
subject: How to Detect and Remove the TR/Crypt.ZPACK.Gen Trojan


Emails regarding an attached resume contain a trojan


1. Overview

Ax3soft has intercepted a new email campaign that distributes a trojan under the pretext of a resume. The following subject lines have been seen:

1. Resume attached.

2. please find enclosed.

3. Please find attached.

4. Attached please find.

5. Here's the file you wanted.

6. I have attached the resume.

7. The new resume is attached

8. The resume document is attached

9. Please find my CV and cover letter attached.

10. You will find the resume attached to this email.

11. Please find attached my CV for your attention.

12. I've attched..I'm encoding..the latest figures for you.

13. Replace the old resume with the new one which is attached.

The email is sent from a spoofed address and has one of the following bodies:

Attached please find.

Please take a look at the attached resume.

Resume attached

Replace the old resume with the new one which is attached

Please find my attached CV for your attention

Please review the attached resume.

You will find the resume attached to this e-mail.

The attached ZIP file is named 50443cv.zip and contains the 16 kB file cv.exe.

The trojan is known as TR/Crypt.ZPACK.Gen (Antivir), Gen:Trojan.Heur.FU.auW@a8ibIek (F-Secure), FakeAlert-DefCnt.d (McAfee), a variant of Win32/Kryptik.AJD (NOD32).

It creates the following files:

%CommonFavorites%\_favdata.dat
%Temp%\TMP35073.tmp
%Temp%\TMP35042.tmp
%Temp%\TMP34714.tmp

It creates the following registry values:

[HKEY_CURRENT_USER\Printers\Connections] affid = "396"
subid = "landing"

The following internet connections will be established on port 80:

www.searchashamed.org

mediafullups.com

Two files containing a malicious payload are downloaded from the /a/ad path; their details follow.

The first file is known as Mal/EncPk-LZ (Sophos):

It creates the following files:

%Temp%\dfrgsnapnt.exe
%Temp%\eapp32hst.dll
%Temp%\opwesitjh
%Temp%\wscsvc32.exe

The following processes are created or affected:

dfrgsnapnt.exe
wscsvc32.exe

Several registry modifications are made and the following URLs are used:

http://finderwid.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok

http://searchashamed.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok

http://mediafullunu.com/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok

http://searchashamed.org/any3/5-direct.ex

http://finderwid.org/any3/5-direct.ex

http://mediafullunu.com/any3/5-direct.ex

The second file is known as Trojan.FakeAV!gen31 (Symantec), Trojan.Win32.TDSS.beea (Kaspersky), Application.RogueAVPacker (PCTools).

It creates the following files:

%Temp%\PRAGMA7e53.tmp
%Temp%\PRAGMAab00.tmp
%Windir%\PRAGMAvgobwwkuyu\PRAGMAc.dll
%Windir%\PRAGMAvgobwwkuyu\PRAGMAcfg.ini
%Windir%\PRAGMAvgobwwkuyu\PRAGMAd.sys
%Windir%\PRAGMAvgobwwkuyu\PRAGMAsrcr.dat

It creates the following directory:

%Windir%\PRAGMAvgobwwkuyu

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Preferences
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb\modules

The newly created registry values are:

[HKEY_LOCAL_MACHINE\SOFTWARE] f7c5da73-b4a5-4947-8f40-08f2871eb36b = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] DisableTaskMgr = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups] ConvertedToLinks = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control] *NewlyCreated* = 0x00000000
ActiveService = "PRAGMAibadstidxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000] Service = "PRAGMAibadstidxb"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "PRAGMAibadstidxb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB] NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control] *NewlyCreated* = 0x00000000
ActiveService = "PRAGMAibadstidxb"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000] Service = "PRAGMAibadstidxb"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "PRAGMAibadstidxb"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB] NextInstance = 0x00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression] svchost.exe = 0x00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings] ProxyEnable = 0x00000000

[HKEY_CURRENT_USER\Printers\Connections] time = 0x00000001

[HKEY_CURRENT_USER\Software] 24d1ca9a-a864-4f7b-86fe-495eb56529d8 = ""
7bde84a2-f58f-46ec-9eac-f1f90fead080 = ""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] DisableTaskMgr = 0x00000001
(this prevents users from starting Task Manager, Taskmgr.exe)

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command] (Default) = ""%Temp%\mscdexnt.exe" /START "%1" %*"
IsolatedCommand = ""%1" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command] (Default) = ""%1" %*"
IsolatedCommand = ""%1" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command] (Default) = ""%1" %*"
IsolatedCommand = ""%1" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon] (Default) = "%1"

[HKEY_CURRENT_USER\Software\Classes\.exe] (Default) = "secfile"
Content Type = "application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command] (Default) = ""%Temp%\mscdexnt.exe" /START "%1" %*"
IsolatedCommand = ""%1" %*"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command] (Default) = ""%1" %*"
IsolatedCommand = ""%1" %*"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command] (Default) = ""%1" %*"
IsolatedCommand = ""%1" %*"

[HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon] (Default) = "%1"

[HKEY_CURRENT_USER\Software\Classes\secfile] (Default) = "Application"
Content Type = "application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions] /css/pragma/crcmds/install = "3.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector] explorer.exe = "pragmaserf"
iexplore.exe = "pragmaserf;pragmabbr"
firefox.exe = "pragmabbr"
safari.exe = "pragmabbr"
chrome.exe = "pragmabbr"
opera.exe = "pragmabbr"

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA] affid = "391"
type = "no"
build = "no"
subid = "direct"
cmddelay = 0x00015180

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb\modules] PRAGMAd = "\systemroot\PRAGMAibadstidxb\PRAGMAd.sys"
PRAGMAc = "\systemroot\PRAGMAibadstidxb\PRAGMAc.dll"
pragmaserf = "pragmaserf"
pragmabbr = "pragmabbr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb] start = 0x00000001
type = 0x00000001
imagepath = "\systemroot\PRAGMAibadstidxb\PRAGMAd.sys"

The following registry values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent] (Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent] (Default) =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] Cache =

Attempts to establish connections with the following remote hosts were recorded:

Remote Host      Port Number
62.122.73.242    80
91.213.157.69    80
91.213.157.72    80

The data identified by the following URLs was then requested from the remote web server:

http://searchdisup.org/css/pragma/knock.php
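The host-side indicators above (dropped files, the PRAGMA driver service and its legacy device entry, HKLM\SOFTWARE\PRAGMA, the per-user .exe and secfile association hijack pointing at %Temp%\mscdexnt.exe, and the DisableTaskMgr policy) can be checked with one script. The following PowerShell is an added example written for this page, not code from the original post or from Ax3soft; it assumes PowerShell 3.0 or later on the affected Windows machine, run from an elevated prompt, and treats the random suffixes of the PRAGMA directory and service names as a prefix match rather than the exact names seen in this sample.

```powershell
# Added example, not from the original post: audit a Windows host for the file,
# service and registry indicators listed above. Read-only unless -Remove is given,
# and -Remove only deletes the per-user .exe/secfile association hijack and the
# DisableTaskMgr policy value. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files in %Temp%. The PRAGMA directory under %Windir% has a random
#    suffix per infection, so match the prefix instead of the exact name above.
foreach ($name in 'mscdexnt.exe','dfrgsnapnt.exe','eapp32hst.dll','opwesitjh','wscsvc32.exe') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) { $findings.Add("file: $path") }
}
Get-ChildItem -Path $env:SystemRoot -Directory -Filter 'PRAGMA*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("dir: $($_.FullName)") }

# 2. The kernel driver is registered as a service and as a legacy root device;
#    both names start with PRAGMA followed by random letters.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'PRAGMA*' } |
    ForEach-Object {
        $image = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("service: $($_.PSChildName) imagepath=$image")
    }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'LEGACY_PRAGMA*' } |
    ForEach-Object { $findings.Add("legacy device: $($_.PSChildName)") }

# 3. HKLM\SOFTWARE\PRAGMA holds the affiliate id and the injector target list.
if (Test-Path 'HKLM:\SOFTWARE\PRAGMA') {
    $affid = (Get-ItemProperty 'HKLM:\SOFTWARE\PRAGMA').affid
    $findings.Add("key: HKLM\SOFTWARE\PRAGMA affid=$affid")
    if (Test-Path 'HKLM:\SOFTWARE\PRAGMA\injector') {
        # PSPath, PSParentPath etc. are provider metadata, not registry values
        (Get-ItemProperty 'HKLM:\SOFTWARE\PRAGMA\injector').PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings.Add("injector: $($_.Name) -> $($_.Value)") }
    }
}

# 4. Per-user .exe association hijack. HKCU\Software\Classes\.exe takes precedence
#    over the machine-wide association, so every .exe launch is routed through
#    %Temp%\mscdexnt.exe. Both the .exe key and the secfile ProgID are checked.
foreach ($key in 'HKCU:\Software\Classes\.exe\shell\open\command',
                 'HKCU:\Software\Classes\secfile\shell\open\command') {
    if (Test-Path $key) {
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        $findings.Add("association: $key = $cmd")
    }
}

# 5. Task Manager disabled through policy in either hive.
foreach ($hive in 'HKCU','HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) { $findings.Add("policy: $pol DisableTaskMgr=1") }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators from the post were found.' }
foreach ($f in $findings) { Write-Host "[!] $f" }

if ($Remove) {
    # Deleting the per-user keys makes Windows fall back to the HKLM association,
    # so .exe files launch normally again and a scanner can be started.
    foreach ($key in 'HKCU:\Software\Classes\.exe','HKCU:\Software\Classes\secfile') {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force; Write-Host "removed $key" }
    }
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name DisableTaskMgr -ErrorAction SilentlyContinue
}
```

The script only reports the PRAGMA service and driver file; removing a kernel driver that is already loaded is better left to a scanner or a boot-time cleanup, which is why the -Remove switch is restricted to the user-hive changes that stop every .exe from being proxied through the dropper.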

http://finderwid.org/readdatagateway.php?type=stats&affid=391&subid=new02&version=4.0&adwareok

http://finderwid.org/any/391-direct.ex

http://finderunt.org/css/pragma/crcmds/main

http://finderunt.org/css/pragma/knock.php

http://finderunt.org/css/pragma/srcr.dat

http://finderunt.org/css/pragma/crcmds/install

http://finderunt.org/css/pragma/crfiles/serf

http://finderunt.org/css/pragma/crfiles/bbr
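On the network side, the hosts, IP addresses and URL paths listed above can be matched against proxy logs to find every workstation that has beaconed. The following PowerShell is an added example written for this page, not from the original post; the space-separated log format (timestamp, client IP, method, URL, status) and the sample log lines are constructed assumptions, so the field positions in Test-ProxyLine will need adjusting for a real proxy.

```powershell
# Added example, not from the original post: match proxy log lines against the
# domains, IP addresses and URL paths listed above. The log format and the
# sample lines below are constructed for illustration.
$badHosts = @(
    'www.searchashamed.org','searchashamed.org','mediafullups.com',
    'mediafullunu.com','finderwid.org','finderunt.org','searchdisup.org'
)
$badIps = @('62.122.73.242','91.213.157.69','91.213.157.72')
# Path patterns shared across the hosts: the stats beacon, the payload fetch
# and the PRAGMA command/file paths. Matching on the path catches the same
# kit behind a domain that is not on the list yet.
$badPaths = @(
    '/readdatagateway\.php\?type=stats&affid=\d+',
    '/any\d*/\d+-direct\.ex',
    '/css/pragma/(knock\.php|srcr\.dat|crcmds/|crfiles/)'
)

function Test-ProxyLine {
    param([string]$Line)
    # Assumed format: <time> <client-ip> <method> <url> <status>
    $parts = $Line -split '\s+'
    if ($parts.Count -lt 5) { return $null }
    $url = $parts[3]
    $uri = $null
    if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) { return $null }
    $reasons = @()
    if ($badHosts -contains $uri.Host.ToLower()) { $reasons += "host:$($uri.Host)" }
    if ($badIps -contains $uri.Host)             { $reasons += "ip:$($uri.Host)" }
    foreach ($pat in $badPaths) {
        if ($uri.PathAndQuery -match $pat) { $reasons += "path:$pat"; break }
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ Client = $parts[1]; Url = $url; Reasons = ($reasons -join ',') }
}

# Constructed sample log: two infected clients, two benign requests.
$sampleLog = @'
2010-01-05T10:15:02 10.0.0.21 GET http://www.example.com/index.html 200
2010-01-05T10:15:09 10.0.0.21 GET http://searchashamed.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok 200
2010-01-05T10:15:11 10.0.0.21 GET http://searchashamed.org/any3/5-direct.ex 200
2010-01-05T10:16:40 10.0.0.21 GET http://finderunt.org/css/pragma/knock.php 200
2010-01-05T10:17:05 10.0.0.33 GET http://91.213.157.69/any/391-direct.ex 200
2010-01-05T10:18:00 10.0.0.44 GET http://www.example.org/search?q=resume 200
'@ -split "`n"

$hits = $sampleLog | ForEach-Object { Test-ProxyLine $_.Trim() } | Where-Object { $_ }
$hits | Format-Table -AutoSize
# Group by client to see which workstations need to be pulled for cleanup
$hits | Group-Object Client | ForEach-Object { "$($_.Name): $($_.Count) hit(s)" }
```

Running it against the constructed lines flags 10.0.0.21 (three hits) and 10.0.0.33 (one hit, matched on the IP and on the payload path) and ignores the two example.com/example.org requests; the same function can be fed with `Get-Content` on a real log file.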

2. How-to's

1. Please update the Sax2 policy knowledge base in time. Once Sax2 detects the communication of these trojans, it will break it and ensure your network and business security.

2. How to Remove TR.Crypt.ZPACK.Gen Manually?

Remove the registry entries hidden by TR.Crypt.ZPACK.Gen

If you notice that programs on your computer are behaving abnormally, check the following Registry entries and delete any spyware-related entries you find:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Startup="C:\windows\start menu\programs\startup"

The "TR.Crypt.ZPACK.Gen" malicious programs may also be loaded through the "run=" and "load=" entries of the system WIN.INI file, so these must be checked carefully.

Clean up the IE Temporary Files folder, where the original carrier of the spyware threat is likely stored.

3. How to Remove Trojan.FakeAV!gen31 Manually?

Remove the registry entries hidden by Trojan.Win32.Tdss.beea

If you notice that programs on your computer are behaving abnormally, check the following Registry entries and delete any spyware-related entries you find:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Startup="C:\windows\start menu\programs\startup"

The "Trojan.Win32.Tdss.beea" malicious programs may also be loaded through the "run=" and "load=" entries of the system WIN.INI file, so these must be checked carefully.

Clean up the IE Temporary Files folder, where the original carrier of the spyware threat is likely stored.
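Steps 2 and 3 above list the same autostart locations to inspect: the Run, RunOnce, RunServicesOnce and Policies\Explorer\Run keys, the Startup folder resolved through Shell Folders, and the "run=" and "load=" lines of WIN.INI. The following PowerShell is an added example written for this page, not from the original post; it enumerates those locations read-only so every entry can be reviewed before anything is deleted. It assumes PowerShell 3.0 or later, and the "launched from %Temp%" flag is a heuristic chosen here because the dropper in this sample lives in %Temp%, not something the post prescribes.

```powershell
# Added example, not from the original post: enumerate the autostart locations
# that steps 2 and 3 tell you to inspect. Read-only; review, then delete by hand.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    # win.ini "run=" and "load=" are mapped to this key on NT-based Windows
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

function New-Entry([string]$Source, [string]$Name, [string]$Command) {
    # Anything launched from %Temp% is the first thing to scrutinise (heuristic).
    [pscustomobject]@{
        Source   = $Source
        Name     = $Name
        Command  = $Command
        FromTemp = [bool]($Command -match '\\Temp\\' -or $Command -match [regex]::Escape($env:TEMP))
    }
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PSPath, PSParentPath etc. are provider metadata, not registry values
            if ($p.Name -like 'PS*') { continue }
            # Under ...\Windows NT\CurrentVersion\Windows only Run and Load matter
            if ($key -like '*\Windows NT\*' -and $p.Name -notin 'Run','Load') { continue }
            if ([string]::IsNullOrWhiteSpace([string]$p.Value)) { continue }
            New-Entry -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }

    # The Startup folder, resolved through the Shell Folders value named in the how-to
    $shell = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -ErrorAction SilentlyContinue
    if ($shell -and $shell.Startup -and (Test-Path -LiteralPath $shell.Startup)) {
        foreach ($item in Get-ChildItem -LiteralPath $shell.Startup -File) {
            New-Entry -Source 'Startup folder' -Name $item.Name -Command $item.FullName
        }
    }

    # WIN.INI itself, for the "run=" and "load=" lines the how-to mentions
    $ini = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path -LiteralPath $ini) {
        foreach ($line in Get-Content -LiteralPath $ini) {
            if ($line -match '^\s*(run|load)\s*=\s*(\S.*)$') {
                New-Entry -Source $ini -Name $Matches[1] -Command $Matches[2]
            }
        }
    }
}

# Entries launched from %Temp% sort to the top of the table
Get-AutostartEntries | Sort-Object FromTemp -Descending | Format-Table -AutoSize
```

Because a hijacked .exe association (see the HKCU\Software\Classes\.exe values in the overview) intercepts every program launch, an infected machine can look clean in these keys while still re-launching the dropper; check the association alongside the autostart entries before concluding the cleanup is complete.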

4. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

By: andy.J