Gen.Variant.Barys.54169_64dd515e0b


by malwarelabrobot on August 23rd, 2017 in Malware Descriptions.

Trojan.Win32.DelfiDelfi.bpu (Kaspersky), Gen:Variant.Barys.54169 (B) (Emsisoft), Gen:Variant.Barys.54169 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 64dd515e0b07acb0ef4c86176bdd25cf
SHA1: 55d3cd99d5280f1d894cb20e2cedc38d6aefca77
SHA256: 108e3650cd59c4cbefedd8873f0a4cd4248ad6ef1cf52b67499c9766f5be3259
SSDeep: 12288:dcztD6zoHWuxIifYIYKtFcMo8UHYvPZkHiAsVgg Inonro3NRbSFLXWlPzX B9Nb:dotkifYIntFw8nn6HiEX8vbuEzXUWhs
Size: 806400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Mindspark
Created at: 2017-07-09 03:35:15
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

filename.exe:3732
%original file name%.exe:3576

The Trojan injects its code into the following process(es):

vbc.exe:4000

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\Desktop\filename.exe (6679 bytes)

Registry activity

The process filename.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Update" = "C:\Users\"%CurrentUserName%"\Desktop\filename.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "C:\Users\"%CurrentUserName%"\Desktop\filename.exe"

The process %original file name%.exe:3576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: solid.exe
Internal Name: solid.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 605188 605696 5.38751 c6698eb7cea58f8f2f37878405c58f95
.rsrc 614400 199284 199680 5.52992 732f1b4c1ad6216ed8f64e0bb13d742c
.reloc 819200 12 512 0.056519 f8b40db6b11e7623912a10866174bd53

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
teredo.ipv6.microsoft.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

Strings from Dumps

vbc.exe_4000:

`.rsrc
kernel32.dll
oleaut32.dll
EVariantBadIndexError
%s, ProgID: "%s"
ole32.dll
EInvalidOperation
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
VBoxService.exe
SbieDll.dll
dbghelp.dll
Software\Microsoft\Windows\CurrentVersion
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
\\.\SICE
\\.\NTICE
user32.dll
Software\Microsoft\Windows\CurrentVersion\Run\
10.211.55.20
notepad.exe
1.0.4
PSAPI.dll
C:\Users\gurkanarkas\Desktop\Dtback\AlienEdition\Server\SuperObject.pas
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
nss3.dll
PK11_GetInternalKeySlot
mozglue.dll
msvcr120.dll
msvcp120.dll
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
logins.json
Mozilla Firefox
logins[
].hostname
].encryptedUsername
].encryptedPassword
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
sqlite3_open
sqlite3_close
sqlite3_exec
sqlite3_version
sqlite3_errmsg
sqlite3_errcode
sqlite3_free
sqlite3_get_table
sqlite3_free_table
sqlite3_complete
sqlite3_last_insert_rowid
sqlite3_interrupt
sqlite3_busy_Handler
sqlite3_busy_timeout
sqlite3_changes
sqlite3_total_changes
sqlite3_prepare
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_data_count
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_Int
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_enable_shared_cache
sqlite3_create_collation
TSQLiteDatabase8
TSQLiteTable
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SELECT * FROM logins
password_value
origin_url
\Scream.dll
WbemScripting.SWbemLocator
%s\%s
SELECT * FROM %s
displayName %s
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
IMAP Password
POP3 Password
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
\print.txt
Skype.exe
main.db
\Yandex\YandexBrowser\User Data\Default\Login Data
\Comodo\Dragon\User Data\Default\Login Data
\Google\Chrome\User Data\Default\Login Data
Google Chrome
TUnicodeKeyboard
Klog.dat
\Klog.dat
cmd.exe
SAPI.SpVoice
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 10
Windows Server 2016 Technical Preview
%s|%s@%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|
Can't get the Windows version
deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
KERNEL32.DLL
Sqlite3.dll
sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_bind_parameter_count
sqlite3_bind_parameter_name
sqlite3_bind_text16
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_clear_bindings
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_bytes16
sqlite3_column_decltype16
sqlite3_column_int
sqlite3_column_name16
sqlite3_column_text16
sqlite3_column_value
sqlite3_commit_hook
sqlite3_complete16
sqlite3_context_db_handle
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_db_handle
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_errmsg16
sqlite3_expired
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_global_recover
sqlite3_libversion
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_malloc
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_held
sqlite3_mutex_leave
sqlite3_mutex_notheld
sqlite3_mutex_try
sqlite3_open16
sqlite3_open_v2
sqlite3_overload_function
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_release_memory
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_rollback_hook
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_sql
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
KWindows
yuActivePorts
FF_Passwords
UrlMon
UnitKeyboardStarter
UnitScriptExecuter
Usndkey32
GOutlookPasswords
UnitDownloadExec
UnitChrome
SQLiteTable3
SQLite3Dynamic
SQLite3DLL
DtServ32.exe
DtServ32sm.exe
kingsley4040.duckdns.org#PA
WinExec
SetNamedPipeHandleState
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyW
RegOpenKeyA
RegFlushKey
RegEnumKeyExW
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
ShellExecuteA
SHFileOperationA
keybd_event
VkKeyScanA
SetKeyboardState
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MapVirtualKeyExA
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
ExitWindowsEx
EnumWindows
GetKeyboardType
InternetOpenUrlA
.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
advapi32.dll
crypt32.dll
gdi32.dll
mpr.dll
msacm32.dll
msvcrt.dll
NetAPI32.dll
ntdll.dll
powrprof.dll
shell32.dll
shfolder.dll
wininet.dll
winmm.dll
wsock32.dll
logins
software\microsoft\windows\currentversion\uninstall\
66006666
Bitmaps Clipboard does not support Icons&Cannot change the size of a JPEG image
JPEG error #%d
Invalid stream operation
Failed to get data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%List does not allow duplicates ($0%x)%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    filename.exe:3732
    %original file name%.exe:3576

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\Desktop\filename.exe (6679 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Update" = "C:\Users\"%CurrentUserName%"\Desktop\filename.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Update" = "C:\Users\"%CurrentUserName%"\Desktop\filename.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
