Gen.Variant.Zusy.56672_5b7320c6d2

by malwarelabrobot on November 30th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.56672 (B) (Emsisoft), Gen:Variant.Zusy.56672 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 5b7320c6d2d52a5ef583629039992cb0
SHA1: d1e03317f4c74ae5e74de97f6a75758f4960baed
SHA256: 875add1febce4eb54bb88bd40e9733002c12e13b090d303fa746ee715ba6a323
SSDeep: 3072:QrPMU0j0SQ5wgbq1SRJFlZaGxbtOu/ZYpmX8jk8tmh3 ugmHZOOQf/Vo:MPMUcHEwgcSRCGxbBBi469kMsZOV/q
Size: 223232 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-23 20:11:19
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WinMail.exe:2428
%original file name%.exe:2956

The Trojan injects its code into the following process(es):

conhost.exe:1456
taskhost.exe:1940
Dwm.exe:2008
Explorer.EXE:2024

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WinMail.exe:2428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (52136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0F9B3CE3-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2428_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0F9B3CE3-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (29200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabAA61.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarAA62.tmp (2712 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2428_2.ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabAA61.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarAA62.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2428_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)

The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Bobey\asymf.exe (448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpa03e9146.bat (179 bytes)

Registry activity

The process WinMail.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "2"
"Settings Upgraded" = "10"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"

[HKCU\Identities\{C692FCB0-9162-422E-94A4-4CD072B19CA9}]
"Identity Ordinal" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "E0 07 0B 00 02 00 1D 00 08 00 11 00 17 00 57 03"
"Running" = "1"
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerDlgPos" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
"Default_CodePage" = "28591"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"

[HKCU\Software\Microsoft\IAM\Accounts]
"ConnectionSettingsMigrated" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerTack" = "0"

[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{CE54EE8F-8454-4E11-A69C-0E6F9BED6C0A}.oeaccount"
"Default LDAP Account" = "account{5F33D8D7-3326-4E0C-969F-F201824EF068}.oeaccount"

[HKCU\Software\Microsoft\Windows Mail]
"lastrun" = "D6 30 C3 07 19 4A D2 01"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Identities]
"Changing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Identities]
"IncomingID"
"OutgoingID"

[HKCU\Software\Microsoft\WAB]
"NamedProps"

The process %original file name%.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Ybavg]
"Uzwueglyo" = "64 A0 47 83 79 53 EF 2D 12 D6 48 0C 9A EF 72 F9"

Dropped PE files

MD5 File path
5bfb59b2b37cb927c879c6d1d4ce3825 c:\Users\"%CurrentUserName%"\AppData\Roaming\Bobey\asymf.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WINMM.dll:

PlaySoundW

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpSendRequestExA
HttpSendRequestA
InternetSetFilePointer
HttpSendRequestW
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestA
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
ReleaseCapture
SetCapture
GetMessagePos
DefDlgProcW
CallWindowProcA
DefMDIChildProcA
DefFrameProcA
GetUpdateRgn
DefFrameProcW
DefMDIChildProcW
DefDlgProcA
GetClipboardData
GetMessageW
TranslateMessage
PeekMessageW
EndPaint
BeginPaint
GetDC
ReleaseDC
DefWindowProcW
GetWindowDC
GetDCEx
CallWindowProcW
PeekMessageA
GetMessageA
RegisterClassExW
RegisterClassW
RegisterClassA
DefWindowProcA
GetUpdateRect
GetCursorPos
GetCapture
RegisterClassExA
OpenInputDesktop
SwitchDesktop

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in WS2_32.dll:

gethostbyname
send
WSASend
getaddrinfo
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwCreateUserProcess

Propagation

VersionInfo

Company Name: ImDev Software Group
Product Name: MUI Manifest Generation And Editing Tool
Product Version: 3.2.1.1
Legal Copyright: Copyright (C) 2006-2012 - ImDev Software Group
Legal Trademarks:
Original Filename: muimnftool
Internal Name: mui manifest tool
File Version: 3.2.1.1
File Description: MUI Manifest Generation And Editing Tool
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 185898 186368 5.4211 0d776009b5e1424fcdc44ee7ec38ba22
.rdata 192512 13462 13824 3.44788 212a9f1003ee46a8bd837a53471aa2d6
.data 208896 18596 4608 2.97982 a73be21cb879cc77ca103ac853676379
.rsrc 229376 17280 17408 3.83327 f9ed7ba3135834a71230b1418f334d84

