Trojan.Win32.Zpevdo.A_44be20f381
Trojan.GenericKD.30981062 (BitDefender), Trojan:Win32/Zpevdo.A (Microsoft), Trojan.Win32.Bicololo.bifo (Kaspersky), Trojan.DownLoader26.49573 (DrWeb), Trojan.GenericKD.30981062 (B) (Emsisoft), Artemis!44BE20F381B5 (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan.SuspectCRC (Ikarus), Trojan.GenericKD.30981062 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast)
Behaviour: Trojan, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 44be20f381b5adf35f80b7f450ca053f
SHA1: 4177ab2fb10633e98f096b5f2399d9d7da9f33fa
SHA256: aca8ff514ba5ba00e4ec12a3c10e9c68711c505df047101a5b92004488c9ae8c
SSDeep: 12288:lLo9y90GhA3JAgsXV5uU9C8EvW17f4R8K9bf0rPxp/e2nCS3p2ahEp:yyrauRuU9HEvW17fC8KFf0rPx4Op23p
Size: 885248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: BitTorrent Inc.
Created at: 2009-07-14 02:42:43
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
certutil.exe:3628
certutil.exe:2696
certutil.exe:1800
%original file name%.exe:1776
run.exe:1064
dist.exe:3452
regedit.exe:536
2dREb.exe:3544
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process certutil.exe:3628 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Windows\cer62E9.tmp (0 bytes)
The process certutil.exe:2696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (36 bytes)
The Trojan deletes the following file(s):
C:\Windows\cer63A5.tmp (0 bytes)
The process certutil.exe:1800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (2 bytes)
The Trojan deletes the following file(s):
C:\Windows\cer6337.tmp (0 bytes)
The process %original file name%.exe:1776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (31604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.exe (22079 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP (0 bytes)
The process run.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (49 bytes)
The process dist.exe:3452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rr.vbe (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.bat (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.json (201 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (7071 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (4 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (0 bytes)
The process 2dREb.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\4d6629d6a7d5185ca5557446b928cfd8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (87 bytes)
Registry activity
The process certutil.exe:3628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\620AD32A386853E5BC0F76E7EFA86444DB4E0129]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 62 0A D3 2A"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"620AD32A386853E5BC0F76E7EFA86444DB4E0129"
The process %original file name%.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process regedit.exe:536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList]
"1" = "ocinjdjondmhheihhgkbmjkofmomnppd;https://clients2.google.com/service/update2/crx"
[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1" = "ocinjdjondmhheihhgkbmjkofmomnppd"
[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.ww.fm]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ww.fm\ww.json"
The process 2dREb.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\D4A090F7C4B9D22E9BFD1D2E991CF938A79458E4]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 D4 A0 90 F7"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates]
"D4A090F7C4B9D22E9BFD1D2E991CF938A79458E4"
Dropped PE files
MD5 | File path |
---|---|
aeea9d090117d63ad4d63bcc2c3e0b9c | c:\Users\"%CurrentUserName%"\AppData\Roaming\ww.fm\ww.exe |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 905 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | validation.sls.microsoft.com |
104.251.211.173 | clients2.google.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 43748 | 44032 | 4.53606 | 3aeb6fb8fe8ab95f2462e3afb8b8acd3 |
.data | 49152 | 8796 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
.rsrc | 61440 | 835584 | 835072 | 5.50589 | 6499b658b20ef0e8785d898aa9d59e6f |
.reloc | 897024 | 3480 | 3584 | 3.33168 | bc74eb2a181cf1029262828db6ac5b5d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://185.148.147.134/trk/e0 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
certutil.exe:3628
certutil.exe:2696
certutil.exe:1800
%original file name%.exe:1776
run.exe:1064
dist.exe:3452
regedit.exe:536
2dREb.exe:3544
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (31604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.exe (22079 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rr.vbe (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.bat (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.json (201 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (7071 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\4d6629d6a7d5185ca5557446b928cfd8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (87 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.