Trojan.Win32.Swrort.3_1c848dcaf4

by malwarelabrobot on January 20th, 2014 in Malware Descriptions.

Gen:Variant.Kazy.7226 (BitDefender), Backdoor:Win32/Cycbot.G (Microsoft), Trojan.Win32.Pakes.qvc (Kaspersky), Trojan.Win32.FakeAV.IS (v) (VIPRE), BackDoor.Gbot.1591 (DrWeb), Gen:Variant.Kazy.7226 (B) (Emsisoft), BackDoor-EXI.gen.ab (McAfee), Backdoor.Cycbot!gen9 (Symantec), Backdoor.Win32.Agent (Ikarus), Win32/Cryptor (AVG), Win32:Cybota [Trj] (Avast), BKDR_CYCBOT.SME3 (TrendMicro), Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Fake-AV


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 1c848dcaf45329c5545bd1e74fe1349c
SHA1: c20e9be118d70af6950859b78e8fa42a5cfd752b
SHA256: 5f0b33132b97e1bd2fe8b9d60ed724868c04bdb600e4f65fd329fd2a4eb1c326
SSDeep: 3072:6X07TD3LaVFhiUyb RGsEQobBnP6F39C/rtLi8Y4goQipNXQnkiNgHo7:6XgTvaPhryKOQew49QAXNG
Size: 174080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-09-01 20:31:30
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1600
%original file name%.exe:856

The Trojan injects its code into the following process(es):

%original file name%.exe:984

File activity

The process %original file name%.exe:984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\507CF\3708F.exe (84697 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2668 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (2808 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (1332 bytes)

Registry activity

The process %original file name%.exe:1600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 6E 17 9C CE 5F 17 31 2C 85 BA 79 BA BA E4 C4"

The process %original file name%.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 DD E2 3D F9 22 82 93 76 80 E0 B8 1E F2 E8 40"

The process %original file name%.exe:984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:56545"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 75 53 D8 E9 74 E5 C2 80 B3 26 B4 73 3F 1A 29"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\3708F.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://rumperstumprs.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqD/cvTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=467 69.43.161.170
hxxp://www.google.com/ 173.194.43.80
hxxp://www.google.ca/?gfe_rd=cr&ei=61DbUvSEI6qC8QeUqoGQCw 173.194.43.88


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1600
    %original file name%.exe:856

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\507CF\3708F.exe (84697 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2668 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (2808 bytes)

  4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\3708F.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.