Backdoor.Generic.755288_bc300064f2
Susp_Dropper (Kaspersky), Backdoor.Generic.755288 (B) (Emsisoft), Backdoor.Generic.755288 (AdAware), Trojan.Win32.Ceatrg.FD, TrojanDropperPolymorph1.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: bc300064f2fa40755eb60141c166d530
SHA1: 5b1b61146b675fac08ca39f3fc4e080577e1da14
SHA256: 3858cd9ba46994112ef54a06081f177c43212fa004eeaefdf6d9eef7eaa3d8b9
SSDeep: 49152:bEYCFEvlmOmTgtFM3uK5m3imrHuiff puWV355FXw/ zuWV355FXw/ DuWV355Fp:bEYzEFTgtFM3ukm3imPntO
Size: 4128768 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2012-12-15 08:05:29
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
FB_2.tmp.exe:1796
AdobeUpdate.exe:1072
AdobeUpdate.exe:1056
%original file name%.exe:1016
calc.exe:1716
FB_1.tmp.exe:616
netsh.exe:1432
The Backdoor injects its code into the following process(es):
DriverUpdate.exe:516
FB_3.tmp.exe:1040
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process FB_2.tmp.exe:1796 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DriverUpdate.exe (29 bytes)
The process AdobeUpdate.exe:1072 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\WinNT.tmp (36 bytes)
The process %original file name%.exe:1016 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FB_3.tmp.exe (28502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_1.tmp.exe (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_2.tmp.exe (29 bytes)
The process DriverUpdate.exe:516 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\67b50313b3610dbbe66e30f19a1dbd14.exe (29 bytes)
The process FB_1.tmp.exe:616 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\AdobeUpdate.exe (36 bytes)
Registry activity
The process FB_2.tmp.exe:1796 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 8D 89 84 B1 0E EF D0 5F 70 70 A8 35 9F 02 72"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"DriverUpdate.exe" = "DriverUpdate"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process AdobeUpdate.exe:1072 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 67 A7 4D 96 30 1F 83 CF DF 92 C1 3C 6C 76 99"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adobeupdate" = "%Documents and Settings%\%current user%\Application Data\AdobeUpdate.exe"
The process AdobeUpdate.exe:1056 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB E4 94 91 68 CF 31 AF FB F1 16 CB 32 D7 32 9F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adobeupdate" = "%Documents and Settings%\%current user%\Application Data\AdobeUpdate.exe"
The process %original file name%.exe:1016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E DF 9C E2 E7 95 AF CD C8 7D B5 4C E5 78 C7 F2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"FB_1.tmp.exe" = "FB_1.tmp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"FB_3.tmp.exe" = "FB_3.tmp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"FB_2.tmp.exe" = "FB_2.tmp"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process DriverUpdate.exe:516 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 31 CA B1 40 9E D1 1C F4 56 4F 85 50 1A E8 74"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"67b50313b3610dbbe66e30f19a1dbd14" = "%Documents and Settings%\%current user%\Local Settings\Temp\DriverUpdate.exe .."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"67b50313b3610dbbe66e30f19a1dbd14" = "%Documents and Settings%\%current user%\Local Settings\Temp\DriverUpdate.exe .."
