Removed: PRAGMAd.sys (variant of TDSS trojan – Alureon/Olmarik)
Malware: C:\sand-box\install01.exe
Removed: C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAd.sys
—————————————————————————————————————————-
After first reboot detected by UnHackMe:
Item Name: PRAGMAqipfvcxnqq
Author:
Related File: C:\WINDOWS\PRAGMAQIPFVCXNQQ\PRAGMAD.SYS
Type: Services detected by Partizan
Removal Results: Success
Number of reboot: 2
—————————————————————————————————————————-
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2010.05.11 | Gen:Variant.TDss.20 |
| Kaspersky | 7.0.0.125 | 2010.05.11 | Trojan-Downloader.Win32.FraudLoad.xcxu |
| Microsoft | 1.5703 | 2010.05.11 | Trojan:Win32/Alureon.gen!J |
| NOD32 | 5105 | 2010.05.11 | Win32/Olmarik.YX |
—————————————————————————————————————————-
Additional information
File size: 88576 bytes
MD5 : 92f841a030057e645e71d0817cca0b8a
SHA1 : b7273df7d70b60dfcbc8fe6b3e1f0ac8679cd0fa
SHA256: a58cc1595d9e5b90b1f5f0fc53cb6ba7ed808c3aeea077d7c09f7c2d8c9c66cb
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values:
———————————-
Keys added: 6
———————————-
HKLM\Software\PRAGMA
HKLM\Software\PRAGMA\versions
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\modules
———————————-
Values added: 17
———————————-
HKLM\Software\PRAGMA\affid: "traf"
HKLM\Software\PRAGMA\subid: "pragma"
HKLM\Software\PRAGMA\type: "no"
HKLM\Software\PRAGMA\build: "bbr"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\Service: "PRAGMAqipfvcxnqq"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\Class: "LegacyDriver"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\DeviceDesc: "PRAGMAqipfvcxnqq"
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\0000\Capabilities: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PRAGMAQIPFVCXNQQ\NextInstance: 0x00000001
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\modules\PRAGMAd: "\systemroot\PRAGMAqipfvcxnqq\PRAGMAd.sys"
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\modules\PRAGMAc: "\systemroot\PRAGMAqipfvcxnqq\PRAGMAc.dll"
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\start: 0x00000001
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\type: 0x00000001
HKLM\System\CurrentControlSet\Services\PRAGMAqipfvcxnqq\imagepath: "\systemroot\PRAGMAqipfvcxnqq\PRAGMAd.sys"
———————————-
Values modified: 2
———————————-
(-) HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000001
(+) HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
(-) HKLM\System\CurrentControlSet\Services\wscsvc\Start: 0x00000002
(+) HKLM\System\CurrentControlSet\Services\wscsvc\Start: 0x00000004
———————————-
Files added: 5
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\PRAGMA7d1f.tmp
C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAc.dll
C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAcfg.ini
C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAd.sys
C:\WINDOWS\PRAGMAqipfvcxnqq\PRAGMAsrcr.dat
———————————-
Files deleted: 1
———————————-
C:\sand-box\install01.exe
———————————-
Files [attributes?] modified: 3
———————————-
C:\Documents and Settings\NetworkService\Cookies\index.dat
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
———————————-
Folders added: 1
———————————-
C:\WINDOWS\PRAGMAqipfvcxnqq
———————————-
Folder attributes changed: 2
———————————-
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
———————————-
Total changes: 37
———————————-
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com