Trojan.Win32.Nedsym_8d3b36d94a
Trojan.Generic.KD.792054 (BitDefender), VirTool:Win32/CeeInject.gen!ID (Microsoft), Trojan-Dropper.Win32.Dapato.bxfe (Kaspersky), Trojan.Win32.Encpk_afnc (v) (VIPRE), Trojan.DownLoader6.56603 (DrWeb), PWS-Zbot.gen.anm (McAfee), Trojan.Gen (Symantec), Trojan.Crypt (Ikarus), Trojan.Generic.KD.792054 (FSecure), Dropper.Generic7.MRJ (AVG), Win32:Injector-AWW [Trj] (Avast), TROJ_SPNR.15L712 (TrendMicro), Trojan.Win32.Nedsym.FD, TrojanNedsym.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 8d3b36d94a1fb93db2d19bf8e08c2446
SHA1: 404ee2d63b559d167b3cf15e8f09e10345a510c8
SHA256: 11e60b58f1d8697b84e178ee28b8e64f051ab55e848bb88f6dfcda6cf38e8844
SSDeep: 3072:bMbTOMnP9vDTXRQo4xR8rrCTk6x4/qEj7kleab:bMfOMPoL2aP2yEXk7
Size: 102759 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: NBIZ Corp.
Created at: 2012-11-19 18:00:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
svcnost.exe:496
%original file name%.exe:1124
The Trojan injects its code into the following process(es):
svcnost.exe:1704
File activity
The process svcnost.exe:1704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ntuser.dat (55 bytes)
%Documents and Settings%\%current user%\Application Data\desktop.ini (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\desktop.ini (0 bytes)
The process %original file name%.exe:1124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\etc\hosts (5 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
Registry activity
The process svcnost.exe:1704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 74 91 A1 39 20 7B 13 88 1D AB E4 B5 4E 83 26"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"SavedLegacySettingsML" = "35 36 37 31 34 38 36 39 37"
Adds a rule to the Windows Firewall which allows any network activity for the dropped file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\documents and settings\"%CurrentUserName%"\application data\xojskzqqqecai1ym3ooro13acex3efbw2]
"svcnost.exe" = "c:\documents and settings\"%CurrentUserName%"\application data\xojskzqqqecai1ym3ooro13acex3efbw2\svcnost.exe:*:Enabled:ldrsoft"
The process %original file name%.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Init" = "%Documents and Settings%\%current user%\Application Data\xojskzqqqecai1ym3ooro13acex3efbw2\svcnost.exe"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses before DNS is consulted.
The modified file is 5915 bytes in size. The following entries are added to the hosts file:
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads3.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads-us1.kaspersky-labs.com |
| 127.0.0.1 | rads.mcafee.com |
| 127.0.0.1 | www.secuser.com |
| 127.0.0.1 | a188.x.akamai.net |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.d4p.net |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | ftp.nai.com |
| 127.0.0.1 | www.grisoft.cz |
| 127.0.0.1 | www.grisoft.com |
| 127.0.0.1 | free.grisoft.cz |
| 127.0.0.1 | tds.diamondcs.com.au |
| 127.0.0.1 | ieupdate.gdata.de |
| 127.0.0.1 | ieupdate6.gdata.de |