The process calc.exe:1716 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 47 13 0F 3B 69 F7 98 07 D9 28 C7 F0 E2 01 06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process FB_1.tmp.exe:616 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 6B BD F3 07 5E 46 D0 31 80 17 3C E8 30 99 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"adobeupdate.exe" = "AdobeUpdate"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process netsh.exe:1432 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE E6 50 39 00 1D 73 02 B8 1E BD F4 EE 32 81 53"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"DriverUpdate.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\DriverUpdate.exe:*:Enabled:DriverUpdate.exe"
The process FB_3.tmp.exe:1040 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 3D AC CA F3 EC 97 4F 22 78 FA 89 7A 9D FB 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Backdoor deletes the following registry key(s):
[HKLM\HARDWARE\DESCRIPTION\System\BIOS]
Dropped PE files
| MD5 | File path |
|---|---|
| 02e3455a225769363b39e2bd6b3b420d | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AdobeUpdate.exe |
| 02e3455a225769363b39e2bd6b3b420d | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\WinNT.tmp |
| 6600b3656cd7071be31a2b0630e563ee | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\DriverUpdate.exe |
| 02e3455a225769363b39e2bd6b3b420d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FB_1.tmp.exe |
| 6600b3656cd7071be31a2b0630e563ee | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FB_2.tmp.exe |
| 323c0fd51071400b51eedb1be90a8188 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FB_3.tmp.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: BindStub
Product Version: 1, 0, 0, 1
Legal Copyright: Copyright ? 2012
Legal Trademarks:
Original Filename: BindStub.exe
Internal Name: BindStub
File Version: 1, 0, 0, 1
File Description: BindStub
Comments:
Language: English (United Kingdom)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 796 | 4096 | 1.11565 | 4379eb4853c8b1bb4513db50d6997472 |
| .rdata | 8192 | 822 | 4096 | 0.930187 | 2f1aabb6617ff8136ed129a4721a87c8 |
| .data | 12288 | 76 | 4096 | 0.034908 | 9a1067c760bc211bd6646c8feedced16 |
| .rsrc | 16384 | 4109612 | 4112384 | 4.67038 | b954ba820f19eca06198aa5a93441276 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| younameonyourhost1.no-ip.biz |  204.95.99.109 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Bladabindi/njrat CnC Checkin
Traffic
The Backdoor connects to the servers at the folowing location(s):
.idata
.rdata
P.reloc
P.rsrc
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows 8
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)
Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.25 (jaunty) Firefox/3.8
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.56.5 (KHTML, like Gecko) Version/5.1.6 Safari/534.56.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
co.uk
POST / HTTP/1.
HEAD / HTTP/1.
/ HTTP/1.
Content-Type: application/x-www-form-urlencoded
Microsoft\WinNT.tmp
calc.exe
127.0.0.1
encpassword
%Documents and Settings%\%current user%\Application Data\AdobeUpdate.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\WinNT.tmp
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
wsock32.dll
shfolder.dll
shell32.dll
ShellExecuteA
urlmon.dll
URLDownloadToFileA
MPHTTP
KWindows
MPUDP
FB_3.tmp.exe_1040:
`.rsrc
FtPQW
~.SSW
SPSSSSSSSh
PQSSh
u.jhh
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
..\..\..\..\Common\application.cpp
c:\RB\Universal\StringMap.h
..\..\..\..\Common\array.cpp
..\..\..\..\Common\basicstr.cpp
ptr - out.CString() == totalLen
theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII
..\..\..\..\Common\BlowFish.cpp
ewcKeyDown
KeyDown
..\..\..\..\Common\Canvas.cpp
..\..\..\..\Common\CommonListbox.cpp
MinWidthExpression doesn't support the Asterisk ('*') format.MaxWidthExpression doesn't support the Asterisk ('*') format...\..\..\..\Common\commonruntime.cpp
trace.log
..\..\..\..\Common\CommonRunView.cpp
We weren't passed in a control, we got nil.
..\..\..\..\Universal\CommonWinFunctions.cpp
Operator_Convert
..\..\..\..\Common\ConsoleApplication.cpp
msvcrt.dll
..\..\..\..\Universal\DataFile.cpp
Operator_Compare
dateSQLDateTimeSetter
dateSQLDateTimeGetter
SQLDateTime
dateSQLDateSetter
dateSQLDateGetter
SQLDate
..\..\..\..\Common\DateCommon.cpp
..\..\..\..\Universal\DateImp\DateImpWin32.cpp
Password
SQLSelect
databaseSQLExecute
SQLExecute
sqlString
databaseSQLSelect
..\..\..\..\Common\dbInterface.cpp
00:00:00
00:00:00
Invalid operator
Quotes expected after LIKE operation
Only COUNT(*) supported
Unsupported SELECT function
Only single GROUP BY columns currently supported
Expecting 'KEY'
Dropping columns is not supported for this database
Dropping tables from this database is not currently supported.
..\..\..\..\Common\DebuggerConnection.cpp
0000000000000000
127.0.0.1
c:\RB\Compiler\SmartRef.h
..\..\..\..\Common\DebuggerSupport.cpp
00000000
The debug application cannot connect back to the REALbasic IDE. This is mostly likely due to a software firewall or packet filter not allowing localhost network traffic on ports 13897 or 60554. You should reconfigure your software firewall or packet filter to allow the debug application to connect to REALbasic.
