Trojan.Win32.Agent_ca350589f8

by malwarelabrobot on October 15th, 2013 in Malware Descriptions.

Trojan.Win32.Agent!IK (Emsisoft), GenericPhysicalDrive0.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: ca350589f85f9e42218bfd13df23a9dd
SHA1: be7cd88dec41e1fe18937d217c8a60f53e0b7622
SHA256: bb017c14da96e43e2ef3f4f616727228be274ac53aba9e7dfe73f2f6926cd47d
SSDeep: 24576:hri3B yEmgFLqcxuH8qgy4TT7JdRi494oS/CXIG:A4xqydVdR794sIG
Size: 1179312 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2012-09-13 14:07:29


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Every artifact recorded below (the dropped file names, COM class names such as "LogMeIn Rescue Service", the LMIRescue_* service, and the control.app04-15.logmeinrescue.com / dc.logmein-gateway.com endpoints) is consistent with the LogMeIn Rescue remote-support applet, and the detection names above are generic. A remote-support applet is a full remote-control channel whether or not it was installed with malicious intent, so the practical question on an affected host is whether the support session was authorized.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

LMI_Rescue_srv.exe:1760
ca350589f85f9e42218bfd13df23a9dd.exe:1844
lmi_rescue.exe:1496

File activity

The process LMI_Rescue_srv.exe:1760 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat (154 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt (936 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log (10001 bytes)

The process ca350589f85f9e42218bfd13df23a9dd.exe:1844 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt (477 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe (17072 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\ra64app.exe (213 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\script (0 bytes)
C:\ca350589f85f9e42218bfd13df23a9dd.exe (0 bytes)

The process lmi_rescue.exe:1496 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt (936 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log (6900 bytes)

Registry activity

The process LMI_Rescue_srv.exe:1760 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry. The CLSID, AppID, Interface and TypeLib keys register the applet's COM servers: the "LocalService" value binds the AppID to the LMIRescue_* Windows service that hosts it, and "RunAs" = "Interactive User" makes the GUI server run in the logged-on user's session. The Cryptography\RNG seed, Internet Settings\Cache\Paths and Explorer\Shell Folders values, including those under the LocalService profile, are written by Windows itself when a process uses CryptoAPI, WinINet or the shell folder APIs; they are side effects, not settings the sample chooses:

[HKCR\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"AppID" = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"

[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"(Default)" = "LogMeIn Rescue Service"

[HKCR\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"(Default)" = "LogMeIn Rescue Service"

[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib]
"(Default)" = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"

[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe"

[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib]
"(Default)" = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"

[HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs" = "15000"

[HKCR\AppID\LMI_Rescue.exe]
"AppID" = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 6F 7E 74 A3"
(a certificate with that SHA-1 thumbprint is added to the machine's Intermediate Certification Authorities store; the same entry is among the values this process deletes, listed further below)

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKCR\Wow6432Node\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"(Default)" = "LMI_Rescue.exe"

[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\LMI_Rescue_srv.exe]
"AppID" = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib]
"Version" = "1.0"

[HKCR\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"LocalServer32" = "LMI_Rescue.exe"

[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS]
"(Default)" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKCR\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"LocalService" = "LMIRescue_311759d0-3610-49e8-84e8-01c61c034c1b"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKCR\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"AppID" = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}]
"(Default)" = "IRescueSvc"

[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}]
"(Default)" = "IRescueUser"

[HKCR\Wow6432Node\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"LocalService" = "LMIRescue_311759d0-3610-49e8-84e8-01c61c034c1b"

[HKCR\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"AppID" = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"

[HKCR\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"LocalService" = "LMIRescue_311759d0-3610-49e8-84e8-01c61c034c1b"

[HKCR\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"AppID" = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"

[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0]
"(Default)" = "Rescue Com library"

[HKCR\Wow6432Node\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"(Default)" = "LMI_Rescue_srv.exe"

[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe"

[HKCR\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"RunAs" = "Interactive User"

[HKCR\Wow6432Node\AppID\LMI_Rescue_srv.exe]
"AppID" = "{359471F8-E218-4b08-8D1E-8DFBF2F0F700}"

[HKCR\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"(Default)" = "LogMeIn Rescue GUI"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib]
"(Default)" = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"

[HKCR\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib]
"(Default)" = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"

[HKCR\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"(Default)" = "LMI_Rescue_srv.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\TypeLib]
"(Default)" = "{0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56}"

[HKCR\Wow6432Node\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"LocalServer32" = "LMI_Rescue.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib]
"(Default)" = "{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 18 EF 5B F7 C2 FA 88 28 81 E7 E0 C5 4A 12 13"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}]
"(Default)" = "IRescueUser"

[HKCR\Wow6432Node\AppID\LMI_Rescue.exe]
"AppID" = "{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}"

[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue.exe"

[HKCR\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"(Default)" = "LMI_Rescue.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"RunAs" = "Interactive User"

[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}]
"(Default)" = "IRescueSvc"

[HKCR\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
"(Default)" = "LogMeIn Rescue GUI"

[HKCR\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
"LocalService" = "LMIRescue_311759d0-3610-49e8-84e8-01c61c034c1b"

[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp"

[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib]
"Version" = "1.0"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

The Trojan deletes the following registry key(s):

[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid]
[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}]
[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\ProxyStubClsid32]
[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\TypeLib]
[HKCR\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32]
[HKCR\Wow6432Node\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}]
[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}]
[HKCR\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
[HKCR\AppID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid]
[HKCR\Wow6432Node\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32]
[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\FLAGS]
[HKCR\AppID\LMI_Rescue.exe]
[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib]
[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\HELPDIR]
[HKCR\CLSID\{359471F8-E218-4b08-8D1E-8DFBF2F0F700}]
[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}]
[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}]
[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid]
[HKCR\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\LocalServer32]
[HKCR\Wow6432Node\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\TypeLib]
[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ProxyStubClsid32]
[HKCR\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib]
[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0]
[HKCR\Interface\{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}\TypeLib]
[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0\win32]
[HKCR\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
[HKCR\Wow6432Node\Interface\{6E3E7E55-C88E-4f28-B191-A6EC8801AB3B}\ProxyStubClsid]
[HKCR\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}\TypeLib]
[HKCR\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
[HKCR\TypeLib\{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}\1.0\0]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LMIRescue_311759d0-3610-49e8-84e8-01c61c034c1b]
[HKCR\AppID\LMI_Rescue_srv.exe]
[HKCR\Interface\{C3B591B9-F663-4735-A908-D178DCFA38FC}\ProxyStubClsid32]
[HKCR\Wow6432Node\AppID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]

The Trojan deletes the following value(s) from the system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LMIRReboot"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C"

The process ca350589f85f9e42218bfd13df23a9dd.exe:1844 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\ca350589f85f9e42218bfd13df23a9dd.exe,"

PendingFileRenameOperations is a list of (source, destination) pairs that Session Manager processes at the next boot. An empty destination, as here, schedules deletion of the source file; this is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes when no new name is given, and it is how the original dropper ends up in the deleted-files list above.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process lmi_rescue.exe:1496 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 03 75 A4 D1 84 97 7C 54 AE 95 C1 A9 6A 4E FA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs" = "15000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LMIRescue_311759d0-3610-49e8-84e8-01c61c034c1b]
"(Default)" = "Service"
(this SafeBoot\Network entry allows the LMIRescue_* service to start in Safe Mode with Networking; the same key is among those deleted by LMI_Rescue_srv.exe:1760 above)

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To resume after a reboot, the Trojan adds the following value to the RunOnce key. RunOnce values run once at the next logon and are then removed, so this is not a per-boot autorun; the leading asterisk in the value name makes Windows run the entry even in Safe Mode:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*LogMeInRescue_1275037584" = "%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe -runonce reboot"

The same process later deletes that RunOnce value itself, so it will normally be absent once the run has completed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*LogMeInRescue_1275037584"
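The two reboot-time mechanisms recorded above, the PendingFileRenameOperations self-delete and the asterisk-prefixed RunOnce value, are easy to misread in a raw registry dump. The following PowerShell is an added example and not part of the Lavasoft report: it decodes both mechanisms either from a live host or from quoted values, and the sample inputs at the bottom are constructed from the entries on this page.

```powershell
# Added example, not part of the Lavasoft report: decode the two reboot-time
# registry mechanisms this sample uses, from a live host or from quoted values.

# PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination) pairs.
# An empty destination means "delete the source at next boot", which is what
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes when the new name is NULL; a
# destination prefixed with '!' means "replace an existing file".
function ConvertFrom-PendingFileRename {
    param([string[]]$Entries)
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        $action = if ($dst -eq '') { 'DeleteAtReboot' } else { 'RenameAtReboot' }
        [pscustomobject]@{
            Source      = $Entries[$i] -replace '^\\\?\?\\', ''
            Destination = $dst -replace '^!?\\\?\?\\', ''
            Action      = $action
        }
    }
}

# RunOnce values run once at the next logon and are then removed; they are not
# a per-boot autorun. A value name beginning with '*' is also run in Safe Mode;
# one beginning with '!' is removed only after its command has finished.
function ConvertFrom-RunOnceValue {
    param([string]$Name, [string]$Command)
    # The executable is either a quoted path or the shortest prefix ending in
    # ".exe"; the sample's command has spaces in the path and no quotes.
    $m = [regex]::Match($Command, '^(?:"([^"]+)"|(.+?\.exe))(?:\s+(.*))?$', 'IgnoreCase')
    $exe = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    [pscustomobject]@{
        Name           = $Name.TrimStart('*', '!')
        RunInSafeMode  = $Name.StartsWith('*')
        DeleteAfterRun = $Name.StartsWith('!')
        Executable     = $exe
        Arguments      = $m.Groups[3].Value
    }
}

# Read both mechanisms from the current host.
function Get-RebootTimeArtifacts {
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm) { ConvertFrom-PendingFileRename -Entries $sm.PendingFileRenameOperations }
    foreach ($hive in 'HKCU', 'HKLM') {
        $props = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce" `
                                  -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Skip the PS* metadata properties that Get-ItemProperty adds to its output.
        foreach ($p in ($props.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
            ConvertFrom-RunOnceValue -Name $p.Name -Command ([string]$p.Value) |
                Add-Member -NotePropertyName Hive -NotePropertyValue $hive -PassThru
        }
    }
}

# Constructed from the values quoted on this page (not read from a live host).
$samplePending = @('\??\c:\ca350589f85f9e42218bfd13df23a9dd.exe', '')
$sampleRunOnce = @{
    Name    = '*LogMeInRescue_1275037584'
    Command = "$env:LOCALAPPDATA\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe -runonce reboot"
}
ConvertFrom-PendingFileRename -Entries $samplePending | Format-Table -AutoSize
ConvertFrom-RunOnceValue @sampleRunOnce | Format-List
# On a suspect host, run Get-RebootTimeArtifacts instead of the two sample calls.
```

For the page's values the first call reports the dropper as DeleteAtReboot, and the second reports RunInSafeMode = True with lmi_rescue.exe as the executable and "-runonce reboot" as its arguments.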

Network activity (URLs)

URL                                  IP
control.app04-15.logmeinrescue.com   64.74.103.183
dc.logmein-gateway.com               174.143.22.4


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    LMI_Rescue_srv.exe:1760
    ca350589f85f9e42218bfd13df23a9dd.exe:1844
    lmi_rescue.exe:1496

  2. Delete the original Trojan file, C:\ca350589f85f9e42218bfd13df23a9dd.exe, after confirming its SHA256 against the value above (the sample schedules its own deletion at the next reboot, so it may already be gone).
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat (154 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt (936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log (10001 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll (177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe (17072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe (15801 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\ra64app.exe (213 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp (1 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "*LogMeInRescue_1275037584" = "%Documents and Settings%\%current user%\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe -runonce reboot"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
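The manual-removal steps above as one script, so the host can be checked before anything is touched. This is an added example and not Lavasoft's tool. It assumes the XP-era "Local Settings\Application Data" location maps to $env:LOCALAPPDATA on current Windows, that the service name, GUIDs, RunOnce value and certificate thumbprint are exactly those recorded in this report, and a hypothetical file name of Check-LmiRescueArtifacts.ps1. Run it from an elevated PowerShell without arguments to report, with -Remove -WhatIf to preview, and with -Remove to clean. The certificate found in the CA store is reported but never deleted, because the report does not say what it is.

```powershell
#Requires -RunAsAdministrator
# Added example (not Lavasoft's procedure): report the artifacts listed in this
# description and, with -Remove, clean them up. -WhatIf and -Confirm are honoured.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$Sha256      = 'bb017c14da96e43e2ef3f4f616727228be274ac53aba9e7dfe73f2f6926cd47d'
$Dropper     = 'C:\ca350589f85f9e42218bfd13df23a9dd.exe'
$AppletDir   = Join-Path $env:LOCALAPPDATA 'LogMeIn Rescue Applet'   # XP "Local Settings\Application Data"
$ServiceName = 'LMIRescue_311759d0-3610-49e8-84e8-01c61c034c1b'
$RunOnceKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$RunOnceVal  = '*LogMeInRescue_1275037584'
$CertThumb   = 'E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C'
# COM registration written by LMI_Rescue_srv.exe (GUIDs and names from the report).
$ComKeys = @{
    CLSID     = '{359471F8-E218-4B08-8D1E-8DFBF2F0F700}', '{12BC4FF0-603E-4F21-9F53-F63FF34F6ED4}'
    AppID     = @('{359471F8-E218-4B08-8D1E-8DFBF2F0F700}', '{12BC4FF0-603E-4F21-9F53-F63FF34F6ED4}',
                  'LMI_Rescue.exe', 'LMI_Rescue_srv.exe')
    Interface = '{6E3E7E55-C88E-4F28-B191-A6EC8801AB3B}', '{C3B591B9-F663-4735-A908-D178DCFA38FC}'
    TypeLib   = '{0C4DD08C-169A-4AE8-BBD4-AA8D5A398D56}'
}
$found = [System.Collections.Generic.List[string]]::new()

# 1. Running processes named in the report (name match is case-insensitive).
$names = 'lmi_rescue', 'LMI_Rescue_srv', 'ra64app', 'ca350589f85f9e42218bfd13df23a9dd'
foreach ($p in (Get-Process -Name $names -ErrorAction SilentlyContinue)) {
    $found.Add("process $($p.ProcessName):$($p.Id)")
    if ($Remove -and $PSCmdlet.ShouldProcess("$($p.ProcessName):$($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. The service that hosts the COM server (sc.exe works on every PowerShell version).
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    $found.Add("service $ServiceName")
    if ($Remove -and $PSCmdlet.ShouldProcess($ServiceName, 'delete service')) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        sc.exe delete $ServiceName | Out-Null
    }
}

# 3. Registry: the SafeBoot entry and the COM registration in both registry views.
$regKeys = @("HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\$ServiceName")
foreach ($root in 'Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node') {
    foreach ($kind in $ComKeys.Keys) {
        foreach ($id in $ComKeys[$kind]) { $regKeys += "$root\$kind\$id" }
    }
}
foreach ($k in $regKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $found.Add("registry key $k")
    if ($Remove -and $PSCmdlet.ShouldProcess($k, 'Remove-Item')) {
        Remove-Item -LiteralPath $k -Recurse -Force
    }
}

# 4. The RunOnce value. Its name starts with '*', which -Name would treat as a
#    wildcard, so the name is escaped before it is passed to Remove-ItemProperty.
$ro = Get-ItemProperty -Path $RunOnceKey -ErrorAction SilentlyContinue
if ($ro -and $ro.PSObject.Properties[$RunOnceVal]) {
    $found.Add("RunOnce $RunOnceVal = $($ro.PSObject.Properties[$RunOnceVal].Value)")
    if ($Remove -and $PSCmdlet.ShouldProcess($RunOnceVal, 'Remove-ItemProperty')) {
        $escaped = [System.Management.Automation.WildcardPattern]::Escape($RunOnceVal)
        Remove-ItemProperty -Path $RunOnceKey -Name $escaped
    }
}

# 5. Dropped files, and the dropper only if its SHA256 matches the report.
if (Test-Path -LiteralPath $AppletDir) {
    $found.Add("directory $AppletDir")
    if ($Remove -and $PSCmdlet.ShouldProcess($AppletDir, 'Remove-Item')) {
        Remove-Item -LiteralPath $AppletDir -Recurse -Force
    }
}
if (Test-Path -LiteralPath $Dropper) {
    $match = (Get-FileHash -LiteralPath $Dropper -Algorithm SHA256).Hash -eq $Sha256
    $found.Add("dropper $Dropper (SHA256 matches report: $match)")
    if ($Remove -and $match -and $PSCmdlet.ShouldProcess($Dropper, 'Remove-Item')) {
        Remove-Item -LiteralPath $Dropper -Force
    }
}

# 6. The certificate the service added to the Intermediate CA store: report only.
$cert = Get-ChildItem -Path Cert:\LocalMachine\CA | Where-Object Thumbprint -eq $CertThumb
if ($cert) { $found.Add("CA-store certificate $CertThumb, subject '$($cert.Subject)'; review by hand") }

if ($found.Count -eq 0) { 'No artifacts from this report were found.' } else { $found }
```

Because the sample removes its own RunOnce value, SafeBoot key and certificate entry during a normal run, an empty result for those items does not by itself mean the applet never ran; the rescue.log and params.txt files under the applet directory, and the two logmeinrescue.com / logmein-gateway.com hosts in proxy or DNS logs, are the more durable evidence.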