Gen.Heur.MSIL.Krypt.2_83da69d3f8
Trojan.MSIL.Agent.eqw (Kaspersky), Gen:Heur.MSIL.Krypt.2 (B) (Emsisoft), Gen:Heur.MSIL.Krypt.2 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 83da69d3f8f03b6bfd3b329d0d2768a4
SHA1: 7996323522da63eaa2e68a26e29534967a844fd7
SHA256: fc27a43a37361b25403d09a5cb175dfa211f29ef61ee13d81e0c19daf7b1fb60
SSDeep: 49152:dMgIjOkXvsCauuraeHgoGLBcKm6umruWV355FXw/ 1uWV355FXw/ q4wCu 2GV3u:OJjpXvsCatrFHgF6Fm4
Size: 2439354 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Mindspark
Created at: 2009-10-02 18:40:19
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2712
BFile1.exe:264
The Trojan injects its code into the following process(es):
BFile2.exe:1480
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFile1.exe (17404 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFile2.exe (269798 bytes)
The process BFile1.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\svchost.exe (601 bytes)
Registry activity
The process %original file name%.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process BFile1.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\svchost.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| 2c0ca8417e19794a8eeba54c663cb7c6 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFile1.exe |
| a4972293885774abf36e7604f854aceb | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFile2.exe |
| 2c0ca8417e19794a8eeba54c663cb7c6 | c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: Stub.exe
Internal Name: Stub.exe
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 11300 | 11776 | 3.86383 | 39fb29d6d9a97c63c83b6f2302d1661d |
| .sdata | 24576 | 185 | 512 | 1.81301 | 570f8480dd76b2c0577dadf72f74b12c |
| .rsrc | 32768 | 2504 | 2560 | 2.76377 | b58e8de45b6ba7f229c7200cbce8a074 |
| .reloc | 40960 | 12 | 512 | 0.056519 | d5fca02368c7d43724a8bbb7baa21682 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
3e8007e02dd5b7fdc37e24ec2f2df216
URLs
| URL | IP |
|---|---|
| bn41.no-ip.info | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
`.rsrc
FtPQW
~.SSW
SPSSSSSSSh
PQSSh
u.jhh
hu2.iuiMiu
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
..\..\..\..\Common\application.cpp
c:\RB\Universal\StringMap.h
..\..\..\..\Common\array.cpp
..\..\..\..\Common\basicstr.cpp
ptr - out.CString() == totalLen
theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII
..\..\..\..\Common\BlowFish.cpp
ewcKeyDown
KeyDown
..\..\..\..\Common\Canvas.cpp
..\..\..\..\Common\CommonListbox.cpp
MinWidthExpression doesn't support the Asterisk ('*') format.MaxWidthExpression doesn't support the Asterisk ('*') format...\..\..\..\Common\commonruntime.cpp
trace.log
..\..\..\..\Common\CommonRunView.cpp
We weren't passed in a control, we got nil.
..\..\..\..\Universal\CommonWinFunctions.cpp
Operator_Convert
..\..\..\..\Common\ConsoleApplication.cpp
msvcrt.dll
..\..\..\..\Universal\DataFile.cpp
Operator_Compare
dateSQLDateTimeSetter
dateSQLDateTimeGetter
SQLDateTime
dateSQLDateSetter
dateSQLDateGetter
SQLDate
..\..\..\..\Common\DateCommon.cpp
..\..\..\..\Universal\DateImp\DateImpWin32.cpp
Password
SQLSelect
databaseSQLExecute
SQLExecute
sqlString
databaseSQLSelect
..\..\..\..\Common\dbInterface.cpp
00:00:00
00:00:00
Invalid operator
Quotes expected after LIKE operation
Only COUNT(*) supported
Unsupported SELECT function
Only single GROUP BY columns currently supported
Expecting 'KEY'
Dropping columns is not supported for this database
Dropping tables from this database is not currently supported.
..\..\..\..\Common\DebuggerConnection.cpp
0000000000000000
127.0.0.1
c:\RB\Compiler\SmartRef.h
..\..\..\..\Common\DebuggerSupport.cpp
00000000
The debug application cannot connect back to the REALbasic IDE. This is mostly likely due to a software firewall or packet filter not allowing localhost network traffic on ports 13897 or 60554. You should reconfigure your software firewall or packet filter to allow the debug application to connect to REALbasic.
