How to Prevent and Remove the Packed.Win32.Black.a


 

1. What is the Packed.Win32.Black.a

Packed.Win32.Black.a is a harmful backdoor Trojan that stealthily remains undetected on an infected computer or network. Packed.Win32.Black.a spreads via computer vulnerabilities or contaminated email attachments. Packed.Win32.Black.a is often packed with a dangerous rogue anti-spyware application that produces excessive pop-ups and false virus alert messages. Packed.Win32.Black.a also changes the settings of windows for the active desktop to show malicious web content. Packed.Win32.Black.a is usually installed in conjunction with a rogue anti-spyware application and should be removed immediately once detected.

 

2. Technical Details

 

a. The following files were created in the system:

 

No.  Filename              Size
1    %Windir%\wuaucpl.exe  415,232 bytes
  • Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

  • There was a new process created in the system:
Process Name  Process Filename      Main Module Size
wuaucpl.exe   %Windir%\wuaucpl.exe  3,268,608 bytes
  • There was a new service created in the system:

Service Name   Display Name   Status     Service Filename
Local Service  Local Service  "Running"  "%Windir%\wuaucpl.exe"
  • The following system services were modified:

Service Name    Display Name                                        New Status  Service Filename
ALG             Application Layer Gateway Service                   "Stopped"   %System%\alg.exe
RemoteRegistry  Remote Registry                                     "Stopped"   %System%\svchost.exe -k LocalService
SharedAccess    Windows Firewall/Internet Connection Sharing (ICS)  "Stopped"   %System%\svchost.exe -k netsvcs
wscsvc          Security Center                                     "Stopped"   %System%\svchost.exe -k netsvcs
  • Notes:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Enum
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Security
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Enum
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
        • ITime = "10/24/2010, 01:09 AM"
        • RuP = 0x0001DCAF
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
        • DoNotAllowXPSP2 = 0x00000001
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
        • SFCDisable = 0xFFFFFF9D
        • SFCScan = 0x00000000
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
        • EnableFirewall = 0x00000000
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
        • EnableFirewall = 0x00000000
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
        • WaitToKillServiceT = "5000"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control]
        • *NewlyCreated* = 0x00000000
        • ActiveService = "Local Service"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000]
        • Service = "Local Service"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "Local Service"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Enum]
        • 0 = "Root\LEGACY_LOCAL_SERVICE\0000"
        • Count = 0x00000001
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service]
        • Type = 0x00000110
        • Start = 0x00000002
        • ErrorControl = 0x00000000
        • ImagePath = ""%Windir%\wuaucpl.exe""
        • DisplayName = "Local Service"
        • ObjectName = "LocalSystem"
        • FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
        • Description = "Enables service messages issued by Windows-based programs and components. This service cannot be stopped."
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
        • WaitToKillServiceT = "5000"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control]
        • *NewlyCreated* = 0x00000000
        • ActiveService = "Local Service"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000]
        • Service = "Local Service"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "Local Service"
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Enum]
        • 0 = "Root\LEGACY_LOCAL_SERVICE\0000"
        • Count = 0x00000001
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Security]
        • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service]
        • Type = 0x00000110
        • Start = 0x00000002
        • ErrorControl = 0x00000000
        • ImagePath = ""%Windir%\wuaucpl.exe""
        • DisplayName = "Local Service"
        • ObjectName = "LocalSystem"
        • FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
        • Description = "Enables service messages issued by Windows-based programs and components. This service cannot be stopped."
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        • ProxyEnable = 0x00000000
    • The following Registry Values were modified:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
        • EnableDCOM =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
        • AntiVirusOverride =
        • FirewallOverride =
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
        • restrictanonymous =
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
        • (Default) =
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
        • restrictanonymous =
      • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
        • (Default) =
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
        • Cookies =
        • History =

    d. Other details

    • The following ports were open in the system:

    Port   Protocol  Process
    1055   TCP       wuaucpl.exe (%Windir%\wuaucpl.exe)
    17572  TCP       wuaucpl.exe (%Windir%\wuaucpl.exe)
    • An attempt to establish a connection with a remote host was registered. The connection details are:

    Remote Host    Port Number
    75.118.123.95  8080
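    The indicators in sections 2a to 2d can be checked on a live host with a single script. The following is an added example, not part of the original page and not Sax2 code: it uses only built-in cmdlets and netstat, the function name Find-BlackIndicators and the output format are this example's own choices, and it must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original page): audit a Windows host for the
# Packed.Win32.Black.a indicators listed in section 2. Run elevated.
function Find-BlackIndicators {
    $findings = New-Object System.Collections.Generic.List[string]
    $dropped  = Join-Path $env:WINDIR 'wuaucpl.exe'   # %Windir%\wuaucpl.exe

    # 2a. Dropped file (415,232 bytes in the report; a repacked sample may differ)
    if (Test-Path -LiteralPath $dropped) {
        $f = Get-Item -LiteralPath $dropped
        $findings.Add("FILE     $($f.FullName) ($($f.Length) bytes)")
    }

    # 2b. Running process, and the 'Local Service' service that launches it
    Get-Process -Name wuaucpl -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("PROCESS  PID $($_.Id) $($_.Path)")
    }
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -eq 'Local Service' -or $_.PathName -like '*wuaucpl.exe*' } |
        ForEach-Object {
            $findings.Add("SERVICE  '$($_.Name)' state=$($_.State) path=$($_.PathName) account=$($_.StartName)")
        }

    # 2b. Defensive services the trojan stops
    foreach ($svc in 'SharedAccess', 'wscsvc', 'ALG', 'RemoteRegistry') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') {
            $findings.Add("STOPPED  $svc ($($s.DisplayName)) status=$($s.Status)")
        }
    }

    # 2c. Policy values the trojan writes (expected content as on the page) and
    #     values it modifies whose new content the page does not give.
    $regChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile';    Name = 'EnableFirewall';    Expect = '0x00000000' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';      Name = 'EnableFirewall';    Expect = '0x00000000' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'; Name = 'SFCDisable';        Expect = '0xFFFFFF9D' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'; Name = 'SFCScan';           Expect = '0x00000000' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';              Name = 'DoNotAllowXPSP2';   Expect = '0x00000001' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                             Name = 'AntiVirusOverride'; Expect = '(modified, value not given)' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                             Name = 'FirewallOverride';  Expect = '(modified, value not given)' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                                         Name = 'EnableDCOM';        Expect = '(modified, value not given)' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'restrictanonymous'; Expect = '(modified, value not given)' }
    )
    foreach ($c in $regChecks) {
        $p = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        $v = $p.($c.Name)
        # REG_DWORD comes back as Int32, so 0xFFFFFF9D reads as -99; print it as hex
        $shown = if ($v -is [int]) { '0x{0:X8}' -f $v } else { "$v" }
        $findings.Add("REGISTRY $($c.Path)\$($c.Name) = $shown (report: $($c.Expect))")
    }

    # 2d. Listeners on 1055/17572 and any connection to 75.118.123.95:8080
    foreach ($line in (netstat -ano)) {
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -lt 5 -or $cols[0] -ne 'TCP') { continue }
        $lport = ($cols[1] -split ':')[-1]          # works for [::]:1055 as well
        if (($cols[3] -eq 'LISTENING') -and ($lport -in '1055', '17572')) {
            $findings.Add("LISTEN   $($cols[1]) PID $($cols[4])")
        }
        if ($cols[2] -eq '75.118.123.95:8080') {
            $findings.Add("CONNECT  $($cols[1]) -> $($cols[2]) $($cols[3]) PID $($cols[4])")
        }
    }
    return $findings
}

$result = @(Find-BlackIndicators)
if ($result.Count -eq 0) { 'No Packed.Win32.Black.a indicators found.' } else { $result }
```

    The registry checks report the current content rather than matching a fixed value, because the Policies keys can legitimately exist on a domain-managed host; compare what is printed against the values listed in section 2c. A single hit on the service or the dropped file is enough to treat the machine as infected; a stopped Security Center or firewall service on its own is only a hint.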

     

    3. How-to's

    a. How to prevent the Packed.Win32.Black.a?

    Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and protect your network and business.

    b. How to Remove the Packed.Win32.Black.a Manually?

    Step 1: Stop the following Packed.Win32.Black.a process
    %Windir%\wuaucpl.exe

    Step 2: Remove the following Packed.Win32.Black.a registry values
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
    ITime = "10/24/2010, 01:09 AM"
    RuP = 0x0001DCAF
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    DoNotAllowXPSP2 = 0x00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
    SFCDisable = 0xFFFFFF9D
    SFCScan = 0x00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
    EnableFirewall = 0x00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
    EnableFirewall = 0x00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
    WaitToKillServiceT = "5000"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control]
    *NewlyCreated* = 0x00000000
    ActiveService = "Local Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000]
    Service = "Local Service"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "Local Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE]
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Enum]
    0 = "Root\LEGACY_LOCAL_SERVICE\0000"
    Count = 0x00000001
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Security]
    Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service]
    Type = 0x00000110
    Start = 0x00000002
    ErrorControl = 0x00000000
    ImagePath = ""%Windir%\wuaucpl.exe""
    DisplayName = "Local Service"
    ObjectName = "LocalSystem"
    FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
    Description = "Enables service messages issued by Windows-based programs and components. This service cannot be stopped."
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
    WaitToKillServiceT = "5000"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control]
    *NewlyCreated* = 0x00000000
    ActiveService = "Local Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000]
    Service = "Local Service"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "Local Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE]
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Enum]
    0 = "Root\LEGACY_LOCAL_SERVICE\0000"
    Count = 0x00000001
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Security]
    Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service]
    Type = 0x00000110
    Start = 0x00000002
    ErrorControl = 0x00000000
    ImagePath = ""%Windir%\wuaucpl.exe""
    DisplayName = "Local Service"
    ObjectName = "LocalSystem"
    FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
    Description = "Enables service messages issued by Windows-based programs and components. This service cannot be stopped."
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    ProxyEnable = 0x00000000

    Step 3: Locate and delete the following Packed.Win32.Black.a file

    %Windir%\wuaucpl.exe
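    The three steps above as one script, added here as an example and not part of the original page. It assumes an elevated PowerShell session. Deleting the service with sc.exe, resetting the Security Center overrides to 0 and restarting the firewall and Security Center services are this example's additions based on the Windows defaults; the page lists only what the trojan wrote, not the original values.

```powershell
# Added example (not from the original page): removal steps 1-3 as a script.
# Run from an elevated PowerShell session.
$dropped = Join-Path $env:WINDIR 'wuaucpl.exe'   # %Windir%\wuaucpl.exe

# Step 1: stop the process, then remove the 'Local Service' service that would
# relaunch it at boot (sc delete also removes ...\Services\Local Service).
Stop-Process -Name wuaucpl -Force -ErrorAction SilentlyContinue
sc.exe stop   'Local Service' | Out-Null
sc.exe delete 'Local Service' | Out-Null

# Step 2: delete the values the trojan wrote. Only the values are removed; the
# parent keys (Shell Extensions, the Policies keys) are standard locations.
$added = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions';     Names = @('ITime', 'RuP') },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';              Names = @('DoNotAllowXPSP2') },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'; Names = @('SFCDisable', 'SFCScan') },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile';    Names = @('EnableFirewall') },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';      Names = @('EnableFirewall') }
)
foreach ($entry in $added) {
    if (-not (Test-Path -LiteralPath $entry.Path)) { continue }
    foreach ($name in $entry.Names) {
        Remove-ItemProperty -LiteralPath $entry.Path -Name $name -ErrorAction SilentlyContinue
    }
}
# WaitToKillServiceT[imeout] = "5000" and ProxyEnable = 0 match the Windows
# defaults and are left alone; the LEGACY_LOCAL_SERVICE Enum entries belong to
# the deleted service and are handled separately (see the note below).

# Step 3: delete the dropped file
Remove-Item -LiteralPath $dropped -Force -ErrorAction SilentlyContinue

# Undo the collateral damage (assumed defaults, not stated on the page):
# Security Center overrides back to 0, firewall and Security Center services
# back on. ALG and RemoteRegistry are manual/optional and are not restarted here.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
if (Test-Path -LiteralPath $sc) {
    Set-ItemProperty -LiteralPath $sc -Name AntiVirusOverride -Value 0 -Type DWord
    Set-ItemProperty -LiteralPath $sc -Name FirewallOverride  -Value 0 -Type DWord
}
foreach ($svc in 'SharedAccess', 'wscsvc') {
    Set-Service   -Name $svc -StartupType Automatic
    Start-Service -Name $svc -ErrorAction SilentlyContinue
}
```

    Reboot after running the script and re-check that the file and service are gone. The HKLM\SYSTEM\...\Enum\Root\LEGACY_LOCAL_SERVICE entries carry restrictive permissions and cannot be deleted by Administrators without first taking ownership; Windows normally clears them once the service has been deleted and the machine rebooted, which is why the script leaves them alone. The EnableDCOM and restrictanonymous values are listed as modified but their new content is not given, so they must be compared against a known-good system by hand.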

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

    4. Appendix

    For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
