Trojan.Generic.KD.666683_41c6327c84

by malwarelabrobot on June 16th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.KD.666683 (B) (Emsisoft), Trojan.Generic.KD.666683 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 41c6327c8494bb31bdf528a134f0748f
SHA1: d24b030fe3ce7efffc15b37ef1ab4ee62e85575c
SHA256: 7dd219a33af5811111f732f3bf3254ede79fbf98f31048f862d9880286bdf1f8
SSDeep: 3072:SdBaooypxo jhGHIQkN/rpQVm71HCdbnoWnuITGLLg:SdBaoNPl1zNGbnoWn3TGg
Size: 136240 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: setupprocess
Created at: 2012-07-05 11:10:26
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1772

The Trojan injects its code into the following process(es):

%original file name%.exe:1140

File activity

The process %original file name%.exe:1140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MSASCui.exe (673 bytes)
%System%\drivers\etc\hosts (120 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

Registry activity

The process %original file name%.exe:1140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 38 80 0F 2E 76 4C 98 68 DA 37 31 2F E2 14 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Local Settings\Temp\MSASCui.exe"

The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 02 D6 C0 56 C9 B8 CC 0C 19 3B 5A 88 69 20 41"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 120 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 74.53.201.162
127.0.0.1 66.66.132.220.30
127.0.0.1 66.35.241.92
127.0.0.1 94.23.199.60


Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 54708 54784 4.15879 b437937a3f64a4421f52d38bc19e458d
.rsrc 65536 79380 79872 5.52285 b21838d515898380cebe7a4b96df2dbc
.reloc 147456 12 512 0.056519 59c3604ecede181673268c214e6a6c89

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
25df01e07564849f04bf4074b994d04a
3437b1300ddf77d3511f915f7721f9c8
5467b1b4dc1ae6f02793446173c3bd0c

URLs

URL IP
smtp.gmail.com 173.194.68.108


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1140:

