Trojan.Agent
Risk Level 1
 
File Size : 60184 KB
File Type : Portable Executable 32
File Name

zmmiwn.scr

MD5

023997733d7d970d4c0709f465ce1640

SHA1

cdfc0763b92270e9f68fec6398a18bb24de272a3

SHA256

ef4d7b9850262b8256b3abed23fbd9fde11ae4ae4cf6814afe

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\023997733d7d970d4c0709f465ce1640.exe

Changes to registry :

* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASAPI32
  binary data (REG_SZ as UTF-16LE hex)=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASMANCS
  binary data (REG_SZ as UTF-16LE hex)=2500770069006E0064006900720025005C00740072006100630069006E0067000000
  (The Tracing\<process>_RASAPI32 and _RASMANCS keys are written by Windows RAS tracing for any process that loads the RAS API. They show that the sample used RAS networking calls, but they are not a malware-specific indicator.)
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
  (With NukeOnDelete set, deleted files bypass the Recycle Bin, which removes an easy recovery path for anything the sample deletes.)
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\POSIX
* Creates value "Traybar=C:\Windows\lsass.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
  binary data (REG_SZ as UTF-16LE hex)=43003A005C00570069006E0064006F00770073005C006C0073006100730073002E006500780065000000
  (Persistence: the dropped copy is started at every logon. The genuine lsass.exe lives in C:\Windows\System32, so a file of that name directly under C:\Windows is a masquerade, not the real process.)
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (the per-user proxy/connection settings blob; the old and new binary data are not reproduced here)
* Creates Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\POSIX
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
  binary data (REG_SZ as UTF-16LE hex)=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
  (These last two entries belong to Sandboxie, the sandbox the sample was run in, not to the sample itself.)

Changes to filesystem:

* Creates file C:\Windows\lsass.exe
* Creates file C:\ProgramData\Microsoft\Network\Downloader\index.com
* Creates file C:\ProgramData\Microsoft\Network\Downloader\Kazaa Lite.exe
* Creates file C:\ProgramData\Microsoft\Network\Downloader\Winamp 5.0 (en) Crack.com
* Creates file C:\ProgramData\Microsoft\Network\Downloader\Winamp 5.0 (en) Crack.ShareReactor.com
* Creates file C:\ProgramData\Microsoft\Network\Downloader\Winamp 5.0 (en).com
* Creates file C:\ProgramData\Microsoft\Network\Downloader\Winamp 5.0 (en).ShareReactor.com
* Creates file C:\ProgramData\Microsoft\Network\Downloader\WinRAR.v.3.2.and.key.ShareReactor.com
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\Harry Potter.exe
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\ICQ 4 Lite.exe
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\P7B9D5JT\icicibank.com\WinRAR.v.3.2.and.key.ShareReactor.com
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\P7B9D5JT\ICQ 4 Lite.exe
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\P7B9D5JT\infinity.icicibank.com\Harry Potter.exe
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\P7B9D5JT\macromedia.com\index.com
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\P7B9D5JT\player.vzaar.com\WinRAR.v.3.2.and.key.exe
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\P7B9D5JT\qsf.is.quoracdn.net\Winamp 5.0 (en) Crack.exe
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\P7B9D5JT\vidtech.cbsinteractive.com\ICQ 4 Lite.ShareReactor.com
* Creates file C:\Users\cognus\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\P7B9D5JT\WinRAR.v.3.2.and.key.ShareReactor.com
* Modifies file (hidden) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\cognus\AppData\Local\Temp\uzewdaxug.txt
* Creates file C:\Users\cognus\Desktop\Analysis\Trojan.Downloader.MSIL\Dropped Files\No Files Dropped\index.exe
* Creates file C:\Users\cognus\Desktop\Analysis\Trojan.Downloader.MSIL\Dropped Files\Winamp 5.0 (en) Crack.exe
* Creates file C:\Users\cognus\Desktop\Analysis\Trojan.Downloader.MSIL\Reports\WinRAR.v.3.2.and.key.com
* Creates file C:\Users\cognus\Desktop\Analysis\Trojan.Downloader.MSIL\Sample\index.exe
* Creates file C:\Users\cognus\Desktop\Analysis\Trojan.Downloader.MSIL\Winamp 5.0 (en).exe
  (The drop names are peer-to-peer bait: cracks, keygens, "ShareReactor" downloads and popular application names, copied into the BITS download folder, the Flash shared-object folder and whatever other folders the sample found, including the analyst's own Desktop\Analysis tree. The .com extension is executable on Windows even though the names are styled as downloads.)
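As an added example (not part of this report and not code from any vendor tool), the Python below decodes the "binary data=" hex blobs from the registry section above (REG_SZ data dumped as UTF-16LE with a NUL terminator) and triages the registry and file changes listed in both sections into persistence, masquerade, anti-forensics, lure copies and analysis-environment noise. The Change class, the rule strings and the transcribed record list are this example's own assumptions.

```python
"""Added example (not part of the original report): decode the report's
"binary data=" blobs and triage its registry/file changes into malware
behaviour versus analysis-environment noise.  The Change class, the rule
strings and the transcribed records are this example's own assumptions."""
import re
from dataclasses import dataclass


def decode_reg_sz_hex(blob):
    """REG_SZ data dumped as hex is UTF-16LE text ending in a 16-bit NUL."""
    return bytes.fromhex(blob).decode("utf-16-le").rstrip("\x00")


@dataclass
class Change:
    kind: str            # "reg" or "file"
    path: str            # registry key or file path
    name: str = ""       # registry value name
    data: str = ""       # registry value data (already decoded)


# Keys written by the analysis environment rather than by the sample: RAS
# tracing keys appear for any process that loads the RAS API, and the
# SandboxAutoExec / Sandboxie entries belong to the sandbox itself.
ENVIRONMENT_KEY_MARKERS = (
    "\\software\\microsoft\\tracing\\",
    "\\software\\sandboxautoexec",
    "sandboxie",
)
# Peer-to-peer bait names seen in the drop list (assumed pattern).
LURE_NAME = re.compile(r"crack|keygen|sharereactor|kazaa|\.com$", re.I)


def triage(change):
    """Return (verdict, reason) for a single registry or file change."""
    p = change.path.lower()
    if change.kind == "reg":
        if any(m in p for m in ENVIRONMENT_KEY_MARKERS):
            return "noise", "written by the analysis environment, not the sample"
        if p.endswith("\\currentversion\\run"):
            return "persistence", f"Run value {change.name!r} starts {change.data} at logon"
        if "\\explorer\\bitbucket" in p and change.name.lower() == "nukeondelete":
            return "anti-forensics", "NukeOnDelete makes deletions bypass the Recycle Bin"
        if "windows error reporting" in p and change.name.lower() == "dontshowui":
            return "stealth", "DontShowUI hides crash dialogs if the payload faults"
        return "review", "no rule matched"
    folder, _, base = p.rpartition("\\")
    if base == "lsass.exe" and folder != "c:\\windows\\system32":
        return "masquerade", "lsass.exe only belongs in System32"
    if LURE_NAME.search(base):
        return "lure", "P2P-style bait name copied into a shared folder"
    return "review", "no rule matched"


def triage_all(changes):
    """Group changes by verdict so noise can be filtered before reporting."""
    groups = {}
    for c in changes:
        verdict, reason = triage(c)
        where = c.path if c.kind == "file" else f"{c.path}\\{c.name}"
        groups.setdefault(verdict, []).append((where, reason))
    return groups


# Records transcribed from the report above (data decoded from its hex blobs).
REPORTED = [
    Change("reg", r"HKEY_LOCAL_MACHINE\software\microsoft\Tracing\023997733d7d970d4c0709f465ce1640_RASAPI32",
           "FileDirectory", decode_reg_sz_hex("2500770069006E0064006900720025005C00740072006100630069006E0067000000")),
    Change("reg", r"HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run",
           "Traybar", decode_reg_sz_hex("43003A005C00570069006E0064006F00770073005C006C0073006100730073002E006500780065000000")),
    Change("reg", r"HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket",
           "NukeOnDelete", "1"),
    Change("reg", r"HKEY_CURRENT_USER\software\SandboxAutoExec", "(Default)", "31"),
    Change("file", r"C:\Windows\lsass.exe"),
    Change("file", r"C:\ProgramData\Microsoft\Network\Downloader\Winamp 5.0 (en) Crack.com"),
    Change("file", r"C:\Users\cognus\AppData\Local\Temp\uzewdaxug.txt"),
]

if __name__ == "__main__":
    for verdict, items in triage_all(REPORTED).items():
        print(verdict)
        for where, why in items:
            print(f"  {where}: {why}")
```

Running it prints the Run-key entry as persistence, C:\Windows\lsass.exe as a masquerade, the BitBucket change as anti-forensics, the bait-named drop as a lure, and the Tracing and SandboxAutoExec keys as noise; the temp file falls through to "review" because nothing in the report explains it.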

Network services:

* Backdoor functionality on port 1042 (protocol not recorded).
* Queries DNS "mail.revouninstaller.com".
* Queries DNS "dns.msftncsi.com" (the Windows network connectivity probe; not sample-specific).
* C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Sample\023997733d7d970d4c0709f465ce1640.exe Connects to "104.130.54.195" on port 25 (TCP - SMTP).
  (A workstation process that resolves a mail.* host and then speaks SMTP to it directly is mass-mailing behaviour; outbound TCP/25 from user endpoints is a high-value network indicator.)
* Downloads file from "blog.chosun.com/rss/freebirdf1".
* Downloads file from "blog.daum.net/xml/rss/opaoxf2".
* Downloads file from "opaoxf112.blog.163.com/rss/".
* Downloads file from "www.ezyeconomy.com/xml/20110714/o5.gif?".
  (The first three are feeds on public blogging services; fetching content from such pages hides the download channel behind legitimate, high-reputation domains, so the full URL rather than the domain is the indicator to block.)
* Downloads file from "redir.metaservices.microsoft.com/redir/allservices/?sv=5&version=12.0.7600.16385&locale=409&userlocale=409&geoid=f4&parch=x86&arch=x86".
* Downloads file from "onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&version=12.0.7600.16385&locale=409&userlocale=409&geoid=f4&parch=x86&arch=x86".
* Downloads file from "images.windowsmedia.com/svcswitch/MG_en-us.xml".
* Downloads file from "info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx?locale=409&geoid=f4&version=12.0.7600.16385&userlocale=409&requestID=1BDA2316-44C8-4FE2-8CBF-C4DCDDF6AA9F".
* Downloads file from "info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.7600.16385&userlocale=409&requestID=1BDA2316-44C8-4FE2-8CBF-C4DCDDF6AA9F".
* Downloads file from "info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx?locale=409&geoid=f4&version=12.0.7600.16385&userlocale=409&requestID=6C6B6C58-8B03-4AF3-99A2-84418F242609".
* Downloads file from "info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.7600.16385&userlocale=409&requestID=6C6B6C58-8B03-4AF3-99A2-84418F242609".
* Downloads file from "redir.metaservices.microsoft.com/redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7600.16385&userlocale=409".
* Downloads file from "onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7600.16385&userlocale=409".
* Downloads file from "xml12es.farolatino.com/wmp/IMAGES/icon-orange-16.png".
* Downloads file from "wmp.audible.com/serviceInfo/wmp_16x16.png".
* Downloads file from "redir.metaservices.microsoft.com/redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7600.16385&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16".
* Downloads file from "toc.music.metaservices.microsoft.com/cdinfo/GetMDRCD.aspx?locale=409&geoid=f4&version=12.0.7600.16385&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16".
* Downloads file from "images.metaservices.microsoft.com/cover/075/drW900/W931/W93170JS3DC.jpg".
* Downloads file from "images.metaservices.microsoft.com/cover/200/drW900/W931/W93170JS3DC.jpg".
  (The metaservices.microsoft.com, windowsmedia.com and online-store icon requests above carry version=12.0.7600.16385, the Windows 7 build of Windows Media Player; they are Media Player's CD-metadata and store lookups, not evidence of the sample's own command channel.)
* Uses POST methods in HTTP.
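As an added example (not part of this report and not code from any vendor tool), the Python below runs the network indicators from the list above over a constructed connection/DNS/HTTP log, so the sample's own traffic (the SMTP egress, the mail-host lookup, the blog-feed fetches) separates from the Windows Media Player and connectivity-probe chatter captured in the same run. The tab-separated log format, the 10.0.0.5 victim address, the 198.51.100.7 peer and the assumption that scheme-less URLs in the report are HTTP are this example's own.

```python
"""Added example (not part of the original report): classify network log
lines against the indicators in the "Network services" section.  The log
format, the 10.0.0.5 / 198.51.100.7 addresses and the http:// assumption
for scheme-less URLs are this example's own."""
from urllib.parse import urlsplit

# From the report: feeds the sample fetches, the SMTP peer it contacts,
# the mail host it resolves first and the port it backdoors.
FEED_HOSTS = {"blog.chosun.com", "blog.daum.net",
              "opaoxf112.blog.163.com", "www.ezyeconomy.com"}
SMTP_PEER = "104.130.54.195"
MAIL_HOST = "mail.revouninstaller.com"
BACKDOOR_PORT = 1042

# Windows background traffic captured in the same run: Windows Media
# Player metadata/store lookups and the NCSI connectivity probe.
BACKGROUND = (".metaservices.microsoft.com", "images.windowsmedia.com",
              "dns.msftncsi.com")


def host_of(url):
    """Hostname of a URL; the report lists URLs without a scheme."""
    if "://" not in url:
        url = "http://" + url          # assumption: plain HTTP
    return (urlsplit(url).hostname or "").lower()


def is_background(host):
    return host.lower().endswith(BACKGROUND)


def classify(line):
    """Tag one log line. Format: kind<TAB>fields (conn / dns / http)."""
    kind, *f = line.rstrip("\n").split("\t")
    if kind == "conn":                       # conn  src  dst  dport  proto
        src, dst, dport, proto = f[0], f[1], int(f[2]), f[3]
        if proto == "tcp" and dport == 25:
            flag = " (known peer)" if dst == SMTP_PEER else ""
            return "smtp-egress", f"{src} -> {dst}:25{flag}"
        if proto == "tcp" and dport == BACKDOOR_PORT:
            return "backdoor-port", f"{src} -> {dst}:{dport}"
        return "ok", f"{src} -> {dst}:{dport}/{proto}"
    if kind == "dns":                        # dns  src  qname
        qname = f[1].lower()
        if is_background(qname):
            return "background", qname
        if qname == MAIL_HOST or qname.startswith("mail."):
            return "mail-lookup", qname
        return "ok", qname
    if kind == "http":                       # http  src  method  url
        method, url = f[1].upper(), f[2]
        host = host_of(url)
        if is_background(host):
            return "background", url
        if host in FEED_HOSTS:
            return "feed-fetch", url
        if method == "POST":                 # the report notes POSTs but no URL
            return "http-post", url
        return "ok", url
    return "unparsed", line


def summarize(log_text):
    """Group every line by tag; callers drop 'background' and 'ok'."""
    tags = {}
    for line in log_text.splitlines():
        if line.strip():
            tag, detail = classify(line)
            tags.setdefault(tag, []).append(detail)
    return tags


# Constructed log of one run, assembled from the indicators in the report.
SAMPLE_LOG = """\
dns\t10.0.0.5\tdns.msftncsi.com
dns\t10.0.0.5\tmail.revouninstaller.com
conn\t10.0.0.5\t104.130.54.195\t25\ttcp
http\t10.0.0.5\tGET\tblog.chosun.com/rss/freebirdf1
http\t10.0.0.5\tGET\topaoxf112.blog.163.com/rss/
http\t10.0.0.5\tGET\tredir.metaservices.microsoft.com/redir/allservices/?sv=5
conn\t10.0.0.5\t198.51.100.7\t443\ttcp
"""

if __name__ == "__main__":
    for tag, items in summarize(SAMPLE_LOG).items():
        if tag not in ("background", "ok"):
            print(tag, items)
```

The filter keeps the three signals worth alerting on (mail-host lookup, TCP/25 egress to the listed peer, and feed fetches from the listed blog hosts) and discards the Media Player and NCSI requests, which would otherwise dominate a naive "any new domain" alert.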

Process/window/string information:

* Gets user name information.
* Opens a service named "rasman" (Remote Access Connection Manager; consistent with the RAS tracing keys above).
* Opens a service named "Sens" (System Event Notification Service).
* Sleeps 542 seconds (a long initial sleep is a common way to outlast a sandbox's execution window).

Additional Information:

How To Remove zmmiwn.scr

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where zmmiwn.scr is located.
4. Once the scan is finished you will get the message "scan is complete"; click the OK button to see the results.
5. Delete the threat from the results table.