DebuggerSupport.cpp
dictionaryHasKey
HasKey
2147483647
..\..\..\..\Common\Dictionary.cpp
dictionaryKeys
Keys
dictionaryKey
..\..\..\..\Common\DockItem.cpp
..\..\..\..\Common\DragItem.cpp
Could not lock the BITMAPINFO structure passsed to the DrawableBitmap constructor
..\..\..\..\Common\drawable.cpp
..\..\..\..\Common\fileTypes.cpp
..\..\..\..\Common\FolderItemDialog.cpp
Shell32.dll
FolderItemDialogInitializer
OpenDialogInitializer
SaveAsDialogInitializer
SelectFolderDialogInitializer
..\..\..\..\Universal\FolderItemImp\FolderItemImpVirtual.cpp
..\..\..\..\Universal\FolderItemImp\FolderItemImpWin32.cpp
Kernel32.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
in Windows
OpenAsPicture doesn't support format
in Windows.
SaveAsPicture doesn't support format
Gdiplus.dll
not other.IsVirtual()
SHFileOperationW
SHFileOperationA
%%.ß
%%.Þ
..\..\..\..\Common\Graphics.cpp
..\..\..\..\Common\GraphicsGDI.cpp
..\..\..\..\Common\GroupBox.cpp
..\..\..\..\Common\intrinsicClass.cpp
NULL == defn->initializer.toc
NULL == defn->finalizer.toc
OpenURLMovie
PortType
comparisonKey
OrdinalKey
StringJoin
Join
RuntimeCompleteParamScriptExecute
_CompleteParamScriptExecute
RuntimeScriptExecute
_ScriptExecute
getKeyboardObject
Keyboard
GlobalShowURL
ShowURL
getApplicationSupportFolder
ApplicationSupportFolder
VB_RuntimeMsgBox
RuntimeMsgBox
MsgBox
exportPicture
ExportPicture
getIndexedObjectDescriptor
GetIndexedObjectDescriptor
openURLMovie
..\..\..\..\Common\intrinsicFunction.cpp
keyboardKeyName
KeyName
keyboardAsyncKeyDown
AsyncKeyDown
KeyCode
AsyncAlternateMenuShortcutKey
AsyncMenuShortcutKey
AlternateMenuShortcutKey
MenuShortcutKey
AsyncAltKey
AsyncOptionKey
AsyncControlKey
AsyncOSKey
AsyncCommandKey
asyncModifierKeyGetter
AsyncShiftKey
AltKey
OptionKey
ControlKey
OSKey
CommandKey
modifierKeyGetter
ShiftKey
_Keyboard
..\..\..\..\Common\LineControl.cpp
Windows
Operator_AddRight
Operator_Add
' was not exported
..\..\..\..\Common\loaderX86.cpp
import.dat
code.dat
data.dat
rsrc.dat
options.dat
symbols.dat
MemoryBlockCompareOperator
MemoryBlockAddOperator
MemoryBlockFromStringOperator
MemoryBlockToStringOperator
..\..\..\..\Common\MemoryBlock.cpp
..\..\..\..\Universal\MemoryManager.cpp
c:\rb\universal\SimpleVector.h
..\..\..\..\Common\Menu.cpp
..\..\..\..\Common\menubar.cpp
KeyboardShortcut
RuntimeMenuItemCommandKeySetter
RuntimeMenuItemCommandKeyGetter
TaskDialogIndirect
..\..\..\..\Common\MessageDialog.cpp
MessageDialogInitializer
..\..\..\..\Common\mouseCursor.cpp
SensApi.dll
..\..\..\..\Common\NuListbox.cpp
..\..\..\..\Common\Object Model\ObjectDefinition.cpp
..\..\..\..\Common\Object Model\ObjectDefinitionConverter.cpp
propertyCtr < out->properties.count
..\..\..\..\Common\objects.cpp
KeyPress
KeyUp
LicenseKey
PassByref
Does not support a collection
Invalid/Unsupported OLE Parameter Type
ole32.dll
oleaut32.dll
OLEObjectOperatorNot
Operator_Not
Operator_OrRight
OLEObjectOperatorOr
Operator_Or
Operator_AndRight
OLEObjectOperatorAnd
Operator_And
OLEObjectOperatorNegate
Operator_Negate
OLEObjectOperatorModuloRight
Operator_ModuloRight
OLEObjectOperatorModulo
Operator_Modulo
OLEObjectOperatorIntegerDivideRight
Operator_IntegerDivideRight
OLEObjectOperatorIntegerDivide
Operator_IntegerDivide
OLEObjectOperatorDivideRight
Operator_DivideRight
OLEObjectOperatorDivide
Operator_Divide
OLEObjectOperatorMultiplyRight
Operator_MultiplyRight
OLEObjectOperatorMultiply
Operator_Multiply
OLEObjectOperatorSubtractRight
Operator_SubtractRight
OLEObjectOperatorSubtract
Operator_Subtract
OLEObjectOperatorAddRight
OLEObjectOperatorAdd
OLEObjectOperatorCompare
OLEObjectOperatorConvert
OLEObjectOperatorLookupSetterWithParameters
OLEObjectOperatorLookup
OLEObjectNoReturnOperatorLookup
Operator_Lookup
..\..\..\..\Common\ClassLib\pane.cpp
..\..\..\..\Common\pictutil.cpp
Export Image As:
Bitmap (*.bmp)
..\..\..\..\Common\Graphics2D\PixMapRotate.cpp
..\..\..\..\Common\plugin.cpp
iface.super
.Events.
