How to Prevent and Remove the Packed.Generic.307
1. What is Packed.Generic.307?

HeurEngine.MaliciousPacker is a malware infection that is used to deliver other malicious files or applications onto an infected system. HeurEngine.MaliciousPacker can infect a computer through a backdoor or browser security hole, usually without any notification to the computer user. HeurEngine.MaliciousPacker should be removed immediately so that it cannot go on to infect other systems.

Alias: Mal/EncPk-IY (Sophos), Trojan:Win32/Malagent (Microsoft), P2P-Worm.Win32.Palevo (Ikarus), Win-Trojan/MalCrypted.Gen (AhnLab)

2. Technical Details:

 

a. The following files were created in the system:

No.  Filename                              Size
1    c:\bbotxxxxxx.exe\bbotxxxxxx.exe      152,064 bytes   [file and pathname of the sample #1]
2    c:\bbotxxxxxx.exe\cleansweepupd.exe   136,192 bytes
3    c:\bbotxxxxxx.exe\config.bin          12,184 bytes
  • The following directory was created:
    • c:\bbotxxxxxx.exe

b. Memory Modifications

  • There were new memory pages created in the address space of the system process(es):

    Process Name   Process Filename        Allocated Size
    lsass.exe      %System%\lsass.exe      286,720 bytes
    svchost.exe    %System%\svchost.exe    286,720 bytes
    alg.exe        %System%\alg.exe        286,720 bytes
  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

c. Registry Modifications

    • The newly created Registry Values are:
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        • ProxyHttp1.1 = 0x00000000
        • WarnOnPostRedirect = 0x00000000
        • WarnOnIntranet = 0x00000000
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        • 1409 = 0x00000003
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
        • 1409 = 0x00000003
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
        • 1409 = 0x00000003
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
        • 1409 = 0x00000003
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
        • 1409 = 0x00000003
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • bbotxxxxxx.exe = "C:\bbotxxxxxx.exe\bbotxxxxxx.exe"
          (so that bbotxxxxxx.exe runs every time Windows starts)

    • The following Registry Values were modified:
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        • WarnOnPost =
        • EnableHttp1_1 =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
        • 1406 =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
        • 1406 =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
        • 1406 =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
        • 1609 =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
        • 1406 =
        • 1609 =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
        • 1609 =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
        • 1406 =
        • 1609 =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
        • 1406 =
        • 1609 =

d. Other details

  • There were registered attempts to establish connection with the remote hosts. The connection details are:

    Remote Host       Port Number
    200.164.228.252   80
    194.247.12.39     443

  • The data identified by the following URLs was then requested from the remote web server:

    • http://www.galichina.zaporizhzhe.ua/maincp/gate.php?guid=UserName!COMPUTERNAME!00CD1A40&ver=10280&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=81&ccrc=642DA10E&md5=26777262638fd96a5bb8998800fcee0a
    • http://193.169.188.3/maincp/bin/gal.exe
    • http://www.galichina.zaporizhzhe.ua/maincp/gate.php?guid=UserName!COMPUTERNAME!00CD1A40&ver=10280&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=69&ccrc=642DA10E&md5=26777262638fd96a5bb8998800fcee0a
    • http://www.galichina.zaporizhzhe.ua/maincp/gate.php?guid=UserName!COMPUTERNAME!00CD1A40&ver=10280&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=63&ccrc=642DA10E&md5=26777262638fd96a5bb8998800fcee0a
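The check-in URLs above have a stable shape: a gate.php request whose guid is three "!"-separated fields (user name, computer name, hex id), with ver=, stat=ONLINE and an md5= field, followed by an executable fetched from the same /maincp/ path. The following PowerShell script is an added example, not part of the original report, that turns that shape into a proxy-log detection. The host names and IP addresses come from section 2d; the log lines and their "timestamp client method url" layout are constructed for the example, and the function name is my own.

```powershell
# Added example (not from the original report): flag proxy-log lines that match
# the beacon and download patterns seen in section 2d.

# Constructed sample log in an assumed "timestamp client method url" layout.
$SampleLog = @'
2024-01-01T10:00:01Z 10.0.0.15 GET http://www.galichina.zaporizhzhe.ua/maincp/gate.php?guid=UserName!COMPUTERNAME!00CD1A40&ver=10280&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=81&ccrc=642DA10E&md5=26777262638fd96a5bb8998800fcee0a
2024-01-01T10:00:05Z 10.0.0.15 GET http://193.169.188.3/maincp/bin/gal.exe
2024-01-01T10:00:09Z 10.0.0.22 GET http://www.example.com/index.html
2024-01-01T10:01:01Z 10.0.0.15 GET http://www.galichina.zaporizhzhe.ua/maincp/gate.php?guid=UserName!COMPUTERNAME!00CD1A40&ver=10280&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=69&ccrc=642DA10E&md5=26777262638fd96a5bb8998800fcee0a
'@

# Indicators taken from the report (URL hosts and the two raw connection targets).
$KnownHosts = @('www.galichina.zaporizhzhe.ua', '193.169.188.3', '200.164.228.252', '194.247.12.39')

# Behavioural pattern: gate.php check-in with a user!computer!hexid guid,
# stat=ONLINE and a 32-hex-digit md5 field. This survives a change of host.
$BeaconRegex   = '/maincp/gate\.php\?guid=[^!&]+![^!&]+![0-9A-Fa-f]+&.*?\bstat=ONLINE\b.*?\bmd5=[0-9a-f]{32}'
# Second-stage executable fetched from the same control path.
$DownloadRegex = '/maincp/bin/[^/?\s]+\.exe$'

function Test-BeaconLogLine {
    param([Parameter(Mandatory)][string]$Line)
    $fields = $Line -split '\s+', 4
    if ($fields.Count -lt 4) { return $null }
    $url = $fields[3]
    $uri = [System.Uri]$url
    $reasons = @()
    if ($KnownHosts -contains $uri.Host) { $reasons += "known C2 host $($uri.Host)" }
    if ($url -match $BeaconRegex)        { $reasons += 'gate.php beacon pattern' }
    if ($url -match $DownloadRegex)      { $reasons += 'maincp/bin executable download' }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{ Time = $fields[0]; Client = $fields[1]; Host = $uri.Host; Reasons = ($reasons -join '; ') }
}

# Run over the constructed sample; replace $SampleLog with Get-Content of a real log.
$hits = $SampleLog -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { Test-BeaconLogLine -Line $_ }
$hits | Format-Table -AutoSize
```

On the sample, three of the four lines are flagged and the example.com line is not. The two regexes matter more than the host list: the guid and md5 fields are what the client generates, so a new hosting domain for the same control panel still matches, whereas the host list only catches what the report already saw.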

     

3. How-to's

a. How to prevent Packed.Generic.307?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will block it and ensure your network and business security.

b. How to Remove Packed.Generic.307 Manually?

Step 1: Use Windows Task Manager to Remove Packed.Generic.307 Processes

cleansweepupd.exe

Step 2: Use Registry Editor to Remove Packed.Generic.307 Registry Values

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyHttp1.1 = 0x00000000
WarnOnPostRedirect = 0x00000000
WarnOnIntranet = 0x00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1409 = 0x00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1409 = 0x00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1409 = 0x00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1409 = 0x00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1409 = 0x00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
bbotxxxxxx.exe = "C:\bbotxxxxxx.exe\bbotxxxxxx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
WarnOnPost =
EnableHttp1_1 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
1406 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
1406 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
1406 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1406 =
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1406 =

Step 3: Detect and Delete Other Packed.Generic.307 Files

c:\bbotxxxxxx.exe\bbotxxxxxx.exe
[file and pathname of the sample #1]
c:\bbotxxxxxx.exe\cleansweepupd.exe
c:\bbotxxxxxx.exe\config.bin
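The three manual steps above, together with the file, Run-key and Internet Settings indicators of sections 2a to 2c, can be carried out as one audited script rather than by hand in Task Manager and Regedit. The PowerShell below is an added example, not part of the original report or of the Sax2 product: it reports every indicator it finds and only removes them when run with -Remove. Because "bbotxxxxxx" is the report's placeholder for a randomised name, the dropped directory is matched by the pattern C:\bbot*.exe, which is an assumption; the function names are my own. The values the report lists as modified without giving their new data are reported for review but never deleted.

```powershell
# Added example, not part of the original report: audit a Windows host for the
# indicators in sections 2a-2c and, with -Remove, carry out the cleanup of
# section 3b. Audit only by default; run from an elevated PowerShell prompt.
# 'bbotxxxxxx' is the report's placeholder for a randomised name, so the dropped
# directory is matched by the pattern C:\bbot*.exe (assumption).
[CmdletBinding()]
param([switch]$Remove)

$IS  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Values the sample created, with the data it wrote (section 2c). In the Zones
# keys, 1409 is the IE cross-site scripting filter URL action; data 3 = Disable.
$CreatedValues = @(
    @{ Path = $IS; Name = 'ProxyHttp1.1';       Expected = 0 }
    @{ Path = $IS; Name = 'WarnOnPostRedirect'; Expected = 0 }
    @{ Path = $IS; Name = 'WarnOnIntranet';     Expected = 0 }
)
foreach ($z in 0..4) { $CreatedValues += @{ Path = "$IS\Zones\$z"; Name = '1409'; Expected = 3 } }

# Values the sample modified; the report does not give the new data, so these
# are only listed for review and never deleted by this script.
$ModifiedValues = @(
    @{ Path = $IS; Name = 'WarnOnPost' }
    @{ Path = $IS; Name = 'EnableHttp1_1' }
)
foreach ($z in 1, 3, 4) { $ModifiedValues += @{ Path = "$IS\Lockdown_Zones\$z"; Name = '1406' } }
foreach ($z in 1, 3, 4) { $ModifiedValues += @{ Path = "$IS\Zones\$z"; Name = '1406' } }
foreach ($z in 0..4)    { $ModifiedValues += @{ Path = "$IS\Zones\$z"; Name = '1609' } }

function Find-Indicators {
    $hits = @()
    # Run-key persistence: any value whose data points into a C:\bbot*.exe directory.
    $runItem = Get-ItemProperty -Path $Run -ErrorAction SilentlyContinue
    if ($runItem) {
        foreach ($p in $runItem.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match '(?i)^"?C:\\bbot[^\\"]*\.exe\\') {
                $hits += [pscustomobject]@{ Kind = 'RunKey'; Where = $Run; What = $p.Name; Data = $p.Value }
            }
        }
    }
    # Dropped directory and the files inside it (section 2a).
    foreach ($dir in Get-ChildItem -Path 'C:\' -Directory -Filter 'bbot*.exe' -Force -ErrorAction SilentlyContinue) {
        $inside = (Get-ChildItem -Path $dir.FullName -Force -ErrorAction SilentlyContinue).Name -join ', '
        $hits += [pscustomobject]@{ Kind = 'Directory'; Where = $dir.FullName; What = ''; Data = $inside }
    }
    # Running component named in section 3b, step 1.
    foreach ($proc in Get-Process -Name 'cleansweepupd' -ErrorAction SilentlyContinue) {
        $hits += [pscustomobject]@{ Kind = 'Process'; Where = $proc.Path; What = $proc.Id; Data = '' }
    }
    # Internet Settings values holding exactly the data the sample wrote.
    foreach ($v in $CreatedValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($v.Name) -eq $v.Expected) {
            $hits += [pscustomobject]@{ Kind = 'Registry'; Where = $v.Path; What = $v.Name; Data = $item.($v.Name) }
        }
    }
    # Modified values: current data shown so the operator can compare it with the zone defaults.
    foreach ($v in $ModifiedValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($item) {
            $hits += [pscustomobject]@{ Kind = 'ReviewOnly'; Where = $v.Path; What = $v.Name; Data = $item.($v.Name) }
        }
    }
    $hits
}

function Remove-Indicators {
    param([object[]]$Hits)
    # Order matters: stop the process first so the directory can be deleted afterwards.
    foreach ($h in $Hits | Where-Object Kind -eq 'Process')   { Stop-Process -Id $h.What -Force }
    foreach ($h in $Hits | Where-Object Kind -eq 'RunKey')    { Remove-ItemProperty -Path $h.Where -Name $h.What }
    foreach ($h in $Hits | Where-Object Kind -eq 'Registry')  { Remove-ItemProperty -Path $h.Where -Name $h.What }
    foreach ($h in $Hits | Where-Object Kind -eq 'Directory') { Remove-Item -Path $h.Where -Recurse -Force }
}

$found = @(Find-Indicators)
if ($found.Count -eq 0) { Write-Host 'No Packed.Generic.307 indicators found.'; return }
$found | Format-Table -AutoSize
if ($Remove) { Remove-Indicators -Hits $found }
```

Save it as, for example, Audit-Packed307.ps1, run it once without arguments to see what it finds, then with -Remove to apply the cleanup. Because section 2b shows memory pages injected into lsass.exe, svchost.exe and alg.exe, deleting the files and registry values does not evict code already running in those processes; reboot after the cleanup and run the audit again to confirm nothing was recreated.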
     

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan for spyware on your machine. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm