Trojan-Downloader.Win32.Torcohost_21f8b9d9a6

by malwarelabrobot on December 19th, 2013 in Malware Descriptions.

Trojan:Win32/Malex.gen!J (Microsoft), Trojan.Win32.Fsysna.fej (Kaspersky), Artemis!21F8B9D9A6FA (McAfee), Win32/DH{IANhDx4kIiUtexM} (AVG), Trojan-Downloader.Win32.Torcohost.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 21f8b9d9a6fa3a0cd3a3f0644636bf09
SHA1: 0392f25130ce88fdee482b771e38a3eaae90f3e2
SHA256: 31d4e1b2e67706fda51633b450b280554c0c4eb595b3a0606ef4ab8421a04dc9
SSDeep: 98304:/9 taUtxVN7lLB9KpK5V Ahe9skiVNiQ/RkrEdElxYheKpUw1bVc:ItaU7lLB9KpK58oe9skUNiQKrEdkYIKW
Size: 5224645 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

spoolsv.exe:2000
%original file name%.exe:208

The Trojan-Downloader injects its code into the following process(es):
No processes have been created.

File activity

The process spoolsv.exe:2000 makes changes in the file system.
The Trojan-Downloader deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process %original file name%.exe:208 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Startup\spoolsv.exe (5224645 bytes)

Registry activity

The process spoolsv.exe:2000 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE B8 3B 3E C2 8B 9D DD 27 AC 31 97 79 2E 3F 70"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The process %original file name%.exe:208 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB DE B4 B9 4D EE FC BF 12 E2 E3 7D 16 D8 24 F3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

Network activity (URLs)

URL                                          IP
hxxp://ekiga.net/ip/                         86.64.162.35
hxxp://5ji235jysrvwfgmb.onion/sendlog.php    Tor
hxxp://5ji235jysrvwfgmb.onion/recvdata.php   Tor

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:208

  2. Delete the original Trojan-Downloader file.
  3. Delete or disinfect the following files created/modified by the Trojan-Downloader:

    %Documents and Settings%\All Users\Start Menu\Programs\Startup\spoolsv.exe (5224645 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.