Worm.Win32.AutoItGen_006adda3e6

by malwarelabrobot on October 28th, 2017 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 006adda3e6706c1dd62d88997824f17f
SHA1: eb362571138541d6990970735a06ff7222baff81
SHA256: 0374b1019053bf1d8c2d9e74bdb31aded8368f8ad4ecef9fe8994a0d5dd93c32
SSDeep: 49152:0w80cTsjkWaTKkVAU20UiULN/oDJL2oIf2fKWilBDswHe:l8sjkDBAUVVULNQtCo6IiTs
Size: 2492928 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Gemius
Created at: 2017-06-16 11:20:38
Analyzed on: Windows7 SP1 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

svcr.exe:1692
%original file name%.exe:3148
ConnectionClient.exe:2848

The Worm injects its code into the following process(es):

mstsc.exe:3712

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mstsc.exe:3712 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFF4B.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFF4A.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE9C4.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE9C5.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache22.bmc (65668 bytes)
C:\Windows\System32\spool\drivers\w32x86\3\mxdwdui.BUD (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE9C7.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE9C6.tmp (53 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFF4A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFF4B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE9C4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE9C5.tmp (0 bytes)
C:\Windows\System32\spool\drivers\w32x86\3\mxdwdui.BUD (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE9C7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE9C6.tmp (0 bytes)

The process svcr.exe:1692 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\RDP6\bkgsc.bmp (14 bytes)
C:\Users\"%CurrentUserName%"\RDP6\Session.rdp (1698 bytes)
C:\Users\"%CurrentUserName%"\RDP6\MyPDFprinting\alreadyprinted.ini (18 bytes)
C:\webtmp\alreadyopen.ini (15 bytes)
C:\Users\"%CurrentUserName%"\RDP6\MyPDFprinting\clientenvironment.ini (913 bytes)
C:\webtmp\webprint.txt (31 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\RDP6\bkgsc.bmp (0 bytes)

The process %original file name%.exe:3148 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD899.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.exe (3129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AC.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8BE.tmp (102 bytes)
C:\Users\"%CurrentUserName%"\RDP6\006adda3e6706c1dd62d88997824f17f.txt (914 bytes)
C:\Users\"%CurrentUserName%"\RDP6\bkgscgreen.bmp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AD.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD85A.tmp (7001 bytes)
C:\Users\"%CurrentUserName%"\RDP6\TsCredentials.exe (353 bytes)
C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.bin (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD89A.tmp (1825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD80B.tmp (3929 bytes)
C:\Users\"%CurrentUserName%"\RDP6\mstsc.exe (3969 bytes)
C:\Users\"%CurrentUserName%"\RDP6\bkgsc.bmp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7F9.tmp (914 bytes)
C:\Users\"%CurrentUserName%"\RDP6\svcr.exe (9324 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8BF.tmp (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7FA.tmp (1473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AB.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\RDP6\bkgscpink.bmp (196 bytes)
C:\Users\"%CurrentUserName%"\RDP6\languk.ini (196 bytes)
C:\Users\"%CurrentUserName%"\RDP6\ico2.ico (2049 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7E9.tmp (1665 bytes)
C:\Users\"%CurrentUserName%"\RDP6\bkgscblue.bmp (196 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD899.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8BE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD89A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD80B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7FA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD85A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7E9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7F9.tmp (0 bytes)

Registry activity

The process mstsc.exe:3712 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Terminal Server Client\Servers\178.214.195.246]
"UsernameHint" = "RVTRANS\smarina"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The process svcr.exe:1692 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "0"
"PowerOffActive" = "0"
"LowPowerActive" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fTurnOffSingleAppMode" = "0"

[HKCU\Software\Microsoft\Terminal Server Client\Servers\178.214.195.246]
"CertHash" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Control\Terminal Server]
"HonorLegacySettings" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\System\CurrentControlSet\Control\Terminal Server]
"SessionDirectoryActive" = "0"

[HKCU\Control Panel\Desktop]
"ScreenSaverIsSecure" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKU\.DEFAULT\Control Panel\Desktop]
"ScreenSaveTimeOut" = "1200000"

[HKCU\Software\Microsoft\Terminal Server Client\LocalDevices]
"178.214.195.246" = "205"

[HKCU\Control Panel\Desktop]
"PowerOffTimeOut" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnlistedRemotePrograms" = "1"

[HKCU\Control Panel\Desktop]
"LowPowerTimeOut" = "0"

[HKCU\Software\Microsoft\Terminal Server Client\Servers\178.214.195.246]
"UsernameHint" = ""

[HKCU\Control Panel\Desktop]
"SCRNSAVE.EXE" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:3148 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process ConnectionClient.exe:2848 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5                               File path
7127dbccbc04c7355bf54b11232162b5  c:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.exe
ac3d8b170061863f0f6d3aea52a2b35c  c:\Users\"%CurrentUserName%"\RDP6\TsCredentials.exe
8148d865276c330ed47160728816bf12  c:\Users\"%CurrentUserName%"\RDP6\mstsc.exe
6229e495cd7857d2ad9d0117337232c1  c:\Users\"%CurrentUserName%"\RDP6\svcr.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             580910        581120    4.62736   c2c2260508750422d20cd5cbb116b146
.rdata  585728           188686        188928    3.99304   4513b58651e3d8d87c81a396e5b2f1d1
.data   778240           36724         20992     0.830952  c2de4a3d214eae7e87c7bfc06bd79775
.rsrc   815104           1671336       1671680   5.50622   299a2f3857152091c2efeb103abc1a35
.reloc  2490368          28976         29184     4.70119   1254908a9a03d2bcf12045d49cd572b9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                                                                             IP
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab   62.140.236.163


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 22 Sep 2017 22:03:52 GMT
If-None-Match: "014e8acee33d31:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Fri, 22 Sep 2017 22:03:52 GMT
ETag: "014e8acee33d31:0"
Cache-Control: max-age=604800
Date: Fri, 27 Oct 2017 00:34:46 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 06 Apr 2012 21:14:57 GMT
If-None-Match: "805e67513a14cd1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Fri, 22 Sep 2017 22:03:52 GMT
Accept-Ranges: bytes
ETag: "014e8acee33d31:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 53978
Date: Fri, 27 Oct 2017 00:34:52 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2
MSCF............,...................I.................6K.u .authroot.s
tl.~.F..6..CK...8........i.g.B.A....%.k..5d.NI..RR".nTB.i/.].DQJ.,..".
X.g....N.......u...<.....{ .."'=..x..16...q.;.&'.4....a...e....#M..
.3..c`L.*3..|1.&_L ..._.i.h....J7.k..x.p..jEE....8d#......`....Mo.9AE.
...r<B.v'R....p"....e...f..g.t.<. Bs.x.8a.9;P..AD.._...9..h...g.
..<..!wj..........E1Nx ..^..S...-.l_.!..U.81X$..o.2..iz.a.Ez..S....
^._.<3}.S...l......x.....B..?....P0$....?y....w.`.f.:g0v..ZP..y.U.`
>... ..Z.cy..LU2..N..(......i........ ..`..y..c.Y.fzF0CG.@..Fe2.j.0
......{...]..4;dX..........a...T.0..]....Utv..!..p.M...'T_ b.;.#.\-..]
.T*......d.....`..#_2..........xKB.E.B...y...d.s..lP.;..?#._..#./.L|..
h!......R.....e_o."V..v.......Js.../E..1......3..3..G.8...........lZ.?
.B.)dW...7....?..MhZm.k......iO.....5.....{l.....t}...g..h.C.....v...{
..F.C)vO.3y...wX.M....V.....T......#..q..B.........V...r..H.B .x.tX`l.
<.P...JY...h).e...Z...Z...ku.B.....^.=.`D..|.-...U/l;r.......{-h..g
._B.Y.a.[l..l..'.h.[2.4.\u.....(R8..,.....i....x....w..z..%.=.@#a....!
./....>...g...-.,>..6!.K..e..z..kh.0.n4....9.l2u.C..'.]Nh..c<
.......KM...k.....e......./...F4hn:....u.\.C.M....OI.ZmT..co......C.).
....c...v.r.u....5./...\.....l....7=.`..{....`..>.bUQ..I.........n.
.f.hf..*......M.:[S.W....e_.........c'..A'.$..9.,p..0...... .b0.....k1
.Z.........u4d.....]..p.f......Vk.'z:....f9}8.6...].D6P.....z.).C.-BF.
.F...P.......$..d....c0Z0.......3..K........... .. k....._.:..x.F.C...
.7.P.l..1.%.lCJ.N.."...w... .%?;xT.&_Ew.s.......e.k&..^#.. ..U?.9.

