Systweak Spyware Library
Systweak Spyware Library text
More than 1126248 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Trojan-Downloader.vb.gdl Analysis Report
Threat Submitted On: 9/15/2008 10:59:04 AM
Threat Analysed On: 9/15/2008 3:59:04 PM
Threat Updated On: 10/7/2009 5:20:04 AM
Type : Trojan-Downloader
Symptoms of vb.gdl
  • Connects to remote websites or FTP as and when there is an internet connection
  • Downloads and installs malicious files.
Information
Alias : trojan-downloader.win32.vb.gdl
Md5 Hash : [9f1e3f7c4c247b795e14c58e430d6c73]
File Size : (1256415 bytes)

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: desktop.ini
Path : %systemdrive%
Md5Hash :de60378398a67067d8ef67dc51e70f2a ( 212 bytes)
File: com.run
Path : %temp%\e_4
Md5Hash :ce2f773275d3fe8b78f4cf067d5e6a0f ( 266240 bytes)
File: dp1.fne
Path : %temp%\e_4
Md5Hash :6d4b2e73f6f8ecff02f19f7e8ef9a8c7 ( 114688 bytes)
File: eapi.fne
Path : %temp%\e_4
Md5Hash :25b794b18bd8d03dc9530111cbce4173 ( 323584 bytes)
File: internet.fne
Path : %temp%\e_4
Md5Hash :56e9e121d68b5631a360d56b2ef4777f ( 184320 bytes)
File: krnln.fnr
Path : %temp%\e_4
Md5Hash :1081d7eb7a17faedfa588b93fc85365e ( 1097728 bytes)
File: regex.fnr
Path : %temp%\e_4
Md5Hash :a67daddcb30335163cf7d99f282f5ae0 ( 217088 bytes)
File: shell.fne
Path : %temp%\e_4
Md5Hash :d54753e7fc3ea03aec0181447969c0e8 ( 40960 bytes)
File: spec.fne
Path : %temp%\e_4
Md5Hash :1518651c682109e9b9c304c9c109d777 ( 69632 bytes)
File: ¡¡¡¡¡¡.lnk
Path : %userprofile%\start menu\programs\startup
Md5Hash :6f7c94a153875b455abd5d07c32a4595 ( 666 bytes)
File: com.run
Path : %windir%\system32
Md5Hash :ce2f773275d3fe8b78f4cf067d5e6a0f ( 266240 bytes)
File: dp1.fne
Path : %windir%\system32
Md5Hash :6d4b2e73f6f8ecff02f19f7e8ef9a8c7 ( 114688 bytes)
File: eapi.fne
Path : %windir%\system32
Md5Hash :25b794b18bd8d03dc9530111cbce4173 ( 323584 bytes)
File: internet.fne
Path : %windir%\system32
Md5Hash :56e9e121d68b5631a360d56b2ef4777f ( 184320 bytes)
File: krnln.fnr
Path : %windir%\system32
Md5Hash :1081d7eb7a17faedfa588b93fc85365e ( 1097728 bytes)
File: og.dll
Path : %windir%\system32
Md5Hash :922552c96378fa1501de30c82c706389 ( 827 bytes)
File: og.edt
Path : %windir%\system32
Md5Hash :0acc89347d12022cf0609e32f3217e06 ( 2048 bytes)
File: regex.fnr
Path : %windir%\system32
Md5Hash :a67daddcb30335163cf7d99f282f5ae0 ( 217088 bytes)
File: shell.fne
Path : %windir%\system32
Md5Hash :d54753e7fc3ea03aec0181447969c0e8 ( 40960 bytes)
File: spec.fne
Path : %windir%\system32
Md5Hash :1518651c682109e9b9c304c9c109d777 ( 69632 bytes)
File: ul.dll
Path : %windir%\system32
Md5Hash :91e656013f5df3bc0ad5c0bcd7dfb168 ( 2404 bytes)
File: xp-542ade6b.exe
Path : %windir%\system32
Md5Hash :9f1e3f7c4c247b795e14c58e430d6c73 ( 1256415 bytes)
File: xp-6baa581d.exe
Path : %windir%\system32
Md5Hash :9f1e3f7c4c247b795e14c58e430d6c73 ( bytes)
File: [randomname].exe
Path : %workingdir%
Md5Hash :9f1e3f7c4c247b795e14c58e430d6c73 ( 1256415 bytes)
Also creates the following files on user's System which are also created by Genuine Software :-
Note:
These file(s) can be kept as they are also created by genuine Software.
File : desktop.ini
Path : %homepath%\my documents
Md5Hash :869cba0364c55b0c6524419a8b86df88 ( 83 bytes)
File : desktop.ini
Path : %homepath%\my documents\my pictures
Md5Hash :f958dc73dc27ae8589bc1b1dfbd18e4a ( 190 bytes)
File : desktop.ini
Path : %userprofile%\application data
Md5Hash :88cf0ff92a4a9fa7bd9b7513b2e9e22b ( 62 bytes)
File : desktop.ini
Path : %userprofile%\start menu
Md5Hash :87f8888e1d77d9cef69e901a97d40d73 ( 62 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
filename0 = "%windir%\system32\rsaci.rat"
|__ Value Added :
xp-542ade6b = "%windir%\system32\xp-542ade6b.exe"
Also creates the following legitmate Registries on user's Systems which are also created by Genuine Software :-
Note:
These Keys can be kept as they are also created by genuine Software
The following Registry Values are added to the provided Registry Keys which are also created by Genuine Software :-
Note:
These Values can be left as they are also created by legitimate Software :-
Creates the following child process(s) on execution:

