MemScan.Backdoor.Agent.ZQA_b07a2f3507

by malwarelabrobot on March 7th, 2014 in Malware Descriptions.

MemScan:Backdoor.Agent.ZQA (BitDefender), Virus:Win32/Duel.A@mm (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), LooksLike.Win32.Malware!B (v) (VIPRE), Win32.HLLM.Dref (DrWeb), MemScan:Backdoor.Agent.ZQA (B) (Emsisoft), Generic-FAGI!B07A2F35078A (McAfee), W32.Mixor (Symantec), Email-Worm.Win32.LoveLetter (Ikarus), MemScan:Backdoor.Agent.ZQA (FSecure), I-Worm/Loveletter.A (AVG), Win32:LoveLetter-BE [Wrm] (Avast), Mal_Xed-3 (TrendMicro), GenericEmailWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, Email-Worm, EmailWorm, Virus, IRCBot


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: b07a2f35078a63688868160bc7766361
SHA1: cd78b3a0e20f69d2d6f43102a2f6694b49821dc8
SHA256: 5efe096995285e41d4ce12577cac04811390d63bfbd7c38afd703800354b07c2
SSDeep: 1536:bNWS0A 3czeCrNSLDjrctX/6bG3w 6MIfT:bNWSn 3geCx0DctKG3wMw
Size: 61952 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1978-02-13 06:48:27
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.
IRCBot A bot can communicate with command and control servers via IRC channel.


Process activity

The MemScan creates the following process(es):

dwwin.exe:392
%original file name%.exe:1296

The MemScan injects its code into the following process(es):

iryyjzz.cmd:952

File activity

The process dwwin.exe:392 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\759B6.dmp (78587 bytes)

The process iryyjzz.cmd:952 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

%System%\WindowsUpdt.exe (19 bytes)

The process %original file name%.exe:1296 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jjjryb.yzir.azj (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\54d7_appcompat.txt (6214 bytes)
%WinDir%\xwrm.exe (61 bytes)

Registry activity

The process dwwin.exe:392 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 00 AB 67 C9 26 92 8C 6D 4F 94 1F 30 E5 66 8F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The MemScan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process iryyjzz.cmd:952 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 14 C1 5F EC 3B 0D 92 EC A4 88 51 38 56 73 BC"

To automatically run itself each time Windows is booted, the MemScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WihdowsUpdate" = "%System%\WindowsUpdt.exe"

The process %original file name%.exe:1296 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 73 32 B6 6C B7 66 A5 7F 14 C6 7D 41 2C 77 18"

To automatically run itself each time Windows is booted, the MemScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"

The MemScan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The MemScan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:392
    %original file name%.exe:1296

  2. Delete the original MemScan file.
  3. Delete or disinfect the following files created/modified by the MemScan:

    %Documents and Settings%\%current user%\Local Settings\Temp\759B6.dmp (78587 bytes)
    %System%\WindowsUpdt.exe (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jjjryb.yzir.azj (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\54d7_appcompat.txt (6214 bytes)
    %WinDir%\xwrm.exe (61 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WihdowsUpdate" = "%System%\WindowsUpdt.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "x32x" = "%WinDir%\xwrm.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.