Gen.Variant.Barys.55417_9dafaf3065

by malwarelabrobot on February 14th, 2017 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Barys.55417 (B) (Emsisoft), Gen:Variant.Barys.55417 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 9dafaf306524b6d33da40a287366e8ae
SHA1: 34a4f15b46a8dd390f725115d34b2aaaf80e530f
SHA256: c9f99dd5aae6927ecbca828c4e87d004cf3dba4f3cac55dc03df5acd0c14118f
SSDeep: 6144:jfKWJ/GCke4mSJ1nCqtoDMHK44 GwXhJ3nDZV J6P3a0xwUax4:jSo/GTeXQ1CSwML8XhVnDZVA6y01O4
Size: 457728 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-01-29 02:31:56
Analyzed on: Windows7 SP1 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Backdoor creates the following process(es):

%original file name%.exe:3408
%original file name%.exe:2952

The Backdoor injects its code into the following process(es):

svchost.exe:992
iexplore.exe:2316

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3408 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (2321 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (768 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)

The process %original file name%.exe:2952 makes changes in the file system.
The Backdoor deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:3408 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

The process %original file name%.exe:2952 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\XtremeRAT]
"Mutex" = "JXNFWf0bB8"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: i7MLr01Sx
Product Name: Hk2c7Y5S
Product Version: 29.36.12.1
Legal Copyright: y2MXe8m4R
Legal Trademarks: k1F5RjXb9t
Original Filename: 2icn0y4b.exe
Internal Name: 2icn0y4b.exe
File Version: 29.36.12.1
File Description: Bq4w2H8ZnE
Comments: t9T8Nkp1
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 397316 397824 4.83594 2ffaca0da181307e2e7320e50e749b8c
.rsrc 409600 4096 4096 0.693965 2745400ec70f547c8e2bfeab3efdc654
.reloc 417792 12 512 0.053811 2bd7604eb7c8b85297468a52bb3a0601
GPWAE/V/ 425984 53800 54272 5.31781 6a7d9fbe66de9ce1308ce839c42813dc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.google.com/ 173.194.113.212
hxxp://www.google.com.ua/?gfe_rd=cr&ei=flqhWPOHJtTDNNXwi-AM 173.194.113.212
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw
hxxp://www3.l.google.com/GIAG2.crl
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+
hxxp://www3.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1158.b.akamai.net/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/
hxxp://crl.geotrust.com/crls/secureca.crl 23.46.117.163
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+ 172.217.20.206
hxxp://vassg142.ocsp.omniroot.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ 2.21.89.26
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== 23.55.155.27
hxxp://pki.google.com/GIAG2.crl 172.217.20.206
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 212.30.134.166
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw 172.217.20.206
ssl.gstatic.com 172.217.20.195
clients1.google.com.ua 216.58.209.35


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com


HTTP/1.1 200 OK
Server: Apache
ETag: "1dcc2adde806333e252c79ce22cadc8b:1486969223"
Last-Modified: Mon, 13 Feb 2017 07:00:23 GMT
Date: Mon, 13 Feb 2017 07:04:36 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equi
fax Secure Certificate Authority..170213064300Z..170223064300Z0,0....%
...020514181157Z0.....3..020515130611Z0...*.H............hL\V].X..v...
K..@.Mu8v...\K|J...C..^....@.........uL...E^<......{....Q.KAW..~...
ivy....)R..........-ch....f.....`%..............HTTP/1.1 200 OK..Serve
r: Apache..ETag: "1dcc2adde806333e252c79ce22cadc8b:1486969223"..Last-M
odified: Mon, 13 Feb 2017 07:00:23 GMT..Date: Mon, 13 Feb 2017 07:04:3
6 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: appl
ication/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....Equi
fax1-0 ..U...$Equifax Secure Certificate Authority..170213064300Z..170
223064300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H.......
.....hL\V].X..v...K..@.Mu8v...\K|J...C..^....@.........uL...E^<....
..{....Q.KAW..~...ivy....)R..........-ch....f.....`%................



GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT
If-None-Match: "b8b5df1d64d4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Dec 2016 06:00:18 GMT
Accept-Ranges: bytes
ETag: "7254ef33d54d21:0"
Server: Microsoft-IIS/8.5
VTag: 791177757300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 13 Feb 2017 07:05:24 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..161211173324Z..170312055324Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......b0... .....7......170311174324Z0.
..*.H..................)........j<.........G"...X..7y.1.s...vaE..'0
3.l......Q.*....M...$.._.:$...Ky$..`.>#..v...pLI<".1e.....0QK.#&
lt;#]v......x.d&..........@...{...K.gx1&...l.......R...>h.....$....
.........C..|M....WT..[.-.b.$)....v(....v._....'.p....a.)..j...oC....z
C:$.8....HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Mod
ified: Mon, 12 Dec 2016 06:00:18 GMT..Accept-Ranges: bytes..ETag: "725
4ef33d54d21:0"..Server: Microsoft-IIS/8.5..VTag: 791177757300000000..P
3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo O
UR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..C
ontent-Length: 554..Cache-Control: max-age=900..Date: Mon, 13 Feb 2017
 07:05:24 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0
...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft 
Corporation1#0!..U....Microsoft Code Signing PCA..161211173324Z..17031
2055324Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U
......b0... .....7......170311174324Z0...*.H..................).......
.j<.........G"...X..7y.1.s...vaE..'03.l......Q.*....M...$.._.:$...K
y$..`.>#..v...pLI<".1e.....0QK.#<#]v......x.d&..........@...{
...K.gx1&...l.......R...>h.....$.............C..|M....WT..[.-.b
<<< skipped >>>


GET / HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google.com
Connection: Keep-Alive
Cookie: NID=88=C6CEKO82itAhdU0twN6URqunh6Sn9EPCs-teRRQ4QRgNCJP-EG6VgSTOkC7BafUzPUi-GjuRAoRi6F4Sx78Gd_cLieG7apk740DNnT0oV6phUdJTT3H8MUyjxWiFq3Dm


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=flqhWPOHJtTDNNXwi-AM
Content-Length: 260
Date: Mon, 13 Feb 2017 07:04:30 GMT
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=flqhWPOHJtTD
NNXwi-AM">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=flqhWPOHJtTDNNXwi-A
M..Content-Length: 260..Date: Mon, 13 Feb 2017 07:04:30 GMT..<HTML&
gt;<HEAD><meta http-equiv="content-type" content="text/html;c
harset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><
;BODY>.<H1>302 Moved</H1>.The document has moved.<A 
HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=flqhWPOHJtTDNNXwi-AM"
>here</A>...</BODY></HTML>....



GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1
Cache-Control: max-age = 564348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1377
content-transfer-encoding: binary
Cache-Control: max-age=534944, public, no-transform, must-revalidate
Last-Modified: Sun, 12 Feb 2017 11:39:44 GMT
Expires: Sun, 19 Feb 2017 11:39:44 GMT
Date: Mon, 13 Feb 2017 07:04:41 GMT
Connection: keep-alive
0..]......V0..R.. .....0.....C0..?0......V.T'S...q..."...zr.*..2017021
2113944Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U
....... ...:.....20170212113944Z....20170219113944Z0...*.H............
........8...........<..$.*5...y.*...-!..3..fG3e~ ...k...Y..........
...i.>ZMkF....<.j.[.?.Rmt......{3...<.$|.P..._...&.E4iq.&4a..
\.N."..7.h....*.C.......S............Ta~..........)k.5.4...s$]....`...
.Y;.......;..F5.kyT.....%..F...J<..CZ...B......,..q.I.n.n>.....0
...0...0..s............ ...y..^..g0...*.H........0B1.0...U....US1.0...
U....GeoTrust Inc.1.0...U....GeoTrust Global CA0...161208112535Z..1712
14112535Z02100...U...'GeoTrust Global CA TGV OCSP Responder 50.."0...*
.H.............0...............S....!....,.t.?....d...M@.._.=.S..,."..
....Gdv._c..D1..N'E.:.....a2.......{/rD. .c.2..P...!.....Xn..}....{{.z
I9.Y....../.....;.......fu..,...B._o..B..g....o........?Y\.?...y.H*..]
yi.....3.......F.6.....Q.........{B..19..Kz...\z...P..._...-!.....'.Ym
........0..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..
0... .......0...U...........0...U.......0.0"..U....0...0.1.0...U....TG
V-OFF-570...*.H..............md.....yV{......y:5..@l#..5.......o..X...
.,r}......i..3..o.e...e5..@..H/Q..;.vd..?.j.m....../hv..A.......g.....
..a.....G..\.'*.b..>.....L.Y.To<.@>...&1..9.w.....N*Au.e.....
b..K...PO47.J.....{.C\....G..0/.a.Eo.`z.<;IA...  #.''.CG..K@7z..7.\
_..'.]q.f._.WN....
<<< skipped >>>


