Virus Profile: GenericTRA-AW!9130B7D1E99A

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/31/2012
Date Added: 5/31/2012
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 6729

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

The symptoms of this detection are the files, registry entries, and network communication referenced in the Virus Characteristics section.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

   

Virus Characteristics

------------ Updated on June 6th, 2012 ------------



Aliases

  • Avast     - Win32:Agent-AMKQ [Trj]
  • NOD32     - Win32:VB-ACFY [Trj]
  • Ikarus    - Virus.Win32.DelfInject
  • Microsoft - VirTool:Win32/DelfInject.gen!CP

"GenericTRA-AW!9130B7D1E99A" is the detection name for this Trojan, which downloads other malicious files.

Upon execution, it copies itself to the following location:

  • %AppData%\svchost.exe

The copy borrows the name of the legitimate %SystemRoot%\System32\svchost.exe; an svchost.exe running from %AppData% is itself a strong indicator, since the genuine binary never lives there.

It also creates the following files on the system:

  • %temp%\~DF4F05.tmp
  • %AppData%\Plug.bat

The following registry keys are added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\mdlwe42dgd
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mshost Manager
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mshost Manager\Security
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Security
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Security\P3Global
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Security\P3Sites
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Extensions
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Security
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Security\P3Global
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Security\P3Sites
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

The following registry values are added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest: "yes"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "Mshost Manager" = "%AppData%\svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\mdlwe42dgd\mdlwe42dgdpath: "%AppData%\"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\
    Type = 0x00000110
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\
    Start = 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\
    ErrorControl = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\
    "ImagePath" = "%AppData%\Plug.bat"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\
    DisplayName = "Mshost Manager"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\
    ObjectName = "LocalSystem"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\
    "Description" = "Provides network host signaling and local traffic control setup functionality for network programs and control applets."
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    "win" = "%AppData%\svchost.exe"
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    "init" = "%AppData%\svchost.exe"
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Main\Use FormSuggest: "yes"
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE: "yes"
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error: "no"
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}: 0x00002000
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\NextId: 0x00002001
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Security\P3Global\Enabled: 0x00000001
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden: 0x00000001
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving: 0x00000000
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation: 0x00000000
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing: 0x00000000
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect: 0x00000000

The four Internet Settings values set to 0 switch off certificate revocation checking and the warnings for bad server certificates, zone crossing and POST redirects, which removes the browser prompts a user would otherwise see when the downloader fetches further components over a badly configured or intercepted HTTPS connection.
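The Security value listed above is a self-relative SECURITY_DESCRIPTOR, the form in which the Service Control Manager stores the access control of every service, and it decides who may stop, reconfigure or delete "Mshost Manager" during cleanup. The following Python decoder is an added example, not part of the McAfee profile: it parses the hex dump from the listing (the layout is the one documented for SECURITY_DESCRIPTOR, ACL, ACE and SID in winnt.h; the friendly names are assumed from the well-known SID list) and reports the owner, each ACE with its service rights, and the principals that can stop the service.

```python
"""Decode the binary Security value written under
Services\\Mshost Manager (the hex dump listed in this profile)."""
import struct

# Hex of the Security value exactly as listed in this profile (the page's own data).
SECURITY_HEX = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 "
    "02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 "
    "01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 "
    "00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 "
    "00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 "
    "00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 "
    "00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00"
)

# Service-specific rights (winsvc.h) and the standard rights that matter for cleanup (winnt.h).
SERVICE_RIGHTS = {
    0x00001: "SERVICE_QUERY_CONFIG", 0x00002: "SERVICE_CHANGE_CONFIG",
    0x00004: "SERVICE_QUERY_STATUS", 0x00008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x00010: "SERVICE_START", 0x00020: "SERVICE_STOP",
    0x00040: "SERVICE_PAUSE_CONTINUE", 0x00080: "SERVICE_INTERROGATE",
    0x00100: "SERVICE_USER_DEFINED_CONTROL", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# Friendly names for the well-known SIDs that appear in this descriptor (assumed mapping).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LocalSystem", "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000


def parse_sid(buf, off):
    """SID: revision, sub-authority count, 48-bit big-endian authority, little-endian subs."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """8-byte ACL header followed by AceCount ACEs; each ACE header carries its own size."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, "0x%02X" % ace_type),
                     "flags": flags, "mask": mask, "sid": sid,
                     "name": WELL_KNOWN_SIDS.get(sid, sid)})
        pos += ace_size
    return aces


def parse_security_descriptor(hex_text):
    """Parse a self-relative SECURITY_DESCRIPTOR: header with offsets to owner, group, SACL, DACL."""
    buf = bytes.fromhex(hex_text)
    _rev, _sbz, control, owner_off, group_off, sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    return {
        "control": control,
        "owner": parse_sid(buf, owner_off) if owner_off else None,
        "group": parse_sid(buf, group_off) if group_off else None,
        "sacl": parse_acl(buf, sacl_off) if control & SE_SACL_PRESENT and sacl_off else [],
        # DACL present but NULL means "everyone has full access": surfaced as None, not [].
        "dacl": parse_acl(buf, dacl_off) if control & SE_DACL_PRESENT and dacl_off else None,
    }


def rights(mask):
    """Expand an access mask into the named rights it grants."""
    return [name for bit, name in sorted(SERVICE_RIGHTS.items()) if mask & bit]


def who_can(sd, right):
    """Principals holding an ACCESS_ALLOWED ACE for the right (deny ACEs and group nesting ignored)."""
    bit = {v: k for k, v in SERVICE_RIGHTS.items()}[right]
    return [ace["name"] for ace in sd["dacl"] or []
            if ace["type"] == "ACCESS_ALLOWED" and ace["mask"] & bit]


if __name__ == "__main__":
    sd = parse_security_descriptor(SECURITY_HEX)
    print("owner:", WELL_KNOWN_SIDS.get(sd["owner"], sd["owner"]))
    for ace in sd["dacl"]:
        print("%-14s %-20s %s" % (ace["type"], ace["name"], ", ".join(rights(ace["mask"]))))
    print("can stop the service:", who_can(sd, "SERVICE_STOP"))
```

On the listed bytes the owner and group are LocalSystem; the DACL grants LocalSystem and Power Users every service control right except SERVICE_CHANGE_CONFIG (and no DELETE, WRITE_DAC or WRITE_OWNER), Administrators full control (0x000F01FF), and Authenticated Users only query, enumerate, interrogate and user-defined-control rights; the SACL holds one failed-access audit ACE for Everyone. That is the descriptor the Service Control Manager assigns by default when a service is created, so the sample did not tamper with service permissions, but it does mean a standard user cannot stop or delete the service and cleanup has to run elevated.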

The following registry values are modified (the original value is shown first, then the value after modification):

  • HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\Explorer\Navigating\.Current\: "%SystemRoot%\media\Windows XP Start.wav" changed to ""
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData: "%windir%\system32\config\systemprofile\Application Data" changed to "%Appdata%"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: "%windir%\system32\config\systemprofile\Cookies" changed to "%userprofile%\Cookies"
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001 changed to 0x00000002
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden: 0x00000000 changed to 0x00000001
  • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001 changed to 0x00000000

Setting Hidden to 2 and ShowSuperHidden to 0 turns off "Show hidden files and folders" and "Show protected operating system files" in Explorer, so any file carrying the hidden or system attribute is no longer visible in the file browser.

The following registry entries ensure that the Trojan is registered on the compromised system and executes on every boot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "Mshost Manager" = "%AppData%\svchost.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\
    "ImagePath" = "%AppData%\Plug.bat"

The service's Type value 0x110 is SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS and its Start value 0x2 is SERVICE_AUTO_START, so the Service Control Manager launches %AppData%\Plug.bat as LocalSystem (ObjectName) at boot, independently of the Run entry. The "win" and "init" values written under HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows NT\CurrentVersion\Windows also point at the dropped copy and should be removed together with the entries above.

---------------------------------------------------------------------------------

This is a Trojan

File Properties

  • McAfee Detection - GenericTRA-AW!9130B7D1E99A
  • Length           - 338944 bytes
  • MD5              - 9130b7d1e99a84e76488021d1e8f1cc9
  • SHA1             - 023c9e230bf01167cce5fd69046cd3d85754b8d7


Other Common Detection Aliases

  • Avast         - Win32:VB-ACFY
  • AVG (GriSoft) - Crypt.AWKY
  • Avira         - TR/Delf.Inject.338944
  • BitDefender   - Gen:Trojan.Heur.uOWar58dKhdby
  • ClamAV        - PUA.Packed.ASPack
  • Dr.Web        - Trojan.DownLoader6.6853
  • Fortinet      - W32/Suspic
  • Microsoft     - VirTool:Win32/DelfInject.gen!CP
  • Symantec      - Trojan.Fakeav
  • ESET          - Win32/TrojanClicker.VB.NUE trojan
  • Norman        - W32/Troj_Generic.BWLBK
  • Panda         - Generic Malware
  • Sophos        - Sus/Behav-325
  • Trend Micro   - TROJ_GEN.RC1C8EO
  • V-Buster      - Trojan.CL.VB!FuRTMwu/mVg (trojan)

Other brands and names may be claimed as the property of others.


Activities (risk level)

  • High          - Attempts to write to a memory location of a protected process.
  • High          - Attempts to write to a memory location of a Windows system process.
  • Medium        - Modifies the Advanced settings of the Windows Explorer file browser; sometimes used by malware to make executable files look like documents.
  • Medium        - Attempts to connect to a medium-risk domain that may pose a minor security risk.
  • Medium        - Attempts to write to a memory location of a previously loaded process.
  • Medium        - Modifies Windows firewall settings.
  • Low           - Enumerates many system files and directories.
  • Low           - Process attempts to call itself recursively.
  • Low           - Adds or modifies Internet Explorer cookies.
  • Low           - Attempts to write to a memory location of an unknown process.
  • Informational - No digital signature is present.


McAfee Scans

  • McAfee Beta      - GenericTRA-AW!9130B7D1E99A
  • McAfee Supported - GenericTRA-AW!9130B7D1E99A



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

023c9e230bf01167cce5fd69046cd3d85754b8d7

The following files have been added to the system:

  • %APPDATA%\npXVzIG4.bat
  • %TEMP%\~DFB7A9.tmp
  • %APPDATA%\Plug.bat
  • %APPDATA%\svchost.exe
 

The following files have been changed:

  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (the Internet Explorer cache index; the original listing's environment-variable substitution rendered this path as "%TEMP%orary Internet Files\Content.IE5\index.dat")
 

The following files were temporarily written to disk and later removed:

  • %TEMP%\datafile1
  • %TEMP%\~DFDF66.tmp
  • %APPDATA%\driver.inf
 

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\MDLWE42DGD\
 

The following registry elements have been changed:

  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\DISABLE SCRIPT DEBUGGER = yes
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\DISABLESCRIPTDEBUGGERIE = yes
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ERROR DLG DISPLAYED ON EVERY ERROR = no
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\USE FORMSUGGEST = yes
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\INIT = %APPDATA%\svchost.exe
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\WIN = %APPDATA%\svchost.exe
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\HIDDEN = 2
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\SHOWSUPERHIDDEN = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\SUPERHIDDEN = 1
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\GRPCONV\LOG = Init Application.
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CERTIFICATEREVOCATION = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONBADCERTRECVING = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONPOSTREDIRECT = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WARNONZONECROSSING = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3\1601 = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MDLWE42DGD\MDLWE42DGDPATH = %APPDATA%\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\USE FORMSUGGEST = yes
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG\AUTO = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\MSHOST MANAGER = %APPDATA%\svchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\GRPCONV
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\DONOTALLOWEXCEPTIONS = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST\%APPDATA%\SVCHOST.EXE = %APPDATA%\svchost.exe:*:Enabled:svchost.exe
  • HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8193
  • HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\NEXTID = 8194
  • HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3\1601 = 0

The two FirewallPolicy entries re-enable exceptions in the Windows Firewall standard profile and add the dropped %APPDATA%\svchost.exe as an authorized application for all scopes, which is the change behind the "Modifies Windows firewall settings" activity above.
 

The application attempted the following network connection(s):

  • 68.142.93.***:80
  • 216.57.2[private subnet]
  • hxxp://www.zzxml.com/*****
 

   

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

   
