Gen.Variant.Midie.6956_449f67c96f

by malwarelabrobot on May 26th, 2017 in Malware Descriptions.

Gen:Variant.Midie.6956 (BitDefender), Trojan:Win32/Toga!rfn (Microsoft), Trojan-Dropper.Win32.Sysn.bpvb (Kaspersky), Trojan-Dropper.Win32.Daws.awfy (v) (not malicious) (VIPRE), Trojan.Inject1.10883 (DrWeb), Gen:Variant.Midie.6956 (B) (Emsisoft), Downloader-FYZ!449F67C96FCC (McAfee), W32.Faedevour!inf (Symantec), Trojan-Spy.Agent (Ikarus), Gen:Variant.Midie.6956 (FSecure), SHeur4.ALPI (AVG), Win32:Agent-PRR [Trj] (Avast), PE_WINDEX.A (TrendMicro), Gen:Variant.Midie.6956 (AdAware), Virus.Win32.Sality.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Spy, Trojan, Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 449f67c96fcc78c8e155f9dab166376a
SHA1: 1d5c6532c99b2bb8615040e20b25d7045cc20ff4
SHA256: e776908d1e2ae9d914f80ee1ad52882430142a89d812737317b480f35c46d05c
SSDeep: 49152:rZxRGVbTCqxKCnFnQXBbrtgb/iQvu0UHOZTQ:rP8V6qxvWbrtUTrUHOG
Size: 1988271 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Am
Created at: 2012-03-05 10:37:55
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealth installation of other malware into the user's system.

Payload

Behaviour Description
WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

mscaps.exe:2980
wtmps.exe:3092
@AEF6BD.tmp.exe:3188
launch.exe:1216
WdExt.exe:1856
%original file name%.exe:3684

The Trojan injects its code into the following process(es):

sysmgr.exe:3144
%original file name%.exe:3108
conhost.exe:3776
taskhost.exe:252
Explorer.EXE:284
Dwm.exe:528
TPAutoConnect.exe:2068
conhost.exe:2076
conhost.exe:3448

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mscaps.exe:2980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\wtime32.dll (27976 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A746.tmp (406 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wtmps.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A746.tmp (0 bytes)

The process wtmps.exe:3092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\mscaps.exe (26272 bytes)

The process sysmgr.exe:3144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\conf.dat (76 bytes)

The process @AEF6BD.tmp.exe:3188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\mydll.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sp6F95.tmp (1388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Se6F96.tmp (1792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm0.bat (127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpF9A9.tmp (435354 bytes)
C:\Windows\sysmgr.exe (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp6F97.tmp (907 bytes)
C:\Windows\svc.dat (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe (231621 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm1.bat (192 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpF9A9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sp6F95.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Se6F96.tmp (0 bytes)

The process launch.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm0.bat (100 bytes)

The process WdExt.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99D6.tmp (55476 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Common\Shared\dis.dll (10077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Identities\"%CurrentUserName%"\arc.dll (103749 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm1.bat (124 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9993.tmp (28924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wtmps.exe (31581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99A5.tmp (21164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99B5.tmp (36444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9962.tmp (48916 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Shared\Modules\fil.dll (10805 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe (18077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99A4.tmp (18508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Caches\Files\usd.dll (7933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9933.tmp (200332 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\mydll.dll (26868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9973.tmp (26548 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Repairs\sha.dll (7589 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Addins\att.dll (18829 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99D6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99A4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\mydll.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9993.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99A5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99B5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9962.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9933.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9973.tmp (0 bytes)

The process %original file name%.exe:3108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (20 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (744 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winkoht.exe (561 bytes)
C:\autorun.inf (338 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\otftf.exe (561 bytes)
C:\cimc.exe (99 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winkoht.exe (0 bytes)
C:\Windows\13f9f7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\otftf.exe (0 bytes)

Registry activity

The process mscaps.exe:2980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ef2b00e3-19da-4e78-b118-6b6451b719f2}]
"Locale" = "*"
"StubPath" = "C:\Windows\system32\mscaps.exe /s /n /i:U shell32.dll"
"Version" = "1,125,2406,1"
"ComponentID" = "DirectShow"

The process sysmgr.exe:3144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SfcDisable" = "4"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
"SfcDisable" = "4"

The process @AEF6BD.tmp.exe:3188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\@AEF6BD_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\@AEF6BD_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\@AEF6BD_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\@AEF6BD_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\@AEF6BD_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\@AEF6BD_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\@AEF6BD_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\@AEF6BD_RASMANCS]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process launch.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

