Trojan.Win32.Swrort_123b636b78

by malwarelabrobot on December 27th, 2013 in Malware Descriptions.

Trojan.Win32.Pasta.nsq (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.Turkojan!IK (Emsisoft), Trojan.Win32.Bumat.FD, Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 123b636b7861377da8d7acef0f01281b
SHA1: 0e0391b6986f670cfb297be7d2a384b2009f1e46
SHA256: 19d9b6e1671b7572f6713cdbea704c46e6c075452b4d6ec966e67f58fa8ea0fb
SSDeep: 12288:ZqTObLwuBbVzcWTydBbg4hLRC5o8GYRvdS28IAzDrbrPRIF3x/jZ3pe9RJyyh8FJ:IT0ZV3TynbJaogu28IurbrPcF3poR6
Size: 1080844 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandCDLL, ACProtect141, UPolyXv05_v6, BorlandCforWin321999
Company: no certificate found
Created at: 2010-06-13 18:00:56
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

md.exe:2600

The Trojan injects its code into the following process(es):

%original file name%.exe:1496
ctfmon.exe:244

File activity

The process md.exe:2600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Drv12\svchost.exe (2500 bytes)
%WinDir%\RLT6987\services.exe (6988 bytes)

The process %original file name%.exe:1496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpt.exe (275736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\md.exe (52744 bytes)
%WinDir%\ctfmon.exe (5442 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\md.exe (0 bytes)

Registry activity

The process md.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 99 1B A2 24 0D 2A F5 55 68 8F 47 63 8B A4 C1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Drv12]
"svchost.exe" = "%WinDir%\Drv12\svchost.exe:*:Enabled:msnmsg"

The process %original file name%.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"md.exe" = "md"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmpt.exe" = "tmpt"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"ctfmon.exe" = "ctfmon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 33 7D E7 41 0B D6 25 06 9F AD B2 65 C5 6F EC"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://gooogle.atwebpages.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\S-1-5-21-1177238915-436374069-1957994488-1003\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://gooogle.atwebpages.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%]
"ctfmon.exe" = "%WinDir%\ctfmon.exe:*:Enabled:UI"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UI" = "%WinDir%\ctfmon.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process ctfmon.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D B4 06 64 96 06 CD CF 94 46 7F 4B E5 FD 54 FD"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    md.exe:2600

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Drv12\svchost.exe (2500 bytes)
    %WinDir%\RLT6987\services.exe (6988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpt.exe (275736 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\md.exe (52744 bytes)
    %WinDir%\ctfmon.exe (5442 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UI" = "%WinDir%\ctfmon.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now