lsass.exe – Trojan Bumat

The file lsass.exe described here is identified as a Trojan program used for stealing online banking information and user passwords. Note that the legitimate Windows lsass.exe resides in C:\WINDOWS\system32; the sample analysed here runs from C:\WINDOWS\CIDD_P\, so the file path distinguishes the two.
To delete lsass.exe, we recommend using UnHackMe:
http://www.unhackme.com

Malware Analysis of lsass.exe
Executed: Sons of anarchy.exe
Removed: lsass.exe. Full path: C:\WINDOWS\CIDD_P\lsass.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: configuration
Author: Unknown
Related File: C:\WINDOWS\CONFIGURATION\CONFIGURATION.EXE
Type: Registry Run

Item Name: lsass.exe
Author: Unknown
Related File: C:\WINDOWS\CIDD_P\LSASS.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect the presence of this malware:

Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\configuration
Value: "C:\WINDOWS\configuration\configuration.exe"

Folders:
C:\WINDOWS\CIDD_P\
C:\WINDOWS\configuration\
Files (the folder name 41646D696E6973747261746F72 is the hexadecimal encoding of the Windows user name "Administrator", the account used in this analysis; on another machine this part of the path can be expected to encode the local user name instead):
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\10.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\11.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\12.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\13.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\br.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\clm.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nam.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nfie.dll
C:\WINDOWS\CIDD_P\lsass.exe
C:\WINDOWS\configuration\configuration.exe
—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.16160.0   2011.02.28    -
Kaspersky   7.0.0.125     2011.02.28    Trojan-Spy.Win32.AutoIt.h
Microsoft   1.6603        2011.02.28    Trojan:Win32/Bumat!rts
NOD32       5913          2011.02.28    Win32/Autoit.HF

—————————————————————————————————————————-

MD5 a53e5adcabc6456a00af6806cb9b99da

SHA1 c3359fbc2addfd4d21a623388a477fd0a846d255

SHA256 1913fc81c94b5e224437ca7c29e393da0340c0a635e40e79b1ee60463798bbc4

—————————————————————————————————————————-


Installation
When the program is executed, it makes the following registry, file and folder changes:

———————————-
Keys added: 5
———————————-
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell

———————————-
Values added: 14
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\configuration: "C:\WINDOWS\configuration\configuration.exe"
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest: "no"
HKCU\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords: "no"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0: 4E 00 31 00 00 00 00 00 73 3E 22 1A 17 00 53 4F 4E 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 73 3E 22 1A 73 3E 22 1A 14 00 00 00 53 00 6F 00 6E 00 73 00 20 00 6F 00 66 00 20 00 61 00 6E 00 61 00 72 00 63 00 68 00 79 00 00 00 18 00 00 00
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0\NodeSlot: 0x00000026
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\0\MRUListEx: FF FF FF FF
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Mode: 0x00000006
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ScrollPos1024x768(1).x: 0x00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ScrollPos1024x768(1).y: 0x00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Sort: 0x00000000
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\SortDir: 0x00000001
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\Col: 0xFFFFFFFF
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

———————————-
Values modified: 6
———————————-
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\MRUListEx: 00 00 00 00 04 00 00 00 05 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\MRUListEx: 03 00 00 00 00 00 00 00 04 00 00 00 05 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\MRUListEx: FF FF FF FF
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\3\MRUListEx: 00 00 00 00 FF FF FF FF

———————————-
Files added: 10
———————————-
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\10.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\11.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\12.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\13.exe
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\br.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\clm.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nam.dll
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72\nfie.dll
C:\WINDOWS\CIDD_P\lsass.exe
C:\WINDOWS\configuration\configuration.exe

———————————-
Files deleted: 4
———————————-
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\cookies.sqlite
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\formhistory.sqlite
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\key3.db
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\urlclassifierkey3.txt

———————————-
Folders added: 4
———————————-
C:\sand-box\Sons of anarchy
C:\WINDOWS\CIDD_P
C:\WINDOWS\CIDD_P\41646D696E6973747261746F72
C:\WINDOWS\configuration

———————————-
Total changes: 43
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

Fix it immediately!

UnHackMe removes malware that is invisible to your antivirus!