To run itself automatically each time Windows is booted, the Trojan adds the following value, pointing to its file, to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Extension" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WdExt.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:3108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_0" = "0"
"m3_0" = "17001001"

[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"

[HKCU\Software\Stvncyfrlda]
"m2_0" = "5517"


[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "12"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"FirewallOverride" = "1"

[HKCU\Software\Stvncyfrlda]
"m1_0" = "1431655765"

[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2F736F62616B61312E67696600687474703A2F2F3139302E3132302E3232372E39313A383038302F736F62616B61766F6C6F732E676966"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "75"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The firewall is disabled:

"EnableFirewall" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Dropped PE files

MD5 File path
f1cb224b6c0606999ffea4ce1b23e201 c:\%original file name%.exe
f1c9f4a1f92588aeb82be5d2d4c2c730 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Caches\Files\usd.dll
1fcc5b3ed6bc76d70cfa49d051e0dff6 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Common\Shared\dis.dll
daac1781c9d22f5743ade0cb41feaebf c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe
2d9df706d1857434fcaa014df70d1c66 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Identities\"%CurrentUserName%"\arc.dll
668a69ee830a297bf4d8ece4783ba888 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
6a9461f260ebb2556b8ae1d0ba93858a c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Repairs\sha.dll
d0c9ada173da923efabb53d5a9b28d54 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Shared\Modules\fil.dll
fffa05401511ad2a89283c52d0c86472 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Addins\att.dll
78d3c8705f8baf7d34e6a6737d1cfa18 c:\Windows\System32\mscaps.exe
978888892a1ed13e94d2fcb832a2a6b5 c:\Windows\System32\wtime32.dll
2373dfbdba70b54164d4fe163f7f59f1 c:\Windows\sysmgr.exe
b72e29dc453dd5fe52cf0865d878b37d c:\cimc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Mediatek
Product Name: USBSwitchTool Application
Product Version: 2, 13, 10, 0
Legal Copyright: Copyright (C) 2011
Legal Trademarks:
Original Filename: USBSwitcTool.exe
Internal Name: USBSwitchTool
File Version: 2, 13, 10, 0
File Description: USBSwitchTool Application
Comments:
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2108 2560 3.76997 6dbb11cce72cc16b887018dd4c34d252
.rdata 8192 1478 1536 3.36814 838666d924e8b6e9dfc84f930bd16733
.data 12288 94208 512 0.377955 7d6dcdf3bcb22dca4957ddb77c1c8cbf
.rsrc 106496 69632 67072 5.53169 439da9a6271ba2f8f6540aa3d6e34916

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
a.gwas.perl.sh 151.80.13.35
update.microsoft.com 157.55.240.94
www.google.com 216.58.214.228
dns.msftncsi.com
windowsupdate.microsoft.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscaps.exe:2980
    wtmps.exe:3092
    @AEF6BD.tmp.exe:3188
    launch.exe:1216
    WdExt.exe:1856
    %original file name%.exe:3684

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\wtime32.dll (27976 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A746.tmp (406 bytes)
    C:\Windows\System32\mscaps.exe (26272 bytes)
    C:\Windows\conf.dat (76 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\mydll.dll (1489 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sp6F95.tmp (1388 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Se6F96.tmp (1792 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm0.bat (127 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpF9A9.tmp (435354 bytes)
    C:\Windows\sysmgr.exe (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp6F97.tmp (907 bytes)
    C:\Windows\svc.dat (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe (231621 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm1.bat (192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99D6.tmp (55476 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Common\Shared\dis.dll (10077 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Identities\"%CurrentUserName%"\arc.dll (103749 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9993.tmp (28924 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wtmps.exe (31581 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99A5.tmp (21164 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99B5.tmp (36444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9962.tmp (48916 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Shared\Modules\fil.dll (10805 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe (18077 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp99A4.tmp (18508 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Caches\Files\usd.dll (7933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9933.tmp (200332 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9973.tmp (26548 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Repairs\sha.dll (7589 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Addins\att.dll (18829 bytes)
    C:\Windows\system.ini (72 bytes)
    %Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (20 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (744 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (688 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winkoht.exe (561 bytes)
    C:\autorun.inf (338 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\otftf.exe (561 bytes)
    C:\cimc.exe (99 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender Extension" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