explorer %workingdir%\9f1e3f7c4c247b795e14c58e430d6c73

%windir%\system32\xp-542ade6b.exe

services.exe

%windir%\system32\xp-6baa581d.exe 4|-|software\microsoft\windows\currentversion\run\xp-542ade6b|-|%windir%\system32\xp-542ade6b.exe|-|0

Creates the Following MUTEX(s) on user's System:-
msratingmutex
ctf.lbes.mutexdefaults-1-5-21-289085736-2271787734-4103687552-1010
ctf.compart.mutexdefaults-1-5-21-289085736-2271787734-4103687552-1010
ctf.asm.mutexdefaults-1-5-21-289085736-2271787734-4103687552-1010
ctf.layouts.mutexdefaults-1-5-21-289085736-2271787734-4103687552-1010
ctf.tmd.mutexdefaults-1-5-21-289085736-2271787734-4103687552-1010
raspbfile
Tries To Connect to The Following Urls:-
Http_Version :http/1.1
207.46.193.254/
Http_Version :http/1.1
207.46.193.254/en/us/default.aspx
Http_Version :http/1.1
202.108.23.231/siletoyou
Http_Version :http/1.1
61.135.132.20/?pn=m080616
Tries To Connect's to the following IP Address(s) through UDP(User DataGram Protocal) :-

127.0.0.1

Copies the Following Files to Given Location :-

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\e_4\com.run

To : %windir%\system32\com.run

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\e_4\dp1.fne

To : %windir%\system32\dp1.fne

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\e_4\eapi.fne

To : %windir%\system32\eapi.fne

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\e_4\internet.fne

To : %windir%\system32\internet.fne

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\e_4\krnln.fnr

To : %windir%\system32\krnln.fnr

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\e_4\regex.fnr

To : %windir%\system32\regex.fnr

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\e_4\shell.fne

To : %windir%\system32\shell.fne

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\e_4\spec.fne

To : %windir%\system32\spec.fne

NOTE:

1. %systemdrive% Refers to the windows System drive folder. By default it is 'C:\'
2. %temp% Refers to the windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
3. %userprofile% Refers to the windows current user's profile folder. By default it is 'C:\Documents and Settings\[user]'
4. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
5. %workingdir% Refers to the current directory in which user is working.
6. %homepath% Refers to the windows current user's profile folder. By default it is 'C:\Documents and Settings\[user]'

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.

Microsoft Gold Certified Partner

© Systweak Inc., 1999-2009 All rights reserved.