<<< skipped >>>

The Worm connects to the servers at the following location(s):

ConnectionClient.exe_2848:

.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
C:\Users\adrien\Documents\JWTS\workbench-release\c  \UniversalLauncher\Release\UniversalLauncher.pdb
KERNEL32.dll
USER32.dll
ShellExecuteExW
SHELL32.dll
GetCPInfo
C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.exe
k.nim=
y.zYJ
.byJ5G
f.FD]
s)urleyA
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
svcr.exe

svcr.exe_1692:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÁ
k.nim=
y.zYJ
.byJ5G
f.FD]
s)urleyA
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
? ?$?(?,?0?4?8?
2 2$2(2,2024282
<#<'< </<
4F4s4
4D4C4R4e4u4
2!2%2)2-2125292=2
01s1
2=22393@3[3
?&?-?4?:?
8Ÿ94:
8!9*919<9
> >$>(>,>
? ?$?(?,?0?
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
Line %d:
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Users\"%CurrentUserName%"\RDP6\svcr.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
8, 6, 14, 2
svcr.exe
Modified by an unpaid evaluation copy of Resource Tuner 2 (VVV.heaventools.com)

mstsc.exe_3712:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
GDI32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
COMCTL32.dll
COMDLG32.dll
SHLWAPI.dll
CRYPT32.dll
credui.dll
Secur32.dll
CRYPTUI.dll
CFGMGR32.dll
WINHTTP.dll
WINMM.dll
NETAPI32.dll
FRegDeleteKeyW
RegDeleteKeyExW
Invalid parameter passed to C runtime function.
deed047e-a3cb-11d1-b96c-00c04fb15601
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
CredUIPromptForWindowsCredentialsW
1.3.14.3.2.26
2.5.29.37
1.3.6.1.4.1.311.54.1.1
1.3.6.1.5.5.7.3.3
1.3.6.1.5.5.7.3.1
mstsc.pdb
8%urP
PSSSSSSSht!'
tLSSh#
t.Ph<7'
t.PVj)
SShPO'
tSShL
SSh43
tIHHt.HHt
j%Xf;
>%u[f
tCPh
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
CreateDialogIndirectParamW
_acmdln
_amsg_exit
ShellExecuteExW
CertFreeCertificateContext
CertFreeCertificateChain
CryptUIDlgViewCertificateW
ntdll.dll
RegOpenKeyExA
GetProcessHeap
CertDuplicateCertificateContext
CertDuplicateCertificateChain
CertGetCertificateContextProperty
CertVerifyCertificateChainPolicy
CryptMsgClose
CertOpenStore
CryptMsgUpdate
CryptMsgOpenToDecode
CertCloseStore
CertFindExtension
CertGetEnhancedKeyUsage
CertGetCertificateChain
WinHttpCloseHandle
WinHttpQueryOption
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
RegCreateKeyExA
NetGetJoinInformation
zcÁ
<assemblyIdentity name="Microsoft.Windows.RemoteDesktopConnection" version="1.0.0.0" type="win32" processorArchitecture="x86"/>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="x86"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<requestedExecutionLevel
k.nim=
y.zYJ
.byJ5G
f.FD]
s)urleyA
.AG ,,H,a
 $ $ $$ $*$'%
.)***'***
jjk%xxy
jjk`jjk%xxy
____^^^___
_```__^^_
//.(%&&''
]797700 !
kkk.www
#%'''<[[^^\\]
"%<aabm^^m
$-8GGhnsrr}
$-9GGggs}s
%Mgr.RhY4RfE5Qd:f
""$$%)),
2##(|(%))())%"|
---..///.-2
7HH/.Jcihhi}
130.HJG^VYT
,,%%%&&&&#
CCC.NNM
u,-344FHG}
333333ssHstE=NOLN
534444::<;;==
=;<<<6665$9
WEXe[s
.QZ \
.HNa3QY2?js
>><<<:::
55544411...
&&%%%$$##
#$$%%&&&
..111444
'MSTSC.EXE'
ForceRemove {1B462D7B-72D8-4544-ACC1-D84E5B9A8A14} = s 'MsRdpSessionManager Class'
'TypeLib' = s '{9C757116-4367-4DA9-AC0E-6C6577AD5560}'
stdole2.tlbWWW
>$>(>,>0>4>8><>
7 7$7(7,7074787<7
$5(5,5054585<5@5
2(3-3:3\3
6-6O6Q7Z7i7o7}7
0 0080
6$6)6$7)767;7
= >'>,>1>>>
2,2i2
7%7*7:7?7
9!:,:2:{:
8'8,898>8
9&: :9:>:
{6B1DE8B3-DFB1-4C0E-9D9A-89CA730DE93F}
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Mscoree.dll
"CAtlExeModuleT::PreMessageLoop failed!"
"Params.Attach failed!"
"Creds.Attach failed!"
NULL psaParams passed.
(%s%s
%s%s%s%s
"Failed to launch remote app login UI!"
"Failed to initialize remote app login UI!"
"m_cs.Init failed"
'Ntdll.dll
mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6
CAdminServiceMsgClientDialog
"Failed put_CLXCmdLine"
"GetServerNamePortion failed!"
