.0.1 | www.trendmicro.com |
| 127.0.0.1 | www.trendmicro.com |
| 127.0.0.1 | www.viruslist.com |
| 127.0.0.1 | www.viruslist.ru |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:544
svcnost.exe:1136 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\etc\hosts (5 bytes)
%Documents and Settings%\%current user%\Application Data\ntuser.dat (55 bytes)
%Documents and Settings%\%current user%\Application Data\desktop.ini (9 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Init" = "%Documents and Settings%\%current user%\Application Data\xkwigjfwbqfvadqegkccyi3tqrn3hmpr2\svcnost.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
