Trojan.Win32.Sasfis_a1155573bb

by malwarelabrobot on July 11th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Generic.294759 (B) (Emsisoft), Worm.Generic.294759 (AdAware), Trojan.Win32.Sasfis.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a1155573bb7398fdf486feae5453ba12
SHA1: 0e46ce8f5eacaf4a6a7147aca1c13ede8b0208e8
SHA256: 61b21fb69fae0c5f23a6d41c08bb5e02e427be0c945b1849d524e831aee54ec6
SSDeep: 3072:M1abGWGT2TK1dbzlF9OVtSZjCw8geIr/QAuCgNVfpxICuQsKUIZn:9bpGtfoVtScw2RCgrzItQB
Size: 173492 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1096

The Trojan injects its code into the following process(es):

HKF.EXE:800

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\OAG.EXE (173 bytes)
%Documents and Settings%\HNV.EXE (173 bytes)
C:\filedebug (633 bytes)
C:\System Volume Information\GRTSH.EXE (174 bytes)
C:\totalcmd\OWIKOI.EXE (173 bytes)
%Documents and Settings%\ACZ.EXE (173 bytes)
C:\System Volume Information\ZEHPN.EXE (174 bytes)
C:\totalcmd\VKTNIL.EXE (174 bytes)
%Documents and Settings%\ZFP.EXE (173 bytes)
C:\System Volume Information\OCOJF.EXE (174 bytes)

The process HKF.EXE:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\filedebug (80 bytes)
C:\System Volume Information\UGASK.EXE (174 bytes)

Registry activity

The process %original file name%.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 07 EA 5D 48 54 8B EC D9 58 24 FF 0A 16 F9 44"

[HKCR\QQQ.file\shell\open\command]
"(Default)" = "%Documents and Settings%\HNV.EXE %1"

[HKCR\txtfile\shell\open\command]
"(Default)" = "C:\totalcmd\VKTNIL.EXE %1"

[HKCR\inffile\shell\open\command]
"(Default)" = "C:\System Volume Information\ZEHPN.EXE %1"

[HKCR\QQQfile\shell\open\command]
"(Default)" = "%Documents and Settings%\ACZ.EXE %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"workfile" = "QzpcUGVybFxIS0YuRVhF"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GRTSH.EXE" = "%Documents and Settings%\ZFP.EXE"

The process HKF.EXE:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 06 96 C4 9E 4A C6 39 4E FD 43 BD CE 5E 71 2C"

[HKCR\exefile\shell\open\command]
"(Default)" = "C:\System Volume Information\UGASK.EXE %1 %*"

Dropped PE files

MD5 File path
a5701a767e684ef3789e63cd92ec6442 c:\Documents and Settings\ACZ.EXE
25bfde10311ee8d106eed8b23402f790 c:\Documents and Settings\HNV.EXE
473c522a37a498a481f0c3ea0b571f07 c:\Documents and Settings\OAG.EXE
043c2d9687c985d17b8f9dc9070d504a c:\Documents and Settings\ZFP.EXE
c62fb84659bd703dd8fb6fe73a4f4fe7 c:\Perl\HKF.EXE
679b573c798eee4c0b6c01739fe07908 c:\System Volume Information\GRTSH.EXE
e9312e46311bf601d0c692b2eb8986ea c:\System Volume Information\OCOJF.EXE
ba0241f25e639a97dcddc545787834de c:\System Volume Information\UGASK.EXE
fe92098dd79eec6c613e312f6ae4fa59 c:\System Volume Information\ZEHPN.EXE
64485d6b0ee01da93aa27f71debb8ff9 c:\totalcmd\OWIKOI.EXE
10843d9d366d6ac131d4abf980d9b853 c:\totalcmd\VKTNIL.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 282624 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 286720 159744 159744 5.48724 c548a5f876acea2455592813a0ae6bcf
.rsrc 446464 4096 2560 2.04725 954ae2d3ba2d2c5b5bc9c8da95e79ac6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

HKF.EXE_800:




Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1096

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\OAG.EXE (173 bytes)
    %Documents and Settings%\HNV.EXE (173 bytes)
    C:\filedebug (633 bytes)
    C:\System Volume Information\GRTSH.EXE (174 bytes)
    C:\totalcmd\OWIKOI.EXE (173 bytes)
    %Documents and Settings%\ACZ.EXE (173 bytes)
    C:\System Volume Information\ZEHPN.EXE (174 bytes)
    C:\totalcmd\VKTNIL.EXE (174 bytes)
    %Documents and Settings%\ZFP.EXE (173 bytes)
    C:\System Volume Information\OCOJF.EXE (174 bytes)
    C:\System Volume Information\UGASK.EXE (174 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GRTSH.EXE" = "%Documents and Settings%\ZFP.EXE"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.