Microsoft.Windows.RemoteApp.SecureDesktop
wshell32.dll
rmstscax.dll
uxtheme.dll
%s\%s
::{450d8fba-ad25-11d0-98a8-0800361b1103}
%s::/%s
mstsc.chm
Default.rdp
RegOpenKeyEx failed!
"put_PublisherCertificateChain failed"
Password 51
"IMsRdpDevice::get_CmDeviceInstance failed"
WriteInt TSCSETTING_TRANSPORT_CRED_SHARING failed
WriteInt TSCSETTING_TRANSPORT_PROXYPROFILEMETHOD failed
WriteInt TSCSETTING_TRANSPORT_PROXYCREDSSOURCE failed
WriteInt TSCSETTING_TRANSPORT_PROXYUSAGEMETHOD failed
WriteString TSCSETTING_TRANSPORT_PROXYHOSTNAME failed
RemoteApplicationExpandCmdLine
RemoteApplicationCmdLine
WriteBool TSCSETTING_REDIRECTCOMPORTS failed
RedirectCOMPorts
TrustedCertThumbprints
Software\Policies\Microsoft\Windows NT\Terminal Services\
DisablePasswordSaving
"GetServerNamePortionString failed!"
Password 50
WriteInt UTREG_UI_KEYBOARD_HOOK failed
KeyboardHook
0,3,0,0,800,600
%u,%u,%d,%d,%d,%d
"GetArgumentsPortion failed!"
"put_EnableCredSspSupport failed!"
"put_KeyBoardLayoutStr failed!"
"put_RDPPort failed!"
"GetServerPortion failed!"
"put_ClearTextPassword failed!"
"put_KeyboardHookMode failed!"
"put_RedirectPorts failed!"
"put_GatewayPassword failed!"
"GetProxyPasswordCch failed!"
"put_GatewayAuthLoginPage failed!"
"put_GatewaySupportUrl failed!"
"get_ProxyIsSupported failed!"
"get_TransportSettings failed!"
"CTsRdpCertSignature::GetCertificateChainContext failed"
"CTsRdpCertSignature::GetCertificateThumbPrint failed"
"StoreSupportedPnPDevices!"
"CTscSettings::LoadSupportedDevices failed!"
"CTscSettings::LoadSupportedUsbDevices failed!"
"CTscSettings::LoadSupportedPnPDevices failed!"
Login web page address
Support URL
Keyboard Layout
rdpinit.exe
Server Port
EnableCredSspSupport
Transport Type
_Set.szEncryptedAuthCookie
"ApplyCmdLineSettings failed"
_Set.szEncryptedOtpCookie
Password
%s%s.rdp
"Failed to initialize login UI"
"CTscRemoteSession.Initialize failed"
mshelp://windows/?id=e8a25c65-85a1-4031-a243-436a25dfe03b
mstsc_topnode.htm
mshelp://windows/?id=011fcc70-fdb7-43fc-ae08-b33169b3f696
mshelp://windows/?id=36528533-7b0a-44d1-912b-619fcc483571
mstsc_map_local_drives.htm
mshelp://windows/?id=7704b5cf-ddb8-4062-acb3-0da9b2b916d7
%s%s#%s.txt
%sLow\%s#%s.txt
REMOTECMDLINE
CLXCMDLINE
WEBFILENAME
"CryptUIDlgViewCertificate failed"
Microsoft.Windows.RemoteDesktop
mstsc.exe
"SetShowCmd failed!"
/v:"%s"
%s (%s)
kernel32.dll
%windir%\system32\mstsc.exe
"_AtlModule.PreMessageLoop failed!"
RegQueryValueEx for aaclient.dll failed
RegOpenKeyEx for TSclient failed
Software\Microsoft\Terminal Server Client\TransportExtensions\
hGPKey
Software\Policies\Microsoft\Windows NT\Terminal Services
pwszSupportUrl
pCredSharePassword
crypt32.dll
SOFTWARE\Microsoft\Terminal Server Client\%s
dwmapi.dll
CTsRdpCertSignature
"CTsRdpCertSignature::SetCertificate failed"
"CRdpSettingsStore::ApplyCertSignature failed"
 pCertArray
(CertDuplicateCertificateChain failed
CertDuplicateCertificateContext failed
"GetCertificate failed"
"GetCertificateChainContext failed"
CertGetCertificateContextProperty failed
"GetCertificateThumbPrint failed"
CertVerifyCertificateChainPolicy failed
"ConstructCertificateChain failed!"
RdpSignCertChainRevocationCheck
"ValidateCertificate failed"
CryptMsgUpdate failed
CryptMsgOpenToDecode failed
"CertChainContextToArray failed"
"Unable to construct cert chain for signing"
"attempt to sign with invalid signer certificate"
"attempt to sign with missing certificate/data"
"SetCertificate failed"
Software\Microsoft\Windows\CurrentVersion\Policies\CredUI
%s/%s
"DeleteSavedCreds(CRED_TYPE_DOMAIN_PASSWORD) failed"
"Params.SetAt failed!"
"saParams.Create failed!"
%p-%s
"WinHttpQueryOption failed"
"WinHttpOpenRequest failed"
"WinHttpConnect failed"
"WinHttpOpen failed"
SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
(Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows
Operating System
6.1.7601.17514


