DDoSNitol_f7a09f3251

by malwarelabrobot on March 7th, 2014 in Malware Descriptions.

Trojan.Rincux.AW (BitDefender), DDoS:Win32/Nitol.A (Microsoft), Trojan.Win32.MicroFake.pgu (Kaspersky), Trojan.Win32.Nitol.b (v) (VIPRE), Trojan.Inject1.247 (DrWeb), Trojan.Rincux.AW (B) (Emsisoft), Artemis!F7A09F3251B0 (McAfee), Trojan.Win32.MicroFake (Ikarus), Trojan.Rincux.AW (FSecure), Downloader.Generic12.VDR (AVG), Win32:Malware-gen (Avast), PE_VIRUX.R (TrendMicro), DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: f7a09f3251b01fe135667af3b73bdc52
SHA1: bb103f63f1c8ad480899c1a422d0e5370a686565
SHA256: ad28f76bd242f11229ff79562e44f92f5b4a4d03220166c8ca22f2676c600f78
SSDeep: 3072:fl0M2hwxyHdlDap78fw/Fh4jsCsm8N3vtWqucSvO/msxfaTMLGQ3Y:flt4wxyHdlmhOwth4A3IcSvOHp3Y
Size: 155648 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-18 17:52:28
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:596
hrl1.tmp:1536

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process regsvr32.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (147 bytes)

The process hrl1.tmp:1536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\qusoue.exe (673 bytes)

Registry activity

The process regsvr32.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 69 5E 6A 35 BE FF 95 A3 51 14 33 BA 53 0C 80"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 www.Brenz.pl


Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:596
    hrl1.tmp:1536

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (147 bytes)
    %System%\qusoue.exe (673 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.