Trojan.GenericKDZ.13200_a6d3d363eb

by malwarelabrobot on August 7th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKDZ.13200 (B) (Emsisoft), Trojan.GenericKDZ.13200 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, VirTool, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a6d3d363ebf36ab17c56fcfb41c44fdf
SHA1: f2c561207446b3a206c76aaac852a5d02e4f3878
SHA256: 2cc20100a9972dc255ee801100601bff3a6df14552d5835f183cab1120bd3fff
SSDeep: 12288:8DGRiH1V4JjBGZRInpoFkJIK4ydUikLm2ynUlRrRIHzXKt1JmRfaFJ:8SpRrm8dk61Ul9RqrKg J
Size: 743512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Firseria
Created at: 2013-04-05 03:54:25
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). This sample is a packed executable (PEiD: UPolyXv05_v6) that carries Opera Internet Browser version information (see VersionInfo below) while the file record lists the company as Firseria. In the sandbox it writes winlog.exe to %Application Data%\Microsoft, registers it in the current user's Run key, and injects code into winlog.exe:496. Strings recovered from that process (winlog.exe_496 below) show Delphi VCL runtime messages and a TUdpSocket component, a download-and-execute routine (URLDownloadToFileA, ShellExecuteA), the Run key path, an autorun.inf template with a stock SHELL32.dll icon, and Firefox profile and NSS library names (profiles.ini, signons3.txt, nss3.dll, PK11_GetInternalKeySlot) consistent with stored-password theft. No network traffic was observed during the analysis run.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

winlog.exe:1580
winlog.exe:936
winlog.exe:1576
%original file name%.exe:1684

The Trojan injects its code into the following process(es):

winlog.exe:496

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process winlog.exe:496 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (0 bytes)

The process %original file name%.exe:1684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (5441 bytes)

Registry activity

The process winlog.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Cryptography\RNG "Seed", Explorer "Shell Folders" and "MountPoints2" values listed here and under %original file name%.exe:1684 are side effects of CryptoAPI, SHGetFolderPath and Explorer drive enumeration that any process can trigger; the Run value below is the persistence indicator):

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 5C 6E FA B8 BB DB 0E 1B 96 44 C5 AF 0A F1 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To run automatically at each logon of the current user (HKCU\...\Run is evaluated at user logon, not at boot), the Trojan adds the following value pointing to its dropped file:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winlog.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe"

The process %original file name%.exe:1684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C B8 F2 05 99 6A 66 51 2B 02 00 36 C6 1E E3 A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"winlog.exe" = "Opera Internet Browser"

(MUICache caches the FileDescription from an executable's version resource when the shell runs it; this entry shows that the file at that path presented the description "Opera Internet Browser" and was executed under this user.)

The Trojan sets the three Intranet Zone membership options in IE's ZoneMap. "IntranetName" = 1 places single-label (dotless) host names not listed in another zone into the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

"UNCAsIntranet" = 1 places all network paths (UNC) into the Intranet Zone:

"UNCAsIntranet" = "1"

"ProxyBypass" = 1 places all sites that bypass the proxy server into the Intranet Zone:

"ProxyBypass" = "1"

These three values match the Intranet Zone defaults and appear in sandbox reports for many samples that use urlmon/WinINet (the strings below show this sample imports URLDownloadToFileA), so treat them as a weak indicator rather than as a deliberate zone downgrade.
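The Run-key persistence and ZoneMap changes above are the kind of thing a responder checks from a regedit export of HKCU rather than on the live box. The following is an added example (not part of the Lavasoft report) that parses the .reg export format and flags autostart entries that run from user-writable locations or carry a filename that imitates a Windows system process, and lists the Intranet Zone options set to 1. The export text is constructed for the example; the user name "user" and the ctfmon.exe entry are hypothetical.

```python
"""Offline audit of a regedit (.reg) export for Run-key persistence and
IE ZoneMap changes. Example code, not from the report; SAMPLE_REG below
is constructed to mirror the values the report lists."""
import difflib
import re
from typing import Dict, List

# Path fragments a normal autostart should not live under (lower-case match).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\",
                 "\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Names malware likes to imitate; winlog.exe is one character off winlogon.exe.
SYSTEM_NAMES = ("winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                "explorer.exe", "services.exe", "smss.exe")
ZONEMAP_MEANING = {
    "intranetname": "dotless host names not in another zone -> Intranet Zone",
    "uncasintranet": "UNC network paths -> Intranet Zone",
    "proxybypass": "hosts that bypass the proxy -> Intranet Zone",
}
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] headers and "name"=value lines. REG_SZ values come back
    as str, dword: values as int; other types are kept as the raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        rhs = m.group(3).strip()
        if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            keys[current][name] = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            keys[current][name] = int(rhs[6:], 16)
        else:
            keys[current][name] = rhs
    return keys


def command_path(cmd: str) -> str:
    """Executable part of a Run value: the quoted prefix if quoted, else the
    whole string (an unquoted path with spaces is ambiguous by design)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd


def audit_run_keys(keys: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for key, values in keys.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, value in values.items():
            if not isinstance(value, str):
                continue
            path = command_path(value)
            base = path.lower().rsplit("\\", 1)[-1]
            if any(tag in path.lower() for tag in USER_WRITABLE):
                findings.append(f"{key}\\{name}: autostart from user-writable path {path}")
            for sysname in SYSTEM_NAMES:
                if base != sysname and difflib.SequenceMatcher(None, base, sysname).ratio() >= 0.85:
                    findings.append(f"{key}\\{name}: filename {base} resembles {sysname}")
    return findings


def audit_zonemap(keys: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for key, values in keys.items():
        if not key.lower().endswith("\\internet settings\\zonemap"):
            continue
        for name, value in values.items():
            meaning = ZONEMAP_MEANING.get(name.lower())
            if meaning and value == 1:
                findings.append(f"{key}\\{name}=1: {meaning}")
    return findings


# Constructed export mirroring the report's values; "user" and ctfmon.exe are hypothetical.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"winlog.exe"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\winlog.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for line in audit_run_keys(parsed) + audit_zonemap(parsed):
        print(line)
```

On the constructed export the Run audit reports winlog.exe twice (user-writable path, and name similarity to winlogon.exe) and leaves ctfmon.exe alone; the ZoneMap audit lists all three options, which, as noted above, is a weak signal on its own.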

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
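To check a removable drive for the propagation mechanism described here (and in the Behaviour Description above), the autorun.inf has to be read the way Explorer reads it: case-insensitive section and key names, junk lines ignored, and the first occurrence of a key winning. The following is an added example, not code from the report or the sample: a lenient autorun.inf parser plus a function that flags the directives that cause code execution. The sample file is constructed; its icon= line is the one recovered from the winlog.exe dump below, while the file name update.exe and the shell verb lines are hypothetical.

```python
"""Parse autorun.inf and flag directives that run a program.
Example code, not part of the Lavasoft report."""
import re
from typing import Dict, List

EXEC_KEYS = ("open", "shellexecute")  # run a program when the drive is opened or inserted


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Lenient INI parse modelled on GetPrivateProfileString: section and key
    names are case-insensitive, lines without '=' are ignored (worms pad the
    file with junk to upset naive parsers) and a repeated key keeps its first value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key not in sections[current]:
            sections[current][key] = value.strip()
    return sections


def flag_autorun(text: str) -> List[str]:
    """One finding per directive in [autorun] that launches code or disguises the drive."""
    findings: List[str] = []
    autorun = parse_autorun_inf(text).get("autorun", {})
    for key, value in autorun.items():
        if key in EXEC_KEYS:
            findings.append(f"{key}={value}: program launched when the drive is opened")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            findings.append(f"{key}={value}: Explorer verb '{verb}' (double-click/context menu) redirected")
        elif key == "shell":
            findings.append(f"shell={value}: custom verb made the default action")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(f"icon={value}: stock SHELL32 icon used to disguise the drive")
    return findings


# Constructed sample: icon line from the dump; update.exe and the verbs are hypothetical.
SAMPLE_AUTORUN = r"""[autorun]
;comment line
open=update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\command=update.exe
shell\explore\command=update.exe
this line is junk that a naive INI parser would choke on
"""

if __name__ == "__main__":
    for finding in flag_autorun(SAMPLE_AUTORUN):
        print(finding)
```

A clean autorun.inf that only sets label= and a custom icon file produces no findings; the constructed sample produces four (open=, the SHELL32 icon, and the two redirected verbs).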

VersionInfo

Company Name: Opera Software
Product Name: Opera Internet Browser
Product Version: 12.14
Legal Copyright: Copyright (c) Opera Software 1995-2012
Legal Trademarks:
Original Filename: Opera.exe
Internal Name: Opera
File Version: 1738
File Description: Opera Internet Browser
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 62052 62464 4.54124 036599d50e758e2b3b4585f1083c7917
.rdata 69632 7518 7680 3.83355 e3d268f90d2a4f97cbbacd86fcecddf4
.data 77824 13180 10240 2.14862 c3b443ece25fb59d5f9b51f23848f3ee
.rsrc 94208 660468 660480 5.33524 8fa7e0950a06ebd70de1577886a21e22

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

None recorded in this analysis run (see URLs and Traffic above).

Strings from Dumps

winlog.exe_496:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
TSocketPort
TUdpSocket
TUdpSocketd
LocalPort4
RemotePort0
%d.%d.%d.%d
0.0.0.0
PSAPI.dll
Windows
Urlmon.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
nss3.dll
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
PK11_GetInternalKeySlot
userenv.dll
\Mozilla\Firefox\
profiles.ini
\signons3.txt
MSGBOX
Firefox
windows
Windows|
WebDL
URLDownloadToFileA
StUDP|
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
GetCPInfo
version.dll
MsgWaitForMultipleObjects
EnumWindows
wsock32.dll
shell32.dll
ShellExecuteA
SHFolder.dll
1#101[1`1
KWindows
UrlMon
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to set data for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

winlog.exe_496_rwx_11490000_0002A000:

(Strings from the read/write/execute memory region of 0x2A000 bytes at 0x11490000 dumped from winlog.exe:496 are identical to the winlog.exe_496 list above and are not repeated.)

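The dump above is only useful once its strings are turned into capability statements. As an added example (not part of the Lavasoft report), the following triages a memory or file image by extracting printable ASCII runs and matching groups of indicators, with every indicator in a group required before a capability is reported, so that a lone "ShellExecuteA" does not count as download-and-execute. The byte blob is constructed from strings listed in the winlog.exe_496 dump plus non-printable filler; the capability names are this example's own labels.

```python
"""Capability triage from printable strings. Example code, not from the
report; SAMPLE_BLOB is constructed from strings in the winlog.exe_496 dump."""
import re
from typing import Dict, List, Tuple

MIN_LEN = 5

# A capability is reported only when every indicator in its tuple appears as a
# substring of some extracted string. Case-sensitive: API names are exact.
CAPABILITIES: Dict[str, Tuple[str, ...]] = {
    "download-and-execute": ("URLDownloadToFileA", "ShellExecuteA"),
    "Run-key persistence": ("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",),
    "removable-drive autorun": (":\\autorun.inf",),
    "Firefox stored-password access": ("profiles.ini", "signons3.txt", "PK11_GetInternalKeySlot"),
    "UDP socket component": ("TUdpSocket",),
    "Delphi VCL runtime": ("EVariantBadIndexError",),
}


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the classic strings tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Map each satisfied capability to the strings that supported it."""
    strings = extract_strings(blob)
    hits: Dict[str, List[str]] = {}
    for cap, indicators in CAPABILITIES.items():
        if all(any(ind in s for s in strings) for ind in indicators):
            hits[cap] = [s for s in strings if any(ind in s for ind in indicators)]
    return hits


# Constructed image: dump strings separated by NULs, with opaque machine-code filler.
SAMPLE_BLOB = b"\x00".join([
    b"MZ\x90\x00\x03", b"kernel32.dll", b"URLDownloadToFileA", b"ShellExecuteA",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", b":\\autorun.inf",
    b"icon=%SystemRoot%\\system32\\SHELL32.dll,4", b"profiles.ini",
    b"\\signons3.txt", b"nss3.dll", b"PK11_GetInternalKeySlot", b"TUdpSocket",
    b"EVariantBadIndexError",
]) + b"\x8b\xff\x55\x8b\xec" * 8

if __name__ == "__main__":
    for cap, evidence in triage(SAMPLE_BLOB).items():
        print(f"{cap}: {', '.join(evidence)}")
```

Run against the constructed blob this reports all six capabilities; an image containing only kernel32.dll and GetCPInfo reports none, and one containing URLDownloadToFileA without ShellExecuteA does not earn the download-and-execute label.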

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    winlog.exe:1580
    winlog.exe:936
    winlog.exe:1576
    winlog.exe:496 (the instance the Trojan injected into, which wrote the Run value and the file listed below)
    %original file name%.exe:1684

    Process IDs are specific to the analysis run; on an infected machine, terminate every winlog.exe whose image path is %Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe.

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (5441 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "winlog.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.