DebuggerSupport.cpp
dictionaryHasKey
HasKey
2147483647
..\..\..\..\Common\Dictionary.cpp
dictionaryKeys
Keys
dictionaryKey
..\..\..\..\Common\DockItem.cpp
..\..\..\..\Common\DragItem.cpp
Could not lock the BITMAPINFO structure passsed to the DrawableBitmap constructor
..\..\..\..\Common\drawable.cpp
..\..\..\..\Common\fileTypes.cpp
..\..\..\..\Common\FolderItemDialog.cpp
Shell32.dll
FolderItemDialogInitializer
OpenDialogInitializer
SaveAsDialogInitializer
SelectFolderDialogInitializer
..\..\..\..\Universal\FolderItemImp\FolderItemImpVirtual.cpp
..\..\..\..\Universal\FolderItemImp\FolderItemImpWin32.cpp
Kernel32.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
in Windows
OpenAsPicture doesn't support format
in Windows.
SaveAsPicture doesn't support format
Gdiplus.dll
not other.IsVirtual()
SHFileOperationW
SHFileOperationA
%%.ß
%%.Þ
..\..\..\..\Common\Graphics.cpp
..\..\..\..\Common\GraphicsGDI.cpp
..\..\..\..\Common\GroupBox.cpp
..\..\..\..\Common\intrinsicClass.cpp
NULL == defn->initializer.toc
NULL == defn->finalizer.toc
OpenURLMovie
PortType
comparisonKey
OrdinalKey
StringJoin
Join
RuntimeCompleteParamScriptExecute
_CompleteParamScriptExecute
RuntimeScriptExecute
_ScriptExecute
getKeyboardObject
Keyboard
GlobalShowURL
ShowURL
getApplicationSupportFolder
ApplicationSupportFolder
VB_RuntimeMsgBox
RuntimeMsgBox
MsgBox
exportPicture
ExportPicture
getIndexedObjectDescriptor
GetIndexedObjectDescriptor
openURLMovie
..\..\..\..\Common\intrinsicFunction.cpp
keyboardKeyName
KeyName
keyboardAsyncKeyDown
AsyncKeyDown
KeyCode
AsyncAlternateMenuShortcutKey
AsyncMenuShortcutKey
AlternateMenuShortcutKey
MenuShortcutKey
AsyncAltKey
AsyncOptionKey
AsyncControlKey
AsyncOSKey
AsyncCommandKey
asyncModifierKeyGetter
AsyncShiftKey
AltKey
OptionKey
ControlKey
OSKey
CommandKey
modifierKeyGetter
ShiftKey
_Keyboard
..\..\..\..\Common\LineControl.cpp
Windows
Operator_AddRight
Operator_Add
' was not exported
..\..\..\..\Common\loaderX86.cpp
import.dat
code.dat
data.dat
rsrc.dat
options.dat
symbols.dat
MemoryBlockCompareOperator
MemoryBlockAddOperator
MemoryBlockFromStringOperator
MemoryBlockToStringOperator
..\..\..\..\Common\MemoryBlock.cpp
..\..\..\..\Universal\MemoryManager.cpp
c:\rb\universal\SimpleVector.h
..\..\..\..\Common\Menu.cpp
..\..\..\..\Common\menubar.cpp
KeyboardShortcut
RuntimeMenuItemCommandKeySetter
RuntimeMenuItemCommandKeyGetter
TaskDialogIndirect
..\..\..\..\Common\MessageDialog.cpp
MessageDialogInitializer
..\..\..\..\Common\mouseCursor.cpp
SensApi.dll
..\..\..\..\Common\NuListbox.cpp
..\..\..\..\Common\Object Model\ObjectDefinition.cpp
..\..\..\..\Common\Object Model\ObjectDefinitionConverter.cpp
propertyCtr < out->properties.count
..\..\..\..\Common\objects.cpp
KeyPress
KeyUp
LicenseKey
PassByref
Does not support a collection
Invalid/Unsupported OLE Parameter Type
ole32.dll
oleaut32.dll
OLEObjectOperatorNot
Operator_Not
Operator_OrRight
OLEObjectOperatorOr
Operator_Or
Operator_AndRight
OLEObjectOperatorAnd
Operator_And
OLEObjectOperatorNegate
Operator_Negate
OLEObjectOperatorModuloRight
Operator_ModuloRight
OLEObjectOperatorModulo
Operator_Modulo
OLEObjectOperatorIntegerDivideRight
Operator_IntegerDivideRight
OLEObjectOperatorIntegerDivide
Operator_IntegerDivide
OLEObjectOperatorDivideRight
Operator_DivideRight
OLEObjectOperatorDivide
Operator_Divide
OLEObjectOperatorMultiplyRight
Operator_MultiplyRight
OLEObjectOperatorMultiply
Operator_Multiply
OLEObjectOperatorSubtractRight
Operator_SubtractRight
OLEObjectOperatorSubtract
Operator_Subtract
OLEObjectOperatorAddRight
OLEObjectOperatorAdd
OLEObjectOperatorCompare
OLEObjectOperatorConvert
OLEObjectOperatorLookupSetterWithParameters
OLEObjectOperatorLookup
OLEObjectNoReturnOperatorLookup
Operator_Lookup
..\..\..\..\Common\ClassLib\pane.cpp
..\..\..\..\Common\pictutil.cpp
Export Image As:
Bitmap (*.bmp)
..\..\..\..\Common\Graphics2D\PixMapRotate.cpp
..\..\..\..\Common\plugin.cpp
iface.super
.Events.
