Trojan.Win32.Delphi_64e4119e99

by malwarelabrobot on August 5th, 2017 in Malware Descriptions.

Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 64e4119e991986c9e9329648543bc912
SHA1: 9e4696ba7bd168f380f53c46dc1bb33ee59dd3c1
SHA256: d1f6d22c88f0fe4390025c792a4c8de6b824ffd3fdcfafd534a2c7f60168abfe
SSDeep: 12288:S3TD4DnRfwKl 9MhK 9fja6zC bpRHxGKUQPUP3jdSXA xp4HYyj8m:OTQuKl 9MhKGG6G b9tLC3j4J4nl
Size: 967516 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-02-03 21:38:25
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour | Description
EmailWorm | Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:3832

The Trojan injects its code into the following process(es):

PrismaWinUpdater.exe:3776

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process PrismaWinUpdater.exe:3776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\megasoft\Update\version.txt (91 bytes)

The process %original file name%.exe:3832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\megasoft\Update\PrismaWinUpdater.exe (16636 bytes)

The Trojan deletes the following file(s):

%Program Files%\megasoft\Update\__tmp_rar_sfx_access_check_1477906 (0 bytes)

Registry activity

The process %original file name%.exe:3832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 | File path
24af0b7bd308d731e55bb948f8b66011 | c:\Program Files\megasoft\Update\PrismaWinUpdater.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text | 4096 | 169476 | 169984 | 4.6506 | 78f188c77009c9af82eff5c762d6f32e
.rdata | 176128 | 22691 | 23040 | 3.53103 | d54af8a6812e7c963faea326cf17a960
.data | 200704 | 136712 | 6144 | 2.48815 | e731ccec57da84d8e26e2c3b8c34a33d
.rsrc | 339968 | 175348 | 175616 | 3.12007 | 2d69730f28141cec42de6466a20b220e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL | IP
hxxp://megasoft.gr/downloads/latest/version.txt |
hxxp://www.megasoft.gr/downloads/latest/version.txt | 46.252.192.152
teredo.ipv6.microsoft.com | 157.56.120.207
dns.msftncsi.com | 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /downloads/latest/version.txt HTTP/1.1
Host: VVV.megasoft.gr
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Cache-Control: max-age=864000
Content-Type: text/plain
Last-Modified: Wed, 03 May 2017 11:46:30 GMT
Accept-Ranges: bytes
ETag: "0ef7ee72c4d21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Fri, 04 Aug 2017 05:45:34 GMT
Content-Length: 91
1<100012>..2<100011>..3<100006>..4<100012>..1-
emporiko..2-logistiki..3-pos..4-misthodosia..


The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3832

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\megasoft\Update\version.txt (91 bytes)
    %Program Files%\megasoft\Update\PrismaWinUpdater.exe (16636 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
