Backdoor.Win32.Cycbot_e5c578da57

by malwarelabrobot on December 2nd, 2013 in Malware Descriptions.

Gen:Heur.Conjar.9 (BitDefender), Backdoor:Win32/Cycbot.B (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.Cycbot.ga (v) (VIPRE), BackDoor.Gbot.2017 (DrWeb), Gen:Heur.Conjar.9 (B) (Emsisoft), BackDoor-EXI.gen.aa (McAfee), Backdoor.Trojan (Symantec), Backdoor.Win32.Agent (Ikarus), Gen:Heur.Conjar.9 (FSecure), Win32/Cryptor (AVG), Win32:Cybota [Trj] (Avast), BKDR_CYCBOT.SMEE (TrendMicro), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: e5c578da5791c78ecd6f45c37e529dd7
SHA1: fe3ad2fa663270374643d531f315712f2cc67e98
SHA256: 49c58e87f94c929bae1e18251a3a3b3a8a03a0b9ed5321751791d59a904061c6
SSDeep: 6144:PkAM60 lCvF/FlI9RqclbyD6aP9Wm7mf YvOM6Eb21kPZLgnl7ziol:PRM6HQF9lI9RqybkkEm2evZ0nl7ziol
Size: 293376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-10-26 18:55:52


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1132
%original file name%.exe:1548
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
msiexec.exe:468

The Backdoor injects its code into the following process(es):

7.tmp:524
%original file name%.exe:1896

File activity

The process 7.tmp:524 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YZ6XI5Y7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AX43K14N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDAHU5IX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MTCHIDSF\desktop.ini (67 bytes)

The process %original file name%.exe:1896 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\LP\0205\7.tmp (12988 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2656 bytes)
%Program Files%\LP\0205\C29.exe (285938 bytes)
%System%\config\software (949 bytes)
%System%\config\SOFTWARE.LOG (1987 bytes)

The process wuauclt.exe:344 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Backdoor deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

Registry activity

The process 7.tmp:524 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 A7 EC 6C AE CA 9D 9B 36 29 4E 18 2A 08 27 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\WinRAR]
"HWID" = "7B 34 46 42 41 33 35 43 39 2D 33 46 41 35 2D 34"

The process %original file name%.exe:1132 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 7A AF 84 F4 08 BC E1 31 FF 5E 8D 26 FB 30 B2"

The process %original file name%.exe:1896 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 85 6F FA 56 F0 92 9C E0 68 99 B4 CF 13 AA DF"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\0205\C29.exe"

The process %original file name%.exe:1548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 64 A9 52 B9 F4 AB 19 FF 84 E2 EB 03 69 AC C2"

The process Reader_sl.exe:1064 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process msiexec.exe:468 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 F3 BE 5E 21 5C 6C EA 61 F4 3C 11 42 00 3C D5"

Network activity (URLs)

URL IP
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://freedownload3.com/screenshot/4/s/89_3278.gif?sv=869&tq=gwY92w4AEqFCUxLaKTaMUXv0sa7JApuPRP1NZsBCwHLUwmVJYby5ugIDomVANrw1YLSNdYUGus6qA+xBK0VFu42WbOcvylIZos9erm/BIBbsMknqpHLWcHBUN6Y+3A/hIaAqL/LbEt1Cb+As97dWA0vkGRSWjjc3C+jXEL/8rZQV30DvO5SrhoKwN7Rd/2nCcAsPgxjMFs1Lmv5ckoy/JLZfrhd9TjpqfH 114.207.112.26
hxxp://767113.parkingcrew.net/logo.png?sv=346&tq=gL5HtzoYwLzEpUb5fU3HxcW3A/U6EsazybMRtyFa0umG8Ar0SsSA/gSoSEU=
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://767113.parkingcrew.net/logo.png?sv=86&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/AtTca3l74EgC5OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU=
hxxp://TRANSERSDATAFORME.COM/gate.php (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 6) , Malicious)
csc3-2009-2-crl.verisign.com 23.61.69.163
transersdataforme.com 192.155.89.148
crl.verisign.com 23.61.69.163
www.download.windowsupdate.com 23.3.98.8
csc3-2009-crl.verisign.com 23.61.69.163
ntgiqxfw8.imbirsupport.com 62.116.143.18
mqm6yuym5y.kolabatory.com 69.43.161.176
uk2ndc9r9.imbirsupport.com 62.116.143.18


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1132
    %original file name%.exe:1548
    wuauclt.exe:344

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YZ6XI5Y7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AX43K14N\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDAHU5IX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MTCHIDSF\desktop.ini (67 bytes)
    %Program Files%\LP\0205\7.tmp (12988 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2656 bytes)
    %Program Files%\LP\0205\C29.exe (285938 bytes)
    %System%\config\software (949 bytes)
    %System%\config\SOFTWARE.LOG (1987 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C29.exe" = "%Program Files%\LP\0205\C29.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.