pluginEntryTable.GetEntry( entrypointName, out )
RasApi32.dll
RasDlg.dll
..\..\..\..\Common\New Socket Code\PPPSocketWin.cpp
HKEY_LOCAL_MACHINE\Software\Apple Computer, Inc.\QuickTime
because an unsupported column type was used
because an unsupported type was used
..\..\..\..\Common\rbdbThumb.cpp
offset == keyLen
Insert failed: primary key violation
KeyChainItemAttributeSetter
KeyChainItemAttributeGetter
KeyChainItemDelete
KeyChainFindPassword
FindPassword
KeyChainAddPassword
AddPassword
KeyChainLock
KeyChainUnlock
KeyChainConstructor
KeyChain
KeyChainItem
KeyChainItemConstructor
KeyChainItemDestructor
..\..\..\..\Common\RBStyledText.cpp
..\..\..\..\Universal\REALstring.cpp
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
SHDeleteKeyA
RegistryItemKeyCountGetter
KeyCount
..\..\..\..\Common\Win32\RegistryAccessors.cpp
RegistryItemKeyTypeGetter
KeyType
HKEY_LOCAL_MACHINE\Software\Made With REALbasic\
REALGetDBPassword
RegisterPluginExports
systemSetKeyScript
systemGetKeyScript
editPasswordSetter
editPasswordGetter
eWindowStringPassThroughGetter
eWindowBoolPassThroughSetter
eWindowBoolPassThroughGetter
eWindowIntPassThroughGetter
listColumnPressHeader
pictureIndexedImage
systemGetKeyChainCount
systemSetDefaultKeyChain
systemGetDefaultKeyChain
aeTargetPortTypeGetter
SerialPortDestructor
ServerSocketPortSetter
ServerSocketPortGetter
UDPSocketPacketsLeftToSend
UDPSocketGetBroadcast
UDPSocketSetLoopback
UDPSocketRouterHops
UDPReadDatagram
UDPSocketWriteDatagram
UDPSocketWrite
SocketJoinMulticastGroup
RuntimeUDPSocketConstructor
RuntimeUDPSocketDestructor
TCPSocketBytesLeftToSend
TCPSocketFlush
TCPSocketEof
SocketPortSetter
SocketPortGetter
FileURLGetter
FolderItemImpMakeFileExecutable
collectionKeyRemove
getSerialPortCount
getSerialPortByPath
getSerialPort
..\..\..\..\Common\relocentry.cpp
..\..\..\..\Common\ResourceManagerCommon.cpp
Keyword
..\..\..\..\Common\runcmm.cpp
Key As String
..\..\..\..\Common\runctl.cpp
NULL == target->eventTable[ctr].vector
SQLQuery
kEncodingUTF8 == s1.Encoding()
..\..\..\..\Common\runEditControl.cpp
kEncodingUTF8 == s2.Encoding()
..\..\..\..\Common\runFileAccess.cpp
OthersExecute
GroupExecute
OwnerExecute
..\..\..\..\Common\runFolderItem.cpp
Passing non-absolute shell paths is not currently supported
The path passed into new FolderItem was invalid
URLPath
_MakeFileExecutable
..\..\..\..\Common\RunIPCSocket.cpp
..\..\..\..\Common\runListbox.cpp
sCondemnedRows.size() > 0
sCondemnedRows.peek_back() == p
c:\RB\Universal\SimpleVector.h
..\..\..\..\Common\runMedia.cpp
IndexedImage
..\..\..\..\Common\runPicture.cpp
key as String
..\..\..\..\Common\runprint.cpp
SerialPort
Port
..\..\..\..\Common\runSerial.cpp
KeyScript
SerialPortCount
..\..\..\..\Common\RunSystem.cpp
KeyChainCount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
AdvApi32.dll
ReportEventW
VVV.google.com
..\..\..\..\Common\RuntimeArrayFoundation.cpp
as the number of bits is not supported
..\..\..\..\Common\RuntimeDebug.cpp
Runtime Error %d: %s
Please report what caused this error
%s: %d
Failure Condition: %s
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp
NoOpenTransportException
KeyNotFoundException
UnsupportedFormatException
KeyChainException
row as Integer, column as Integer, key as String
CellKeyDown
..\..\..\..\Common\RuntimeListboxAccessors.cpp
PressHeader
..\..\..\..\Common\RuntimeMain.cpp
MsgPumpWaiter
..\..\..\..\Common\Object Model\RuntimeObjectFoundation.cpp
out->methods.count >= base->methods.count
out->events.count >= base->events.count
out->properties.count >= base->properties.count
..\..\..\..\Common\RunTimer.cpp
JoinMulticastGroup
TCPSocket
UDPSocket
..\..\..\..\Common\New Socket Code\RuntimeSocketAccessors.cpp
..\..\..\..\Common\RuntimeStringFoundation.cpp
..\..\..\..\Common\ClassLib\RuntimeThread.cpp
Called Semaphore.Release too many times.