pluginEntryTable.GetEntry( entrypointName, out )
RasApi32.dll
RasDlg.dll
..\..\..\..\Common\New Socket Code\PPPSocketWin.cpp
HKEY_LOCAL_MACHINE\Software\Apple Computer, Inc.\QuickTime
because an unsupported column type was used
because an unsupported type was used
..\..\..\..\Common\rbdbThumb.cpp
offset == keyLen
Insert failed: primary key violation
KeyChainItemAttributeSetter
KeyChainItemAttributeGetter
KeyChainItemDelete
KeyChainFindPassword
FindPassword
KeyChainAddPassword
AddPassword
KeyChainLock
KeyChainUnlock
KeyChainConstructor
KeyChain
KeyChainItem
KeyChainItemConstructor
KeyChainItemDestructor
..\..\..\..\Common\RBStyledText.cpp
..\..\..\..\Universal\REALstring.cpp
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
SHDeleteKeyA
RegistryItemKeyCountGetter
KeyCount
..\..\..\..\Common\Win32\RegistryAccessors.cpp
RegistryItemKeyTypeGetter
KeyType
HKEY_LOCAL_MACHINE\Software\Made With REALbasic\
REALGetDBPassword
RegisterPluginExports
systemSetKeyScript
systemGetKeyScript
editPasswordSetter
editPasswordGetter
eWindowStringPassThroughGetter
eWindowBoolPassThroughSetter
eWindowBoolPassThroughGetter
eWindowIntPassThroughGetter
listColumnPressHeader
pictureIndexedImage
systemGetKeyChainCount
systemSetDefaultKeyChain
systemGetDefaultKeyChain
aeTargetPortTypeGetter
SerialPortDestructor
ServerSocketPortSetter
ServerSocketPortGetter
UDPSocketPacketsLeftToSend
UDPSocketGetBroadcast
UDPSocketSetLoopback
UDPSocketRouterHops
UDPReadDatagram
UDPSocketWriteDatagram
UDPSocketWrite
SocketJoinMulticastGroup
RuntimeUDPSocketConstructor
RuntimeUDPSocketDestructor
TCPSocketBytesLeftToSend
TCPSocketFlush
TCPSocketEof
SocketPortSetter
SocketPortGetter
FileURLGetter
FolderItemImpMakeFileExecutable
collectionKeyRemove
getSerialPortCount
getSerialPortByPath
getSerialPort
..\..\..\..\Common\relocentry.cpp
..\..\..\..\Common\ResourceManagerCommon.cpp
Keyword
..\..\..\..\Common\runcmm.cpp
Key As String
..\..\..\..\Common\runctl.cpp
NULL == target->eventTable[ctr].vector
SQLQuery
kEncodingUTF8 == s1.Encoding()
..\..\..\..\Common\runEditControl.cpp
kEncodingUTF8 == s2.Encoding()
..\..\..\..\Common\runFileAccess.cpp
OthersExecute
GroupExecute
OwnerExecute
..\..\..\..\Common\runFolderItem.cpp
Passing non-absolute shell paths is not currently supported
The path passed into new FolderItem was invalid
URLPath
_MakeFileExecutable
..\..\..\..\Common\RunIPCSocket.cpp
..\..\..\..\Common\runListbox.cpp
sCondemnedRows.size() > 0
sCondemnedRows.peek_back() == p
c:\RB\Universal\SimpleVector.h
..\..\..\..\Common\runMedia.cpp
IndexedImage
..\..\..\..\Common\runPicture.cpp
key as String
..\..\..\..\Common\runprint.cpp
SerialPort
Port
..\..\..\..\Common\runSerial.cpp
KeyScript
SerialPortCount
..\..\..\..\Common\RunSystem.cpp
KeyChainCount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
AdvApi32.dll
ReportEventW
VVV.google.com
..\..\..\..\Common\RuntimeArrayFoundation.cpp
as the number of bits is not supported
..\..\..\..\Common\RuntimeDebug.cpp
Runtime Error %d: %s
Please report what caused this error
%s: %d
Failure Condition: %s
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp
NoOpenTransportException
KeyNotFoundException
UnsupportedFormatException
KeyChainException
row as Integer, column as Integer, key as String
CellKeyDown
..\..\..\..\Common\RuntimeListboxAccessors.cpp
PressHeader
..\..\..\..\Common\RuntimeMain.cpp
MsgPumpWaiter
..\..\..\..\Common\Object Model\RuntimeObjectFoundation.cpp
out->methods.count >= base->methods.count
out->events.count >= base->events.count
out->properties.count >= base->properties.count
..\..\..\..\Common\RunTimer.cpp
JoinMulticastGroup
TCPSocket
UDPSocket
..\..\..\..\Common\New Socket Code\RuntimeSocketAccessors.cpp
..\..\..\..\Common\RuntimeStringFoundation.cpp
..\..\..\..\Common\ClassLib\RuntimeThread.cpp
Called Semaphore.Release too many times.
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp
..\..\..\..\Common\Graphics2D\ShapePlotter.cpp
points.size() == 4
..\..\..\..\Common\Graphics2D\Shapes2D.cpp
wsock32.dll
ws2_32.dll
AcceleratorKey
..\..\..\..\Common\StaticText.cpp
c:\rb\universal\StringMap.h
..\..\..\..\Universal\StringUtils.cpp
..\..\..\..\Common\StyledTextBaseImp.cpp
..\..\..\..\Common\SubPane.cpp
..\..\..\..\Common\New Socket Code\TCPSocket.cpp
Made a new TCPSocketPosix
Destroying a TCPSocketPosix
from port
Starting the listening process on port
Shutting the TCPSocketPosix down
Resetting the TCPSocketPosix
Making a TCP socket
..\..\..\..\Common\New Socket Code\TCPSocketWin.cpp
windows-1258
windows-1257
windows-1256
windows-1255
windows-1254
windows-1253
windows-1251
windows-1250
windows-1252
DOSPortugese
WindowsKoreanJohab
WindowsVietnamese
WindowsBalticRim
WindowsArabic
WindowsHebrew
WindowsLatin5
WindowsGreek
WindowsCyrillic
WindowsLatin2
WindowsANSI
WindowsLatin1
DOSPortuguese
..\..\..\..\Universal\TextEncodingUtil.cpp
..\..\..\..\Common\Toolbar\ToolbarImpWin32.cpp
SHQueryRecycleBin requires Windows 95/NT4 with IE greater than 4.0
Shlwapi.dll
..\..\..\..\Common\TrayItem.cpp
Making a new UDPSocketPosix
Destroying a UDPSocketPosix
Unable to bind the udp socket
Unable to set the broadcast option on the UDP socket
udp socket is bound and ready
Trying to join the multicast group:
Could not join the multicast group
Joined the multicast group successfully
on port
01234567
..\..\..\..\Common\variant.cpp
Operator_PowerRight
Operator_Power
Operator_Hash
Operator_Hash%i4%o<
Operator_Convert%
..\..\..\..\Common\VariantConversions.cpp
..\..\..\..\Universal\VirtualVolumes\VFSCore.cpp
finfo->mPosWithinBlock >= kBlockHeaderSize and finfo->mPosWithinBlock < finfo->mBlockStart finfo->mBlockHeader.mBlockLength - 4
..\..\..\..\Universal\VirtualVolumes\VHFS.cpp
..\..\..\..\Common\Win32\win32cmm.cpp
..\..\..\..\Common\Win32\win32Control.cpp
RICHED32.DLL
RICHED20.DLL
..\..\..\..\Common\Win32\win32EditControl.cpp
Styled text printer passed in to DrawBlock was nil
..\..\..\..\Common\Win32\win32Folderitem.cpp
..\..\..\..\Common\Win32\Win32Menu.cpp
..\..\..\..\Common\Win32\win32popupmenu.cpp
ComCtl32.dll
..\..\..\..\Common\Win32\win32progress.cpp
\\.\COM
..\..\..\..\Common\Win32\win32serial.cpp
..\..\..\..\Common\Win32\win32windows.cpp
..\..\..\..\Common\ClassLib\window.cpp
