Following is a detailed report on the malware:
[ General information ]
* File name: c:\documents and settings\administrator\desktop\image96523489.exe
* File length: 65024 bytes
* File signature: Microsoft Visual C++ 7.0
* MD5 hash: 085ecb8b600c3b4b105674ed27cdcbaf
* SHA1 hash: 5c20fe20a5f0a86d1b0455f8d20299dfe583b30b
* SHA256 hash: f2a17d30d9e921fdc9e0d7f927f20c8820869552d8ba1cfa5f7fbc68d64f970a
[ Changes to filesystem ]
* Creates file C:\windows\ndl.dl
* Creates file (hidden) C:\windows\nvsvc32.exe
* Creates file (hidden) C:\windows\wibrf.jpg
* Creates file (hidden) C:\windows\wiybr.png
* Creates file C:\Documents and Settings\Administrator\Cookies\administrator@facebook[1].txt
* Creates file C:\Documents and Settings\Administrator\Cookies\administrator@myspace[2].txt
* Creates file C:\Documents and Settings\Administrator\Cookies\administrator@www.myspace[1].txt
* Creates file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012010121320101220\index.dat
* Creates file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012010122020101221\index.dat
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\F7YBJYVW\bg_browserSection[1].jpg
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\F7YBJYVW\browserunsupported[1].htm
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JRQBGGX3\icon_information[1].gif
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JRQBGGX3\index[4].htm
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LPI195Q5\bg_infobox[1].jpg
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LPI195Q5\browserLogos_med[1].jpg
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZQFMUB46\cornersSheet[1].png
[ Changes to registry ]
* Creates value “FileTracingMask=0000FFFF” in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value “ConsoleTracingMask=0000FFFF” in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value “MaxFileSize=00001000” in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value “FileDirectory=2500770069006E0064006900720025005C00740072006100630069006E0067000000” in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value “NVIDIA driver monitor=c:\windows\nvsvc32.exe” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Creates value “NVIDIA driver monitor=c:\windows\nvsvc32.exe” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
* Creates value “LogSessionName=7300740064006F00750074000000” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value “Active=01000000” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value “ControlFlags=01000000” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value “Guid=710adbf0-ce88-40b4-a50d-231ada6593f0” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
* Creates value “BitNames= NAP_TRACE_BASE NAP_TRACE_NETSH” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
* Creates value “LogSessionName=7300740064006F00750074000000” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value “Active=01000000” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value “ControlFlags=01000000” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value “Guid=b0278a28-76f1-4e15-b1df-14b209a12613” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
* Creates value “BitNames= Error Unusual Info Debug” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
* Creates Registry key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
* Creates Registry key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\napagent\LocalConfig\UI
* Creates value “image96523489.exe=c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor” in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Desktop
* Modifies value “Start=00000004” in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wuauserv
    (old value: “Start=00000002”)
* Modifies value “Window_Placement=2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF62000000920000005903000041030000” in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
    (old value: “Window_Placement=2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA00000000000000097030000AF020000”)
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
* Modifies value “HRZR_PGYFRFFVBA=10015D0E14000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
    (old value: “HRZR_PGYFRFFVBA=FDED5C0E13000000”)
* Modifies value “Count=00000010” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
    (old value: “Count=0000000F”)
* Modifies value “Time=DA070C000100140008002A0022006C00” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
    (old value: “Time=DA070C0005001100070037003000A802”)
* Modifies value “Count=00000010” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
    (old value: “Count=0000000F”)
* Modifies value “Time=DA070C000100140008002A0022007C00” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
    (old value: “Time=DA070C0005001100070037003000A802”)
* Creates value “CachePath=25005500530045005200500052004F00460049004C00450025005C004C006F00630061006C002000530065007400740069006E00670073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310030003100320031003300320030003100300031003200320030005C000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value “CachePrefix=:2010121320101220: ” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value “CacheLimit=00200000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value “CacheOptions=0B000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121420101215
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121620101217
* Creates value “CachePath=25005500530045005200500052004F00460049004C00450025005C004C006F00630061006C002000530065007400740069006E00670073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310030003100320032003000320030003100300031003200320031005C000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value “CachePrefix=:2010122020101221: ” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value “CacheLimit=00200000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value “CacheOptions=0B000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Modifies value “SavedLegacySettings=3C00000020000000010000000000000000000000000000000400000000000000A0C4FAAF62D0CA0101000000AC10268B0000000000000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    (old value: “SavedLegacySettings=3C0000001E000000010000000000000000000000000000000400000000000000A0C4FAAF62D0CA0101000000AC10268B0000000000000000”)
* Creates value “NVIDIA driver monitor=c:\windows\nvsvc32.exe” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
* Modifies value “MRUListEx=02000000010000000800000016000000170000000F0000000D0000001500000014000000130000001200000010000000110000000300000000000000050000000E0000000C0000000B0000000A00000009000000070000000600000004000000FFFFFFFF” in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\BagMRU
    (old value: “MRUListEx=01000000020000000800000016000000170000000F0000000D0000001500000014000000130000001200000010000000110000000300000000000000050000000E0000000C0000000B0000000A00000009000000070000000600000004000000FFFFFFFF”)
* Modifies value “WinPos1286x734(1).left=00000062” in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
    (old value: “WinPos1286x734(1).left=000000A0”)
* Modifies value “WinPos1286x734(1).top=00000092” in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
    (old value: empty)
* Modifies value “WinPos1286x734(1).right=00000359” in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
    (old value: “WinPos1286x734(1).right=00000397”)
* Modifies value “WinPos1286x734(1).bottom=00000341” in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
    (old value: “WinPos1286x734(1).bottom=000002AF”)
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox
[ Network services ]
* Looks for an Internet connection.
