lsass.exe – trojan Bumat

March 24, 2011 by NightWatcher
Filed under: Malware, Solved!


The lsass.exe described here is not the legitimate Local Security Authority Subsystem Service binary (which lives in C:\WINDOWS\system32\lsass.exe) but a trojan that borrows its name and runs from C:\WINDOWS\CIDD_P\. Antivirus vendors classify it as an AutoIt-based spy trojan (Trojan-Spy.Win32.AutoIt.h, Trojan:Win32/Bumat!rts) used for stealing banking information and user passwords. Because the real lsass.exe cannot be terminated without Windows forcing a reboot, check the full path of the running process before acting: only the copy outside system32 should be removed.
To remove the fake lsass.exe we recommend UnHackMe:
http://www.unhackme.com

Malware Analysis of lsass.exe
Executed: Sons of anarchy.exe
Removed: lsass.exe. Full path: C:\WINDOWS\CIDD_P\lsass.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: configuration
Author: Unknown
Related File: C:\WINDOWS\CONFIGURATION\CONFIGURATION.EXE
Type: Registry Run

Item Name: lsass.exe
Author: Unknown
Related File: C:\WINDOWS\CIDD_P\LSASS.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect this malware

Note: the subfolder name 41646D696E6973747261746F72 is just the hex encoding of the user name of the infected account (here Administrator), so on another machine expect a different hex string under C:\WINDOWS\CIDD_P\.

Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\configuration
Value: “C:\WINDOWS\configuration\configuration.exe”

Folders:
C:\WINDOWS\CIDD_P\
C:\WINDOWS\configuration\
Files:
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\10.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\11.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\12.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\13.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\br.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\clm.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nam.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nfie.dll
C:\WINDOWS\CIDD_P\lsass.exe
C:\WINDOWS\configuration\configuration.exe
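The indicators above turned into a script, as an added example (not code from the original post or from UnHackMe). The registry value, folders and file names are taken from the post; the process list and Run-key contents are constructed sample data so the script runs offline, and it assumes %SystemRoot% is C:\WINDOWS. It also generalises the per-user folder: since 41646D696E6973747261746F72 is hex("Administrator"), the expected path for any other account is derived from that account's name.

```python
"""Indicator check for the fake lsass.exe described on this page.

Added example, not code from the original post or from UnHackMe. The
indicators come from the post; SAMPLE_PROCESSES and SAMPLE_RUN are
constructed test data, and C:\\WINDOWS is assumed to be %SystemRoot%.
"""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"                      # assumption: XP-era default
LEGIT_LSASS = ntpath.join(SYSTEM_ROOT, "system32", "lsass.exe")

# Indicators taken from the post
IOC_RUN_NAME = "configuration"
IOC_FOLDERS = [ntpath.join(SYSTEM_ROOT, "CIDD_P"),
               ntpath.join(SYSTEM_ROOT, "configuration")]
IOC_DROPPED = ["10.exe", "11.exe", "12.exe", "13.exe",
               "br.dll", "clm.dll", "nam.dll", "nfie.dll"]


def hex_dirname_to_text(name):
    """Decode a directory name that is a hex string, e.g.
    41646D696E6973747261746F72 -> 'Administrator'. Returns None otherwise."""
    if len(name) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", name):
        return None
    try:
        text = bytes.fromhex(name).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def user_drop_folder(username):
    """Per-user drop folder: the post's 41646D...6F72 is hex('Administrator'),
    so the same malware on another account creates a different hex name."""
    return ntpath.join(SYSTEM_ROOT, "CIDD_P", username.encode("ascii").hex().upper())


def expected_files(username):
    """The ten dropped files the post reports, for the given account."""
    folder = user_drop_folder(username)
    files = [ntpath.join(folder, f) for f in IOC_DROPPED]
    files.append(ntpath.join(SYSTEM_ROOT, "CIDD_P", "lsass.exe"))
    files.append(ntpath.join(SYSTEM_ROOT, "configuration", "configuration.exe"))
    return files


def is_masquerading_lsass(image_path):
    """A process called lsass.exe that does not run from %SystemRoot%\\system32
    is an impostor; NTFS paths are case-insensitive, so compare lowercased."""
    p = ntpath.normpath(image_path).lower()
    return ntpath.basename(p) == "lsass.exe" and p != LEGIT_LSASS.lower()


def scan_processes(rows):
    """rows: (pid, image_path) pairs, e.g. from `wmic process get ProcessId,ExecutablePath`.
    Never kill the system32 copy: terminating the real LSASS forces a reboot."""
    return [(pid, path) for pid, path in rows if is_masquerading_lsass(path)]


def scan_run_values(run_values):
    """run_values: {name: command} from HKLM\\...\\CurrentVersion\\Run.
    Flags the post's value name and any command launched from the dropped folders."""
    hits = []
    for name, command in run_values.items():
        cmd = command.strip('"').lower()
        if name.lower() == IOC_RUN_NAME or any(cmd.startswith(f.lower()) for f in IOC_FOLDERS):
            hits.append(name)
    return hits


# Constructed sample input (not captured from the infected machine)
SAMPLE_PROCESSES = [
    (552, r"C:\WINDOWS\system32\lsass.exe"),       # the real one
    (1844, r"C:\WINDOWS\CIDD_P\lsass.exe"),        # the trojan
    (1900, r"C:\WINDOWS\configuration\configuration.exe"),
]
SAMPLE_RUN = {
    "configuration": r'"C:\WINDOWS\configuration\configuration.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for pid, path in scan_processes(SAMPLE_PROCESSES):
        print("impostor lsass.exe: pid %d at %s" % (pid, path))
    print("suspicious Run values:", scan_run_values(SAMPLE_RUN))
    print("drop folder decodes to:", hex_dirname_to_text("41646D696E6973747261746F72"))
    for f in expected_files("Administrator"):
        print("check:", f)
```

On a live machine, feed scan_processes() the output of `wmic process get ProcessId,ExecutablePath` and scan_run_values() the Run key read with `reg query`; the path test is the one that matters, since the file name alone is chosen precisely to look legitimate.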
—————————————————————————————————————————-
Classification (scan dated 2011.02.28; "-" means the engine did not detect the sample):

Antivirus   Version       Last Update   Result
F-Secure    9.0.16160.0   2011.02.28    -
Kaspersky   7.0.0.125     2011.02.28    Trojan-Spy.Win32.AutoIt.h
Microsoft   1.6603        2011.02.28    Trojan:Win32/Bumat!rts
NOD32       5913          2011.02.28    Win32/Autoit.HF

—————————————————————————————————————————-

MD5 a53e5adcabc6456a00af6806cb9b99da

SHA1 c3359fbc2addfd4d21a623388a477fd0a846d255

SHA256 1913fc81c94b5e224437ca7c29e393da0340c0a635e40e79b1ee60463798bbc4

—————————————————————————————————————————-


Installation
When the dropper is executed, the sandbox recorded the registry and file-system changes listed below. Read them with care, because not all of them are the malware's own work: the Run value is the persistence mechanism and the two Internet Explorer FormSuggest values turn off IE's form and password autocomplete, but the TypedURLs, RunMRU and ShellNoRoam\BagMRU / Bags entries are Explorer and IE artifacts of interactive use. The BagMRU item below even contains the 8.3 name SONSOF~1 and the UTF-16 string "Sons of anarchy", i.e. it records the analyst opening the C:\sand-box\Sons of anarchy folder. The four deleted files are the Firefox profile's cookie store, form history and key3.db (the database holding the key that protects saved logins), which fits the credential-stealing classification.

———————————-
Keys added:5
———————————-
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell

———————————-
Values added:14
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\configuration: “C:\WINDOWS\configuration\configuration.exe”
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest: “no”
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords: “no”
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0: 4E 00 31 00 00 00 00 00 73 3E 22 1A 17 00 53 4F 4E 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 73 3E 22 1A 73 3E 22 1A 14 00 00 00 53 00 6F 00 6E 00 73 00 20 00 6F 00 66 00 20 00 61 00 6E 00 61 00 72 00 63 00 68 00 79 00 00 00 18 00 00 00
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0\NodeSlot: 0x00000026
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0\MRUListEx: FF FF FF FF
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Mode: 0x00000006
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ScrollPos1024x768(1).x: 0x00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ScrollPos1024x768(1).y: 0x00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Sort: 0x00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\SortDir: 0x00000001
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Col: 0xFFFFFFFF
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

———————————-
Values modified:6
———————————-
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\MRUListEx: 00 00 00 00 04 00 00 00 05 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\MRUListEx: 03 00 00 00 00 00 00 00 04 00 00 00 05 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\MRUListEx: FF FF FF FF
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\MRUListEx: 00 00 00 00 FF FF FF FF

———————————-
Files added:10
———————————-
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\10.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\11.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\12.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\13.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\br.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\clm.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nam.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nfie.dll
C:\WINDOWS\CIDD_P\lsass.exe
C:\WINDOWS\configuration\configuration.exe

———————————-
Files deleted:4
———————————-
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\cookies.sqlite
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\formhistory.sqlite
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\key3.db
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\urlclassifierkey3.txt

———————————-
Folders added:4
———————————-
C:\sand-box\Sons of anarchy
C:\WINDOWS\CIDD_P
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72
C:\WINDOWS\configuration

———————————-
Total changes:43
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com



Written by

Malware Hunter.