.text
`.sdata
.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
Microsoft.VisualBasic
Syslogger_Stub.My
MyWebServices
SQLiteDataTypes
Keyboard
KeyStructure
CMSNMessengerPasswords
MSNPass
CMSNMessengerPassword
Syslogger_Stub.My.Resources
SQLiteHandler
sqlite_master_entry
Microsoft.VisualBasic.ApplicationServices
WindowsFormsApplicationBase
.ctor
Microsoft.VisualBasic.Devices
.cctor
get_WebServices
m_MyWebServicesObjectProvider
WebServices
System.Windows.Forms
System.Collections
loadCerts
System.Text
GetProcessHeap
sqlite3_open
sqlite3_close
sqlite3_exec
sqlite3_errmsg
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_count
sqlite3_column_name
sqlite3_column_type
sqlite3_column_int
sqlite3_column_double
sqlite3_column_text
sqlite3_column_blob
sqlite3_column_table_name
sqlite3_finalize
SQL_OK
SQL_ROW
SQL_DONE
System.Data
System.ComponentModel
smtp
port
ftpuser
ftppass
ftpurl
ftpst
DeleteMozillaCookies
DeleteMozillaSignons
user32.dll
AntiKeyscrambler
SetWindowsHookEx
KeyDelegate
SetWindowsHookExA
UnhookWindowsHookEx
Keys
System.Collections.Generic
HKEY_CURRENT_USER
KEY_QUERY_VALUE
KEY_ENUMERATE_SUB_KEYS
KEY_NOTIFY
KEY_SET_VALUE
KEY_CREATE_SUB_KEY
KEY_READ
KEY_WRITE
kernel32.dll
advapi32.dll
crypt32.dll
RegOpenKeyEx
hKey
lpSubKey
RegOpenKeyExA
RegEnumKeyEx
RegEnumKeyExA
RegCloseKey
shell32.dll
msidcrl.dll
PassportFreeMemory
m_MSNPass
getMSN75Passwords
DOMAIN_PASSWORD
DOMAIN_CERTIFICATE
DOMAIN_VISIBLE_PASSWORD
lpstrKeyword
strLogin
strPass
m_szLogin
m_szPassword
szLogin
szPassword
get_Password
get_Login
Password
Login
System.Resources
System.Globalization
System.Configuration
opera_salt
key_size
sUrlTemp
sPassTemp
sUrl
sPass
lasturl
LoginData
SQLDataTypeSize
sql_statement
System.CodeDom.Compiler
System.Diagnostics
Microsoft.VisualBasic.CompilerServices
System.ComponentModel.Design
HelpKeywordAttribute
System.Reflection
ContainsKey
InvalidOperationException
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.IO
DllImportAttribute
Crypt32.dll
System.Threading
System.Text.RegularExpressions
mozsqlite3
System.Drawing
get_ExecutablePath
MsgBoxResult
MsgBoxStyle
MsgBox
System.Net.Mail
SmtpClient
System.Net
set_Port
Operators
FtpWebRequest
WebRequest
Microsoft.Win32
Microsoft.VisualBasic.MyServices
System.Collections.ObjectModel
Microsoft.VisualBasic.FileIO
System.Security.Cryptography
set_Key
RegistryKey
OpenSubKey
GetExecutingAssembly
IsKeyLocked
get_ModifierKeys
Syslogger Stub.exe
Syslogger_Stub.Resources.resources
Syslogger_Stub.Form1.resources
8.0.0.0
My.Application
My.Forms
My.Computer
My.WebServices
My.User
System.Windows.Forms.Form
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
10.0.0.0
My.Settings
4.3.2.1
$92cfe5a8-c556-4a58-8735-4e19116a1afa
_CorExeMain
mscoree.dll
C:\Users\Public\Documents\Visual Studio 2010\Projects\SysLogger Stub\SysLogger Stub\obj\x86\Release\Syslogger Stub.pdb
\Google\Chrome\User Data\Default\Login Data
logins
origin_url
password_value
|----------------------------------------|Google Chrome|--------------------------------------------|
Password:
\Mozilla Firefox\
Password:
Mozilla Firefox
---Firefox---
mozcrt19.dll
nspr4.dll
plc4.dll
plds4.dll
ssutil3.dll
sqlite3.dll
mozsqlite3.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
SELECT name FROM sqlite_master WHERE type IN (
System.Int32
System.Single
System.String
icheck.txt
st.txt
stcheck.txt
|-----------------------------------|Windows Live Messenger|-----------------------------------|
Login:
127.0.0.1 74.53.201.162
127.0.0.1 66.66.132.220.30
127.0.0.1 66.35.241.92
127.0.0.1 94.23.199.60
\Steam\config\SteamAppData.vdf
HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam
ClientRegistry.blob
%Documents and Settings%\All Users\Start Menu\Programs\Startup\MSASCui.exe
Windows Defender
MSASCui.exe
errorchecker.txt
\Mozilla\Firefox\Profiles
svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HDDFile.com
autorun.inf
shellexecute=
Software\Microsoft\Windows\CurrentVersion\Run
keyscrambler
npfmsg
lo.txt
\MSN Messenger\msidcrl.dll
ps:password
PasswordMSN Messenger Service
Password.NET Messenger Service
User.NET Messenger Service
Passport.Net\*
82BD0E67-9FEA-4748-8672-D5EFE5B779B0
Syslogger_Stub.Resources
\Opera\Opera\wand.dat
\Opera\Opera\profile\wand.dat
http://
https://
ftp://
---Opera---
SQLite format 3
Not a valid SQLite 3 Database File
Auto-vacuum capable database is not supported
No supported Schema layer file-format
1.2.3.4


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1772

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\MSASCui.exe (673 bytes)
    %System%\drivers\etc\hosts (120 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender" = "%Documents and Settings%\%current user%\Local Settings\Temp\MSASCui.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  8. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.