Shiz_8aa6912076

by malwarelabrobot on March 7th, 2014 in Malware Descriptions.

Gen:Variant.Kazy.74321 (BitDefender), VirTool:Win32/Obfuscator.ZV (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Encpk.afk (v) (VIPRE), Trojan.PWS.Ibank.456 (DrWeb), Gen:Variant.Kazy.74321 (B) (Emsisoft), RDN/Generic BackDoor!sg (McAfee), Trojan.Gen (Symantec), Backdoor.Win32.Shiz (Ikarus), Gen:Variant.Kazy.74321 (FSecure), BackDoor.Generic15.BDLK (AVG), Win32:MalOb-KM [Trj] (Avast), TROJ_SPNR.30II12 (TrendMicro), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 8aa691207646cc5e17b9bd2f3576f190
SHA1: ff55bfa473408cf8b885611b45f82edf5a784922
SHA256: 77cae36b132d608813e49894bc496b8f6cda24dc0724ec9f1e552bc3bf46ef43
SSDeep: 6144:B08n1pZ51ZDbYERBO1hebgc0n89fR0LIUr/V3Sh8gCFS8cJ:BPfXzXbf0q ImE8gCDs
Size: 267264 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2000-08-11 22:18:35
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1308

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\AppPatch\vgwpcg.exe (1959 bytes)
%System%\config\software (2315 bytes)
%System%\config\SOFTWARE.LOG (4483 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 12 2E 73 22 5F 5E B3 91 0D 1C 25 24 4B A3 DE"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\vgwpcg.exe_, \??\%WinDir%\apppatch\vgwpcg.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöTþd#°¥oD¬<»¹œ³ŒQ\´òd¼Œ¤Kô1,Å $ë›ÛÌ«”¹l}Ë {Å“zΙC%é[qñl4ì;û´[Ã’#»Û:ÑU„„ԝ\±ª²DÆ’uÅ“¡Ü¼); ¼\Æ’tµ2”kDù”a”*›cü$}Sô|ë$¤ô {¬q³#sÃ…Ã¥\yuJÛËu©|ù ¢rKã!$’‹‹b±ÃÄ £ãÍ‚ “ÉUcdÁÄZ¡r»ô”)Û©Š ]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*â„¢ü›ÙóÍÁ=éÔÑщ¬ q9|áíù’‘íÁ©šÄR"

Network activity (URLs)

URL IP
hxxp://digivehusyd.eu/login.php 69.195.129.70
hxxp://gadufiwabim.eu/login.php 50.116.56.144
hxxp://kefuwidijyp.eu/login.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 3) , Malicious) 173.230.133.99
hxxp://vofozymufok.eu/login.php 209.160.22.9
jefapexytar.eu 50.116.56.144
fokyxazolar.eu 50.116.56.144
xuqohyxeqak.eu 50.116.56.144
cihunemyror.eu 50.116.56.144
lyruxyxaxaw.eu 50.116.56.144
www.bing.com 204.79.197.200
foxivusozuc.eu 50.116.56.144
ryqecolijet.eu 50.116.56.144
puregivytoh.eu Unresolvable
gahihezenal.eu Unresolvable
qegytuvufoq.eu Unresolvable
vojacikigep.eu Unresolvable
makagucyraj.eu Unresolvable
tucyguqaciq.eu Unresolvable
nozoxucavaq.eu Unresolvable
puvopalywet.eu Unresolvable
ciliqikytec.eu Unresolvable
tunujolavez.eu Unresolvable
xutekidywyp.eu Unresolvable
dikoniwudim.eu Unresolvable
divywysigud.eu Unresolvable
lyvejujolec.eu Unresolvable
puzutuqeqij.eu Unresolvable
fobonobaxog.eu Unresolvable
rydinivoloh.eu Unresolvable
lysovidacyx.eu Unresolvable
qeqinuqypoq.eu Unresolvable
magofetequb.eu Unresolvable
tupazivenom.eu Unresolvable
rytuvepokuv.eu Unresolvable
qetoqolusex.eu Unresolvable
masisokemep.eu Unresolvable
gatedyhavyd.eu Unresolvable
fodakyhijyv.eu Unresolvable
cicaratupig.eu Unresolvable
vocumucokaj.eu Unresolvable
nofyjikoxex.eu Unresolvable
tuwikypabud.eu Unresolvable
kepymexihak.eu Unresolvable
xuxusujenes.eu Unresolvable
lymylorozig.eu Unresolvable
jepororyrih.eu Unresolvable
xubifaremin.eu Unresolvable
dimutobihom.eu Unresolvable
voniqofolyt.eu Unresolvable
fogeliwokih.eu Unresolvable
dixemazufel.eu Unresolvable
qederepuduf.eu Unresolvable
kemocujufys.eu Unresolvable
nojuletacuf.eu Unresolvable
rynazuqihoj.eu Unresolvable
marytymenok.eu Unresolvable
jejedudupuc.eu Unresolvable
volebatijub.eu Unresolvable
ciqydofudyx.eu Unresolvable
cinepycusaw.eu Unresolvable
keraborigin.eu Unresolvable
pumadypyruv.eu Unresolvable
nopegymozow.eu Unresolvable
galokusemus.eu Unresolvable
jewuqyjywyv.eu Unresolvable


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1308

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\AppPatch\vgwpcg.exe (1959 bytes)
    %System%\config\software (2315 bytes)
    %System%\config\SOFTWARE.LOG (4483 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.