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    svcr.exe:1692
    %original file name%.exe:3148
    ConnectionClient.exe:2848

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFF4B.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFF4A.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE9C4.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE9C5.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1368 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache22.bmc (65668 bytes)
    C:\Windows\System32\spool\drivers\w32x86\3\mxdwdui.BUD (57 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE9C7.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE9C6.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\bkgsc.bmp (14 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\Session.rdp (1698 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\MyPDFprinting\alreadyprinted.ini (18 bytes)
    C:\webtmp\alreadyopen.ini (15 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\MyPDFprinting\clientenvironment.ini (913 bytes)
    C:\webtmp\webprint.txt (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD899.tmp (2 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.exe (3129 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AC.tmp (100 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8BE.tmp (102 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\006adda3e6706c1dd62d88997824f17f.txt (914 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\bkgscgreen.bmp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AD.tmp (100 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD85A.tmp (7001 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\TsCredentials.exe (353 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.bin (2321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD89A.tmp (1825 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD80B.tmp (3929 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\mstsc.exe (3969 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7F9.tmp (914 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\svcr.exe (9324 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8BF.tmp (1372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7FA.tmp (1473 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD8AB.tmp (100 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\bkgscpink.bmp (196 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\languk.ini (196 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\ico2.ico (2049 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD7E9.tmp (1665 bytes)
    C:\Users\"%CurrentUserName%"\RDP6\bkgscblue.bmp (196 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
