
Virus Profile: Generic Dropper.p

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/11/2005
Date Added: 10/11/2005
Origin: N/A
Length: varies
Type: Trojan
Subtype: Dropper
DAT Required: 7374

Description

Droppers are files which contain other binaries within their body. They act like a self-extracting ZIP file, taking the files stored inside and installing them on the affected machine.

The types of files dropped by many droppers include other Trojans, such as Downloaders (which download yet more files from a remote machine), BackDoors (which give the attacker remote access to the client machine) and Dialers (which change the dial-up settings of the client's Internet connection, normally to a premium-rate number).

Indication of Infection

The symptoms of this detection are the files, registry entries, and network communication referenced in the Characteristics section.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.


Virus Characteristics

---------- Updated on March 13th 2014 ----------

Aliases -

  • Kaspersky    -     Trojan.Win32.Cutwail.clu


"Generic Dropper.p" is the detection for this Trojan, which downloads other payloads. It also receives commands from an attacker to access the infected machine. Once the Trojan has executed successfully it deletes itself. It may communicate with a remote SMTP server and send out mail to infect other computers.

Upon execution the Trojan connects to a list of remote IP addresses and domains (partially redacted in the original profile):


Upon execution, the Trojan drops files into the following locations:

  • %userprofile%\mgpvgqva.exe
  • %Windir%\system32\mgpvgqva.exe


The following registry key has been added to the system.


  • HKEY_LOCAL_MACHINE\SOFTWARE\WinNTData


The following registry key values have been added to the system.


  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mgpvgqva: "%windir%\System32\mgpvgqva.exe"


  • HKEY_USERS\S-1-5-21-1844237615-1085031214-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Run\mgpvgqva: "%userprofile%\mgpvgqva.exe"


The above registry values ensure that the Trojan is executed whenever the system starts.


  • HKEY_LOCAL_MACHINE\SOFTWARE\WinNTData\prx: 04 02 0D 1B 06 06 1B 03 0C 1B 0D 06 0F 01 01 06 16 04 01 03 1B 04 07 05 1B 04 04 05 1B 04 07 05 0F 01 01 06 16 04 0D 0D 1B 04 07 05 1B 07 06 01 1B 00 0F 01 01 06 16 0D 07 1B 04 01 03 1B 06 0D 1B 0D 01 0F 01 01 06 16 0C 04 1B 07 06 02 1B 04 0C 0D 1B 0C 06 0F 01 01 06 16 04 01 0D 1B 07 00 04 1B 02 04 1B 04 05 04 0F 01 01 06 35


---------- Updated on March 13th 2014 ----------

Aliases -

  • Rising        -     PE:Malware.XPACK-HIE/Heur!1.9C48

"Generic Dropper.p" is the generic detection for the Trojan belonging to the Cryptolocker ransom family. Cryptolocker is ransomware that, on execution, locks the user's system, leaving it in an unusable state. It also encrypts the file types listed below that are present on the user's system. The compromised user has to pay the attacker a ransom to unlock the system and to get the files decrypted.

The Trojan encrypts files with the following extensions:

*.Odt, *.Ods, *.Odp, *.MDGs, *.Odc, *.ODB, *.Doc, *.Docx, *.Docm, *.WPS, *.xls, *.xlsx, *.xlsm, *.xlsb, *.XLK, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.DXG, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.PDD, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.ARW, *.SRF, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.KDC, *.erf, *.mef, *.MRW, *.nef, *.nrw, *.orf, *.raf, *.raw, *.RWL, *.rw2, *.r3d, *.PTX, *.PEF, *.SRW, *.x3f, *.der, *.heaven, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

Upon execution the Trojan injects into Windows Explorer (Explorer.exe) and connects to the following IP address:


  • 93.170.[Removed].189

Upon execution, the Trojan drops a file into the following location:


  • %AppData%\Zkauhxfbmpubhr.exe

The following registry keys have been added to the system.


  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388
  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\Files

The above registry keys are used by the Trojan while it performs encryption on the infected system.

The following registry key values have been added to the system.


  • HKEY_USER\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker: "%Appdata%\Zkauhxfbmpubhr.exe\Zkauhxfbmpubhr.exe"


  • HKEY_USER\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker: "%AppData%\Zkauhxfbmpubhr.exe\Zkauhxfbmpubhr.exe"

The above registry values ensure that the Trojan is executed whenever the system starts.

The following registry key values have been added to the system.

  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\Files\C:?Documents and Settings?Default User?Templates?excel.xls: 0x003FDF13
  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\Files\C:?Documents and Settings?Default User?Templates?excel4.xls: 0x003FDF41
  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\Files\C:?Documents and Settings?Default User?Templates?powerpnt.ppt: 0x003FDF80
  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\Files\C:?Documents and Settings?Default User?Templates?quattro.wb2: 0x003FDFCE
  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\Files\C:?Documents and Settings?Default User?Templates?winword.doc: 0x003FDFED
  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\Files\C:?Documents and Settings?Default User?Templates?winword2.doc: 0x003FE01C
  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\VersionInfo: [Binary Value]
  • HKEY_USER\S-1-5-21-[Varies]\Software\CryptoLocker_0388\PublicKey: [Binary Value]

The above key values record the files with the listed extensions that the Trojan has searched for and encrypted on the infected computer.

---------- Updated on Feb 20th 2014 ----------

"Generic Dropper.p" is a Trojan that drops other payloads.

Upon execution, the Trojan creates the following folders:

  • %AppData%\Microsoft\Windows
  • %AppData%\Microsoft\Windows\pdw0QWup4VR
  • %AppData%\ {4253-8547-4596-85}

After execution, it creates the following files:

  • %AppData%\Microsoft\Windows\pdw0QWup4VR\pdw0QWup4VR.dat
  • %AppData%\Microsoft\Windows\pdw0QWup4VR\pdw0QWup4VR.nfo
  • %AppData%\Microsoft\Windows\pdw0QWup4VR\pdw0QWup4VR.svr
  • %AppData%\ {4253-8547-4596-85}\appinit.exe

Upon execution the Trojan attempts to connect to the following IP address:

  • 178.[Removed].138.205

The following keys are added to the system:

  • HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  • HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • HKey_User\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKey_User\S-1-5[Varies]\Software\pdw0QWup4VR

The following key values are added to the system:

  • HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\systemappinit: "%AppData%\ {4253-8547-4596-85}\appinit.exe"
  • HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKey_Local_Machine: "%AppData%\ {4253-8547-4596-85}\appinit.exe"
  • HKey_User\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\systemappinit: "%AppData%\ {4253-8547-4596-85}\appinit.exe"
  • HKey_User\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\HKCU: "%AppData%\ {4253-8547-4596-85}\appinit.exe"

The above registry entries ensure that the malware is executed at every system startup.

  • HKey_User\S-1-5[Varies]\Software\pdw0QWup4VR\ServerStarted: "Date Time"
  • HKey_User\S-1-5[Varies]\Software\pdw0QWup4VR\InstalledServer: "%AppData%\ {4253-8547-4596-85}\appinit.exe"

 

---------- Updated on February 18th 2014 ----------

"Generic Dropper.p" is a Trojan that reduces the computer's performance by dropping malicious components onto the system. Once the system is infected, it downloads files from a web site set up by the attackers.

Upon execution the Trojan injects into Windows Explorer (Explorer.exe) and connects to the following IP address:

  • 178.86.[Removed].32

Upon execution the Trojan drops the following files:

  • %Temp%\c
  • %Temp%\crnwypmp.exe
  • %Temp%\nsn2AE.tmp
  • %Temp%\Perflib_Perfdata_d2c.dat
  • %Temp%\setup.dat


The following registry keys are added to the system:

  • HKEY_USER\S-1-5-21-[Varies]-500\Software\Microsoft\Internet Explorer\Toolbar\Explorer
  • HKEY_USER\S-1-5-21-[Varies]-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
  • HKEY_USER\S-1-5-21-[Varies]-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.csv\OpenWithList
  • HKEY_USER\S-1-5-21-[Varies]-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32


The following registry key values are added to the system:

  • HKEY_USER\S-1-5-21-[Varies]-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}: [Binary Values]
  • HKEY_USER\S-1-5-21-[Varies]-500\Software\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout: [Binary Values]

---------- Updated on 8 Jan, 2014 ----------

"Generic Dropper.p" is the detection for a Trojan which drops other malware.

The following files have been added to the system.

  • %temp%\140106.doc
  • %temp%\nvsvcv.exe
  • %userprofile%\Start Menu\Programs\Startup\nvvscv.exe

The following registry value has been modified on the system (original value first, modified value second).

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%windir%\system32\userinit.exe,"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%windir%\system32\userinit.exe,%temp%\nvsvcv.exe,"

The above registry entry confirms that the Trojan is executed upon every system boot.
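The persistence mechanisms quoted across these updates (Run, RunOnce and Policies\Explorer\Run values launching from user-writable folders, and the Winlogon Userinit modification above) can be checked mechanically. The following Python is an added example, not McAfee's code; the registry values it scans are a constructed sample modelled on the ones in this profile, plus one constructed benign Run entry as a control.

```python
import re

# Constructed sample of registry values modelled on the ones quoted in
# this profile, plus one constructed benign Run entry as a control.
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"%windir%\system32\userinit.exe,%temp%\nvsvcv.exe,",
    r"HKU\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\mgpvgqva":
        r"%userprofile%\mgpvgqva.exe",
    r"HKU\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker":
        r'"%Appdata%\Zkauhxfbmpubhr.exe\Zkauhxfbmpubhr.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\systemappinit":
        r"%AppData%\ {4253-8547-4596-85}\appinit.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater":  # benign control
        r"%ProgramFiles%\Vendor\updater.exe",
}

# Run, RunOnce and the policy-enforced Explorer\Run keys used across the updates.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(Once)?\\", re.I)
# Locations a standard user can write to; a legitimate autorun rarely lives there.
USER_WRITABLE = re.compile(r"^%(appdata|localappdata|temp|tmp|userprofile)%", re.I)


def check_userinit(value):
    """Return every comma-separated Userinit entry other than userinit.exe itself.

    Winlogon runs each entry at logon; the 8 Jan 2014 update appends a second
    executable under %temp% to the stock value, so any extra entry is suspicious.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def scan(values):
    """Return (key, reason) pairs for values matching the profile's persistence patterns."""
    findings = []
    for key, data in values.items():
        if key.lower().endswith(r"\winlogon\userinit"):
            for extra in check_userinit(data):
                findings.append((key, "extra Userinit entry: " + extra))
        elif AUTORUN_KEY.search(key) and USER_WRITABLE.match(data.strip().strip('"')):
            findings.append((key, "autorun launched from user-writable path: " + data))
    return findings


if __name__ == "__main__":
    for key, reason in scan(SAMPLE_VALUES):
        print(reason, "<-", key)
```

On a live host the same functions can be fed values read from the registry or parsed from a .reg export; the benign control entry is not flagged because it launches from %ProgramFiles%.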

---------- Updated on 26 Sep, 2013 -----------