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGn0AHsoGslw HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Sun, 12 Feb 2017 17:34:13 GMT
Expires: Thu, 16 Feb 2017 17:34:13 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=345600
Age: 48634
0..........0..... .....0......0...0......J......h.v....b..Z./..2017021
2131759Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.i..{(..p....20170212131759Z....20170219131759Z0...*.H.............0,.
....ed....FT..l.dK...L.^..... ....4.l...F.]v...wH.XC..[..?.l.[..7 ..
&...<....>.3.....>.EX...!...(.;@.%....-......... D"8PP]..?B.p
..t.l..sNL.>xZ>.Z.&Gg*...|?.F3..Dht.....`..&.*.3D\..\..1..p.0..)
.[m.......U.D.xE,m..w.2l.... .|^^...~R."VT.:.,i[....}.....HTTP/1.1 200
 OK..Content-Type: application/ocsp-response..Date: Sun, 12 Feb 2017 1
7:34:13 GMT..Expires: Thu, 16 Feb 2017 17:34:13 GMT..Server: ocsp_resp
onder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-O
ptions: SAMEORIGIN..Cache-Control: public, max-age=345600..Age: 48634.
.0..........0..... .....0......0...0......J......h.v....b..Z./..201702
12131759Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./
..i..{(..p....20170212131759Z....20170219131759Z0...*.H.............0,
.....ed....FT..l.dK...L.^..... ....4.l...F.]v...wH.XC..[..?.l.[..7 .
.&...<....>.3.....>.EX...!...(.;@.%....-......... D"8PP]..?B.
p..t.l..sNL.>xZ>.Z.&Gg*...|?.F3..Dht.....`..&.*.3D\..\..1..p.0..
).[m.......U.D.xE,m..w.2l.... .|^^...~R."VT.:.,i[....}.........
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+ HTTP/1.1


Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Fri, 10 Feb 2017 01:34:00 GMT
Expires: Tue, 14 Feb 2017 01:34:00 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=345600
Age: 279054
0..........0..... .....0......0...0......J......h.v....b..Z./..2017020
9190518Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.....V.y>....20170209190518Z....20170216190518Z0...*.H.............
z..j.P..P..@A.....k....;.f}...[..}".EMq.0....R..A..l..[..c.....D.....n
s..........4xl$.....p.........G.......w`R..J......... `......&.i.....s
..*.....h]...Xb[....:.....D}lJ....6.... ...(d...}...:..E..Q......o5...
....tC.... .*.?.7.[M1g..^....p]A....l]....$...HTTP/1.1 200 OK..Content
-Type: application/ocsp-response..Date: Fri, 10 Feb 2017 01:34:00 GMT.
.Expires: Tue, 14 Feb 2017 01:34:00 GMT..Server: ocsp_responder..Conte
nt-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAME
ORIGIN..Cache-Control: public, max-age=345600..Age: 279054..0.........
.0..... .....0......0...0......J......h.v....b..Z./..20170209190518Z0k
0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./......V.y&g
t;....20170209190518Z....20170216190518Z0...*.H.............z..j.P..P.
.@A.....k....;.f}...[..}".EMq.0....R..A..l..[..c.....D.....ns.........
.4xl$.....p.........G.......w`R..J......... `......&.i.....s..*.....h]
...Xb[....:.....D}lJ....6.... ...(d...}...:..E..Q......o5.......tC....
 .*.?.7.[M1g..^....p]A....l]....$.....



GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAa1FcpWF3k+ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Sun, 12 Feb 2017 20:09:37 GMT
Expires: Thu, 16 Feb 2017 20:09:37 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=345600
Age: 39317
0..........0..... .....0......0...0......J......h.v....b..Z./..2017021
2130518Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.....V.y>....20170212130518Z....20170219130518Z0...*.H.............
.V...~.ENk{.z....^..n...B..M...&.1a..J..8E..S......0w.H.7..p.h..b.xqr.
.M....g4....].y..d=y.."V..\T.Y5.5.......~`S7.Y....rD.`...}..o.Vkd.xg.S
....iQ....Y^g.V..y..$..[...J9.....e.....@....}.q.Y....C ._..B.v\A....[
.,....esp..........W..p..2*.......u..........rHTTP/1.1 200 OK..Content
-Type: application/ocsp-response..Date: Sun, 12 Feb 2017 20:09:37 GMT.
.Expires: Thu, 16 Feb 2017 20:09:37 GMT..Server: ocsp_responder..Conte
nt-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAME
ORIGIN..Cache-Control: public, max-age=345600..Age: 39317..0..........
0..... .....0......0...0......J......h.v....b..Z./..20170212130518Z0k0
i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./......V.y>
;....20170212130518Z....20170219130518Z0...*.H..............V...~.ENk{
.z....^..n...B..M...&.1a..J..8E..S......0w.H.7..p.h..b.xqr..M....g4...
.].y..d=y.."V..\T.Y5.5.......~`S7.Y....rD.`...}..o.Vkd.xg.S....iQ....Y
^g.V..y..$..[...J9.....e.....@....}.q.Y....C ._..B.v\A....[.,....esp..
........W..p..2*.......u..........r..



