Blazebot_1e44492f69

by malwarelabrobot on December 11th, 2013 in Malware Descriptions.

Trojan.Win32.IRCbot.avx (Kaspersky), mzpefinder_pcap_file.YR, GenericMSNWorm.YR, GenericProxy.YR, GenericAutorunWorm.YR, GenericIRCBot.YR, Blazebot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot, MSNWorm, Trojan-Proxy


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 1e44492f695c071c30ece328596ca520
SHA1: 34f7df2b0c140a019104cdd4ff9c8ebfaed8d53c
SHA256: 7c1a13ea0e18c372fc26cd76519c6e5c9fe94d9e59762850c60fbf9d3214bbbc
SSDeep: 12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aNt Um8ukK 1NO6:uRmJkcoQricOIQxiZY1iabQ8V1NO6
Size: 808116 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun: A worm that spreads via removable drives. It writes a copy of its executable to each removable drive and creates an "autorun.inf" script beside it; the script launches the Trojan's file when a user opens the drive in Windows Explorer.
IRCBot: A bot that communicates with its command and control servers over an IRC channel.
MSNWorm: A worm that spreads copies of itself through MSN Messenger.
Trojan-Proxy: The program can start a SOCKS4 proxy server on a designated TCP port.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:452
%original file name%.exe:1960
attrib.exe:1776
nircmd.exe:1792
nircmd.exe:1320
Reader_sl.exe:1064
erase_me895082.exe:2024
wuauclt.exe:344
system.exe:1936
za.exe:128
reg.exe:904
erase_me558122.exe:216
jusched.exe:1056

File activity

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (353 bytes)
%Documents and Settings%\%current user%\O20T17.GJ5 (49 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\O20T17.GJ5 (0 bytes)

The process %original file name%.exe:1960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lsass.exe (5873 bytes)

The process erase_me895082.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\syso\critical\libcurl-4.dll (1345 bytes)
%WinDir%\syso\critical\zlib1.dll (601 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (2017 bytes)
%WinDir%\syso\critical\antivirus.bat (129 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\system.exe (1289 bytes)
%WinDir%\syso\critical\nircmd.exe (43 bytes)

The Trojan deletes the following file(s):

%WinDir%\syso\critical\__tmp_rar_sfx_access_check_347625 (0 bytes)

The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process za.exe:128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\G30D78.LA5 (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (941 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\G30D78.LA5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)

The process erase_me558122.exe:216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\M33K\za.exe (10881 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\M33K\__tmp_rar_sfx_access_check_344531 (0 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

Registry activity

The process %original file name%.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 DE BC 95 A6 68 66 43 F0 9D 58 CF 81 D3 32 0B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The process %original file name%.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 7B DB 9D 57 57 9E AD 9E 4F 69 DD A3 47 B4 88"

To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following registry autorun key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"

The process attrib.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 6C 33 1E 46 50 53 1F B4 A8 95 E0 5E 77 56 10"

The process nircmd.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 6F A0 19 FA 23 22 2A 55 41 E0 F7 B6 F0 A4 3E"

The process nircmd.exe:1320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E A4 CE C1 94 08 4E 9A FC 34 E4 D9 38 7B B1 9D"

The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process erase_me895082.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 42 EA 53 D9 C3 1C 2C 54 BD 9D 5D 48 EB 70 B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\syso\critical]
"sys.bat" = "sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan sets the three Local Intranet zone membership values of Internet Explorer. Each corresponds to a checkbox in the Local Intranet zone settings, and 1 means enabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"   (include all local intranet sites not listed in other zones, i.e. single-label host names without dots)
"UNCAsIntranet" = "1"  (include all network paths, UNCs)
"ProxyBypass" = "1"    (include all sites that bypass the proxy server)

Enabling all three is the usual default state of that dialog, so the change is a weak indicator on its own; it does not map "all URLs" to the Intranet zone.

The process system.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 98 E6 7D C9 89 07 BF 45 A1 F9 40 57 1F 36 13"

The process za.exe:128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 F8 C9 7D 48 C5 5A 37 F4 23 F7 9C BD A7 0E D9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The process reg.exe:904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 40 58 F7 63 0F 31 34 DF 14 28 18 B5 80 62 14"

To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"

The process erase_me558122.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FD 2F 25 4E 2E 48 8F FB ED AE 7C 16 BE A4 23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\M33K]
"za.exe" = "za"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan sets the same three Local Intranet zone membership values of Internet Explorer (include local intranet sites not listed in other zones, include UNC paths, include sites that bypass the proxy; 1 means enabled):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
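Most of the entries above are ordinary side effects rather than indicators: the Cryptography\RNG "Seed" value is rewritten by CryptGenRandom in any process that uses it, and the MountPoints2 "BaseClass" and Shell Folders values are written by Explorer's shell APIs. The changes that matter are the Run values (a file named lsass.exe started from the user's Temp folder under the name "Windows Firewall", and a batch file started under the name "Windows Update"), the DisableTaskMgr policy, the MUICache entries (which record that sys.bat and za.exe were run through the shell) and, weakly, the ZoneMap values. The following added example, which is not the sandbox's or the page's code, applies those rules to the report's registry entries (transcribed here with a placeholder user name) and emits the reg.exe commands that undo the persistence and policy changes; the classification heuristics are this example's own.

```python
"""Added example: triage sandbox-reported registry changes and produce undo commands.

Not the sandbox's or the page's code.  OBSERVED is transcribed from the report
above with a placeholder user name; the rules below are this example's heuristics.
"""
import re
from collections import Counter

OBSERVED = [
    (r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG", "Seed", "78 DE BC 95 A6 68 66 43 F0 9D 58 CF 81 D3 32 0B"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}", "BaseClass", "Drive"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Cookies", r"C:\Documents and Settings\user\Cookies"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Firewall", r"C:\DOCUME~1\user\LOCALS~1\Temp\lsass.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Firewall", r"C:\DOCUME~1\user\LOCALS~1\Temp\lsass.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Update", r"C:\Windows\syso\critical\antivirus.bat"),
    (r"HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\syso\critical", "sys.bat", "sys"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "IntranetName", "1"),
]

RUN_KEY = re.compile(r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Written by CryptGenRandom and Explorer whenever a process touches them; not indicators.
NOISE_KEYS = ("\\cryptography\\rng", "\\explorer\\mountpoints2\\", "\\explorer\\shell folders")
USER_WRITABLE = re.compile(r"\\(Temp|LOCALS~1|Local Settings|Application Data)\\", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
# Names of real Windows processes that only ever run from %SystemRoot%\System32.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}


def _program_path(data):
    """Path part of a Run value: the quoted string if quoted, else the whole value."""
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.strip()


def _run_value_reasons(data):
    """Why a Run value looks malicious; an empty list means it passed the checks."""
    path = _program_path(data)
    exe = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if USER_WRITABLE.search(path):
        reasons.append("starts from a user-writable temp/profile directory")
    if exe.endswith(SCRIPT_EXT):
        reasons.append("starts a script (%s) instead of a binary" % exe)
    if exe in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
        reasons.append("%s outside System32 (masquerades as a Windows process)" % exe)
    return reasons


def _finding(category, key, name, data, why):
    return {"category": category, "key": key, "name": name, "data": data, "why": why}


def triage(entries):
    """Classify (key, name, data) triples; noise is dropped, the rest become findings."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if any(marker in k for marker in NOISE_KEYS):
            continue
        if RUN_KEY.match(key):
            reasons = _run_value_reasons(data)
            if reasons:
                findings.append(_finding("persistence", key, name, data, "; ".join(reasons)))
        elif k.endswith("\\policies\\system") and name.lower() == "disabletaskmgr" and data == "1":
            findings.append(_finding("defense-evasion", key, name, data, "Task Manager disabled by policy"))
        elif "\\muicache\\" in k:
            # MUICache records programs the shell has launched: execution evidence.
            ran = re.split(r"muicache\\", key, maxsplit=1, flags=re.I)[1] + "\\" + name
            findings.append(_finding("execution-evidence", key, name, data, "shell recorded a run of " + ran))
        elif k.endswith("\\internet settings\\zonemap"):
            findings.append(_finding("config-change", key, name, data, "Local Intranet zone membership rule changed"))
    return findings


def summarize(findings):
    """Count of findings per category."""
    return dict(Counter(f["category"] for f in findings))


def remediation(findings):
    """reg.exe commands that delete the persistence and policy values."""
    return ['reg delete "%s" /v "%s" /f' % (f["key"], f["name"])
            for f in findings if f["category"] in ("persistence", "defense-evasion")]


if __name__ == "__main__":
    found = triage(OBSERVED)
    for f in found:
        print(f["category"], f["key"], f["name"], "->", f["why"])
    print("\n".join(remediation(found)))
```

The HKLM deletions need an administrative command prompt; run the HKCU ones in the infected user's session, and remove the DisableTaskMgr value before trying to use Task Manager. Review the generated commands before running them.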

Network activity (URLs)

URL IP
hxxp://directxex.com/uploads/64201707.ms1.exe?dl=1 108.162.199.96
hxxp://www.v.dropbox.com/s/axthqblc3my55od/critical.exe?dl=1
www.dropbox.com 108.160.166.13
dl.dropboxusercontent.com 107.21.114.158
mine.pool-x.eu 178.33.111.19


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

The worm spreads via removable drives: it writes a copy of its executable to each removable drive and creates an "autorun.inf" script that launches the Trojan's file when a user opens the drive in Windows Explorer.

It also spreads copies of itself through MSN Messenger.
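Added example, not code from the page or from Lavasoft: a small parser for the autorun.inf launch directives (open=, shellexecute= and shell\<verb>\command=) and a check that walks a drive root, resolves each launch target and reports whether the file is actually present on the drive. The sample autorun.inf, the RECYCLER folder and the file name wormcopy.exe are constructed placeholders; the report does not give the name the worm uses for its copy. Windows XP honoured these directives for removable drives until Microsoft's 2011 AutoRun update (KB971029) disabled that by default, so the check remains useful on unpatched or legacy hosts and when triaging drive images.

```python
"""Added example: parse autorun.inf launch directives and check a drive root.

Not the page's or the sandbox's code.  The sample autorun.inf below and the
name RECYCLER\wormcopy.exe are constructed; the worm's real file name is not
given in the report.
"""
import os
import re
import tempfile

# Directives that make Explorer start a program from the drive: open=,
# shellexecute=, and shell\<verb>\command= (verbs shown on the context menu).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.*?)\s*$", re.I)

# Constructed sample in the style a USB worm drops (placeholder paths).
SAMPLE_AUTORUN = "\r\n".join([
    "[autorun]",
    "open=RECYCLER\\wormcopy.exe",
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4",
    "action=Open folder to view files",
    "shell\\open\\command=RECYCLER\\wormcopy.exe",
    "shell\\explore\\command=\"RECYCLER\\wormcopy.exe\" /e",
    "shell=open",
])


def parse_autorun(text):
    """Return {'launch': [command, ...], 'other': {key: value}} from the [autorun] section."""
    in_autorun = False
    launch, other = [], {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        m = LAUNCH_KEY.match(line)
        if m:
            launch.append(m.group(2))
        elif "=" in line:
            k, v = line.split("=", 1)
            other[k.strip().lower()] = v.strip()
    return {"launch": launch, "other": other}


def launch_target(command):
    """Executable path from a command: the quoted string if quoted, else the first token.
    (An unquoted path containing spaces is cut at the first space; worms use short paths.)"""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def scan_drive_root(root):
    """List every program an autorun.inf at `root` would launch and whether it is on the drive."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="utf-8", errors="replace") as fh:
        parsed = parse_autorun(fh.read())
    findings = []
    for cmd in parsed["launch"]:
        target = launch_target(cmd)
        if re.match(r"^[A-Za-z]:", target):
            on_disk = target  # absolute path, points outside the drive
        else:
            on_disk = os.path.join(root, *target.split("\\"))
        findings.append({
            "command": cmd,
            "target": target,
            "present": os.path.isfile(on_disk),
            # Social-engineering tell: the entry mimics Explorer's own "Open folder" action.
            "spoofs_open_folder": parsed["other"].get("action", "").lower().startswith("open folder"),
        })
    return findings


def demo():
    """Build a throw-away 'removable drive' holding the sample autorun.inf and scan it."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "RECYCLER"))
        with open(os.path.join(drive, "RECYCLER", "wormcopy.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder body; only the file's presence matters here
        with open(os.path.join(drive, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_drive_root(drive)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, call scan_drive_root() with each removable drive's root (for example "E:\\"); a launch target that resolves to a file on the drive is the copy the removal steps below tell you to delete together with the autorun.inf.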


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the malicious process(es). Task Manager is disabled by the "DisableTaskMgr" policy value this sample sets under [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]; delete that value first, or end the processes with taskkill /F /PID <pid> from a command prompt:

    %original file name%.exe:452
    %original file name%.exe:1960
    attrib.exe:1776
    nircmd.exe:1792
    nircmd.exe:1320
    erase_me895082.exe:2024
    wuauclt.exe:344
    system.exe:1936
    za.exe:128
    reg.exe:904
    erase_me558122.exe:216

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan. Note that the %WinDir%\SoftwareDistribution\DataStore entries are the Windows Update client's own database (written by wuauclt.exe during the run) and jusched.log is normally written by the Java Update Scheduler; they appear here because the sandbox recorded every file write, not because they are malicious:

    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (353 bytes)
    %Documents and Settings%\%current user%\O20T17.GJ5 (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lsass.exe (5873 bytes)
    %WinDir%\syso\critical\libcurl-4.dll (1345 bytes)
    %WinDir%\syso\critical\zlib1.dll (601 bytes)
    %WinDir%\syso\critical\pthreadGC2.dll (2017 bytes)
    %WinDir%\syso\critical\antivirus.bat (129 bytes)
    %WinDir%\syso\critical\sys.bat (337 bytes)
    %WinDir%\syso\critical\system.exe (1289 bytes)
    %WinDir%\syso\critical\nircmd.exe (43 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\G30D78.LA5 (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (941 bytes)
    %Documents and Settings%\%current user%\M33K\za.exe (10881 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  4. Delete the following value(s) in the autorun keys, and the policy value that disables Task Manager:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "C:\Windows\syso\critical\antivirus.bat"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr" = "1"

  5. Clean the Temporary Internet Files folder, which may contain infected files.
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.