WMPlayer.OCX
{22D6F312-B0F6-11D0-94AB-0080C74C7E95}..\..\..\..\Common\Win32\WindowsMediaPlayer.cpp
Can't load library %s
..\..\..\..\Common\Win32\WinPrinter.cpp
Could not get the default printer settings because a nil structure was passed in
Someone passed in a bogus value for getting printer information
uxtheme.dll
?#%X.y
c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb
QuickTime.qts
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_3.tmp.exe
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
GetConsoleOutputCP
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
SetViewportOrgEx
SetViewportExtEx
ShellExecuteA
ShellExecuteW
EnumChildWindows
VkKeyScanA
MsgWaitForMultipleObjectsEx
GetKeyNameTextA
MapVirtualKeyA
GetKeyNameTextW
EnumWindows
GetKeyState
GetAsyncKeyState
midiOutShortMsg
.text
`.rdata
@.data
.rsrc
|}{yN,--Rw}../.Sw}}
||}wYzyyO**...QQRvww}
.ww}}}
.www}}
..RRRRSSSw}w}
).RQ,,QRv||ww}}}
|||vv|RRS.RQQQ-'...-&,,,QQR||vR}}|}
version="1.0.0.0"
name="Windows Loader.exe"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
iphlpapi.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
2.2.2.0
Windows Loader.exe
FB_3.tmp.exe_1040_rwx_00401000_00219000:
FtPQW
~.SSW
SPSSSSSSSh
PQSSh
u.jhh
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
..\..\..\..\Common\application.cpp
c:\RB\Universal\StringMap.h
..\..\..\..\Common\array.cpp
..\..\..\..\Common\basicstr.cpp
ptr - out.CString() == totalLen
theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII
..\..\..\..\Common\BlowFish.cpp
ewcKeyDown
KeyDown
..\..\..\..\Common\Canvas.cpp
..\..\..\..\Common\CommonListbox.cpp
MinWidthExpression doesn't support the Asterisk ('*') format.MaxWidthExpression doesn't support the Asterisk ('*') format...\..\..\..\Common\commonruntime.cpp
trace.log
..\..\..\..\Common\CommonRunView.cpp
We weren't passed in a control, we got nil.
..\..\..\..\Universal\CommonWinFunctions.cpp
Operator_Convert
..\..\..\..\Common\ConsoleApplication.cpp
msvcrt.dll
..\..\..\..\Universal\DataFile.cpp
Operator_Compare
dateSQLDateTimeSetter
dateSQLDateTimeGetter
SQLDateTime
dateSQLDateSetter
dateSQLDateGetter
SQLDate
..\..\..\..\Common\DateCommon.cpp
..\..\..\..\Universal\DateImp\DateImpWin32.cpp
Password
SQLSelect
databaseSQLExecute
SQLExecute
sqlString
databaseSQLSelect
..\..\..\..\Common\dbInterface.cpp
00:00:00
00:00:00
Invalid operator
Quotes expected after LIKE operation
Only COUNT(*) supported
Unsupported SELECT function
Only single GROUP BY columns currently supported
Expecting 'KEY'
Dropping columns is not supported for this database
Dropping tables from this database is not currently supported.
..\..\..\..\Common\DebuggerConnection.cpp
0000000000000000
127.0.0.1
c:\RB\Compiler\SmartRef.h
..\..\..\..\Common\DebuggerSupport.cpp
00000000
The debug application cannot connect back to the REALbasic IDE. This is mostly likely due to a software firewall or packet filter not allowing localhost network traffic on ports 13897 or 60554. You should reconfigure your software firewall or packet filter to allow the debug application to connect to REALbasic.
