Gen.Variant.Symmi.2054_be349a56e9

by malwarelabrobot on May 22nd, 2017 in Malware Descriptions.

Gen:Variant.Symmi.2054 (BitDefender), Gen:Variant.Symmi.2054 (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), Gen:Variant.Symmi.2054 (FSecure), Win32:Evo-gen [Susp] (Avast), Gen:Variant.Symmi.2054 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: be349a56e9b788f5fc9fa6db19052bf7
SHA1: f2e466a00f085453def2e2f8b9e4588077910573
SHA256: eca07b97ccc4f37669c6021c0f4c401da0eba07d1f06952454c0f748d54c091c
SSDeep: 49152:wD29w7nRlG4m/kDq4fgWCsVb6KUpZ hDg1F2d6XYVk:PK7nRlG4m/OBg5SbWf YFCWYVk
Size: 2412544 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-29 06:39:05
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.

The EmailWorm verdict rests on the SMTP header format strings present in the binary ("From: %s", "To: %s", "Subject: %s", "SMTP"; see the strings dump). No mail traffic was observed in this run, and the files dropped and the COM methods registered (see File activity and Registry activity) point to a GUI/game-automation tool. Treat the worm classification as unconfirmed.


Process activity

The Trojan creates the following process(es) (the number after the colon is the process ID in this sandbox run, not a stable indicator):

Regsvr32.exe:2544

The Trojan injects its code into the following process(es):

%original file name%.exe:2920

Regsvr32.exe is the legitimate Windows COM registration tool; it is launched here to register the dropped c:\windows\ys.dll (the strings dump carries the command line "Regsvr32 c:\windows\ys.dll /s"). The "injection" target is the sample's own process: the dump section %original file name%.exe_2920_rwx_10001000_00167000 below is a read/write/execute region the sandbox captured from that process.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Regsvr32.exe:2544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\ys.dll (823 bytes)

The process %original file name%.exe:2920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The file names are GBK; the sandbox rendered them as Latin-1 mojibake, which is repaired here. Glosses: 客户端资料 = client data, 虚拟机 = virtual machine, 字库 = character library (the OCR dictionary loaded through the SetExportDict method seen in the dump), 位置 = position, 一键加速 = one-click speed-up, 打开电源 = power on, 克隆虚拟机 = clone virtual machine, 快照 = snapshot, 原始虚拟机 = original virtual machine, 开始游戏 = start game, 复制该虚拟机 = copy this virtual machine, 设置.ini = settings.ini, 手动注册插件.bat = manually-register-plugin.bat, 背景 = background, 快照详细信息 = snapshot details. The tiny .bmp files (the dump lists them as "1.bmp|2.bmp|..." alternatives) are screen-search templates, and the 26-byte .bat matches the length of the string "Regsvr32 c:\windows\ys.dll" in the dump; together with the template names, this is consistent with a script that drives a virtual-machine manager and a game client through the GUI.

C:\客户端资料\imgk\虚拟机2.bmp (788 bytes)
C:\客户端资料\imgk\虚拟机1.bmp (788 bytes)
C:\客户端资料\imgk\字库.txt (11344 bytes)
C:\客户端资料\imgk\位置.bmp (3 bytes)
C:\客户端资料\imgk\一键加速.bmp (10 bytes)
C:\客户端资料\imgk\虚拟机.bmp (1 bytes)
C:\客户端资料\imgk\位置3.bmp (1 bytes)
C:\客户端资料\imgk\打开电源.bmp (2 bytes)
C:\Windows\ys.dll (823 bytes)
C:\客户端资料\imgk\克隆虚拟机.bmp (376 bytes)
C:\客户端资料\imgk\位置7.bmp (3 bytes)
C:\客户端资料\imgk\快照1a.bmp (4 bytes)
C:\客户端资料\imgk\原始虚拟机.bmp (500 bytes)
C:\客户端资料\imgk\位置5.bmp (1 bytes)
C:\客户端资料\imgk\位置1.bmp (2 bytes)
C:\客户端资料\imgk\原始虚拟机1.bmp (596 bytes)
C:\客户端资料\imgk\快照1b.bmp (3 bytes)
C:\客户端资料\imgk\位置4.bmp (2 bytes)
C:\客户端资料\imgk\克隆虚拟机1.bmp (428 bytes)
C:\客户端资料\imgk\开始游戏.bmp (10 bytes)
C:\客户端资料\imgk\复制该虚拟机.bmp (5 bytes)
C:\客户端资料\设置.ini (226 bytes)
C:\客户端资料\imgk\快照1c.bmp (3 bytes)
C:\客户端资料\imgk\虚拟机3.bmp (452 bytes)
C:\客户端资料\imgk\位置2.bmp (2 bytes)
C:\手动注册插件.bat (26 bytes)
C:\客户端资料\imgk\背景.bmp (870 bytes)
C:\客户端资料\imgk.zip (131 bytes)
C:\客户端资料\imgk\位置6.bmp (1 bytes)
C:\客户端资料\imgk\打开电源1.bmp (1 bytes)
C:\客户端资料\imgk\快照1d.bmp (4 bytes)
C:\客户端资料\imgk\快照详细信息.bmp (3 bytes)

The Trojan deletes the following file(s):

C:\客户端资料\imgk.zip (0 bytes)
C:\手动注册插件.bat (0 bytes)

Registry activity

The process Regsvr32.exe:2544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. Together they register c:\windows\ys.dll as an in-process COM server: ProgID dm.dmsoft, CLSID {26037A0E-7CBD-4FFF-9C63-56F2D0770214}, interface Idmsoft {F3F54BC2-D6D1-4A85-B943-16287ECEA64C} and type library "Dm" {84288AAD-BA02-4EF2-85EC-3FAD4D11354D}. Because the registration is machine-wide (HKCR), any script on the host can then instantiate the object by ProgID, e.g. CreateObject("dm.dmsoft"). The method names the type library exposes (FindWindowSuper, KeyPressStr, EnableRealKeypad, SetExportDict and the dx.* mode strings in the dump) are those of a keyboard/mouse/screen-reading automation plugin; dm.dmsoft is the ProgID used by the Chinese "Damo" (大漠) game-automation library dm.dll, a file name that also appears in the dump:

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"(Default)" = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"

[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR]
"(Default)" = "c:\windows\"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}]
"(Default)" = "Idmsoft"

[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\windows\ys.dll"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32]
"(Default)" = "c:\windows\ys.dll"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0]
"(Default)" = "Dm"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"Version" = "1.0"

The process %original file name%.exe:2920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. The HKLM\SOFTWARE\Microsoft\Tracing\<name>_RASAPI32 key below is created by Windows itself whenever a process loads rasapi32.dll (the sample imports it and references rasphone.pbk); it records that the sample called the RAS API but is neither persistence nor a reliable indicator on its own:

[HKLM\SOFTWARE\Microsoft\Tracing\be349a56e9b788f5fc9fa6db19052bf7_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value (快捷方式 = "shortcut"):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe - 快捷方式"

In this run the sample removed the Run entry rather than creating it; the strings "%s\%s.lnk" and "Software\Microsoft\Windows\CurrentVersion\Run" in the dump suggest the same code can also write it, so check for the value when triaging a host.

Dropped PE files

MD5 File path
c578b6820bda5689940560147c6e5ffc c:\Windows\ys.dll
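As an added example (not part of the Lavasoft report or of the sample), the following Python turns the registry listing above into structured records and applies two hunting checks: a COM in-process server whose DLL sits outside the usual system and program directories, and a regsvr32 command line registering such a DLL. The input block is a subset of the report's own registry lines, copied verbatim, plus the regsvr32 command line from the strings dump; the EXPECTED_DIRS list is my assumption, and both checks are triage filters, not verdicts.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed input: registry lines exactly as this report prints them
# (one [key] line, then "name" = "value" pairs) and the regsvr32 command
# line from the strings dump. Nothing here was collected from a live host.
REPORT_REGISTRY_BLOCK = r"""
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"

[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\windows\ys.dll"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32]
"(Default)" = "c:\windows\ys.dll"

[HKLM\SOFTWARE\Microsoft\Tracing\be349a56e9b788f5fc9fa6db19052bf7_RASAPI32]
"EnableFileTracing" = "0"
"""
REPORT_CMDLINE = r"Regsvr32 c:\windows\ys.dll /s"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)
PROGID_RE = re.compile(r"^HKCR\\(?P<progid>[^\\{][^\\]*)\\CLSID$", re.I)

# Assumed list of directories a COM in-proc server is expected to load from.
# A DLL anywhere else (here: the root of c:\windows) is worth a look, not a
# verdict: legitimate installers register servers from odd places too.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class RegValue:
    key: str
    name: str
    value: str


def parse_registry_block(text):
    """Turn the report's [key] / "name" = "value" listing into RegValue records."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group("key")
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            entries.append(RegValue(current, val.group("name"), val.group("value")))
    return entries


def outside_expected_dirs(path):
    """True when a DLL path is not under any directory in EXPECTED_DIRS."""
    return not path.lower().startswith(EXPECTED_DIRS)


def com_registrations(entries):
    """Resolve ProgID -> CLSID -> server DLL from the (Default) values."""
    clsid_to_dll, progid_to_clsid = {}, {}
    for e in entries:
        if e.name != "(Default)":
            continue
        m = INPROC_RE.search(e.key)
        if m:
            clsid_to_dll[m.group(1).upper()] = e.value
        m = PROGID_RE.match(e.key)
        if m:
            progid_to_clsid[m.group("progid")] = e.value.upper()
    return {p: (c, clsid_to_dll.get(c)) for p, c in progid_to_clsid.items()}


def suspicious_inproc_servers(entries):
    """CLSIDs whose InprocServer32 default value points outside EXPECTED_DIRS."""
    return [(INPROC_RE.search(e.key).group(1).upper(), e.value)
            for e in entries
            if e.name == "(Default)" and INPROC_RE.search(e.key)
            and outside_expected_dirs(e.value)]


def regsvr32_target(cmdline):
    """DLL path a regsvr32 command line registers, or None if it is not regsvr32."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    if not tokens or not tokens[0].strip('"').lower().endswith(("regsvr32", "regsvr32.exe")):
        return None
    args = [t.strip('"') for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[0] if args else None


if __name__ == "__main__":
    entries = parse_registry_block(REPORT_REGISTRY_BLOCK)
    for progid, (clsid, dll) in com_registrations(entries).items():
        print(f"ProgID {progid} -> {clsid} -> {dll}")
    for clsid, dll in suspicious_inproc_servers(entries):
        print(f"in-proc server outside expected dirs: {clsid} = {dll}")
    target = regsvr32_target(REPORT_CMDLINE)
    if target and outside_expected_dirs(target):
        print(f"regsvr32 registering a DLL from an unexpected location: {target}")
```

The same two checks translate directly to endpoint telemetry: registry-set events on `HKCR\CLSID\*\InprocServer32` whose data is outside EXPECTED_DIRS, and process-creation events where the image is regsvr32.exe and the DLL argument is outside them.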

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Tencent
Product Name: Tencent Game Platform
Product Version: 1.16.10.2570
Legal Copyright: Copyright 2015 Tencent
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.16.10.2570
File Description: ??????
Comments: Tencent Game Platform
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 837470 839680 4.50039 78112334b609a4a6695b1acc55c34bfb
.rdata 843776 1273454 1273856 5.00014 a6463a6ca5e04b727921e075e12c00c5
.data 2117632 359370 81920 3.47629 b6d076ee192206e535b3538ebeb03f06
.rsrc 2478080 208908 212992 3.07029 ca8c13dd0e6fecb0f40725fa3cd8eec8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://aladdin.a.shifen.com/special/time/
hxxp://open.baidu.com/special/time/ 220.181.111.157


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /special/time/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: zh-cn
Referer: hXXp://open.baidu.com/special/time/
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: open.baidu.com


HTTP/1.1 302 Found
Date: Sun, 21 May 2017 04:07:46 GMT
Server: Apache
Location: hXXp://VVV.baidu.com/search/error.html
Content-Length: 222
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://VVV.baidu.com/search/error.html">here</a>.</p>
</body></html>

Note that the request is a GET that carries a form Content-Type header but no body, and that its Referer is the requested URL itself. The sample expects a "window.baidu_time(" callback from this page (see the strings dump), i.e. it is fetching the current time; in this run the endpoint only redirected to an error page.
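The request above is distinctive less for its destination (open.baidu.com/special/time/ is a public clock page that the sample reads through the window.baidu_time( callback listed in the strings dump) than for how it is built: a GET carrying a form Content-Type with no body, a Referer identical to the URL requested, and a User-Agent of Mozilla/4.0 with an MSIE 9.0 token, a combination no shipped Internet Explorer sends (IE 9 reports Mozilla/5.0 with a Trident/5.0 token, a string the binary also carries). Blocking the domain would break legitimate users, so a detection has to score the combination. As an added example that is not part of the report, the Python below scores JSON proxy-log records on those features; the log lines are constructed (the first mirrors the capture, with hXXp restored to http, the other two are invented benign traffic), and the one-point-per-feature weights and the threshold are assumptions.

```python
import json

# Constructed sample of three proxy-log records (one JSON object per line).
# Record 1 reproduces the headers of the capture; records 2 and 3 are
# invented benign traffic that shares one feature each with the sample.
SAMPLE_LOG = r'''
{"ts": "2017-05-21T04:07:46Z", "src": "10.0.0.15", "method": "GET", "host": "open.baidu.com", "uri": "/special/time/", "user_agent": "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)", "referer": "http://open.baidu.com/special/time/", "content_type": "application/x-www-form-urlencoded", "accept_language": "zh-cn"}
{"ts": "2017-05-21T04:08:02Z", "src": "10.0.0.22", "method": "GET", "host": "open.baidu.com", "uri": "/special/time/", "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", "referer": "https://www.baidu.com/", "content_type": "", "accept_language": "zh-CN,zh;q=0.8"}
{"ts": "2017-05-21T04:09:10Z", "src": "10.0.0.31", "method": "POST", "host": "intranet.example", "uri": "/login", "user_agent": "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)", "referer": "", "content_type": "application/x-www-form-urlencoded", "accept_language": "en-US"}
'''

# Exact strings from the capture. Each matched feature scores one point
# (assumed weighting); the clock-page match alone is deliberately weak.
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
TIME_CHECK = ("open.baidu.com", "/special/time/")


def score_request(rec):
    """Score one parsed request; returns (score, list of matched reasons)."""
    reasons = []
    if rec.get("user_agent") == SAMPLE_UA:
        reasons.append("User-Agent identical to the sample's hard-coded string")
    if rec.get("method") == "GET" and rec.get("content_type", "").startswith(
            "application/x-www-form-urlencoded"):
        reasons.append("GET that carries a form Content-Type (hand-built request, no body)")
    referer = rec.get("referer", "")
    if referer and referer.split("://", 1)[-1] == rec.get("host", "") + rec.get("uri", ""):
        reasons.append("Referer equals the requested URL")
    if (rec.get("host"), rec.get("uri")) == TIME_CHECK:
        reasons.append("clock fetch from open.baidu.com/special/time/ (weak alone: public page)")
    return len(reasons), reasons


def detect(log_text, threshold=3):
    """Return (src, ts, score, reasons) for every record scoring at or above threshold."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        score, reasons = score_request(rec)
        if score >= threshold:
            hits.append((rec["src"], rec["ts"], score, reasons))
    return hits


if __name__ == "__main__":
    for src, ts, score, reasons in detect(SAMPLE_LOG):
        print(f"{ts} {src} score={score}")
        for reason in reasons:
            print("   -", reason)
```

With the default threshold only the first record fires (all four features); the IE 11 user visiting the same clock page and the intranet POST sharing the User-Agent each score one and stay below it, which is the point of scoring the combination rather than the domain.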


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2920:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
Bv=kAv.SCv
kernel32.dll
shlwapi.dll
gdiplus.dll
Ole32.dll
ole32.dll
user32.dll
advapi32.dll
Kernel32.dll
dbghelp.dll
rasapi32.dll
ADVAPI32.DLL
shell32.dll
wininet.dll
oleaut32.dll
ws2_32.dll
Ws2_32.dll
MsgWaitForMultipleObjects
GetWindowsDirectoryA
GdiplusShutdown
keybd_event
ExitWindowsEx
UnhookWindowsHookEx
SetWindowsHookExA
EnumChildWindows
ShellExecuteEx
InternetOpenUrlA
GetProcessHeap
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
CreateIoCompletionPort
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
42305932-06E6-47a5-AC79-8BDCDC58DF61
1024*768
shell32.dll,Control_RunDLL sysdm.cpl,,3
rundll32.exe
.lnkup'
.lnkPK
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
.tiff
{557CF406-1A04-11D3-9A73-0000F81EF32E}
.bmp|
1.bmp|
2.bmp|
3.bmp
1.bmp
3.bmp|
4.bmp|
5.bmp|
6.bmp|
7.bmp
1a.bmp|
1b.bmp|
1c.bmp|
1d.bmp
SetWindowState
KeyPress
KeyDown
KeyUp
00-00-00-00-00-00
vmware.exe
\data\setsoft.ini
\imgk.zip
.bmpup
.bmps
1.bmpup
I.WSp
2.bmpup
2.bmp
3.bmpup
3.bmps
4.bmpup
4.bmp
5.bmpup
5.bmps
6.bmpup
6.bmps
7.bmpup
7.bmps
1.bmps
.bmpup
.txtup
 iC.Mk
$%x{p
`hQE_
,V.uD
6.qbk
tI%F,
aI%Sj
%cGsC
U.qYE[:&,
<;u.nM
r3%d!
.oxJl
1a.bmpup
1a.bmp
1b.bmpup
1b.bmp
1c.bmpup
1c.bmp
1d.bmpup
1.bmp}
.BPZS!
2.bmpe
.bmpPK
1.bmpPK
2.bmpPK
3.bmpPK
4.bmpPK
5.bmp
5.bmpPK
6.bmp
6.bmpPK
7.bmpPK
.txtPK
1a.bmpPK
1b.bmpPK
1c.bmpPK
1d.bmpPK
!!"#$%&'())?
%C%]uSj
Ha.QE
xCmD$L
s.Nd)
A_%.ID,
n.Nn0 b
.hh=@-
T8.Sz
.dTR0
.PWh=j
nL.nP?
webH
NQt%F
.XV LV#
PGPus(.Gz
.ROH=
]v%UO
uù u
0k00[ `.kh#
.scwX
?456789:;<=
!"#$%&'()* ,-./0123
CxImage 6.0.0
deflate 1.2.3 Copyright 1995-200d
a .WO<t
e processors when executed
>support g
X:
UxTheme.dll
;9HttpCli
7.PAVCExcep=^
.1.2600.441~
PSAPI.DLLU%f
%u%x-
88.185.3
20 4.49.
0.4.10n
129.6.15.29
202.120.
\.\%c
g%s#$A
"LuCBy%d
./*.bmp
log.tx
cpublic.inject.type.54
LL keypadput
k.ap*
.=.minmax
x.cfake`?
defense.szX
.sel/O
on.Leve
mp7%ss
tCPo
wKeyboardD
Scsi%d:
H%d_%
1.2.24
%ct t
: %s=
= (%d/10
gx=%f, gy
%ld, pass
xkey
'%ds=
3%u B
orm.de6
`O%dhx%dv qV
FD=%u, "
'z %4u
iY;kUnkeY
%ld%c$
-t.SSSj
MSVCRT
ntoskrnl.exQ
8)939@9|9
#&$&@'!?
9}%U}
3(Ýd
6,?-.7?`
SAPI.DLLK04e
506:6?6[
8(83888?
>,?0?4?8?<?
.net4x7
.Crz03
hÕ@e
:;.ofSb
R.of'z
B{.zS,y
6o.ob#
Ftpf
PIpE
.Sj_^
.vCb'PK
WlCmd
l%u$}0
Jy%s2;J
x-d}X
_~.SO
'.Sj?
.Increm
WinExe&Copy
.DIBi
uDPtoLPNq`n
fo@@UAE@XZ.on
ad.boa
.DD-?J8
1,//2/,/
7G#V%F
(.text
@.tp0
{43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A} = s 'Dm'
'Dm.EXE'
val AppID = s {43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A}
dm.dmsoft = s 'dm.dmsoft'
CLSID = s '{26037A0E-7CBD-4FFF-9C63-56F2D0770214}'
CurVer = s 'dm.dmsoft'
ForceRemove {26037A0E-7CBD-4FFF-9C63-56F2D0770214} = s 'dm.dmsoft'
ProgID = s 'dm.dmsoft'
stdole2.tlbWWW
~cmdWd
.aKeyDownWd
MKeyUpWWWd
ShowScrMsgWW
msgWd
SetShowErrorMsgW
>SGetWindowStateWW
U@SetWindowSizeWWWd
SetWindowStateWWd
iRSetKeypadDelayWWd
BkeypadWW
SetExportDictWWWd
keyWd
FindWindowSuperW
qHKeyDownCharW
pOkey_strWd
KeyUpCharWWWd
KeyPressChard
KeyPressStrWd
EnableKeypadPatchWWWd
=PEnableKeypadSyncd
EnableRealKeypadd
GetKeyStateWd
[.ReadFiled
WaitKeyW
!key_coded
joEnumWindowSuperW
urlW
=EnableKeypadMsgWd
EnableMouseMsgWWd
method KeyPressWWW
method KeyDown
method KeyUpWW
method ShowScrMsgW
method SetShowErrorMsg
method GetWindowStateW
method SetWindowSizeWW
method SetWindowStateW
method SetKeypadDelayW
method SetExportDictWW
method FindWindowSuper
method KeyDownChar
method KeyUpCharWW
method KeyPressCharWWW
method KeyPressStr
method EnableKeypadPatchWW
method EnableKeypadSyncWWW
method EnableRealKeypadWWW
method GetKeyState
method WaitKey
method EnumWindowSuper
method EnableKeypadMsg
method EnableMouseMsgW
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
IMM32.dll
MFC42.DLL
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
WS2_32.dll
RegCloseKey
dm.dll
c:\windows\ys.dll
Regsvr32 c:\windows\ys.dll /s
dm.dmsoft
Regsvr32 c:\windows\ys.dll
\Microsoft\Network\Connections\pbk\rasphone.pbk
1970-01-01 08:00:00
Microsoft.XMLHTTP
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
application/x-www-form-urlencoded
@hXXp://whois.pconline.com.cn/ipJson.jsp
hXXps://VVV.baidu.com/s?wd=ip
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
hXXp://open.baidu.com/special/time/
window.baidu_time(
1970.01.01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('
hXXp://VVV.yeshen520.com/zz/zz.php
hXXp://VVV.ip138.com
hXXps://
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
hXXp://
https
127.0.0.0
H@shlwapi.dll
(((&$$$1"""9
000.$%%D
UU.exe
192.168.1.100
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
RASAPI32.dll
WinExec
KERNEL32.dll
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegOpenKeyExA
RegOpenKeyA
RegCreateKeyExA
ShellExecuteA
COMCTL32.dll
WSOCK32.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
X-X-X-X-X-X
%s\%s.lnk
Software\Microsoft\Windows\CurrentVersion\Run
;3 #>6.&
'2, / 0&7!4-)1#
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
3, 1233, 0, 0
(*.*)
1.16.10.2570

%original file name%.exe_2920_rwx_10001000_00167000:

T8.Sz
%XEXa
SSSSSh
9^ u%f
~%UVW
uù u f9k
?456789:;<=
!"#$%&'()* ,-./0123
CxImage 6.0.0
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
LOCK CMPXCHG8B may crash some processors when executed
Win95/98 may crash when VxD call is executed in user mode
Win95/98 may crash when NOT ESP is executed
Win95/98 may crash when NEG ESP is executed
Relative jump out of range, use %s LONG form
Constant does not fit into operand
Different size of operands
Bad operand size
Please specify operand size
Wrong number of operands
Command does not support given operands
Too many operands
Too few operands
Extra input after operand
REPNE %s
REPE %s
REP %s
FPU registers have indexes 0 to 7
Too long import name
Unterminated import name
Sorry, 16-bit addressing is not supported
Unrecognized operand
Unaligned stack operation
PREFIX %s:
X:
%s(%i)
(%i-BYTE) %s
%s %s
%s X:X
UxTheme.dll
psapi.dll
7265677376723332
xx
oleaut32.dll
mov ecx,x
push x|
HttpClient
ntdll.dll
RegCreateKeyA
advapi32.dll
\Registry\Machine\System\CurrentControlSet\Services\%s
System\CurrentControlSet\Services\%s
System\CurrentControlSet\Services\%s\Enum
System32\Drivers\%s
.PAVCException@@
%d.%d.%d.%d
5.1.2600.4414
%s\Drivers\%s
5.1.2600.5582
5.1.2200.3385
phide %d
d3d9.dll
SELECT * FROM %s
PSAPI.DLL
x x
x x x x
x x x x x x x x
x x
%x-%x
205.188.185.33
207.200.81.113
207.126.98.204
208.184.49.9
216.200.93.8
66.243.43.21
131.107.1.10
128.138.140.44
132.163.4.103
132.163.4.102
132.163.4.101
129.6.15.29
129.6.15.28
192.43.244.18
202.120.2.101
\\.\%c%d
kernel32.dll
= %s>
%d,%d
%d.%d.%d
%[0-9,A-F]$%s
%s$%s$%d.%d.%d$%d
%d.%d.%d-%d.%d.%d
|%d,%d
%d,%d,%d
%d|%d|%d
%s,%d,%d
%s|%s
./*.bmp
*.bmp
%d|%d|%x-%x
%d|%d|-%x-%x
xxx
log.txt
c:\*.log
c:\test_dx.txt
c:\test_debug.txt
user32.dll
dx.public.inject.type.5
windows
dx.keypad.input.lock.api
dx.keypad.api
dx.keypad.state.api
dx.mouse.input.lock.api
dx.mouse.cursor
dx.mouse.clip.lock.api
dx.mouse.focus.input.message
dx.mouse.focus.input.api
dx.mouse.api
dx.mouse.state.api
dx.public.active.message
dx.public.active.api
dx.mouse.state.message
dx.mouse.position.lock.message
dx.mouse.position.lock.api
windows2
dx.graphic.3d
dx.graphic.2d
dx.public.disable.window.minmax
dx.public.disable.window.size
dx.public.fake.window.min
dx.public.disable.window.position
dx.public.anti.api
dx.public.ori.proc
dx.public.km.protect
dx.public.graphic.protect
dx.public.inject.type.6
dx.public.hide.dll
dx.public.prevent.block
dx.mouse.input.lock.api3
dx.mouse.input.lock.api2
dx.public.disable.window.show
dx.public.memory
dx.keypad.raw.input
dx.mouse.raw.input
dx.public.input.ime
dx.public.active.api2
dx.public.defense.sh
dx.public.defense.ny4
dx.public.defense.ny3
dx.public.defense.ny2
dx.public.defense.ny
dx.public.defense.memory.self2
dx.public.defense.memory2
dx.public.defense.sj
dx.public.defense.memory.self
dx.public.defense.memory
dx.graphic.2d.2
dx.graphic.3d.8
dx.public.inject.type.0
,public[%s]
,keypad[%s]
,mouse[%s]
windows3
,display[%s]
[%s],
d-d-d d:d:d
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Acceleration.Level
user32.DLL
Shell32.dll
0,%d,%d
5.1.2600.5519
%d|%d
imm32.dll
%d,%d,%d,%d,%d
c%d%d
Global\share%s
Global\share_file_input_flag_%d
%s\%s
imesample.ime
1, 0, 0, 26
dx.public.defense.memory2|dx.public.defense.memory.self2
dx.public.defense.ny3|dx.public.defense.ny4
dx.public.defense.memory|dx.public.defense.memory.self|dx.public.defense.sj
dx.public.defense.ny|dx.public.defense.ny2
dx.mouse.input.lock.api|dx.keypad.input.lock.api
dx.mouse.input.lock.api|dx.mouse.input.lock.api3
keybd_event
gdi32.dll
d3d8.dll
ddraw.dll
dinput8.dll
dx.graphic.2d|dx.graphic.2d.2
dx.mouse.api|dx.keypad.api
dx.keypad.state.api|dx.mouse.state.api
dx.mouse.raw.input|dx.keypad.raw.input
GetKeyboardState
GetKeyState
GetAsyncKeyState
\\.\PhysicalDrive%d
\\.\Scsi%d:
System\CurrentControlSet\Control\Keyboard Layouts\
Keyboard Layout\Preload
System\CurrentControlSet\Control\Keyboard Layouts
Iphlpapi.dll
\StringFileInfo\xx\%s
.tmpt
%d_%%d_%%d
%d_%%d
Multipage Encode, Unsupported operation for this format
1.2.24
compression type not supported
libpng error: %s
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning: %s
libpng warning no. %s: %s
iTXt chunk not supported.
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
NULL row buffer for row %ld, pass %d
Empty keyword in iCCP chunk
Unknown compression type %d
Empty keyword in sPLT chunk
white_x=%f, white_y=%f
zero length keyword
keyword length must be 1 - 79 characters
Zero length keyword
extra interior spaces removed from keyword
leading spaces removed from keyword
trailing spaces removed from keyword
invalid keyword character 0xX
Out of memory while procesing keyword
Empty keyword in tEXt chunk
Empty keyword in zTXt chunk
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
%ld%c
Global\Protected.60_%d
Global\Protected.61_%d
Global\Protected.62_%d
Global\Protected.63_%d
Global\Protected.64_%d_%d
Global\Protected.65_%d
Global\Protected.66_%d
Global\Protected.64_%d
Global\Protected.66_%d_%d
Global\Protected.67_%d
Global\Protected.68_%d
.text
`.rdata
@.data
.rsrc
@.reloc
t.SSSj
GetProcessHeap
KERNEL32.dll
ActivateKeyboardLayout
USER32.dll
RegCloseKey
RegOpenKeyA
ADVAPI32.dll
MSVCRT.dll
imesample.dll
ImeProcessKey
h.rdata
H.data
B.reloc
ntoskrnl.exe
HAL.dll
8)939@9|9
.reloc
MapVirtualKeyA
EnumWindows
MapVirtualKeyExA
GetKeyboardLayout
GDI32.dll
User32Kernel32.dll
506:6?6[6
.WB563
hÕ@e
:;.ofSb
,-VL}
{.of'z
k5pu %F
B{.zS,y
6o.ob#
Ftpf
PIpE
.Sj_^
.vCb'PKV
WlCmd
l%u$}0
Jy%s2;J
x-d}X
_~.SO
'.Sj?
.oxc~?^wZ{:{^
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
RegDeleteKeyA
RegOpenKeyExA
SetWindowsHookExA
UnhookWindowsHookEx
UnloadKeyboardLayout
MsgWaitForMultipleObjects
ExitWindowsEx
7G#V%F
"('98(0((
0 000 @ (
@00 0((0 (
( 0(( ((8@ ( 0008((8
(0((( (@
88 000 0@0 08
800000000000800000
@.tp0
`.tp1
`.reloc
run_dlg_%d
\Device\%c%d
\DosDevices\%c%d
csrss.exe
\SystemRoot\System32\win32k.sys
\SystemRoot\system32\win32k.sys
\Device\KeyboardClass0
Microsoft(R) Windows(R) Operating System
\SystemRoot\system32\%s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Regsvr32.exe:2544

     Regsvr32.exe is the legitimate Windows component registration tool and 2544 is only the process ID it had in this sandbox run. End the regsvr32.exe instance whose command line names c:\windows\ys.dll; do not delete regsvr32.exe itself.

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan. Unregister the COM server first ("regsvr32 /u c:\windows\ys.dll") so that the HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}, HKCR\dm.dmsoft, HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} and HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D} keys listed under Registry activity are removed as well; if the DLL is already gone, delete those keys by hand. File names are the GBK names decoded under File activity:

    C:\Windows\ys.dll (823 bytes)
    C:\客户端资料\imgk\虚拟机2.bmp (788 bytes)
    C:\客户端资料\imgk\虚拟机1.bmp (788 bytes)
    C:\客户端资料\imgk\字库.txt (11344 bytes)
    C:\客户端资料\imgk\位置.bmp (3 bytes)
    C:\客户端资料\imgk\一键加速.bmp (10 bytes)
    C:\客户端资料\imgk\虚拟机.bmp (1 bytes)
    C:\客户端资料\imgk\位置3.bmp (1 bytes)
    C:\客户端资料\imgk\打开电源.bmp (2 bytes)
    C:\客户端资料\imgk\克隆虚拟机.bmp (376 bytes)
    C:\客户端资料\imgk\位置7.bmp (3 bytes)
    C:\客户端资料\imgk\快照1a.bmp (4 bytes)
    C:\客户端资料\imgk\原始虚拟机.bmp (500 bytes)
    C:\客户端资料\imgk\位置5.bmp (1 bytes)
    C:\客户端资料\imgk\位置1.bmp (2 bytes)
    C:\客户端资料\imgk\原始虚拟机1.bmp (596 bytes)
    C:\客户端资料\imgk\快照1b.bmp (3 bytes)
    C:\客户端资料\imgk\位置4.bmp (2 bytes)
    C:\客户端资料\imgk\克隆虚拟机1.bmp (428 bytes)
    C:\客户端资料\imgk\开始游戏.bmp (10 bytes)
    C:\客户端资料\imgk\复制该虚拟机.bmp (5 bytes)
    C:\客户端资料\设置.ini (226 bytes)
    C:\客户端资料\imgk\快照1c.bmp (3 bytes)
    C:\客户端资料\imgk\虚拟机3.bmp (452 bytes)
    C:\客户端资料\imgk\位置2.bmp (2 bytes)
    C:\手动注册插件.bat (26 bytes)
    C:\客户端资料\imgk\背景.bmp (870 bytes)
    C:\客户端资料\imgk.zip (131 bytes)
    C:\客户端资料\imgk\位置6.bmp (1 bytes)
    C:\客户端资料\imgk\打开电源1.bmp (1 bytes)
    C:\客户端资料\imgk\快照1d.bmp (4 bytes)
    C:\客户端资料\imgk\快照详细信息.bmp (3 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