| 127.0.0.1 | ieupdate5.gdata.de |
| 127.0.0.1 | ieupdate4.gdata.de |
| 127.0.0.1 | ieupdate3.gdata.de |
| 127.0.0.1 | ieupdate2.gdata.de |
| 127.0.0.1 | ieupdate1.gdata.de |
| 127.0.0.1 | www.iavs.cz |
| 127.0.0.1 | download7.avast.com |
| 127.0.0.1 | download6.avast.com |
| 127.0.0.1 | download5.avast.com |
| 127.0.0.1 | download4.avast.com |
| 127.0.0.1 | download3.avast.com |
| 127.0.0.1 | download2.avast.com |
| 127.0.0.1 | download1.avast.com |
| 127.0.0.1 | upgrade.bitdefender.com |
| 127.0.0.1 | windowsupdate.microsoft.com |
| 127.0.0.1 | www.lavasoftusa.com |
| 127.0.0.1 | www.a-2.org |
| 127.0.0.1 | updates.a-2.org |
| 127.0.0.1 | niuone.norman.no |
| 127.0.0.1 | www.diamondcs.com.au |
| 127.0.0.1 | www.attechnical.com |
| 127.0.0.1 | www.zeylstra.nl |
| 127.0.0.1 | fractus.mat.uson.mx |
| 127.0.0.1 | www.toonbox.de |
| 127.0.0.1 | radius.turvamies.com |
| 127.0.0.1 | diamondcs.fileburst.com |
| 127.0.0.1 | downloads.My-eTrust.com |
| 127.0.0.1 | acs.pandasoftware.com |
| 127.0.0.1 | v4.windowsupdate.microsoft.com |
| 127.0.0.1 | www.NoAdware.net |
| 127.0.0.1 | www.nod32.com |
| 127.0.0.1 | www.eset.sk |
| 127.0.0.1 | avu.zonelabs.com |
| 127.0.0.1 | retail.sp.f-secure.com |
| 127.0.0.1 | retail01.sp.f-secure.com |
| 127.0.0.1 | retail02.sp.f-secure.com |
| 127.0.0.1 | www.moosoft.com |
| 127.0.0.1 | secuser.model-fx.com |
| 127.0.0.1 | secuser.com |
| 127.0.0.1 | downloads-eu1.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | pccreg.antivirus.com |
| 127.0.0.1 | dl1.antivir.de |
| 127.0.0.1 | dl2.antivir.de |
| 127.0.0.1 | dl3.antivir.de |
| 127.0.0.1 | dl4.antivir.de |
| 127.0.0.1 | ad.doubleclick.net |
| 127.0.0.1 | ad.fastclick.net |
| 127.0.0.1 | ads.fastclick.net |
| 127.0.0.1 | ar.atwola.com |
| 127.0.0.1 | atdmt.com |
| 127.0.0.1 | avp.ch |
| 127.0.0.1 | avp.com |
| 127.0.0.1 | avp.com |
| 127.0.0.1 | avp.ru |
| 127.0.0.1 | awaps.net |
| 127.0.0.1 | banner.fastclick.net |
| 127.0.0.1 | banners.fastclick.net |
| 127.0.0.1 | ca.com |
| 127.0.0.1 | ca.com |
| 127.0.0.1 | click.atdmt.com |
| 127.0.0.1 | clicks.atdmt.com |
| 127.0.0.1 | customer.symantec.com |
| 127.0.0.1 | dispatch.mcafee.com |
| 127.0.0.1 | dispatch.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | download.microsoft.com |
| 127.0.0.1 | downloads.microsoft.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads3.kaspersky-labs.com |
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads-us1.kaspersky-labs.com |
| 127.0.0.1 | downloads-us2.kaspersky-labs.com |
| 127.0.0.1 | downloads-us3.kaspersky-labs.com |
| 127.0.0.1 | engine.awaps.net |
| 127.0.0.1 | fastclick.net |
| 127.0.0.1 | f-secure.com |
| 127.0.0.1 | f-secure.com |
| 127.0.0.1 | ftp.avp.ch |
| 127.0.0.1 | ftp.downloads2.kaspersky-labs.com |
| 127.0.0.1 | ftp.f-secure.com |
| 127.0.0.1 | ftp.kasperskylab.ru |
| 127.0.0.1 | ftp.sophos.com |
| 127.0.0.1 | go.microsoft.com |
| 127.0.0.1 | ids.kaspersky-labs.com |
| 127.0.0.1 | kaspersky.com |
| 127.0.0.1 | kaspersky-labs.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | mast.mcafee.com |
| 127.0.0.1 | mast.mcafee.com |
| 127.0.0.1 | mcafee.com |
| 127.0.0.1 | mcafee.com |
| 127.0.0.1 | media.fastclick.net |
| 127.0.0.1 | msdn.microsoft.com |
| 127.0.0.1 | my-etrust.com |
| 127.0.0.1 | my-etrust.com |
| 127.0.0.1 | nai.com |
| 127.0.0.1 | nai.com |
| 127.0.0.1 | networkassociates.com |
| 127.0.0.1 | networkassociates.com |
| 127.0.0.1 | office.microsoft.com |
| 127.0.0.1 | phx.corporate-ir.net |
| 127.0.0.1 | rads.mcafee.com |
| 127.0.0.1 | secure.nai.com |
| 127.0.0.1 | secure.nai.com |
| 127.0.0.1 | securityresponse.symantec.com |
| 127.0.0.1 | securityresponse.symantec.com |
| 127.0.0.1 | service1.symantec.com |
| 127.0.0.1 | sophos.com |
| 127.0.0.1 | sophos.com |
| 127.0.0.1 | spd.atdmt.com |
| 127.0.0.1 | support.microsoft.com |
| 127.0.0.1 | symantec.com |
| 127.0.0.1 | symantec.com |
| 127.0.0.1 | trendmicro.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | update.symantec.com |
| 127.0.0.1 | updates.symantec.com |
| 127.0.0.1 | updates.symantec.com |
| 127.0.0.1 | updates1.kaspersky-labs.com |
| 127.0.0.1 | updates1.kaspersky-labs.com |
| 127.0.0.1 | updates2.kaspersky-labs.com |
| 127.0.0.1 | updates3.kaspersky-labs.com |
| 127.0.0.1 | updates3.kaspersky-labs.com |
| 127.0.0.1 | updates4.kaspersky-labs.com |
| 127.0.0.1 | updates5.kaspersky-labs.com |
| 127.0.0.1 | us.mcafee.com |
| 127.0.0.1 | us.mcafee.com |
| 127.0.0.1 | vil.nai.com |
| 127.0.0.1 | viruslist.com |
| 127.0.0.1 | viruslist.ru |
| 127.0.0.1 | windowsupdate.microsoft.com |
| 127.0.0.1 | www.avp.ch |
| 127.0.0.1 | www.avp.com |
| 127.0.0.1 | www.avp.com |
| 127.0.0.1 | www.avp.ru |
| 127.0.0.1 | www.awaps.net |
| 127.0.0.1 | www.ca.com |
| 127.0.0.1 | www.ca.com |
| 127.0.0.1 | www.fastclick.net |
| 127.0.0.1 | www.f-secure.com |
| 127.0.0.1 | www.f-secure.com |
| 127.0.0.1 | www.grisoft.com |
| 127.0.0.1 | www.kaspersky.com |
| 127.0.0.1 | www.kaspersky.ru |
| 127.0.0.1 | www.kaspersky.ru |
| 127.0.0.1 | www.kaspersky-labs.com |
| 127.0.0.1 | www.mcafee.com |
| 127.0.0.1 | www.mcafee.com |
| 127.0.0.1 | www.my-etrust.com |
| 127.0.0.1 | www.my-etrust.com |
| 127.0.0.1 | www.nai.com |
| 127.0.0.1 | www.nai.com |
| 127.0.0.1 | www.networkassociates.com |
| 127.0.0.1 | www.networkassociates.com |
| 127.0.0.1 | www.sophos.com |
| 127.0.0.1 | www.sophos.com |
| 127.0.0.1 | www.symantec.com |
| 127.0.0.1 | www.symantec.com |
| 127.0.0.1 | www.trendmicro.com |
| 127.0.0.1 | www.trendmicro.com |
| 127.0.0.1 | www.viruslist.com |
| 127.0.0.1 | www.viruslist.ru |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
svcnost.exe:496
%original file name%.exe:1124
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\ntuser.dat (55 bytes)
%Documents and Settings%\%current user%\Application Data\desktop.ini (9 bytes)
%System%\drivers\etc\hosts (5 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Init" = "%Documents and Settings%\%current user%\Application Data\xojskzqqqecai1ym3ooro13acex3efbw2\svcnost.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.