Win32.Sality.3_f5e3e44223
Trojan.NSIS.GoogUpdate.dq (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f5e3e44223ed5f6dedb681d13553b4df
SHA1: d546b9e20a2e8f349da9f74aa00b9db3ce6a49e5
SHA256: 18a46524829f3038290decda0861f576521604e89c76f0a414b56896636d796b
SSDeep: 24576:gEwf6L/1hxU10ucFy6pDuXGtS3jhBapSvOT6h7gp:gEwf8UmFbD9ABapSvOT6he
Size: 1025952 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-31 22:41:14
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1072
The Trojan injects its code into the following process(es):
Explorer.EXE:1852
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system.ini (72 bytes)
Registry activity
The process %original file name%.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "1126387021"
[HKCU\Software\Aas\695404737]
"35845605" = "279"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "5E8F4F62667CCCACEB781E90A37BB0A8ADFF5D0207CECC747614EAA681F1DF0F00D65B17772A9DACB325D1E7C4AC55E9F9253BF5993C7E62952C57DF62A6E5FDC9B8A5299A8DBED1FB5A9EB34E350D6061885163CFAE9F1D1D0ECFBA99B9BDAEB650B55175FC1C2A965481E15E9A3CAD71726D65F3CDA5637BF0BE3BC8E374C3"
"43014726" = "0800687474703A2F2F3230322E3134332E3135392E3133352F696D616765732F6C6F676F2E67696600687474703A2F2F62656D2E646B2F696D616765732F6C6F676F662E67696600687474703A2F2F62616E626F6F6E2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F6264622E636F6D2E6D792F6C6F676F2E67696600687474703A2F2F6261756C61756E672E6F72672F696D616765732F6C6F676F2E67696600687474703A2F2F62617A7961722D617279612E636F6D2F6C6F676F2E67696600687474703A2F2F6261726C696B696E736161742E636F6D2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F626173616D616B68616C6973692E636F6D2F6C6F676F2E676966"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "157"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 B8 D7 9B F2 39 E2 55 AA 63 3E EC 78 14 93 7E"
[HKCU\Software\Aas]
"a2_0" = "6545"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a Windows Firewall rule that allows the Trojan's executable any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Windows Firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
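The registry changes listed above are a hardening regression rather than a single indicator: UAC is switched off, the Windows Firewall is disabled and told to permit exceptions, Security Center is told not to warn about antivirus, firewall or update state, Explorer is set to hide hidden files, and the sample's own executable is whitelisted. The following is an added example, not part of this report: a parser for the report's own "[KEY]" / "name" = "value" layout and an audit that flags the security-weakening values. The sample text is constructed from the settings above; the file name sample.exe and the benign trailing key are hypothetical.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample in the report's own "[KEY]" / "name" = "value" layout.
# The settings are the ones listed in the registry activity above; the
# executable name sample.exe and the last key (a benign counter) are
# hypothetical, the latter included to show that it is not flagged.
SAMPLE_REPORT = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"
"DisableNotifications" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"sample.exe" = "c:\sample.exe:*:Enabled:ipsec"
[HKCU\Software\Aas]
"a2_0" = "6545"
'''

Triple = Tuple[str, str, str]          # (key path, value name, value)
Finding = Tuple[str, str, str, str]    # (key path, value name, value, meaning)

VALUE_LINE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')


def parse_registry_report(text: str) -> List[Triple]:
    """Parse '[KEY]' headers followed by '"name" = "value"' lines into
    (key, name, value) triples in document order. Lines that fit neither
    shape are ignored."""
    triples: List[Triple] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            triples.append((key, m.group(1), m.group(2)))
    return triples


# Each rule: (substring that must occur in the lower-cased key path,
# predicate on the lower-cased value name, predicate on the raw value,
# meaning). The first matching rule wins for a given triple.
Rule = Tuple[str, Callable[[str], bool], Callable[[str], bool], str]
RULES: List[Rule] = [
    (r"policies\system", lambda n: n == "enablelua",
     lambda v: v == "0", "UAC disabled (EnableLUA=0)"),
    (r"firewallpolicy\standardprofile", lambda n: n == "enablefirewall",
     lambda v: v == "0", "Windows Firewall disabled"),
    (r"firewallpolicy\standardprofile", lambda n: n == "donotallowexceptions",
     lambda v: v == "0", "firewall exceptions permitted"),
    (r"firewallpolicy\standardprofile", lambda n: n == "disablenotifications",
     lambda v: v == "1", "firewall notifications suppressed"),
    (r"security center", lambda n: n.endswith("override"),
     lambda v: v == "1", "Security Center monitoring overridden"),
    (r"security center", lambda n: n.endswith("disablenotify"),
     lambda v: v == "1", "Security Center notifications suppressed"),
    (r"explorer\advanced", lambda n: n == "hidden",
     lambda v: v == "2", "Explorer set to hide hidden files"),
    (r"authorizedapplications\list", lambda n: True,
     lambda v: ":*:enabled:" in v.lower(), "firewall allow rule for an executable"),
]


def audit(triples: List[Triple]) -> List[Finding]:
    """Return every triple that matches a security-weakening rule."""
    findings: List[Finding] = []
    for key, name, value in triples:
        k, n = key.lower(), name.lower()
        for key_part, name_ok, value_bad, meaning in RULES:
            if key_part in k and name_ok(n) and value_bad(value):
                findings.append((key, name, value, meaning))
                break
    return findings


if __name__ == "__main__":
    for key, name, value, meaning in audit(parse_registry_report(SAMPLE_REPORT)):
        print(f"{meaning}: [{key}] {name} = {value}")
```

The same parser runs unchanged over the full registry section of this report; the rule table is deliberately keyed on path fragments and name suffixes so that the Security Center keys under both the root and the Svc subkey are caught by one rule each.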
Dropped PE files
| MD5 | File path |
|---|---|
| 8a53255d965908a910a6444f8c609472 | c:\xipkx.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Object Browser
Product Name: Sense
Product Version: 1000.1000.1000.1000
Legal Copyright: Copyright 2011
Legal Trademarks:
Original Filename: Sense.exe
Internal Name: Sense
File Version: 1000.1000.1000.1000
File Description: Sense exe
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 671470 | 671744 | 4.60484 | 3f0d7cc0cdc8638d78f02586b57c5610 |
| .rdata | 675840 | 239970 | 240128 | 3.91787 | 9a374e141e548ca71045c14e59112f0c |
| .data | 917504 | 49796 | 28160 | 3.52796 | d09e2d3ca08ae14742c5828cc31c1955 |
| .tls | 970752 | 9 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .rsrc | 974848 | 81920 | 79872 | 5.52222 | c63e5bcd477cbc4c9cc34ef16c52fe15 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Strings from the original file and from process memory dumps:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
Explorer.EXE_1852_rwx_00E40000_00001000:
|explorer.exeM_1852_
Explorer.EXE_1852_rwx_03010000_0108E000:
c:\windows
hXXp://202.143.159.135/images/logo.gif
hXXp://bem.dk/images/logof.gif
hXXp://banboon.com/images/logo.gif
hXXp://bdb.com.my/logo.gif
hXXp://baulaung.org/images/logo.gif
hXXp://bazyar-arya.com/logo.gif
hXXp://barlikinsaat.com.tr/images/logo.gif
hXXp://basamakhalisi.com/logo.gif
%System%\drivers\jjdeon.sys
24420001477
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
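The hXXp:// URL list recovered from the Explorer.EXE memory region above is the same data that the sample stores in the registry value "43014726" under HKCU\Software\Aas\695404737: that value is a hex blob of NUL-separated ASCII URLs. The following is an added example, not part of this report, that decodes the blob as captured above, checks it against its leading count field, extracts the hosts for a blocklist and defangs the URLs the way this report does (hXXp://, VVV.). Treating the first two bytes as a little-endian entry count is an assumption; the report shows only the raw value, and 0x0008 happens to equal the number of URLs behind it.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# Hex copied verbatim from the registry value "43014726" under
# HKCU\Software\Aas\695404737 in the report above, split at each NUL
# for readability.
URL_BLOB_HEX = (
    "0800"
    "687474703A2F2F3230322E3134332E3135392E3133352F696D616765732F6C6F676F2E67696600"
    "687474703A2F2F62656D2E646B2F696D616765732F6C6F676F662E67696600"
    "687474703A2F2F62616E626F6F6E2E636F6D2F696D616765732F6C6F676F2E67696600"
    "687474703A2F2F6264622E636F6D2E6D792F6C6F676F2E67696600"
    "687474703A2F2F6261756C61756E672E6F72672F696D616765732F6C6F676F2E67696600"
    "687474703A2F2F62617A7961722D617279612E636F6D2F6C6F676F2E67696600"
    "687474703A2F2F6261726C696B696E736161742E636F6D2E74722F696D616765732F6C6F676F2E67696600"
    "687474703A2F2F626173616D616B68616C6973692E636F6D2F6C6F676F2E676966"
)


def parse_url_blob(hex_value: str) -> Tuple[int, List[str]]:
    """Decode the registry blob into (count_field, urls)."""
    blob = bytes.fromhex(hex_value.strip())
    if len(blob) < 2:
        raise ValueError("value too short to hold a count field")
    # Assumption: the first two bytes are a little-endian entry count. The
    # report shows only the raw value; 0x0008 matches the eight URLs after it.
    count = int.from_bytes(blob[:2], "little")
    # Entries are NUL-separated. The captured value's last entry carries no
    # trailing NUL, so split and drop empty pieces instead of requiring one.
    urls = [part.decode("ascii") for part in blob[2:].split(b"\x00") if part]
    return count, urls


def is_consistent(hex_value: str) -> bool:
    """True when the count field agrees with the number of decoded entries."""
    count, urls = parse_url_blob(hex_value)
    return count == len(urls)


def hosts(urls: List[str]) -> List[str]:
    """Unique host names / addresses in order of first appearance."""
    seen: List[str] = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def defang(url: str) -> str:
    """Render a URL the way this report does: http -> hXXp, www. -> VVV."""
    scheme, sep, rest = url.partition("://")
    if sep:
        scheme = scheme.replace("tt", "XX")   # http -> hXXp, https -> hXXps
    if rest.lower().startswith("www."):
        rest = "VVV." + rest[4:]
    return scheme + sep + rest


if __name__ == "__main__":
    count, urls = parse_url_blob(URL_BLOB_HEX)
    print(f"count field: {count}, decoded entries: {len(urls)}")
    for url in urls:
        print(defang(url))
    print("hosts:", ", ".join(hosts(urls)))
```

The decoded list is exactly the eight hXXp:// strings found in the Explorer.EXE dump above, which is why the registry value rather than the memory dump is the more durable place to collect these indicators from an infected host.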
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1072
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan (the sample is classified as a file-infecting virus, so also scan the system for other executables it may have infected and disinfect or replace them from a clean source):
%WinDir%\system.ini (72 bytes)
c:\xipkx.pif (dropped PE file)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
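The propagation mechanism described above (the worm writes its executable and an autorun.inf to each removable drive, and Windows runs the named file when the drive is opened in Explorer) and the removal step that asks for those copies and autorun.inf scripts to be found: the following is an added example, not part of this report and not the sample's own autorun.inf, whose contents the report does not show. It parses the [autorun] section, extracts every file Windows would launch (open=, shellexecute= and each shell\verb\command=), and, over a constructed listing of a removable drive's root, returns what should be deleted. The file names, verb and drive contents are hypothetical.

```python
import ntpath
import re
from typing import Dict, List

# Constructed autorun.inf, not the file the report's sample writes. The
# launch target sample.pif and the extra keys are hypothetical, chosen to
# exercise every key that can start a program.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample
open=sample.pif
shellexecute=sample.pif /s
shell\open\command="sample.pif" /o
shell\explore\command=sample.pif
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
label=Backup
"""

# Constructed drive listing ({file name: content}); the .PIF is an MZ-headed
# stub, not a real executable, and the JPEG is a header fragment.
SAMPLE_DRIVE: Dict[str, bytes] = {
    "autorun.inf": SAMPLE_AUTORUN.encode("ascii"),
    "Sample.PIF": b"MZ" + b"\x90" * 62,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

# Keys whose value names a program to run: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section with keys
    lower-cased. Blank lines, ';' comments, other sections and lines that are
    not key=value are ignored; a repeated key keeps its last value."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command: str) -> str:
    """Program part of a command line: a quoted path, else the first
    whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(text: str) -> List[str]:
    """Unique files the autorun.inf would run, in order of first appearance."""
    targets: List[str] = []
    for key, value in parse_autorun(text).items():
        if LAUNCH_KEY.match(key):
            exe = first_token(value)
            if exe and exe.lower() not in (t.lower() for t in targets):
                targets.append(exe)
    return targets


def files_to_remove(drive: Dict[str, bytes]) -> List[str]:
    """Given a removable drive's root listing, return autorun.inf plus every
    launch target it names that exists on the drive (case-insensitively) and
    carries a PE/MZ header. An autorun.inf pointing at a PE on the same drive
    is the pattern this report describes."""
    by_lower = {name.lower(): name for name in drive}
    inf = by_lower.get("autorun.inf")
    if inf is None:
        return []
    removals = [inf]
    for target in launch_targets(drive[inf].decode("latin-1")):
        name = by_lower.get(ntpath.basename(target).lower())
        if name and drive[name][:2] == b"MZ" and name not in removals:
            removals.append(name)
    return removals


if __name__ == "__main__":
    print("launch targets:", launch_targets(SAMPLE_AUTORUN))
    print("delete from drive:", files_to_remove(SAMPLE_DRIVE))
```

The check deliberately keys on the launch keys rather than on a file name, because the copy on each drive may be named differently from the dropped file listed in this report; a quarantine copy of both the autorun.inf and the target is worth keeping before deletion so the removable-drive variant can be compared with the original sample.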