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp
..\..\..\..\Common\Graphics2D\ShapePlotter.cpp
points.size() == 4
..\..\..\..\Common\Graphics2D\Shapes2D.cpp
wsock32.dll
ws2_32.dll
AcceleratorKey
..\..\..\..\Common\StaticText.cpp
c:\rb\universal\StringMap.h
..\..\..\..\Universal\StringUtils.cpp
..\..\..\..\Common\StyledTextBaseImp.cpp
..\..\..\..\Common\SubPane.cpp
..\..\..\..\Common\New Socket Code\TCPSocket.cpp
Made a new TCPSocketPosix
Destroying a TCPSocketPosix
from port
Starting the listening process on port
Shutting the TCPSocketPosix down
Resetting the TCPSocketPosix
Making a TCP socket
..\..\..\..\Common\New Socket Code\TCPSocketWin.cpp
windows-1258
windows-1257
windows-1256
windows-1255
windows-1254
windows-1253
windows-1251
windows-1250
windows-1252
DOSPortugese
WindowsKoreanJohab
WindowsVietnamese
WindowsBalticRim
WindowsArabic
WindowsHebrew
WindowsLatin5
WindowsGreek
WindowsCyrillic
WindowsLatin2
WindowsANSI
WindowsLatin1
DOSPortuguese
..\..\..\..\Universal\TextEncodingUtil.cpp
..\..\..\..\Common\Toolbar\ToolbarImpWin32.cpp
SHQueryRecycleBin requires Windows 95/NT4 with IE greater than 4.0
Shlwapi.dll
..\..\..\..\Common\TrayItem.cpp
Making a new UDPSocketPosix
Destroying a UDPSocketPosix
Unable to bind the udp socket
Unable to set the broadcast option on the UDP socket
udp socket is bound and ready
Trying to join the multicast group:
Could not join the multicast group
Joined the multicast group successfully
on port
01234567
..\..\..\..\Common\variant.cpp
Operator_PowerRight
Operator_Power
Operator_Hash
Operator_Hash%i4%o<
Operator_Convert%
..\..\..\..\Common\VariantConversions.cpp
..\..\..\..\Universal\VirtualVolumes\VFSCore.cpp
finfo->mPosWithinBlock >= kBlockHeaderSize and finfo->mPosWithinBlock < finfo->mBlockStart finfo->mBlockHeader.mBlockLength - 4
..\..\..\..\Universal\VirtualVolumes\VHFS.cpp
..\..\..\..\Common\Win32\win32cmm.cpp
..\..\..\..\Common\Win32\win32Control.cpp
RICHED32.DLL
RICHED20.DLL
..\..\..\..\Common\Win32\win32EditControl.cpp
Styled text printer passed in to DrawBlock was nil
..\..\..\..\Common\Win32\win32Folderitem.cpp
..\..\..\..\Common\Win32\Win32Menu.cpp
..\..\..\..\Common\Win32\win32popupmenu.cpp
ComCtl32.dll
..\..\..\..\Common\Win32\win32progress.cpp
\\.\COM
..\..\..\..\Common\Win32\win32serial.cpp
..\..\..\..\Common\Win32\win32windows.cpp
..\..\..\..\Common\ClassLib\window.cpp
WMPlayer.OCX
{22D6F312-B0F6-11D0-94AB-0080C74C7E95}..\..\..\..\Common\Win32\WindowsMediaPlayer.cpp
Can't load library %s
..\..\..\..\Common\Win32\WinPrinter.cpp
Could not get the default printer settings because a nil structure was passed in
Someone passed in a bogus value for getting printer information
uxtheme.dll
?#%X.y
c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb
QuickTime.qts
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFile2.exe
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
GetConsoleOutputCP
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
SetViewportOrgEx
SetViewportExtEx
ShellExecuteA
ShellExecuteW
EnumChildWindows
VkKeyScanA
MsgWaitForMultipleObjectsEx
GetKeyNameTextA
MapVirtualKeyA
GetKeyNameTextW
EnumWindows
GetKeyState
GetAsyncKeyState
midiOutShortMsg
.text
`.rdata
@.data
.rsrc
l8q.LD
}wE.DS(M
version="1.0.0.0"
name="Windows 7 Loader.exe"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
iphlpapi.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
1.7.2.0
Windows 7 Loader.exe
BFile2.exe_1480_rwx_00401000_00219000:
FtPQW
~.SSW
SPSSSSSSSh
PQSSh
u.jhh
hu2.iuiMiu
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
..\..\..\..\Common\application.cpp
c:\RB\Universal\StringMap.h
..\..\..\..\Common\array.cpp
..\..\..\..\Common\basicstr.cpp
ptr - out.CString() == totalLen
theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII
..\..\..\..\Common\BlowFish.cpp
ewcKeyDown
KeyDown
..\..\..\..\Common\Canvas.cpp
..\..\..\..\Common\CommonListbox.cpp
MinWidthExpression doesn't support the Asterisk ('*') format.MaxWidthExpression doesn't support the Asterisk ('*') format...\..\..\..\Common\commonruntime.cpp
trace.log
..\..\..\..\Common\CommonRunView.cpp
We weren't passed in a control, we got nil.
