Removal tool for Win32.Genome.aocx (outlook.exe, brazilian.exe, sysinternals.exe) Trojan-Downloader

Sample Submitted By diego

Severity Level : 9/10

Alias:

• Sus/Behav-1021 [Sophos]
• Artemis!0EA8741DD074 [McAfee]
• Trojan-Downloader.Win32.Genome.aocx [Kaspersky Lab]
• VirTool:Win32/VBInject.CB [Microsoft]

comprovanteEmail_Html.com VirusTotal Report : (Click Here)

File System Modifications

The following files were created in the system:

• %systemdrive%\driver.bat
  
• %systemroot%\ didulist
• %systemroot%\netconf\ brazilian.exe
• %systemroot%\netconf\ outlook.exe
• %systemroot%\netconf\ sysinternals.exe
• %systemroot%\netconf\ windriver.dll
• %systemroot%\netconf\ windriver.log
• %system%\init.ini
• %system%\nymdchtq.ttt
• %system%\nymdchtq2.ttt
• %system%\ofcb.dll
• %system%\regperm.exe
• %system%\windriver.exe
• %system%\drivers\dfawbr.sys

Note:

• %system% is a variable that refers to the System folder. By default, this is “C:\Windows\System” (Windows 95/98/Me), “C:\Winnt\System32″ (Windows NT/2000), or “C:\Windows\System32″ (Windows XP).
• ? = Random file name.

Memory Modifications

There were new processes created in the system:

Registry Modifications

The newly created or modified Registry Value is:

[HKEY_CLASSES_ROOT\.key]

[HKEY_CLASSES_ROOT\.key]
@=”regfile”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\pbzcebinagrRznvy_Ugzy.pbz”=hex:01,00,00,00,06,00,00,00,e0,02,49,a1,f0,c5,ca,01,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Serviço de Indexaçمo Windows”=”C:\\Windows\\System32\\windriver.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\Administrator\\Desktop\\comprovanteEmail_Html.com”=”comprovanteEmail_Html”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key]
@=”regfile”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
“EnableLUA”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“LoadAppInit_DLLs”=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“RequireSignedAppInit_DLLs”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“ImagePath”=hex(2):73,79,73,74,65,6d,33,32,5c,64,72,69,76,65,72,73,5c,64,66,61,77,62,72,2e,73,79,73,00,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“Start”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“Type”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“ErrorControl”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“zoppcan”=”\\??\\C:\\WINDOWS\\system32\\nymdchtq.ttt”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“upepf”=”C:\\WINDOWS”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“hwbh”=dword:0004c34d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“Group”=”tumygjsq”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykwf]
“laln”=hex(7):47,62,70,53,76,00,47,62,70,4b,6d,00,00,

[HKEY_USERS\S-1-5-21-790525478-789336058-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\pbzcebinagrRznvy_Ugzy.pbz”=hex:01,00,00,00,06,00,00,00,e0,02,49,a1,f0,c5,ca,01,

[HKEY_USERS\S-1-5-21-790525478-789336058-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Run]
“Serviço de Indexaçمo Windows”=”C:\\Windows\\System32\\windriver.exe”

[HKEY_USERS\S-1-5-21-790525478-789336058-1708537768-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\Administrator\\Desktop\\comprovanteEmail_Html.com”=”comprovanteEmail_Html”

Removal Tools :

Download Win32.Genome.aocx Trojan-Downloader removal tool that provided by VirusExperts.org  from Here.