by malwarelabrobot on January 3rd, 2014 in Malware Descriptions.

Backdoor.Hupigon.AAAH (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Packer.KBySV0.28 (ep) (VIPRE), Tool.Siggen.8267 (DrWeb), Backdoor.Hupigon.AAAH (B) (Emsisoft), Generic Malware.gv (McAfee), Backdoor.Trojan (Symantec), Virus.Win32.Delf (Ikarus), Backdoor.Hupigon.AAAH (FSecure), Win32/Delf.2.K (AVG), Win32:Malware-gen (Avast), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm, Virus

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Technical Details
Removal Recommendations

MD5: dc4a096481a5d274fec42ee017c61da7
SHA1: 4c2b2549337a11229e7d3f1ba049ff888f58032b
SHA256: 567a5a3772e28dfc6fa9aedcf0c9478b29d90876c75ab216e768af20b26af5cf
SSDeep: 49152:rE4KBZoJ2fQn0qgw91H8OoLAdzc/eK K5:rE4KBZ7I0qg41H8OkAdzcmn
Size: 2025472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-05 14:23:54
Analyzed on: WindowsXP SP3 32-bit


Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).


Behaviour Description
EmailWorm Worm can send e-mails.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1044

File activity

The process %original file name%.exe:1044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\SkinH_EL.dll (88 bytes)
%System%\drivers\etc\hosts (368 bytes)

Registry activity

The process %original file name%.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

"Seed" = "FA 08 15 FD C3 32 2B 55 F6 9C D8 A9 31 00 76 C4"

"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 368 bytes in size. The following strings are added to the hosts file listed below: WWW.DNFXM2012.COM

Rootkit activity

No anomalies have been detected.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\SkinH_EL.dll (88 bytes)
    %System%\drivers\etc\hosts (368 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): localhost
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.