* Backdoor functionality on port 0.
* Connects to “63.135.80.224” on port 80 (TCP – HTTP).
* Connects to “63.135.80.46” on port 80 (TCP – HTTP).
* Connects to “205.234.253.15” on port 1234 (TCP).
* Connects to “46.40.191.11” on port 80 (TCP – HTTP).
* Connects to “66.220.158.18” on port 80 (TCP – HTTP).
* Connects to “174.37.200.82” on port 80 (TCP – HTTP).
* Opens next URLs:
http://174.37.200.82/index.php
[ Process/window information ]
* Keylogger functionality.
* Creates process “(null),net stop ,(null)”.
* Injects code into process “net.exe”.
* Creates a mutex “SHIMLIB_LOG_MUTEX”.
* Creates an event named “DINPUTWINMM”.
* Creates an event named “Global\userenv: User Profile setup event”.
* Creates process “(null),net1 stop ,(null)”.
* Injects code into process “net1.exe”.
* Creates process “(null),C:\Documents and Settings\Administrator\Desktop\image96523489.exe,(null)”.
* Injects code into process “image96523489.exe”.
* Creates an event named “Global\crypt32LogoffEvent”.
* Creates a mutex “Nvidia Drive Mon”.
* Creates a mutex “_!MSFTHISTORY!_”.
* Creates a mutex “c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!”.
* Creates a mutex “c:!documents and settings!administrator!cookies!”.
* Creates a mutex “c:!documents and settings!administrator!local settings!history!history.ie5!”.
* Creates process “(null),netsh firewall add allowedprogram 1.exe 1 ENABLE,(null)”.
* Creates process “c:\windows\nvsvc32.exe,(null),c:\windows”.
* Creates process “(null),explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx,(null)”.
* Injects code into process “explorer.exe”.
* Opens a service named “ShellHWDetection”.
* Creates process “(null),C:\windows\nvsvc32.exe,(null)”.
* Injects code into process “nvsvc32.exe”.
* Injects code into process “iexplore.exe”.
* Creates a mutex “Shell.CMruPidlList”.
* Creates process “(null),net stop wuauserv,(null)”.
* Creates a mutex “RasPbFile”.
* Creates a mutex “ZonesCounterMutex”.
* Creates a mutex “ZonesCacheCounterMutex”.
* Creates a mutex “ZonesLockedCacheCounterMutex”.
* Creates a mutex “oleacc-msaa-loaded”.
* Creates process “(null),net stop MsMpSvc,(null)”.
* Enumerates running processes.
* Creates process “(null),sc config wuauserv start= disabled,(null)”.
* Opens a service named “RASMAN”.
* Creates process “(null),sc config MsMpSvc start= disabled,(null)”.
* Injects code into process “sc.exe”.
* Creates process “(null),net1 stop wuauserv,(null)”.
* Creates process “(null),net1 stop MsMpSvc,(null)”.
* Opens a service named “wuauserv”.
* Opens a service named “MsMpSvc”.
* Lists all entry names in a remote access phone book.
* Injects code into process “netsh.exe”.
* Creates a mutex “CTF.LBES.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500”.
* Creates a mutex “CTF.Compart.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500”.
* Creates a mutex “CTF.Asm.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500”.
* Creates a mutex “CTF.Layouts.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500”.
* Creates a mutex “CTF.TMD.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500”.
* Opens a service named “NapAgent”.
* Creates a mutex “_!SHMSFTHISTORY!_”.
* Creates a mutex “c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121420101215!”.
* Creates a mutex “c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121320101220!”.
* Creates a mutex “c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121620101217!”.
* Creates a mutex “c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010122020101221!”.
* Creates a mutex “HGFSMUTEX”.
* Opens a service named “WebClient”.
* Creates a mutex “Global\winlogon: Logon UserProfileMapping Mutex”.
* Creates a mutex “_SHuassist.mtx”.
* Opens a service named “AudioSrv”.
* Creates a mutex “MidiMapper_modLongMessage_RefCnt”.
* Creates a mutex “MidiMapper_Configure”.
Thanks a lot for your help.
Hi niki, did you try with normal AVs? From my analysis it seems a really “normal” keylogger; PC-Tool free AV (ThreatFire: http://www.threatfire.com/) shouldn't have a problem detecting it. Another good one is Avira Free (http://www.free-av.com/). If they did catch it, you should delete at least the files listed in the [Changes to filesystem] section of the above report.
I hope I have been useful.
I got this virus, what should I do? How can I get rid of it? Do I have to follow your instructions above?
Hi Anonymous, what do you mean?
How can I make it out?