Trojan.Win32.Sasfis_daadb87033
Gen:Variant.Midie.36101 (BitDefender), Gen:Variant.Midie.36101 (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), Gen:Variant.Midie.36101 (FSecure), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: daadb87033a60b5bf638c395fefbf8dc
SHA1: 6671db72a5352e39394b9c0c47e6720de73e794b
SHA256: 7b955f4f76ec8e6c64540f587170765b41af6263f09fe24ec0700b97847a34d7
SSDeep: 12288:YxaVAh64U5lojEzZMMPNl61P6badhvSndc/1wl/HYfFiUpH:YxaVxr5ajENMMPD6XnvKd2wl6FiUd
Size: 725784 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-12-15 08:38:30
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3852
csc.exe:140
rundll32.exe:2072
rundll32.exe:2608
WScript.exe:2224
WScript.exe:2536
The Trojan injects its code into the following process(es):
csc.exe:812
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\wgTQxcbbhf\ezxf.dll (2216 bytes)
C:\Users\"%CurrentUserName%"\wgTQxcbbhf\BapbWO.vbs (107 bytes)
C:\Users\"%CurrentUserName%"\wgTQxcbbhf\x (1 byte)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\wgTQxcbbhf\__tmp_rar_sfx_access_check_2096887 (0 bytes)
The process rundll32.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\wgTQxcbbhfwgTQxcbbhf\wgTQxcbbhf.vbs (191 bytes)
Registry activity
The process %original file name%.exe:3852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process rundll32.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"wgTQxcbbhf" = "C:\wgTQxcbbhfwgTQxcbbhf\wgTQxcbbhf.vbs"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process rundll32.exe:2608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"wgTQxcbbhf" = "C:\wgTQxcbbhfwgTQxcbbhf\wgTQxcbbhf.vbs"
The process WScript.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process WScript.exe:2536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| 64fdca18735e064b290ce9fbd796c8e6 | c:\Users\"%CurrentUserName%"\wgTQxcbbhf\ezxf.dll |
| 64fdca18735e064b290ce9fbd796c8e6 | c:\wgTQxcbbhfwgTQxcbbhf\ezxf.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 72304 | 72704 | 4.54311 | 9d50bd275bd9457c2545684909acf686 |
| .rdata | 77824 | 7173 | 7680 | 3.37549 | 78f96759fd9aea6b3294d6c884999928 |
| .data | 86016 | 87804 | 512 | 2.48002 | a566dd921c6cc5661521181078e1f6e4 |
| .CRT | 176128 | 16 | 512 | 0.147711 | a9fee2fc6f0133462280048b950df4e3 |
| .rsrc | 180224 | 78704 | 78848 | 3.21502 | 3499baf74628c1e548e7544070feea2f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| teredo.ipv6.microsoft.com | |
| taker2.redirectme.net | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
`.rsrc
kernel32.dll
oleaut32.dll
EVariantBadIndexError
%s, ProgID: "%s"
ole32.dll
EInvalidOperation
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
VBoxService.exe
SbieDll.dll
dbghelp.dll
Software\Microsoft\Windows\CurrentVersion
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
\\.\SICE
\\.\NTICE
user32.dll
Software\Microsoft\Windows\CurrentVersion\Run\
10.211.55.20
notepad.exe
1.0.4
PSAPI.dll
C:\Users\gurkanarkas\Desktop\Dtback\AlienEdition\Server\SuperObject.pas
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
nss3.dll
PK11_GetInternalKeySlot
mozglue.dll
msvcr120.dll
msvcp120.dll
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
logins.json
Mozilla Firefox
logins[
].hostname
].encryptedUsername
].encryptedPassword
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
sqlite3_open
sqlite3_close
sqlite3_exec
sqlite3_version
sqlite3_errmsg
sqlite3_errcode
sqlite3_free
sqlite3_get_table
sqlite3_free_table
sqlite3_complete
sqlite3_last_insert_rowid
sqlite3_interrupt
sqlite3_busy_Handler
sqlite3_busy_timeout
sqlite3_changes
sqlite3_total_changes
sqlite3_prepare
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_data_count
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_Int
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_enable_shared_cache
sqlite3_create_collation
TSQLiteDatabase8
TSQLiteTable
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SELECT * FROM logins
password_value
origin_url
\Scream.dll
WbemScripting.SWbemLocator
%s\%s
SELECT * FROM %s
displayName %s
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
IMAP Password
POP3 Password
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
\print.txt
Skype.exe
main.db
\Yandex\YandexBrowser\User Data\Default\Login Data
\Comodo\Dragon\User Data\Default\Login Data
\Google\Chrome\User Data\Default\Login Data
Google Chrome
TUnicodeKeyboard
Klog.dat
\Klog.dat
cmd.exe
SAPI.SpVoice
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 10
Windows Server 2016 Technical Preview
%s|%s@%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|
Can't get the Windows version
deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
KERNEL32.DLL
Sqlite3.dll
sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_bind_parameter_count
sqlite3_bind_parameter_name
sqlite3_bind_text16
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_clear_bindings
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_bytes16
sqlite3_column_decltype16
sqlite3_column_int
sqlite3_column_name16
sqlite3_column_text16
sqlite3_column_value
sqlite3_commit_hook
sqlite3_complete16
sqlite3_context_db_handle
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_db_handle
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_errmsg16
sqlite3_expired
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_global_recover
sqlite3_libversion
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_malloc
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_held
sqlite3_mutex_leave
sqlite3_mutex_notheld
sqlite3_mutex_try
sqlite3_open16
sqlite3_open_v2
sqlite3_overload_function
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_release_memory
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_rollback_hook
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_sql
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
KWindows
yuActivePorts
FF_Passwords
UrlMon
UnitKeyboardStarter
UnitScriptExecuter
Usndkey32
GOutlookPasswords
UnitDownloadExec
UnitChrome
SQLiteTable3
SQLite3Dynamic
SQLite3DLL
DtServ32.exe
DtServ32sm.exe
taker2.redirectme.net#P
WinExec
SetNamedPipeHandleState
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyW
RegOpenKeyA
RegFlushKey
RegEnumKeyExW
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
ShellExecuteA
SHFileOperationA
keybd_event
VkKeyScanA
SetKeyboardState
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MapVirtualKeyExA
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
ExitWindowsEx
EnumWindows
GetKeyboardType
InternetOpenUrlA
.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
advapi32.dll
crypt32.dll
gdi32.dll
mpr.dll
msacm32.dll
msvcrt.dll
NetAPI32.dll
ntdll.dll
powrprof.dll
shell32.dll
shfolder.dll
wininet.dll
winmm.dll
wsock32.dll
logins
software\microsoft\windows\currentversion\uninstall\
66006666
Bitmaps Clipboard does not support Icons&Cannot change the size of a JPEG image
JPEG error #%d
Invalid stream operation
Failed to get data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%List does not allow duplicates ($0%x)%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'!'%s' is not a valid integer value('%s' is not a valid floating point valueI/O error %d
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3852
csc.exe:140
rundll32.exe:2072
rundll32.exe:2608
WScript.exe:2224
WScript.exe:2536
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\wgTQxcbbhf\ezxf.dll (2216 bytes)
C:\Users\"%CurrentUserName%"\wgTQxcbbhf\BapbWO.vbs (107 bytes)
C:\Users\"%CurrentUserName%"\wgTQxcbbhf\x (1 byte)
C:\wgTQxcbbhfwgTQxcbbhf\wgTQxcbbhf.vbs (191 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"wgTQxcbbhf" = "C:\wgTQxcbbhfwgTQxcbbhf\wgTQxcbbhf.vbs"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.