..\..\..\..\Universal\CommonWinFunctions.cpp
Operator_Convert
..\..\..\..\Common\ConsoleApplication.cpp
msvcrt.dll
..\..\..\..\Universal\DataFile.cpp
Operator_Compare
dateSQLDateTimeSetter
dateSQLDateTimeGetter
SQLDateTime
dateSQLDateSetter
dateSQLDateGetter
SQLDate
..\..\..\..\Common\DateCommon.cpp
..\..\..\..\Universal\DateImp\DateImpWin32.cpp
Password
SQLSelect
databaseSQLExecute
SQLExecute
sqlString
databaseSQLSelect
..\..\..\..\Common\dbInterface.cpp
00:00:00
00:00:00
Invalid operator
Quotes expected after LIKE operation
Only COUNT(*) supported
Unsupported SELECT function
Only single GROUP BY columns currently supported
Expecting 'KEY'
Dropping columns is not supported for this database
Dropping tables from this database is not currently supported.
..\..\..\..\Common\DebuggerConnection.cpp
0000000000000000
127.0.0.1
c:\RB\Compiler\SmartRef.h
..\..\..\..\Common\DebuggerSupport.cpp
00000000
The debug application cannot connect back to the REALbasic IDE. This is mostly likely due to a software firewall or packet filter not allowing localhost network traffic on ports 13897 or 60554. You should reconfigure your software firewall or packet filter to allow the debug application to connect to REALbasic.
DebuggerSupport.cpp
dictionaryHasKey
HasKey
2147483647
..\..\..\..\Common\Dictionary.cpp
dictionaryKeys
Keys
dictionaryKey
..\..\..\..\Common\DockItem.cpp
..\..\..\..\Common\DragItem.cpp
Could not lock the BITMAPINFO structure passsed to the DrawableBitmap constructor
..\..\..\..\Common\drawable.cpp
..\..\..\..\Common\fileTypes.cpp
..\..\..\..\Common\FolderItemDialog.cpp
Shell32.dll
FolderItemDialogInitializer
OpenDialogInitializer
SaveAsDialogInitializer
SelectFolderDialogInitializer
..\..\..\..\Universal\FolderItemImp\FolderItemImpVirtual.cpp
..\..\..\..\Universal\FolderItemImp\FolderItemImpWin32.cpp
Kernel32.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
in Windows
OpenAsPicture doesn't support format
in Windows.
