MD5: 2c14e1f89eeca5d48c1d3f6199683363
SHA1: 876cd1732fdf4dd92b1bdee75158e4832b18bd52
SHA256: 800df19290209f158bd96132b49233253ca831b449dccb404caa551567276f78
SSDeep: 6144:QZ8Bb8h vI3s4h7bnoS1OKjzbItqKUDManZumFhTnEM6HHGi0 lv1H3:Mobe vIce7bnAcbIteYanZumv77fK3
Size: 321490 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: LLC Pentagon
Created at: 2015-08-15 18:11:26
Analyzed on: WindowsXP SP3 32-bit

Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

No specific payload has been found.

Process activity

The Virus creates the following process(es):

%original file name%.exe:856

The Virus injects its code into the following process(es):

Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:856 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WT2N852Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YTW81N8N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uda1.tmp (11010 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HKR9E6W\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQV4DMV\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:856 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 AF E6 0B 04 CB 41 6A 88 8D E5 24 4F 39 1D 5E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/	174.129.23.198

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 148

Cache-Control: no-cache

{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5482\",\"utm_addition\":\"&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

Content-Type: application/json; charset=utf-8

Date: Sun, 21 Feb 2016 08:56:12 GMT

Content-Length: 15

Connection: keep-alive
{"Status":"OK"}....


POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 148

Cache-Control: no-cache

{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5504\",\"utm_addition\":\"&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

Content-Type: application/json; charset=utf-8

Date: Sun, 21 Feb 2016 08:56:12 GMT

Content-Length: 15

Connection: keep-alive
{"Status":"OK"}....


POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 161

Cache-Control: no-cache

{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5483\",\"utm_addition\":\"reason=2&cmd=&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

Content-Type: application/json; charset=utf-8

Date: Sun, 21 Feb 2016 08:56:12 GMT

Content-Length: 15

Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Methods: GET,HEAD
,PUT,POST,DELETE..Access-Control-Allow-Origin: *..Content-Type: applic
ation/json; charset=utf-8..Date: Sun, 21 Feb 2016 08:56:12 GMT..Conten
t-Length: 15..Connection: keep-alive..{"Status":"OK"}..

The Virus connects to the servers at the folowing location(s):

UDPSockError

NMUDP

Errmsg

Port

TNMUDP

RemotePort

LocalPort

ReportLevelLk

0.0.0.0

%d.%d.%d.%d

AutoHotkeys

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation

KeyPreview,

WindowState

OnKeyDown

OnKeyPressdz

OnKeyUp

ssHotTrack

TWindowState

poProportional

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

TDragOperation

TKeyEvent

TKeyPressEvent

crSQLWait

%s (%s)

IMM32.DLL

EInvalidOperation

%s[%d]

%s_%d

USER32.DLL

comctl32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

Portions Copyright (c) 1983,99 Borland

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

RegCloseKey

readbook.exe

rundll32.exe

*.exe

*.scr

UdpT

UdpOnDataReceived

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Broken pipe

Operation not permitted

%H:%M:%S

%m/%d/%y

%A, %B %d, %Y

d/d/d d:d:d.d

An exception (X) occurred during DllEntryPoint or DllMain in module:

xx.cpp

varType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpClass.tpcDtorAddr

(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags

memType->tpClass.tpcFlags & CF_HAS_DTOR

varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR

dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR

IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)

elemType->tpClass.tpcFlags & CF_HAS_DTOR

ReportLevel

GetCPInfo

GetProcessHeap

GetWindowsDirectoryA

RegCreateKeyExA

RegFlushKey

SetViewportOrgEx

ActivateKeyboardLayout

EnumThreadWindows

EnumWindows

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardState

GetKeyboardType

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetWindowsHookExA

UnhookWindowsHookEx

VprK|%Ud

€00404

8 @ @ @ @ @

.text

`.data

.idata

@.edata

@.rsrc

@.reloc

70"!(&&$

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Win32 Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

Invalid data type for '%s'

Failed to set data for '%s'

Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'

Asynchronous socket error %d

- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value

Alt  Clipboard does not support Icons

!Control '%s' has no parent window

Error reading %s%s%s: %s

Ancestor for '%s' not found

Unsupported clipboard format

Class %s not found

Resource %s not found

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name

A class named %s already exists

Cannot assign a %s to a %s

Cannot create file %s

Cannot open file %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:856
   

2. Delete the original Virus file.
   
3. Delete or disinfect the following files created/modified by the Virus:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WT2N852Z\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YTW81N8N\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\uda1.tmp (11010 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HKR9E6W\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQV4DMV\desktop.ini (67 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.