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1363.dscg.akamai.net/pki/crl/products/CodeSignPCA.crl
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY 173.194.44.67
hxxp://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl 212.30.134.167
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon 173.194.44.67
time.windows.com 40.118.103.7


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 16 Apr 2012 23:49:48 GMT
Accept-Ranges: bytes
ETag: "0f6669b2b1ccd1:0"
Server: Microsoft-IIS/8.5
VTag: 438195957300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 558
Cache-Control: max-age=900
Date: Tue, 29 Nov 2016 08:17:31 GMT
Connection: keep-alive
0..*0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Copyright (c) 20
00 Microsoft Corp.1#0!..U....Microsoft Code Signing PCA..111110211944Z
..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0... .....7.......
..0...*.H...............&..%PIu@.....\0KF....0..^.h9=.1jT,5.L....Ed ..
6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud);.?....J_...Fu...
.<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..Tr..Ch.[.z:....#.
..T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . ....G..#....T..G;.....
.HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: M
on, 16 Apr 2012 23:49:48 GMT..Accept-Ranges: bytes..ETag: "0f6669b2b1c
cd1:0"..Server: Microsoft-IIS/8.5..VTag: 438195957300000000..P3P: CP="
ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo 
CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-L
ength: 558..Cache-Control: max-age=900..Date: Tue, 29 Nov 2016 08:17:3
1 GMT..Connection: keep-alive..0..*0......0...*.H........0..1.0...U...
.US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corpora
tion1 0)..U..."Copyright (c) 2000 Microsoft Corp.1#0!..U....Microsoft 
Code Signing PCA..111110211944Z..420416234935Z.7050...U.#..0...%. K].r
T....*.....S.0... .....7.........0...*.H...............&..%PIu@.....\0
KF....0..^.h9=.1jT,5.L....Ed ..6.......i.6.xva....oX.^f'....s...!.....
.O...h.1a..Ud);.?....J_...Fu....<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.
!.'...w.u.\T..Tr..Ch.[.z:....#...T.4Ct.......,...c..}F..U....:..7J
<<< skipped >>>


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 404 Not Found
Date: Tue, 29 Nov 2016 08:18:06 GMT
Content-Type: text/html; charset=UTF-8
Server: ocsp_responder
Content-Length: 1668
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
<!DOCTYPE html>.<html lang=en>.  <meta charset=utf-8>
;.  <meta name=viewport content="initial-scale=1, minimum-scale=1, 
width=device-width">.  <title>Error 404 (Not Found)!!1</ti
tle>.  <style>.    *{margin:0;padding:0}html,code{font:15px/2
2px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
}* > body{background:url(//VVV.google.com/images/errors/robot.png) 
100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:h
idden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
 and (max-width:772px){body{background:none;margin-top:0;max-width:non
e;padding-right:0}}#logo{background:url(//VVV.google.com/images/brandi
ng/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:
-5px}@media only screen and (min-resolution:192dpi){#logo{background:u
rl(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150
x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.googl
e.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}
@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{backgr
ound:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_col
or_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{di
splay:inline-block;height:54px;width:150px}.  </style>.  <a h
ref=//VVV.google.com/><span id=logo aria-label=Google></sp
an></a>.  <p><b>404.</b> <ins>Tha
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY HTTP/1.1


Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 404 Not Found
Date: Tue, 29 Nov 2016 08:18:11 GMT
Content-Type: text/html; charset=UTF-8
Server: ocsp_responder
Content-Length: 1668
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
<!DOCTYPE html>.<html lang=en>.  <meta charset=utf-8>
;.  <meta name=viewport content="initial-scale=1, minimum-scale=1, 
width=device-width">.  <title>Error 404 (Not Found)!!1</ti
tle>.  <style>.    *{margin:0;padding:0}html,code{font:15px/2
2px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
}* > body{background:url(//VVV.google.com/images/errors/robot.png) 
100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:h
idden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
 and (max-width:772px){body{background:none;margin-top:0;max-width:non
e;padding-right:0}}#logo{background:url(//VVV.google.com/images/brandi
ng/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:
-5px}@media only screen and (min-resolution:192dpi){#logo{background:u
rl(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150
x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.googl
e.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}
@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{backgr
ound:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_col
or_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{di
splay:inline-block;height:54px;width:150px}.  </style>.  <a h
ref=//VVV.google.com/><span id=logo aria-label=Google></sp
an></a>.  <p><b>404.</b> <ins>Tha
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

conhost.exe_1456_rwx_001D0000_0003C000:

.text
`.data
.reloc
Ew.AEw
.wb\-w1S-w*
$>&!5/5?
,61>2..&
=' /#??7
<8!;8<35
5( .8>976
:'->:-= =
()( %,,<
!&3%>0?6
&;1"&1!7!:
2/b%5#5
8%/<8/?)?$
*<7%1xea4||-~)WU
83%9&;->
<7!="?):
5>(4 6 3
k-j}a|*37f
gkml-g}a
40552&^^
8(>?)? <
%X1h hq
hXXp://VVV.google.com/webhp
_getFirefoxCookie
HTTP/1.1
HTTP/1.0
hXXp://
hXXps://
HTTP/1.
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
cit_ffcookie.module
cit_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
update.exe
config.bin
PR_OpenTCPSocket
facebook.com
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
%s%s%s
SSSh8
GetProcessHeap
CreatePipe
KERNEL32.dll
SetKeyboardState
MapVirtualKeyW
GetKeyboardState
GetKeyboardLayoutList
ExitWindowsEx
MsgWaitForMultipleObjects
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestW
InternetCrackUrlA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
WINMM.dll
PSSSSSSh
SSSh,
=.>9>_>~>
42>204:4
Process: %s
Input: %s
kernel32.dll
SysShadow
Global\XXX
nspr4.dll
\StringFileInfo\xx\%s
ntdll.dll
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
chrome.dll
Chrome
Firefox
sXXXX
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
C:\Users\"%CurrentUserName%"\AppData\Roaming\Awkyso\izobf.ylw
C:\Users\"%CurrentUserName%"\AppData\Roaming\Awkyso
izobf.ylw
Global\{DE1D7312-06F7-C8F1-C407-5455E1918637}
C:\Users\"%CurrentUserName%"\AppData\Roaming
{4866C137-B4D2-5E8A-C407-5455E1918637}

taskhost.exe_1940_rwx_00580000_0003C000:

.text
`.data
.reloc
Ew.AEw
.wb\-w1S-w*
$>&!5/5?
,61>2..&
=' /#??7
<8!;8<35
5( .8>976
:'->:-= =
()( %,,<
!&3%>0?6
&;1"&1!7!:
2/b%5#5
8%/<8/?)?$
*<7%1xea4||-~)WU
83%9&;->
<7!="?):
5>(4 6 3
k-j}a|*37f
gkml-g}a
40552&^^
8(>?)? <
%X1h hq
hXXp://VVV.google.com/webhp
_getFirefoxCookie
HTTP/1.1
HTTP/1.0
hXXp://
hXXps://
HTTP/1.
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
cit_ffcookie.module
cit_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
update.exe
config.bin
PR_OpenTCPSocket
facebook.com
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
%s%s%s
G:.YY
SSSh8
GetProcessHeap
CreatePipe
KERNEL32.dll
SetKeyboardState
MapVirtualKeyW
GetKeyboardState
GetKeyboardLayoutList
ExitWindowsEx
MsgWaitForMultipleObjects
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestW
InternetCrackUrlA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
WINMM.dll
PSSSSSSh
SSSh,
Y-J}2
=.>9>_>~>
42>204:4
Process: %s
Input: %s
kernel32.dll
SysShadow
Global\XXX
nspr4.dll
\StringFileInfo\xx\%s
ntdll.dll
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
chrome.dll
Chrome
Firefox
sXXXX
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
C:\Users\"%CurrentUserName%"\AppData\Roaming\Tunal\qiudu.vye
C:\Users\"%CurrentUserName%"\AppData\Roaming\Tunal
qiudu.vye
C:\Users\"%CurrentUserName%"\AppData\Roaming\Awkyso\izobf.ylw
C:\Users\"%CurrentUserName%"\AppData\Roaming\Awkyso
izobf.ylw
Global\{DE1D7312-06F7-C8F1-C407-5455E1918637}
C:\Users\"%CurrentUserName%"\AppData\Roaming
{4866C137-B4D2-5E8A-C407-5455E1918637}

Dwm.exe_2008_rwx_004C0000_0003C000:

.text
`.data
.reloc
Ew.AEw
.wb\-w1S-w*
$>&!5/5?
,61>2..&
=' /#??7
<8!;8<35
5( .8>976
:'->:-= =
()( %,,<
!&3%>0?6
&;1"&1!7!:
2/b%5#5
8%/<8/?)?$
*<7%1xea4||-~)WU
83%9&;->
<7!="?):
5>(4 6 3
k-j}a|*37f
gkml-g}a
40552&^^
8(>?)? <
%X1h hq
hXXp://VVV.google.com/webhp
_getFirefoxCookie
HTTP/1.1
HTTP/1.0
hXXp://
hXXps://
HTTP/1.
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
cit_ffcookie.module
cit_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
update.exe
config.bin
PR_OpenTCPSocket
facebook.com
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
%s%s%s
G:.YM
SSSh8
GetProcessHeap
CreatePipe
KERNEL32.dll
SetKeyboardState
MapVirtualKeyW
GetKeyboardState
GetKeyboardLayoutList
ExitWindowsEx
MsgWaitForMultipleObjects
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestW
InternetCrackUrlA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
WINMM.dll
PSSSSSSh
SSSh,
=.>9>_>~>
42>204:4
Process: %s
Input: %s
kernel32.dll
SysShadow
Global\XXX
nspr4.dll
\StringFileInfo\xx\%s
ntdll.dll
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
chrome.dll
Chrome
Firefox
sXXXX
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
:\Users\"%CurrentUserName%"\AppData\Roaming\Tunal\qiudu.vye
C:\Users\"%CurrentUserName%"\AppData\Roaming\Tunal
qiudu.vye
C:\Users\"%CurrentUserName%"\AppData\Roaming\Awkyso\izobf.ylw
C:\Users\"%CurrentUserName%"\AppData\Roaming\Awkyso
izobf.ylw
Global\{DE1D7312-06F7-C8F1-C407-5455E1918637}
C:\Users\"%CurrentUserName%"\AppData\Roaming
{4866C137-B4D2-5E8A-C407-5455E1918637}

Explorer.EXE_2024_rwx_02EE0000_0003C000:

.text
`.data
.reloc
Ew.AEw
.wb\-w1S-w*
$>&!5/5?
,61>2..&
=' /#??7
<8!;8<35
5( .8>976
:'->:-= =
()( %,,<
!&3%>0?6
&;1"&1!7!:
2/b%5#5
8%/<8/?)?$
*<7%1xea4||-~)WU
83%9&;->
<7!="?):
5>(4 6 3
k-j}a|*37f
gkml-g}a
40552&^^
8(>?)? <
%X1h hq
hXXp://VVV.google.com/webhp
_getFirefoxCookie
HTTP/1.1
HTTP/1.0
hXXp://
hXXps://
HTTP/1.
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
cit_ffcookie.module
cit_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
update.exe
config.bin
PR_OpenTCPSocket
facebook.com
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
%s%s%s
SSSh8
GetProcessHeap
CreatePipe
KERNEL32.dll
SetKeyboardState
MapVirtualKeyW
GetKeyboardState
GetKeyboardLayoutList
ExitWindowsEx
MsgWaitForMultipleObjects
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestW
InternetCrackUrlA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
WINMM.dll
PSSSSSSh
SSSh,
=.>9>_>~>
42>204:4
Process: %s
Input: %s
kernel32.dll
SysShadow
Global\XXX
nspr4.dll
\StringFileInfo\xx\%s
ntdll.dll
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
chrome.dll
Chrome
Firefox
sXXXX
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
C:\Users\"%CurrentUserName%"\AppData\Roaming\Awkyso\izobf.ylw
C:\Users\"%CurrentUserName%"\AppData\Roaming\Awkyso
izobf.ylw
Global\{DE1D7312-06F7-C8F1-C407-5455E1918637}
C:\Users\"%CurrentUserName%"\AppData\Roaming
{4866C137-B4D2-5E8A-C407-5455E1918637}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WinMail.exe:2428
    %original file name%.exe:2956

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (52136 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0F9B3CE3-00000001.eml (1924 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2428_2 (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0F9B3CE3-00000001.eml:OECustomProperty (260 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (29200 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabAA61.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarAA62.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Bobey\asymf.exe (448 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpa03e9146.bat (179 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now