SaveAsPicture doesn't support format
Gdiplus.dll
not other.IsVirtual()
SHFileOperationW
SHFileOperationA
%%.ß
%%.Þ
..\..\..\..\Common\Graphics.cpp
..\..\..\..\Common\GraphicsGDI.cpp
..\..\..\..\Common\GroupBox.cpp
..\..\..\..\Common\intrinsicClass.cpp
NULL == defn->initializer.toc
NULL == defn->finalizer.toc
OpenURLMovie
PortType
comparisonKey
OrdinalKey
StringJoin
Join
RuntimeCompleteParamScriptExecute
_CompleteParamScriptExecute
RuntimeScriptExecute
_ScriptExecute
getKeyboardObject
Keyboard
GlobalShowURL
ShowURL
getApplicationSupportFolder
ApplicationSupportFolder
VB_RuntimeMsgBox
RuntimeMsgBox
MsgBox
exportPicture
ExportPicture
getIndexedObjectDescriptor
GetIndexedObjectDescriptor
openURLMovie
..\..\..\..\Common\intrinsicFunction.cpp
keyboardKeyName
KeyName
keyboardAsyncKeyDown
AsyncKeyDown
KeyCode
AsyncAlternateMenuShortcutKey
AsyncMenuShortcutKey
AlternateMenuShortcutKey
MenuShortcutKey
AsyncAltKey
AsyncOptionKey
AsyncControlKey
AsyncOSKey
AsyncCommandKey
asyncModifierKeyGetter
AsyncShiftKey
AltKey
OptionKey
ControlKey
OSKey
CommandKey
modifierKeyGetter
ShiftKey
_Keyboard
..\..\..\..\Common\LineControl.cpp
Windows
Operator_AddRight
Operator_Add
' was not exported
..\..\..\..\Common\loaderX86.cpp
import.dat
code.dat
data.dat
rsrc.dat
options.dat
symbols.dat
MemoryBlockCompareOperator
MemoryBlockAddOperator
MemoryBlockFromStringOperator
MemoryBlockToStringOperator
..\..\..\..\Common\MemoryBlock.cpp
..\..\..\..\Universal\MemoryManager.cpp
c:\rb\universal\SimpleVector.h
..\..\..\..\Common\Menu.cpp
..\..\..\..\Common\menubar.cpp
KeyboardShortcut
RuntimeMenuItemCommandKeySetter
RuntimeMenuItemCommandKeyGetter
TaskDialogIndirect
..\..\..\..\Common\MessageDialog.cpp
MessageDialogInitializer
..\..\..\..\Common\mouseCursor.cpp
SensApi.dll
..\..\..\..\Common\NuListbox.cpp
..\..\..\..\Common\Object Model\ObjectDefinition.cpp
..\..\..\..\Common\Object Model\ObjectDefinitionConverter.cpp
propertyCtr < out->properties.count
..\..\..\..\Common\objects.cpp
KeyPress
KeyUp
LicenseKey
PassByref
Does not support a collection
Invalid/Unsupported OLE Parameter Type
ole32.dll
oleaut32.dll
OLEObjectOperatorNot
Operator_Not
Operator_OrRight
OLEObjectOperatorOr
Operator_Or
Operator_AndRight
OLEObjectOperatorAnd
Operator_And
OLEObjectOperatorNegate
Operator_Negate
OLEObjectOperatorModuloRight
Operator_ModuloRight
OLEObjectOperatorModulo
Operator_Modulo
OLEObjectOperatorIntegerDivideRight
Operator_IntegerDivideRight
OLEObjectOperatorIntegerDivide
Operator_IntegerDivide
OLEObjectOperatorDivideRight
Operator_DivideRight
OLEObjectOperatorDivide
Operator_Divide
OLEObjectOperatorMultiplyRight
Operator_MultiplyRight
OLEObjectOperatorMultiply
Operator_Multiply
OLEObjectOperatorSubtractRight
Operator_SubtractRight
OLEObjectOperatorSubtract
Operator_Subtract
OLEObjectOperatorAddRight
OLEObjectOperatorAdd
OLEObjectOperatorCompare
OLEObjectOperatorConvert
OLEObjectOperatorLookupSetterWithParameters
OLEObjectOperatorLookup
OLEObjectNoReturnOperatorLookup
Operator_Lookup
..\..\..\..\Common\ClassLib\pane.cpp
..\..\..\..\Common\pictutil.cpp
Export Image As:
Bitmap (*.bmp)
..\..\..\..\Common\Graphics2D\PixMapRotate.cpp
..\..\..\..\Common\plugin.cpp
iface.super
.Events.
