Trojan-Dropper.Win32.Pincher.amk


1. What is Trojan-Dropper.Win32.Pincher.amk?

Trojan-Dropper.Win32.Pincher.amk is a malicious dropper that uses deceptive techniques to download further malware from the Internet. It opens holes in the firewall and collects confidential information such as personal financial data. It also downloads additional components before the attackers obtain remote access to the infected PC. Trojan-Dropper.Win32.Pincher.amk is an identified security risk, and you should remove it as soon as you detect it.

 

2. Technical Details

 

a. The following files were created in the system:

No.  Filename                               Size
1    %Temp%\464176326.exe                   21,632 bytes
2    %Temp%\avp.exe                         21,636 bytes
     %Temp%\hexdump.exe
     %Temp%\iexplarer.exe
     %Temp%\spoolsv.exe
     %Temp%\svchost.exe
     %Windir%\csrss.exe
     %Windir%\drweb.exe
     %Windir%\spoolsv.exe
     %Windir%\taskmgr.exe
     %Windir%\user.exe
3    %Temp%\hse87ejdjfhiw3dfdfd.tmp         12 bytes
4    %Temp%\iexplorer.exe                   2,112 bytes
5    %Temp%\yawghd72y7huhd.tmp              4 bytes
6    [file and pathname of the sample #1]   30,000 bytes
  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

  • There were new processes created in the system:

Process Name             Process Filename                   Main Module Size
[generic host process]   [generic host process filename]    20,480 bytes
avp.exe                  %Temp%\avp.exe                     208,896 bytes
spoolsv.exe              %Temp%\spoolsv.exe                 208,896 bytes
hexdump.exe              %Temp%\hexdump.exe                 208,896 bytes
svchost.exe              %Temp%\svchost.exe                 208,896 bytes
user.exe                 %Windir%\user.exe                  208,896 bytes
iexplorer.exe            %Temp%\iexplorer.exe               53,248 bytes
drweb.exe                %Windir%\drweb.exe                 208,896 bytes
spoolsv.exe              %Windir%\spoolsv.exe               208,896 bytes
iexplarer.exe            %Temp%\iexplarer.exe               208,896 bytes
csrss.exe                %Windir%\csrss.exe                 208,896 bytes
taskmgr.exe              %Windir%\taskmgr.exe               208,896 bytes
  • Notes:
    • [generic host process filename] is a full path filename of [generic host process].
  • The following modules were loaded into the address space of other process(es):

Module Name                   Module Filename                        Address Space Details
[filename of the sample #1]   [file and pathname of the sample #1]   Process name: [generic host process]
                                                                     Process filename: [generic host process filename]
                                                                     Address space: 0x10000000 - 0x1001B000
[filename of the sample #1]   [file and pathname of the sample #1]   Process name: [generic host process]
                                                                     Process filename: [generic host process filename]
                                                                     Address space: 0x10000000 - 0x1001B000
[filename of the sample #1]   [file and pathname of the sample #1]   Process name: IEXPLORE.EXE
                                                                     Process filename: %ProgramFiles%\internet explorer\iexplore.exe
                                                                     Address space: 0x10000000 - 0x1001B000
  • Notes:
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6BA40A1-A502-59BD-F413-04B03A2C8953}
      • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6BA40A1-A502-59BD-F413-04B03A2C8953}\InProcServer32
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D6BA40A1-A502-59BD-F413-04B03A2C8953}
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • The following Registry Key was deleted:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6BA40A1-A502-59BD-F413-04B03A2C8953}\InProcServer32]
        • (Default) = "[file and pathname of the sample #1]"
        • ThreadingModel = "Apartment"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6BA40A1-A502-59BD-F413-04B03A2C8953}]
        • (Default) = "[file and pathname of the sample #1]"
        • ThreadingModel = "Apartment"
      • [[pathname with a string SHARE]\SharedTaskScheduler]
        • {D6BA40A1-A502-59BD-F413-04B03A2C8953} = "iskjsfuwajiduhf87sfydudhnf"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • HNUngOXRme = "%Temp%\avp.exe"
        • HNUngOXRruf = "%Temp%\spoolsv.exe"
        • HNUngOXRotc = "%Temp%\hexdump.exe"
        • HNUngOXRrse = "%Temp%\svchost.exe"
        • MKee = "%Windir%\user.exe"
        • XtuUbstpmnbsqotc = "%Temp%\hexdump.exe"
        • XtuUbstpmnbsqruf = "%Temp%\spoolsv.exe"
        • XtuUbstpmnbsqme = "%Temp%\avp.exe"
        • MKeuf = "%Windir%\spoolsv.exe"
        • MKasc = "%Windir%\drweb.exe"
        • MKayc = "%Windir%\csrss.exe"
        • HNUngOXRouqc = "%Temp%\iexplarer.exe"
        • MKerb = "%Windir%\taskmgr.exe"

        so that avp.exe, spoolsv.exe, hexdump.exe, svchost.exe, user.exe, drweb.exe, csrss.exe, iexplarer.exe and taskmgr.exe run every time Windows starts
         
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
        • DisableSR = 0x00000001

        to disable the System Restore tools on the Start menu
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
        • PopupMgr = "yes"
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
        • NoFolderOptions = 0x00000001

        to remove the Folder Options item from all Windows Explorer menus and from Control Panel
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
        • DisableRegistryTools = 0x00000001

        to disable the Windows registry editors (Regedt32.exe and Regedit.exe)
         
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • HNUngOXRme = "%Temp%\avp.exe"
        • HNUngOXRruf = "%Temp%\spoolsv.exe"
        • HNUngOXRotc = "%Temp%\hexdump.exe"
        • HNUngOXRrse = "%Temp%\svchost.exe"
        • MKee = "%Windir%\user.exe"
        • XtuUbstpmnbsqotc = "%Temp%\hexdump.exe"
        • XtuUbstpmnbsqruf = "%Temp%\spoolsv.exe"
        • XtuUbstpmnbsqme = "%Temp%\avp.exe"
        • MKeuf = "%Windir%\spoolsv.exe"
        • MKasc = "%Windir%\drweb.exe"
        • MKayc = "%Windir%\csrss.exe"
        • HNUngOXRouqc = "%Temp%\iexplarer.exe"
        • MKerb = "%Windir%\taskmgr.exe"

        so that avp.exe, spoolsv.exe, hexdump.exe, svchost.exe, user.exe, drweb.exe, csrss.exe, iexplarer.exe and taskmgr.exe run every time Windows starts

d. Other details

    • There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host        Port Number
207.7.158.57       80
208.94.233.34      80
64.211.162.73      80
64.211.162.75      80
66.197.216.104     80
66.246.72.42       80
67.207.71.246      80
75.101.162.246     80
85.17.239.44       80
94.75.233.241      80
    • The data identified by the following URLs was then requested from the remote web server:
      • http://www.searchnext.com/click.php?query=keyword&adgroupid=sn-4b756d04d33b9&source=nb&param1=0ad78846634f3759821a1456cf6f9069
      • http://www.dotellall.com/results.php?query=keyword&did=sn-4b756d04d33b9&ds=nb&param1=0ad78846634f3759821a1456cf6f9069&sn_uuid=671cb7fd-976d-4639-b4d9-4bee300b255c
      • http://www.dotellall.com/includes/css/style.css
      • http://www.dotellall.com/includes/css/jquery.thickbox.css
      • http://www.dotellall.com/includes/css/jquery.theme.css
      • http://www.dotellall.com/includes/js/jquery.js
      • http://www.dotellall.com/includes/css/ie.css
      • http://www.dotellall.com/includes/js/jquery.ui.js
      • http://www.dotellall.com/includes/js/jquery.thickbox.js
      • http://www.dotellall.com/includes/js/results.js
      • http://www.dotellall.com/images/logo-dotellall-ie6.png
      • http://www.dotellall.com/images/bt-go.gif
      • http://www.dotellall.com/images/arrow.gif
      • http://www.dotellall.com/images/homebody-bg.gif
      • http://www.dotellall.com/click/ping.php?r=1287534444&phpsessionid=iin5tt96fd9ht6610tal32f976&ww=1030&wh=1000&sw=640&sh=480&scd=32&hl=3&tz=7&np=Win32&nl=en-us
      • http://www.dotellall.com/images/loadingAnimation.gif
      • http://wellconserved.com/search/images/ct_bg.gif
      • http://wellconserved.com/search/images/hd.jpg
      • http://wellconserved.com/search/index.php?said=dm&q=john+derosa
      • http://wellconserved.com/search/images/img3.gif
      • http://wellconserved.com/search/style.css
      • http://wellconserved.com/search/images/bg.gif
      • http://searchtu.com/search/index.php?said=dm&q=anvil+lopper
      • http://searchtu.com/style.css
      • http://searchtu.com/img/bg_main.jpg
      • http://wellconserved.com/search/index.php?said=dm&q=information+on+buying+a+house
      • http://www.myonlypage.com/search.php?sid=3152-B65F4A24&k=john+derosa&cp=188
      • http://www.myonlypage.com/q.php?sid=MzE1Mi1CNjVGNEEyNA--&k=john+derosa&cp=MTg4
      • http://adcenter.kabazi.com/clickheat/js/clickheat.js
      • http://nupilo.com/rz/mn.php?ver=H1
      • http://acromd.com/dw/dw.php?id=1-1CB6FFE1B122E46&ver=d01

     

3. How-to's

a. How to prevent Trojan-Dropper.Win32.Pincher.amk?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and help ensure your network and business security.

b. How to remove Trojan-Dropper.Win32.Pincher.amk manually?

Step 1: Remove the registry entries hidden by Trojan-Dropper.Win32.Pincher.amk.
The following are registry entries that may have been modified by Trojan-Dropper.Win32.Pincher.amk:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Step 2: Remove all the files associated with Trojan-Dropper.Win32.Pincher.amk.
The following are folders where files related to Trojan-Dropper.Win32.Pincher.amk may be located:
C:\Windows\System32
C:\WINDOWS\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\[UserName]\Local Settings\Temp\
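The two manual steps above check the autorun keys and the drop folders by hand. The PowerShell script below is an added example, not part of this report and not Ax3soft's Sax2 code; it performs the same checks read-only, using the file names from section 2a, the policy values from section 2c and the keys from Step 1, and leaves any removal to the analyst. It assumes Windows PowerShell 4.0 or later (for Get-FileHash and Get-AuthenticodeSignature) and is run in the profile of the affected user; %Temp% is resolved through $env:TEMP, so a value written with a different spelling of the same folder would not match.

```powershell
# Added example; not part of this report or of Ax3soft's Sax2.
# Read-only audit of the indicators listed in sections 2a and 2c: it reports
# matches and leaves removal to the analyst. Assumes Windows PowerShell 4.0+
# (Get-FileHash, Get-AuthenticodeSignature), run as the affected user.

# Autorun keys from Step 1, plus the HKCU Run key the report shows being written.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# File names from section 2a. Several imitate genuine Windows binaries
# (svchost.exe, csrss.exe, spoolsv.exe, taskmgr.exe) that live in System32,
# so the folder is the signal: the report places the copies in %Temp% and
# directly in %Windir%. System32 is deliberately not name-matched here.
$reportedNames = @('464176326.exe', 'avp.exe', 'hexdump.exe', 'iexplarer.exe',
                   'iexplorer.exe', 'spoolsv.exe', 'svchost.exe', 'csrss.exe',
                   'drweb.exe', 'taskmgr.exe', 'user.exe')
$dropFolders = @($env:TEMP, $env:WINDIR)

# Policy values from section 2c that the dropper sets to 1 to hinder cleanup.
$policyChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)

$findings = @()

# 1. Autorun values whose target is a reported file name inside a drop folder.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        $target = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        $target = $target -replace '(?i)(\.exe)\b.*$', '$1'   # drop any command-line arguments
        if ([string]::IsNullOrWhiteSpace($target)) { continue }
        $leaf = Split-Path -Path $target -Leaf
        $dir  = Split-Path -Path $target -Parent
        if (($reportedNames -contains $leaf) -and ($dropFolders -contains $dir)) {
            $findings += [pscustomobject]@{
                Type = 'Autorun'; Location = "$key\$($p.Name)"; Detail = $target
            }
        }
    }
}

# 2. Reported file names present on disk in the drop folders. The SHA-256 lets
#    the analyst compare against other sources; the Authenticode status is one
#    more clue, since a file posing as a Windows binary should carry a valid
#    signature and these copies would not.
foreach ($folder in $dropFolders) {
    foreach ($name in $reportedNames) {
        $path = Join-Path -Path $folder -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $path; Detail = "sha256=$sha signature=$sig"
            }
        }
    }
}

# 3. Policy values that block System Restore, Folder Options and the registry editors.
foreach ($c in $policyChecks) {
    if (-not (Test-Path -Path $c.Key)) { continue }
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) {
        $findings += [pscustomobject]@{
            Type = 'Policy'; Location = "$($c.Key)\$($c.Name)"; Detail = "set to $v"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report were found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt only if you also want to read the HKLM policy key on a locked-down system; the Run keys and the file checks need no elevation. A hit in the Autorun or File category corresponds directly to the entries in sections 2a and 2c and is what Steps 1 and 2 tell you to remove; a Policy hit explains why regedit or Folder Options may be unavailable while you do so.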

c. How to remove these trojans instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
