Virus RDN/Generic Dropper!qu!2045E78FE8B5 low risk trojan

Virus Trojan Characteristics


File Properties

Property    Value
Detection   RDN/Generic Dropper!qu
Length      241664 bytes
MD5         2045e78fe8b561ede611cf02b93b67e1
SHA1        d765a60b076e652dcd636ee9e9e0167290fe9fdb

Other Common Detection Aliases

Company Name      Detection Name
EMSI Software     Gen:Trojan.Heur.FU.ouW@aivxvEni (B)
ahnlab            Dropper/Win32.Agent
avast             Win32:Agent-ZDZ [Trj]
AVG (GriSoft)     Dropper.Agent.BDHV (Trojan horse)
Kaspersky         Trojan-Dropper.Win32.Agent.hzub
BitDefender       Gen:Trojan.Heur.FU.ouW@aivxvEni
panda             Suspicious

Other brands and names may be claimed as the property of others.

Activities
  • Enumerates many system files and directories.
  • Adds or modifies Internet Explorer cookies.
  • No digital signature is present.

McAfee Scans        Scan Detections
McAfee Beta         RDN/Generic Dropper!qu
McAfee Supported    RDN/Generic Dropper!qu

System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were analyzed:

D765A60B076E652DCD636EE9E9E0167290FE9FDB

The following files have been deleted:
  • %TEMP%\ArmUI.ini
  • %TEMP%\BakuTechPreviewInstallLog.txt
  • %TEMP%\Microsoft Office 2003 Setup(0001)_Task(0001).txt
  • %TEMP%\Microsoft Office 2003 Setup(0001).txt
  • %TEMP%\offcln11.log
  • %TEMP%\Perflib_Perfdata_61c.dat

Virus Profile: BackDoor Trojan Removal FAFB!2C8CB3D1155C

Upon execution, the Trojan drops a file in the location below:

%system32\drivers\oreans32.sys

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Enum


The following registry key values have been added to the system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control\

  • *NewlyCreated*: 0x00000000
  • ActiveService: "oreans32"


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\

  • Service: "oreans32"
  • Legacy: 0x00000001
  • ConfigFlags: 0x00000000
  • Class: "LegacyDriver"
  • ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • DeviceDesc: "oreans32"
  • NextInstance: 0x00000001


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Enum\0: "Root\LEGACY_OREANS32\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Enum\Count: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Enum\NextInstance: 0x0000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\

  • Type: 0x00000001
  • Start: 0x00000001
  • ErrorControl: 0x00000001
  • ImagePath: "\??\C:\WINDOWS\system32\drivers\oreans32.sys"
  • DisplayName: "oreans32"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32\0000\Control\

  • *NewlyCreated*: 0x00000000
  • ActiveService: "oreans32"
  • Service: "oreans32"
  • Legacy: 0x00000001
  • ConfigFlags: 0x00000000
  • Class: "LegacyDriver"
  • ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • DeviceDesc: "oreans32"


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32\NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Enum\0: "Root\LEGACY_OREANS32\0000"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Enum\Count: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Enum\NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\

  • Type: 0x00000001
  • Start: 0x00000001
  • ErrorControl: 0x00000001
  • ImagePath: "\??\C:\WINDOWS\system32\drivers\oreans32.sys"
  • DisplayName: "oreans32"

The registry entries above register a service named "oreans32" that starts automatically whenever the system restarts.
