DDoS.Win32.Nitol_008e5af534

by malwarelabrobot on January 4th, 2014 in Malware Descriptions.

Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Win32.Ramnit.d (v) (VIPRE), Trojan.Win32.ServStart!IK (Emsisoft), DDoS.Win32.Nitol.FD, Trojan.Win32.Sasfis.FD, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 008e5af53492190dbb29e8e44e9052ec
SHA1: 2a68e661a348dba2312c7e79b3979c1d1ec92be3
SHA256: 43d9192fb52f7f1bfee8b4c5a9bfd023017d5ae4d71b5ec079eb2ad18dd722c0
SSDeep: 3072:aleHE uyH2IVLQ4biwEAHkc6RQ 4Uh2edczsfKth3lT:alek uyH24nHCRQ vlizsfKtJ
Size: 162304 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-06-08 12:59:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The DDoS creates the following process(es):

regsvr32.exe:464
hrl1.tmp:2044

The DDoS injects its code into the following process(es):
No processes have been created.

File activity

The process regsvr32.exe:464 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (154 bytes)

The process hrl1.tmp:2044 makes changes in the file system.
The DDoS creates and/or writes to the following file(s):

%System%\ycemck.exe (673 bytes)

Registry activity

The process regsvr32.exe:464 makes changes in the system registry.
The DDoS creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 58 BF 55 26 AA 5A FF AF C0 CE 81 C4 2C C1 03"

Network activity (URLs)

URL IP
www.mojimojimojimoji.com 69.46.84.61
ilo.brenz.pl 148.81.111.111


HOSTS file anomalies

The DDoS modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 www.Trenz.pl


Rootkit activity

The DDoS installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:464
    hrl1.tmp:2044

  3. Delete the original DDoS file.
  4. Delete or disinfect the following files created/modified by the DDoS:

    %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (154 bytes)
    %System%\ycemck.exe (673 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.