DebuggerSupport.cpp
dictionaryHasKey
HasKey
2147483647
..\..\..\..\Common\Dictionary.cpp
dictionaryKeys
Keys
dictionaryKey
..\..\..\..\Common\DockItem.cpp
..\..\..\..\Common\DragItem.cpp
Could not lock the BITMAPINFO structure passsed to the DrawableBitmap constructor
..\..\..\..\Common\drawable.cpp
..\..\..\..\Common\fileTypes.cpp
..\..\..\..\Common\FolderItemDialog.cpp
Shell32.dll
FolderItemDialogInitializer
OpenDialogInitializer
SaveAsDialogInitializer
SelectFolderDialogInitializer
..\..\..\..\Universal\FolderItemImp\FolderItemImpVirtual.cpp
..\..\..\..\Universal\FolderItemImp\FolderItemImpWin32.cpp
Kernel32.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
in Windows
OpenAsPicture doesn't support format
in Windows.
SaveAsPicture doesn't support format
Gdiplus.dll
not other.IsVirtual()
SHFileOperationW
SHFileOperationA
%%.ß
%%.Þ
..\..\..\..\Common\Graphics.cpp
..\..\..\..\Common\GraphicsGDI.cpp
..\..\..\..\Common\GroupBox.cpp
..\..\..\..\Common\intrinsicClass.cpp
NULL == defn->initializer.toc
NULL == defn->finalizer.toc
OpenURLMovie
PortType
comparisonKey
OrdinalKey
StringJoin
Join
RuntimeCompleteParamScriptExecute
_CompleteParamScriptExecute
RuntimeScriptExecute
_ScriptExecute
getKeyboardObject
Keyboard
GlobalShowURL
ShowURL
getApplicationSupportFolder
ApplicationSupportFolder
VB_RuntimeMsgBox
RuntimeMsgBox
MsgBox
exportPicture
ExportPicture
getIndexedObjectDescriptor
GetIndexedObjectDescriptor
openURLMovie
..\..\..\..\Common\intrinsicFunction.cpp
keyboardKeyName
KeyName
keyboardAsyncKeyDown
AsyncKeyDown
KeyCode
AsyncAlternateMenuShortcutKey
AsyncMenuShortcutKey
AlternateMenuShortcutKey
MenuShortcutKey
AsyncAltKey
AsyncOptionKey
AsyncControlKey
AsyncOSKey
AsyncCommandKey
asyncModifierKeyGetter
AsyncShiftKey
AltKey
OptionKey
ControlKey
OSKey
CommandKey
modifierKeyGetter
ShiftKey
_Keyboard
..\..\..\..\Common\LineControl.cpp
Windows
Operator_AddRight
Operator_Add
' was not exported
..\..\..\..\Common\loaderX86.cpp
import.dat
code.dat
data.dat
rsrc.dat
options.dat
symbols.dat
MemoryBlockCompareOperator
MemoryBlockAddOperator
MemoryBlockFromStringOperator
MemoryBlockToStringOperator
..\..\..\..\Common\MemoryBlock.cpp
..\..\..\..\Universal\MemoryManager.cpp
c:\rb\universal\SimpleVector.h
..\..\..\..\Common\Menu.cpp
..\..\..\..\Common\menubar.cpp
KeyboardShortcut
RuntimeMenuItemCommandKeySetter
RuntimeMenuItemCommandKeyGetter
TaskDialogIndirect
..\..\..\..\Common\MessageDialog.cpp
MessageDialogInitializer
..\..\..\..\Common\mouseCursor.cpp
SensApi.dll
..\..\..\..\Common\NuListbox.cpp
..\..\..\..\Common\Object Model\ObjectDefinition.cpp
..\..\..\..\Common\Object Model\ObjectDefinitionConverter.cpp
propertyCtr < out->properties.count
..\..\..\..\Common\objects.cpp
KeyPress
KeyUp
LicenseKey
PassByref
Does not support a collection
Invalid/Unsupported OLE Parameter Type
ole32.dll
oleaut32.dll
OLEObjectOperatorNot
Operator_Not
Operator_OrRight
OLEObjectOperatorOr
Operator_Or
Operator_AndRight
OLEObjectOperatorAnd
Operator_And
OLEObjectOperatorNegate
Operator_Negate