pluginEntryTable.GetEntry( entrypointName, out )
RasApi32.dll
RasDlg.dll
..\..\..\..\Common\New Socket Code\PPPSocketWin.cpp
HKEY_LOCAL_MACHINE\Software\Apple Computer, Inc.\QuickTime
because an unsupported column type was used
because an unsupported type was used
..\..\..\..\Common\rbdbThumb.cpp
offset == keyLen
Insert failed: primary key violation
KeyChainItemAttributeSetter
KeyChainItemAttributeGetter
KeyChainItemDelete
KeyChainFindPassword
FindPassword
KeyChainAddPassword
AddPassword
KeyChainLock
KeyChainUnlock
KeyChainConstructor
KeyChain
KeyChainItem
KeyChainItemConstructor
KeyChainItemDestructor
..\..\..\..\Common\RBStyledText.cpp
..\..\..\..\Universal\REALstring.cpp
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
SHDeleteKeyA
RegistryItemKeyCountGetter
KeyCount
..\..\..\..\Common\Win32\RegistryAccessors.cpp
RegistryItemKeyTypeGetter
KeyType
HKEY_LOCAL_MACHINE\Software\Made With REALbasic\
REALGetDBPassword
RegisterPluginExports
systemSetKeyScript
systemGetKeyScript
editPasswordSetter
editPasswordGetter
eWindowStringPassThroughGetter
eWindowBoolPassThroughSetter
eWindowBoolPassThroughGetter
eWindowIntPassThroughGetter
listColumnPressHeader
pictureIndexedImage
systemGetKeyChainCount
systemSetDefaultKeyChain
systemGetDefaultKeyChain
aeTargetPortTypeGetter
SerialPortDestructor
ServerSocketPortSetter
ServerSocketPortGetter
UDPSocketPacketsLeftToSend
UDPSocketGetBroadcast
UDPSocketSetLoopback
UDPSocketRouterHops
UDPReadDatagram
UDPSocketWriteDatagram
UDPSocketWrite
SocketJoinMulticastGroup
RuntimeUDPSocketConstructor
RuntimeUDPSocketDestructor
TCPSocketBytesLeftToSend
TCPSocketFlush
TCPSocketEof
SocketPortSetter
SocketPortGetter
FileURLGetter
FolderItemImpMakeFileExecutable
collectionKeyRemove
getSerialPortCount
getSerialPortByPath
getSerialPort
..\..\..\..\Common\relocentry.cpp
..\..\..\..\Common\ResourceManagerCommon.cpp
Keyword
..\..\..\..\Common\runcmm.cpp
Key As String
..\..\..\..\Common\runctl.cpp
NULL == target->eventTable[ctr].vector
SQLQuery
kEncodingUTF8 == s1.Encoding()
..\..\..\..\Common\runEditControl.cpp
kEncodingUTF8 == s2.Encoding()
..\..\..\..\Common\runFileAccess.cpp
OthersExecute
GroupExecute
OwnerExecute
..\..\..\..\Common\runFolderItem.cpp
Passing non-absolute shell paths is not currently supported
The path passed into new FolderItem was invalid
URLPath
_MakeFileExecutable
..\..\..\..\Common\RunIPCSocket.cpp
..\..\..\..\Common\runListbox.cpp
sCondemnedRows.size() > 0
sCondemnedRows.peek_back() == p
c:\RB\Universal\SimpleVector.h
..\..\..\..\Common\runMedia.cpp
IndexedImage
..\..\..\..\Common\runPicture.cpp
key as String
..\..\..\..\Common\runprint.cpp
SerialPort
Port
..\..\..\..\Common\runSerial.cpp
KeyScript
SerialPortCount
..\..\..\..\Common\RunSystem.cpp
KeyChainCount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
AdvApi32.dll
ReportEventW
VVV.google.com
..\..\..\..\Common\RuntimeArrayFoundation.cpp
as the number of bits is not supported
..\..\..\..\Common\RuntimeDebug.cpp
Runtime Error %d: %s
Please report what caused this error
%s: %d
Failure Condition: %s
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp
NoOpenTransportException
KeyNotFoundException
UnsupportedFormatException
KeyChainException
row as Integer, column as Integer, key as String
CellKeyDown
..\..\..\..\Common\RuntimeListboxAccessors.cpp
PressHeader
..\..\..\..\Common\RuntimeMain.cpp
MsgPumpWaiter
..\..\..\..\Common\Object Model\RuntimeObjectFoundation.cpp
out->methods.count >= base->methods.count
out->events.count >= base->events.count
out->properties.count >= base->properties.count
..\..\..\..\Common\RunTimer.cpp
JoinMulticastGroup
TCPSocket
UDPSocket
..\..\..\..\Common\New Socket Code\RuntimeSocketAccessors.cpp
..\..\..\..\Common\RuntimeStringFoundation.cpp
..\..\..\..\Common\ClassLib\RuntimeThread.cpp
Called Semaphore.Release too many times.
