Gen.Variant.Kazy.699500_bb6c854056

by malwarelabrobot on July 11th, 2017 in Malware Descriptions.

Gen:Variant.Kazy.699500 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.PWS.Panda.2401 (DrWeb), Gen:Variant.Kazy.699500 (B) (Emsisoft), Artemis!BB6C8540565E (McAfee), Trojan.Gen.2 (Symantec), Trojan.MSIL.Injector (Ikarus), Gen:Variant.Kazy.699500 (FSecure), MSIL8.BKNX (AVG), MSIL:Agent-DCH [Trj] (Avast), TSPY_FAREIT.YYSLJ (TrendMicro), Gen:Variant.Kazy.699500 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: bb6c8540565e29c2c49018717300301b
SHA1: d4f4961c994302b6fa6c56f5e771f03af7f887d0
SHA256: 1ca010349705b4747d0b498b20ac5583d09026710594067d5ae4eacdb2d90717
SSDeep: 24576:/N35mAvsqb4gICnEaz19ynH8iaA6Kc55VK/0xvMhI3:/GAvnMCnOvaAL4Lc0diQ
Size: 1006688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: StdLib
Created at: 2015-08-01 16:51:06
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

soft.exe:2748
Pony.exe:956
%original file name%.exe:3776
%original file name%.exe:2736
WinMail.exe:2460

The Trojan injects its code into the following process(es):

taskhost.exe:252
Explorer.EXE:284
Dwm.exe:528
conhost.exe:1068
TPAutoConnect.exe:2068
conhost.exe:2076

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process soft.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp7f44b81e.bat (175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Ezud\teogc.exe (455 bytes)

The process Pony.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1371061.bat (98 bytes)

The process %original file name%.exe:3776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Quotation.jar (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Pony.exe (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\soft.exe (455 bytes)

The process %original file name%.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp7f44b81e.bat (179 bytes)

The process WinMail.exe:2460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (49600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (31400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\608E13E3-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2460_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3E6.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\608E13E3-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3E7.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2460_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2460_2.ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3E6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3E7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)

Registry activity

The process soft.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Uqxam]
"Orofm" = "F4 63 8B 45 91 61 85 EB 5C EC 08 E7 9B 7A 1B E1"

The process Pony.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\WinRAR]
"HWID" = "7B 36 33 46 39 36 34 32 37 2D 33 43 31 38 2D 34"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:3776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process %original file name%.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Uqxam]
"Orofm" = "F4 63 8B 45 91 61 85 EB 5C EC 08 E7 9B 7A 1B E1"

The process WinMail.exe:2460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "2"
"Settings Upgraded" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"

[HKCU\Identities\{C692FCB0-9162-422E-94A4-4CD072B19CA9}]
"Identity Ordinal" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "E1 07 07 00 01 00 0A 00 01 00 1C 00 39 00 45 03"
"Running" = "1"
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerDlgPos" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
"Default_CodePage" = "28591"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"

[HKCU\Software\Microsoft\IAM\Accounts]
"ConnectionSettingsMigrated" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerTack" = "0"

[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{CE54EE8F-8454-4E11-A69C-0E6F9BED6C0A}.oeaccount"
"Default LDAP Account" = "account{5F33D8D7-3326-4E0C-969F-F201824EF068}.oeaccount"

[HKCU\Software\Microsoft\Windows Mail]
"lastrun" = "32 75 33 ED 1B F9 D2 01"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Identities]
"Changing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Identities]
"IncomingID"
"OutgoingID"

[HKCU\Software\Microsoft\WAB]
"NamedProps"

Dropped PE files

MD5	File path
c8909cca13d61346b9d30c4f4f6632b7	c:\Users\"%CurrentUserName%"\AppData\Roaming\Ezud\teogc.exe
c2a2223687a6384b33e63b40d03ec17f	c:\Users\"%CurrentUserName%"\AppData\Roaming\soft.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WINMM.dll:

PlaySoundW

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpSendRequestExA
HttpSendRequestA
InternetSetFilePointer
HttpSendRequestW
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestA
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
ReleaseCapture
SetCapture
GetMessagePos
DefDlgProcW
CallWindowProcA
DefMDIChildProcA
DefFrameProcA
GetUpdateRgn
DefFrameProcW
DefMDIChildProcW
DefDlgProcA
GetClipboardData
GetMessageW
TranslateMessage
PeekMessageW
EndPaint
BeginPaint
GetDC
ReleaseDC
DefWindowProcW
GetWindowDC
GetDCEx
CallWindowProcW
PeekMessageA
GetMessageA
RegisterClassExW
RegisterClassW
RegisterClassA
DefWindowProcA
GetUpdateRect
GetCursorPos
GetCapture
RegisterClassExA
OpenInputDesktop
SwitchDesktop

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in WS2_32.dll:

gethostbyname
send
WSASend
getaddrinfo
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwCreateUserProcess

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: f11.exe
Internal Name: f11.exe
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	983076	987136	5.51667	b7b958903d7dff19395bb009b86d4734
.rsrc	999424	656	4096	0.459257	0ded9be24b696c0e028c4b90088ca7b7
.reloc	1007616	12	4096	0.011035	dfd232206393b933aa295ffeea2c2b49

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
www.trfordsworking.in
crl.microsoft.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

taskhost.exe_252_rwx_00290000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe*

SSShye*

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy\kaix.bay

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy

kaix.bay

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tecyap\ykad.ynu

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tecyap

ykad.ynu

Explorer.EXE_284_rwx_039E0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy\kaix.bay

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy

kaix.bay

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

Dwm.exe_528_rwx_010A0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy\kaix.bay

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy

kaix.bay

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

:\Users\"%CurrentUserName%"\AppData\Roaming\Tecyap\ykad.ynu

C:\Users\"%CurrentUserName%"\AppData\Roaming\Tecyap

ykad.ynu

conhost.exe_1068_rwx_002C0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe-

SSShye-

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy\kaix.bay

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy

kaix.bay

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

TPAutoConnect.exe_2068_rwx_00550000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXeV

SSShyeV

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy\kaix.bay

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy

kaix.bay

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

conhost.exe_2076_rwx_000D0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy\kaix.bay

C:\Users\"%CurrentUserName%"\AppData\Roaming\Xakihy

kaix.bay

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

soft.exe:2748
Pony.exe:956
%original file name%.exe:3776
%original file name%.exe:2736
WinMail.exe:2460
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp7f44b81e.bat (175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Ezud\teogc.exe (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1371061.bat (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Quotation.jar (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Pony.exe (185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\soft.exe (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (49600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (31400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\608E13E3-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2460_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3E6.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\608E13E3-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3E7.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Kazy.699500_bb6c854056

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet