Trojan.Win32.Sasfis_e0b1d8c395

by malwarelabrobot on January 25th, 2014 in Malware Descriptions.

Gen:Variant.Kazy.317270 (BitDefender), Trojan.Win32.Crilock.c (v) (VIPRE), Trojan.PWS.Stealer.4118 (DrWeb), Gen:Variant.Kazy.317270 (B) (Emsisoft), Gen:Variant.Kazy.317270 (FSecure), PSW.Generic12.UOJ (AVG), Win32:Malware-gen (Avast), Trojan.Win32.Sasfis.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: e0b1d8c395c9484f021d6abd1fb4c44d
SHA1: 113c4e78bf10fd01fb91e6a63bc1a3bc4614a2e1
SHA256: 003b4868cb8e32a9c3b8ee44621e3a2f4a2beebd93ea7140d4495317ae06a434
SSDeep: 12288:YJr5HwbMnnyo/ht8DK1b34y5vCcWqg3ePCZ0Q53bwnBHNNEWKOtWQnQqc:Yv5nnrDbTvoOPCuQ53uHgWKOtWKQq
Size: 584704 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1988-02-24 03:51:46
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ping.exe:1088
m099.exe:1692
%original file name%.exe:1528
vxxxle.exe:1592
hiiin.exe:1936

The Trojan injects its code into the following process(es):

dllhost.exe:948
spoolsv.exe:1432
vxxxle.exe:1564

File activity

The process dllhost.exe:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RHARKP2R\aa[1] (765 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RHARKP2R\aa[1] (0 bytes)

The process m099.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\9099[1].txt (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

The process %original file name%.exe:1528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\m099.exe (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vxxxle.exe (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hiiin.exe (177 bytes)

The process spoolsv.exe:1432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\9099[1].txt (2 bytes)
%WinDir%\Temp\2.tmp (47 bytes)

The process hiiin.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Opera\WIN5.exe (20820 bytes)

Registry activity

The process dllhost.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A06" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Friendly http errors" = "no"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A04" = "0"
"1A03" = "0"
"1A02" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
"iexplore.exe" = "16"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1604" = "3"
"1206" = "0"
"1200" = "0"
"1A05" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1605" = "3"
"1406" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"DisableScriptDebuggerIE" = "no"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"UseSWRender" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
"iexplore.exe" = "16"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2104" = "3"
"2105" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2101" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPostRedirect" = "0"
"ConnectRetries" = "20"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Enable AutoImageResize" = "no"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableHttp1_1" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnBadCertRecving" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "6000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxHttpRedirects" = "50"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_INPUT_PROMPTS]
"iexplore.exe" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "no"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A10" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"KeepAliveTimeout" = "1200000"
"ServerInfoTimeout" = "600000"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609" = "3"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International]
"AcceptLanguage" = "en-US"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\NetworkService\Cookies"
"History" = "%Documents and Settings%\NetworkService\Local Settings\History"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "16"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Display Inline Images" = "yes"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1402" = "3"

"1400" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"EnableAlternativeCodec" = "no"
"PlaySounds" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 B5 00 93 33 E8 AC E7 13 B2 9E 26 80 1C A3 87"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1804" = "3"
"1803" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Play_Animations" = "no"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Play_Background_Sounds" = "no"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ReceiveTimeout" = "1200000"
"MaxConnectionsPer1_0Server" = "16"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1607" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING]
"iexplore.exe" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1608" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED]
"iexplore.exe" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"
"1806" = "3"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process ping.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 3A 9D 66 C4 67 5F E8 EF 17 1E 1C 50 4B FE 76"

The process m099.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3.tmp,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 9E D2 19 7C 6F 19 7F D9 F5 33 46 76 66 93 7A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 25 C8 E2 29 FF 0C 48 70 70 7F DB E3 E3 BB 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "572662306"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"hiiin.exe" = "hiiin"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"vxxxle.exe" = "vxxxle"
"m099.exe" = "m099"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process spoolsv.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\405f6bc0]
"imagepath" = "\??\%WinDir%\TEMP\2.tmp"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Services\405f6bc0]
"type" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3.tmp, , \??\%WinDir%\TEMP\4.tmp,"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\405f6bc0]
[HKLM\System\CurrentControlSet\Services\405f6bc0\Enum]

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process vxxxle.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Yglsehhsrs]
"License" = "456"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Yglsehhsrs]
"License" = "456"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B AD 24 08 13 67 85 70 8C 57 61 BB ED 50 8C 6E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process vxxxle.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 C5 10 1B 30 B4 F6 90 37 62 5F A3 76 80 0E E1"

The process hiiin.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 CF 41 FC 0B F8 6F 6E 2C AB B6 F0 16 6B A3 BF"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GameServer50E" = "%Documents and Settings%\%current user%\Application Data\Opera\WIN5.exe"

Network activity (URLs)

URL IP
hxxp://fistristy.com/aa/nn (ET RBN Known Russian Business Network IP group 397 , Malicious) 88.208.44.8
hxxp://fistristy.com/aa/
pap-tech.com Unresolvable
net-forwarding.com Unresolvable


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "UNKNOWN" the Trojan controls loading executable images into a memory by installing the Load image notifier.

The Trojan intercepts DriverStartIO in a miniport driver of a hard drive controller (ATAPI) to handle request to its own files:

StartIo

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ping.exe:1088
    m099.exe:1692
    %original file name%.exe:1528
    vxxxle.exe:1592
    hiiin.exe:1936

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RHARKP2R\aa[1] (765 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\9099[1].txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\m099.exe (193 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vxxxle.exe (89 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hiiin.exe (177 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\9099[1].txt (2 bytes)
    %WinDir%\Temp\2.tmp (47 bytes)
    %Documents and Settings%\%current user%\Application Data\Opera\WIN5.exe (20820 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GameServer50E" = "%Documents and Settings%\%current user%\Application Data\Opera\WIN5.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.