Trojan.Win32.FlyStudio_dc4a096481

by malwarelabrobot on January 3rd, 2014 in Malware Descriptions.

Backdoor.Hupigon.AAAH (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Packer.KBySV0.28 (ep) (VIPRE), Tool.Siggen.8267 (DrWeb), Backdoor.Hupigon.AAAH (B) (Emsisoft), Generic Malware.gv (McAfee), Backdoor.Trojan (Symantec), Virus.Win32.Delf (Ikarus), Backdoor.Hupigon.AAAH (FSecure), Win32/Delf.2.K (AVG), Win32:Malware-gen (Avast), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: dc4a096481a5d274fec42ee017c61da7
SHA1: 4c2b2549337a11229e7d3f1ba049ff888f58032b
SHA256: 567a5a3772e28dfc6fa9aedcf0c9478b29d90876c75ab216e768af20b26af5cf
SSDeep: 49152:rE4KBZoJ2fQn0qgw91H8OoLAdzc/eK K5:rE4KBZ7I0qg41H8OkAdzcmn
Size: 2025472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-05 14:23:54
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm. Description: the worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1044

File activity

The process %original file name%.exe:1044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\SkinH_EL.dll (88 bytes)
%System%\drivers\etc\hosts (368 bytes)

Registry activity

The process %original file name%.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 08 15 FD C3 32 2B 55 F6 9C D8 A9 31 00 76 C4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before a DNS lookup is made.
The modified file is 368 bytes in size. The following entries are added to the hosts file:

127.0.0.1 www.qqtz.com
127.0.0.1 www.tt336.com
127.0.0.1 www.dnfrufeng.com
127.0.0.1 www.xyhai.com
127.0.0.1 xyhai.com
127.0.0.1 WWW.DNFXM2012.COM
127.0.0.1 www.25zm.com
127.0.0.1 www.dnflangqun.com
127.0.0.1 a158421294.9000hk.info
127.0.0.1 nxyq.cccpan.com
127.0.0.1 wg68.cccpan.com


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\SkinH_EL.dll (88 bytes)
    %System%\drivers\etc\hosts (368 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.