GET /?gfe_rd=cr&ei=flqhWPOHJtTDNNXwi-AM HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: VVV.google.com.ua


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=flqhWPOHJtTDNNXwi-AM&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Mon, 13 Feb 2017 07:04:30 GMT
Server: gws
Content-Length: 276
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=96=RNYCZf4YzYwgNdo3X9IGFnG0fS1UqmiMn0-BxPzmSuuJ7aXbK34ye6kYC_f7bV9YFKddm9r_PK8vpVhtXbe5pCYsatgF_Cr1xdJ4rU7TufAoTV3q5s_Kr7DrYB5HwBlq; expires=Tue, 15-Aug-2017 07:04:30 GMT; path=/; domain=.google.com.ua; HttpOnly
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=flqhWPOHJtT
DNNXwi-AM&gws_rd=ssl">here</A>...</BODY></HTML&g
t;..HTTP/1.1 302 Found..Location: hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=flqhWPOHJtTDNNXwi-AM&gws_rd=ssl..Cache-Control: private..Content-T
ype: text/html; charset=UTF-8..P3P: CP="This is not a P3P policy! See 
hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more i
nfo."..Date: Mon, 13 Feb 2017 07:04:30 GMT..Server: gws..Content-Lengt
h: 276..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..
Set-Cookie: NID=96=RNYCZf4YzYwgNdo3X9IGFnG0fS1UqmiMn0-BxPzmSuuJ7aXbK34
ye6kYC_f7bV9YFKddm9r_PK8vpVhtXbe5pCYsatgF_Cr1xdJ4rU7TufAoTV3q5s_Kr7DrY
B5HwBlq; expires=Tue, 15-Aug-2017 07:04:30 GMT; path=/; domain=.google
.com.ua; HttpOnly..<HTML><HEAD><meta http-equiv="conten
t-type" content="text/html;charset=utf-8">.<TITLE>302 Moved&l
t;/TITLE></HEAD><BODY>.<H1>302 Moved</H1>.T
he document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=flqhWPOHJtTDNNXwi-AM&gws_rd=ssl">here</A>...</
BODY></HTML>....
<<< skipped >>>


GET /GIAG2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.google.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Date: Mon, 13 Feb 2017 06:13:10 GMT
Expires: Mon, 13 Feb 2017 07:13:10 GMT
Last-Modified: Mon, 13 Feb 2017 02:15:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 541
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=3600
Age: 3101
0...0......0...*.H........0I1.0...U....US1.0...U....Google Inc1%0#..U.
...Google Internet Authority G2..170213010003Z..170223010003Z0R0'..vK.
...Q...170113141858Z0.0...U.......0'..1.3..*....160915202213Z0.0...U..
......00.0...U.#..0...J......h.v....b..Z./0...U........0...*.H........
......}.......J...~........:k.......wFN.....sz.N3<.....Z.......\..A
.{...z9....x)\.ju.]N.......h7s.P.*.......a......=j.......[/:(...WJ.C@.
...s..,.X..p.wI;.H2.d6.w4..m......E?0u.*.....`.#....S".N..~.......X~_.
.K.. .N?..UUH&.......X...g......UR.9.u.H8.-.LX.u.Gs...HTTP/1.1 200 OK.
.Content-Type: application/pkix-crl..Date: Mon, 13 Feb 2017 06:13:10 G
MT..Expires: Mon, 13 Feb 2017 07:13:10 GMT..Last-Modified: Mon, 13 Feb
 2017 02:15:00 GMT..X-Content-Type-Options: nosniff..Server: sffe..Con
tent-Length: 541..X-XSS-Protection: 1; mode=block..Cache-Control: publ
ic, max-age=3600..Age: 3101..0...0......0...*.H........0I1.0...U....US
1.0...U....Google Inc1%0#..U....Google Internet Authority G2..17021301
0003Z..170223010003Z0R0'..vK....Q...170113141858Z0.0...U.......0'..1.3
..*....160915202213Z0.0...U........00.0...U.#..0...J......h.v....b..Z.
/0...U........0...*.H..............}.......J...~........:k.......wFN..
...sz.N3<.....Z.......\..A.{...z9....x)\.ju.]N.......h7s.P.*.......
a......=j.......[/:(...WJ.C@....s..,.X..p.wI;.H2.d6.w4..m......E?0u.*.
....`.#....S".N..~.......X~_..K.. .N?..UUH&.......X...g......UR.9.u.H8
.-.LX.u.Gs.....
<<< skipped >>>


GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ HTTP/1.1
Cache-Control: max-age = 339923
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:41:21 GMT
If-None-Match: "c06e9a4e33eec9dd813b8faff15397229f914d2a"
User-Agent: Microsoft-CryptoAPI/6.1
Host: vassg142.ocsp.omniroot.com


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 1746
Last-Modified: Mon, 13 Feb 2017 05:06:33 GMT
ETag: "b08796125e32084fd651058ef11f8168d3fd4805"
Cache-Control: public, no-transform, must-revalidate, max-age=332867
Expires: Fri, 17 Feb 2017 03:33:16 GMT
Date: Mon, 13 Feb 2017 07:05:29 GMT
Connection: keep-alive
0..........0..... .....0......0...0......\r...Ev.C..*....omJ...2017021
3050633Z0w0u0M0... .........-R...P:.B...9...0Q.......sw....KM...3..r..
.C...X.<1ya..w.2..^.?....20170213050633Z....20170217050633Z0...*.H.
..............4:.....u.v.*G:t.y......Q))....5.........:X..?#....y..p('
h..a\`.D.`...&..AG..S.... Lr..8']`5..r..1..6T.9D.;..=<z.;.......L.E
"!..p.#U.O-G..bx1@.|.U....[..H..8d....(...o..r../.._WN...o..a..P3-...r
.H~..K.... ..a....9)1.h.S..Q\.....i.b....n.-_A_...... )..#.|3....0...0
...0...........1....n.SsnC.K.]I.w90...*.H........0..1.0...U....NL1.0..
.U....Amsterdam1%0#..U....Verizon Enterprise Solutions1.0...U....Cyber
trust1.0,..U...%Verizon Akamai SureServer CA G14-SHA20...160407064154Z
..170407064154Z0..1.0...U....NL1.0...U....Amsterdam1%0#..U....Verizon 
Enterprise Solutions1.0...U....Cybertrust1%0#..U....vassg142-OCSP Resp
onder 20160.."0...*.H.............0.........w.;..Eu..'f.c^....Qe.O...U
.....d.\?.....S.r'g.d..ES.NA.t....<.....#?.."...*Pm.<..s........
v...<....8......A@.....7h...r$.T..8=......\....>......z=t3?(....
.i.>t.^.....]7.9..j.E. ....{.$w..Y,...hf..6......L._9,.....i...S...
)/.."^.K.O...bb^....V....'p...'V..........H0..D0... .....0......0L..U.
 .E0C0A.. .....>..0402.. ........&hXXps://secure.omniroot.com/repos
itory0~.. ........r0p06.. .....0..*hXXps://cacert.a.omniroot.com/vassg
142.crt06.. .....0..*hXXps://cacert.a.omniroot.com/vassg142.der0...U..
.........0...U.%..0... .......0...U.#..0.......sw....KM...3..r.0...U..
....\r...Ev.C..*....omJ.0...*.H.............l/0j.Z.z.......n-..2.?
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

iexplore.exe_3524:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
8user32.dll
Kernel32.DLL
8xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_1992:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
8user32.dll
Kernel32.DLL
8xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

svchost.exe_992:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

svchost.exe_992_rwx_10000000_0004A000:

.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
 juXqhu2.iu
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ntdll.dll
ShellExecuteW
KWindows
TServerKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
mrx9.ddns.net
ftpuser
Microsoft.exe
PTF.ftpserver.com
{447530RG-31X6-7LTM-3G56-Q081BTIT4Y68}
pIcon.ico
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C:\Users
2.8.1
C:\Prog

iexplore.exe_2316:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
8user32.dll
Kernel32.DLL
8xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_2316_rwx_10000000_0004A000:

.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
 juXqhu2.iu
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ntdll.dll
ShellExecuteW
KWindows
TServerKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
mrx9.ddns.net
ftpuser
Microsoft.exe
PTF.ftpserver.com
{447530RG-31X6-7LTM-3G56-Q081BTIT4Y68}
pIcon.ico
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C:\Users
2.8.1
C:\Prog
c:\%original file name%.exe
%Program Files%\Internet Explorer\iexplore.exe

SearchProtocolHost.exe_2188:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_296:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3408
    %original file name%.exe:2952

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (2321 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (768 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now