sxe6.tmp – trojan Banload

March 31, 2011 by NightWatcher
Filed under: Malware 
: Solved!

You should Download Removal Tool here...

Is the file sxe6.tmp located on your computer? Then your computer is infected.
We highly recommend you to remove sxe6.tmp from your computer as soon as possible.
sxe6.tmp is Trojan/Backdoor.
Kill the process sxe6.tmp and remove sxe6.tmp from the Windows startup.

Malware Analysis of sxe6.tmp
Executed: FOTOS_DSC03764_JPG.exe
Removed: sxe6.tmp Full path: C:\sxe6.tmp

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: trs.sys
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\DRIVERS\TRS.SYS
Type: Drivers

Item Name: sxe6.tmp
Author: USB_2011
Related File: C:\SXE6.TMP
Type: Registry Run

Item Name: ctfmonn.exe
Author: USB_2011
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\CTFMONN.EXE
Type: Registry Run

Item Name:
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\CTFMONN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmonn.exe
Value:
“C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe”

Registry:
HKLM\System\CurrentControlSet\Services\pelodlo\ImagePath
Value:
“system32\drivers\trs.sys”

Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sxe6.tmp
Value:
“c:\sxe6.tmp”

Folders:
Files:
C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe
C:\WINDOWS\system32\drivers\trs.sys
C:\DSC00657.JPG
C:\sxe6.tmp
—————————————————————————————————————————-
Classification:

Antivirus Version Last Update Result
F-Secure 9.0.16440.0 2011.03.23 -
Microsoft 1.6702 2011.03.25 TrojanDownloader:Win32/Delf.ZWQ
NOD32 5985 2011.03.25 probably a variant of Win32/TrojanDownloader.Banload.ORL

—————————————————————————————————————————-

MD5 4c8cf2434cfc6aee9bfbd53cc082edc1

SHA1 b43e6e31c099d59f0227f087e6fbe52f410cacc3

SHA256 228cfa532b5a2dd0a0d12911b782e38b8a90ff386288b78ff28486b92aa45d16

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:6
———————————-
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000
HKLM\System\CurrentControlSet\Services\pelodlo
HKLM\System\CurrentControlSet\Services\pelodlo\Security
HKCU\ctfmonn
HKCU\EnableLUA

———————————-
Values added:19
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0×00000000
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: “C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Service: “pelodlo”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Legacy: 0×00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\ConfigFlags: 0×00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\DeviceDesc: “putit”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\0000\Capabilities: 0×00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PELODLO\NextInstance: 0×00000001
HKLM\System\CurrentControlSet\Services\pelodlo\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\pelodlo\Type: 0×00000001
HKLM\System\CurrentControlSet\Services\pelodlo\Start: 0×00000001
HKLM\System\CurrentControlSet\Services\pelodlo\ErrorControl: 0×00000001
HKLM\System\CurrentControlSet\Services\pelodlo\ImagePath: “system32\drivers\trs.sys”
HKLM\System\CurrentControlSet\Services\pelodlo\DisplayName: “putit”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sxe6.tmp: “c:\sxe6.tmp”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmonn.exe: “C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe”
HKCU\EnableLUA\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: 0×00000000

———————————-
Files added:4
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\ctfmonn.exe
C:\WINDOWS\system32\drivers\trs.sys
C:\DSC00657.JPG
C:\sxe6.tmp

———————————-
Total changes:29
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


Recommended: UnHackMe anti-rootkit and anti-malware

Premium software: RegRun Security Suite (Good choice for removal and protection)

Written by

Malware Hunter.

Comments

Tell me what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

You must be logged in to post a comment.