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp
..\..\..\..\Common\Graphics2D\ShapePlotter.cpp
points.size() == 4
..\..\..\..\Common\Graphics2D\Shapes2D.cpp
wsock32.dll
ws2_32.dll
AcceleratorKey
..\..\..\..\Common\StaticText.cpp
c:\rb\universal\StringMap.h
..\..\..\..\Universal\StringUtils.cpp
..\..\..\..\Common\StyledTextBaseImp.cpp
..\..\..\..\Common\SubPane.cpp
..\..\..\..\Common\New Socket Code\TCPSocket.cpp
Made a new TCPSocketPosix
Destroying a TCPSocketPosix
from port
Starting the listening process on port
Shutting the TCPSocketPosix down
Resetting the TCPSocketPosix
Making a TCP socket
..\..\..\..\Common\New Socket Code\TCPSocketWin.cpp
windows-1258
windows-1257
windows-1256
windows-1255
windows-1254
windows-1253
windows-1251
windows-1250
windows-1252
DOSPortugese
WindowsKoreanJohab
WindowsVietnamese
WindowsBalticRim
WindowsArabic
WindowsHebrew
WindowsLatin5
WindowsGreek
WindowsCyrillic
WindowsLatin2
WindowsANSI
WindowsLatin1
DOSPortuguese
..\..\..\..\Universal\TextEncodingUtil.cpp
..\..\..\..\Common\Toolbar\ToolbarImpWin32.cpp
SHQueryRecycleBin requires Windows 95/NT4 with IE greater than 4.0
Shlwapi.dll
..\..\..\..\Common\TrayItem.cpp
Making a new UDPSocketPosix
Destroying a UDPSocketPosix
Unable to bind the udp socket
Unable to set the broadcast option on the UDP socket
udp socket is bound and ready
Trying to join the multicast group:
Could not join the multicast group
Joined the multicast group successfully
on port
01234567
..\..\..\..\Common\variant.cpp
Operator_PowerRight
Operator_Power
Operator_Hash
Operator_Hash%i4%o<
Operator_Convert%
..\..\..\..\Common\VariantConversions.cpp
..\..\..\..\Universal\VirtualVolumes\VFSCore.cpp
finfo->mPosWithinBlock >= kBlockHeaderSize and finfo->mPosWithinBlock < finfo->mBlockStart finfo->mBlockHeader.mBlockLength - 4
..\..\..\..\Universal\VirtualVolumes\VHFS.cpp
..\..\..\..\Common\Win32\win32cmm.cpp
..\..\..\..\Common\Win32\win32Control.cpp
RICHED32.DLL
RICHED20.DLL
..\..\..\..\Common\Win32\win32EditControl.cpp
Styled text printer passed in to DrawBlock was nil
..\..\..\..\Common\Win32\win32Folderitem.cpp
..\..\..\..\Common\Win32\Win32Menu.cpp
..\..\..\..\Common\Win32\win32popupmenu.cpp
ComCtl32.dll
..\..\..\..\Common\Win32\win32progress.cpp
\\.\COM
..\..\..\..\Common\Win32\win32serial.cpp
..\..\..\..\Common\Win32\win32windows.cpp
..\..\..\..\Common\ClassLib\window.cpp
WMPlayer.OCX
{22D6F312-B0F6-11D0-94AB-0080C74C7E95}..\..\..\..\Common\Win32\WindowsMediaPlayer.cpp
Can't load library %s
..\..\..\..\Common\Win32\WinPrinter.cpp
Could not get the default printer settings because a nil structure was passed in
Someone passed in a bogus value for getting printer information
uxtheme.dll
?#%X.y
c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb
QuickTime.qts
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFile2.exe
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
GetConsoleOutputCP
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
SetViewportOrgEx
SetViewportExtEx
ShellExecuteA
ShellExecuteW
EnumChildWindows
VkKeyScanA
MsgWaitForMultipleObjectsEx
GetKeyNameTextA
MapVirtualKeyA
GetKeyNameTextW
EnumWindows
GetKeyState
GetAsyncKeyState
midiOutShortMsg
.text
`.rdata
@.data
.rsrc
svchost.exe_3792:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
ESQLiteException
TSQLiteDatabase
TSQLiteTable
sqlite3_open
sqlite3_errmsg
sqlite3_free
sqlite3_close
sqlite3_last_insert_rowid
sqlite3_total_changes
sqlite3_errcode
sqlite3_bind_text
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_double
sqlite3_bind_null
sqlite3_bind_blob
sqlite3_prepare_v2
sqlite3_step
sqlite3_reset
sqlite3_finalize
sqlite3_prepare
sqlite3_busy_timeout
sqlite3_libversion
sqlite3_create_collation
sqlite3_bind_parameter_index
sqlite3_changes
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_type
sqlite3_column_int64
sqlite3_column_double
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_column_text
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
udprec
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
nss3.dll
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
PK11_GetInternalKeySlot
userenv.dll
\Mozilla\Firefox\
profiles.ini
\signons3.txt
\Mozilla\Firefox\profiles.ini
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
Urlmon.dll
Shell32.dll
URLDownloadToFileA
ShellExecuteA
Future Windows version (unknown)
Windows
UDPPROG1|
UDPStart|
SOFTWARE\Mozilla\Mozilla Firefox\
WEBDL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
GetCPInfo
MsgWaitForMultipleObjects
wsock32.dll
shell32.dll
SQLite3
KWindows
UrlMon
SQLiteTable3
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Failed to get data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread Error: %s (%d)
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot create file "%s". %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point valueI/O error %d
Integer overflow Invalid floating point operation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2712
BFile1.exe:264
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFile1.exe (17404 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFile2.exe (269798 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\svchost.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\svchost.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.