[INFO]
AnalystName=Sonia Iuliana Botezatu
AnalystEMailID=botezatus@comodo.com
Team=Romania
Date=19-JAN-2010
Type=TrojWare
Platform=Win32
SubType=
Family=CDur
Variant=

[OVERVIEW]
This trojan drops a DLL and registers it as a Windows service. It may download additional malware to the computer. The original file deletes itself after it has run.

[TECHNICAL_DESCRIPTION]
Creates and registers a service DLL ([random-8-characters].dll) that connects to a URL of the form http://[account-that-varies].3322.org and acts as a backdoor (3322.org is a dynamic DNS provider, so the host part differs between samples). It may also download additional malware files to the %system% or %temp% directory and launch them. It also creates a [random-characters].ini file and a [random-characters].del file, which it uses to delete itself after running.

The service runs inside svchost.exe (ImagePath "%SystemRoot%\System32\svchost.exe -k netsvcs") as LocalSystem and is set to start automatically (Start 0x2), with the payload registered as Parameters\ServiceDLL. The DLL is dropped into %SystemRoot%\system32\drivers\etc\, a directory that normally holds only text files such as hosts and services, which makes the location itself a useful indicator. Note also the Type value 0x110 (SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS): a service hosted in svchost.exe would normally be 0x20 (SERVICE_WIN32_SHARE_PROCESS). Loading a DLL through svchost -k netsvcs also requires the service name to appear in the netsvcs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; that value is not among the registry changes recorded here, so check it during cleanup. The Enum\Root\LEGACY_* keys listed below are created by the Plug and Play manager when the service first starts, not written directly by the malware.

Registry keys present (CurrentControlSet is a link to the active control set, so the ControlSet001 and CurrentControlSet entries are the same data seen through two paths):
HKLM\SYSTEM\[CurrentControlSet & ControlSet001]\Enum\Root\LEGACY_[varies]
HKLM\SYSTEM\[CurrentControlSet & ControlSet001]\Services\[varies]

Examples of registry keys (service name "77169"):
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\Control
HKLM\SYSTEM\ControlSet001\Services\77169
HKLM\SYSTEM\ControlSet001\Services\77169\Parameters
HKLM\SYSTEM\ControlSet001\Services\77169\Security
HKLM\SYSTEM\ControlSet001\Services\77169\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_77169
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_77169\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_77169\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\77169
HKLM\SYSTEM\CurrentControlSet\Services\77169\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\77169\Security
HKLM\SYSTEM\CurrentControlSet\Services\77169\Enum

or (service name "huahua"):
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\Control
HKLM\SYSTEM\ControlSet001\Services\huahua
HKLM\SYSTEM\ControlSet001\Services\huahua\Parameters
HKLM\SYSTEM\ControlSet001\Services\huahua\Security
HKLM\SYSTEM\ControlSet001\Services\huahua\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HUAHUA
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HUAHUA\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HUAHUA\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\huahua
HKLM\SYSTEM\CurrentControlSet\Services\huahua\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\huahua\Security
HKLM\SYSTEM\CurrentControlSet\Services\huahua\Enum

Values added (service "77169"; listed under HKLM\SYSTEM\ControlSet001, the identical values are mirrored under HKLM\SYSTEM\CurrentControlSet):
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\Control\ActiveService: "77169"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\Service: "77169"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\0000\DeviceDesc: "77169"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_77169\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\77169\Enum\0: "Root\LEGACY_77169\0000"
HKLM\SYSTEM\ControlSet001\Services\77169\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\77169\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\77169\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\77169\Parameters\ServiceDLL: "%SystemRoot%\system32\drivers\etc\c7WKzvbV.dll"
HKLM\SYSTEM\ControlSet001\Services\77169\Type: 0x00000110
HKLM\SYSTEM\ControlSet001\Services\77169\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\77169\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\77169\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\ControlSet001\Services\77169\DisplayName: "77169"
HKLM\SYSTEM\ControlSet001\Services\77169\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\77169\Description: "华夏黑客同盟远控免杀更新" (Chinese: "Huaxia Hacker Alliance remote-control AV-evasion update")

The Security\Security value is a self-relative security descriptor. It decodes to owner and group LocalSystem (S-1-5-18); a DACL granting SERVICE_ALL_ACCESS (0x000F01FF) to Administrators, the start/stop/pause/query/interrogate rights plus READ_CONTROL (0x000201FD) to LocalSystem and Power Users, and query/enumerate/interrogate rights plus READ_CONTROL (0x0002018D) to Authenticated Users; and a SACL that audits failed access by Everyone. This matches the descriptor the Service Control Manager assigns by default to a newly created service on Windows XP, so it is not a distinguishing indicator on its own.

or (service "huahua"; listed under HKLM\SYSTEM\ControlSet001, the identical values are mirrored under HKLM\SYSTEM\CurrentControlSet):
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\Control\ActiveService: "huahua"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\Service: "huahua"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\0000\DeviceDesc: "huahua"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HUAHUA\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\huahua\Enum\0: "Root\LEGACY_HUAHUA\0000"
HKLM\SYSTEM\ControlSet001\Services\huahua\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\huahua\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\huahua\Security\Security: (byte-identical to the 77169 descriptor above)
HKLM\SYSTEM\ControlSet001\Services\huahua\Parameters\ServiceDLL: "%SystemRoot%\system32\drivers\etc\kXAdWZGV.dll"
HKLM\SYSTEM\ControlSet001\Services\huahua\Type: 0x00000110
HKLM\SYSTEM\ControlSet001\Services\huahua\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\huahua\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\huahua\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\ControlSet001\Services\huahua\DisplayName: "huahua"
HKLM\SYSTEM\ControlSet001\Services\huahua\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\huahua\Description: "SRAT花花" (Chinese: "SRAT Huahua"; 花花 is a nickname)

Files created:
%systemroot%\system32\drivers\etc\[random-8].dll
%systemroot%\system32\[random-10].ini

[SYMPTOMS]
The presence of a [random-8].dll file in the %systemroot%\system32\drivers\etc\ folder.
A service whose Parameters\ServiceDLL points into that folder and whose ImagePath is "%SystemRoot%\System32\svchost.exe -k netsvcs".
Connections to a URL matching the template [various].3322.org.
Other malware infections appearing afterwards, such as Parite or various bots.

[DISINFECTION]
Stop the service, then remove the DLL file (it cannot be deleted while svchost.exe has it loaded) and the related registry keys: the Services\[name] key and the Enum\Root\LEGACY_[NAME] key under each control set. Check %system% and %temp% for any additional files the backdoor downloaded. Download and install Comodo Internet Security for a safe removal of the malicious application.
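The indicators in [SYMPTOMS] can be checked mechanically against a dump of the Services keys. The following is an added Python example, not part of the original analysis or of any Comodo tool: it parses entries written in the key\value: data layout used in this write-up (a constructed subset of the dump above, plus one constructed entry for the legitimate Task Scheduler service so there is a benign row to clear) and flags svchost-hosted services whose ServiceDLL lies outside %SystemRoot%\system32 or whose Type value is inconsistent with being hosted in svchost.exe. The system root C:\WINDOWS is an assumption.

```python
"""Triage service definitions for the CDur persistence pattern (added example).

Input is in the "HKLM\\...\\Services\\<name>\\<value>: <data>" layout used in the
write-up; the sample below is constructed from the two observed services plus a
benign Task Scheduler entry (Type 0x20, DLL directly under System32)."""
import re

SAMPLE_DUMP = r"""
HKLM\SYSTEM\CurrentControlSet\Services\77169\Parameters\ServiceDLL: "%SystemRoot%\system32\drivers\etc\c7WKzvbV.dll"
HKLM\SYSTEM\CurrentControlSet\Services\77169\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\77169\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\77169\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\CurrentControlSet\Services\77169\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\huahua\Parameters\ServiceDLL: "%SystemRoot%\system32\drivers\etc\kXAdWZGV.dll"
HKLM\SYSTEM\CurrentControlSet\Services\huahua\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\huahua\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\huahua\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\CurrentControlSet\Services\huahua\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\Parameters\ServiceDLL: "%SystemRoot%\system32\schedsvc.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\Type: 0x00000020
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\ObjectName: "LocalSystem"
"""

# Service\<name>\<value> or Service\<name>\Parameters\<value>, then ": data".
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)\\"
    r"(?:Parameters\\)?(\w+): (.*)$"
)

SERVICE_WIN32_SHARE_PROCESS = 0x20   # required for a DLL hosted by svchost.exe
SERVICE_INTERACTIVE_PROCESS = 0x100  # set by both observed samples (Type 0x110)


def parse_dump(text):
    """Group the dump into {service_name: {value_name: data}}; hex data becomes int."""
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # Enum\..., Security\... and non-service lines are skipped
        name, value_name, raw = m.groups()
        value = int(raw, 16) if raw.startswith("0x") else raw.strip('"')
        services.setdefault(name, {})[value_name] = value
    return services


def triage(services, system_root=r"c:\windows"):
    """Return {service_name: [reasons]} for services matching the pattern."""
    findings = {}
    for name, svc in services.items():
        reasons = []
        image = str(svc.get("ImagePath", "")).lower()
        dll = str(svc.get("ServiceDLL", "")).lower().replace("%systemroot%", system_root)
        svc_type = svc.get("Type", 0)
        hosted = "svchost.exe -k" in image
        if hosted and dll:
            if dll.rsplit("\\", 1)[0] != system_root + r"\system32":
                reasons.append("ServiceDLL outside System32: " + dll)
            if not svc_type & SERVICE_WIN32_SHARE_PROCESS:
                reasons.append("svchost-hosted but Type 0x%X lacks SERVICE_WIN32_SHARE_PROCESS" % svc_type)
        if svc_type & SERVICE_INTERACTIVE_PROCESS:
            reasons.append("Type 0x%X has SERVICE_INTERACTIVE_PROCESS set" % svc_type)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_dump(SAMPLE_DUMP)).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The ServiceDLL location check is a heuristic: some legitimate services keep their DLL outside System32, so treat it as a lead to verify (file signature, creation time, the netsvcs group list) rather than a verdict. On a live host the same values come from reg.exe or the registry API, whose output format differs from the layout parsed here.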