OLEObjectOperatorModuloRight
Operator_ModuloRight
OLEObjectOperatorModulo
Operator_Modulo
OLEObjectOperatorIntegerDivideRight
Operator_IntegerDivideRight
OLEObjectOperatorIntegerDivide
Operator_IntegerDivide
OLEObjectOperatorDivideRight
Operator_DivideRight
OLEObjectOperatorDivide
Operator_Divide
OLEObjectOperatorMultiplyRight
Operator_MultiplyRight
OLEObjectOperatorMultiply
Operator_Multiply
OLEObjectOperatorSubtractRight
Operator_SubtractRight
OLEObjectOperatorSubtract
Operator_Subtract
OLEObjectOperatorAddRight
OLEObjectOperatorAdd
OLEObjectOperatorCompare
OLEObjectOperatorConvert
OLEObjectOperatorLookupSetterWithParameters
OLEObjectOperatorLookup
OLEObjectNoReturnOperatorLookup
Operator_Lookup
..\..\..\..\Common\ClassLib\pane.cpp
..\..\..\..\Common\pictutil.cpp
Export Image As:
Bitmap (*.bmp)
..\..\..\..\Common\Graphics2D\PixMapRotate.cpp
..\..\..\..\Common\plugin.cpp
iface.super
.Events.
pluginEntryTable.GetEntry( entrypointName, out )
RasApi32.dll
RasDlg.dll
..\..\..\..\Common\New Socket Code\PPPSocketWin.cpp
HKEY_LOCAL_MACHINE\Software\Apple Computer, Inc.\QuickTime
because an unsupported column type was used
because an unsupported type was used
..\..\..\..\Common\rbdbThumb.cpp
offset == keyLen
Insert failed: primary key violation
KeyChainItemAttributeSetter
KeyChainItemAttributeGetter
KeyChainItemDelete
KeyChainFindPassword
FindPassword
KeyChainAddPassword
AddPassword
KeyChainLock
KeyChainUnlock
KeyChainConstructor
KeyChain
KeyChainItem
KeyChainItemConstructor
KeyChainItemDestructor
..\..\..\..\Common\RBStyledText.cpp
..\..\..\..\Universal\REALstring.cpp
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
SHDeleteKeyA
RegistryItemKeyCountGetter
KeyCount
..\..\..\..\Common\Win32\RegistryAccessors.cpp
RegistryItemKeyTypeGetter
KeyType
HKEY_LOCAL_MACHINE\Software\Made With REALbasic\
REALGetDBPassword
RegisterPluginExports
systemSetKeyScript
systemGetKeyScript
editPasswordSetter
editPasswordGetter
eWindowStringPassThroughGetter
eWindowBoolPassThroughSetter
eWindowBoolPassThroughGetter
eWindowIntPassThroughGetter
listColumnPressHeader
pictureIndexedImage
systemGetKeyChainCount
systemSetDefaultKeyChain
systemGetDefaultKeyChain
aeTargetPortTypeGetter
SerialPortDestructor
ServerSocketPortSetter
ServerSocketPortGetter
UDPSocketPacketsLeftToSend
UDPSocketGetBroadcast
UDPSocketSetLoopback
UDPSocketRouterHops
UDPReadDatagram
UDPSocketWriteDatagram
UDPSocketWrite
SocketJoinMulticastGroup
RuntimeUDPSocketConstructor
RuntimeUDPSocketDestructor
TCPSocketBytesLeftToSend
TCPSocketFlush
TCPSocketEof
SocketPortSetter
SocketPortGetter
FileURLGetter
FolderItemImpMakeFileExecutable
collectionKeyRemove
getSerialPortCount
getSerialPortByPath
getSerialPort
..\..\..\..\Common\relocentry.cpp
..\..\..\..\Common\ResourceManagerCommon.cpp
Keyword
..\..\..\..\Common\runcmm.cpp
Key As String
..\..\..\..\Common\runctl.cpp
NULL == target->eventTable[ctr].vector
SQLQuery
kEncodingUTF8 == s1.Encoding()
..\..\..\..\Common\runEditControl.cpp
kEncodingUTF8 == s2.Encoding()
..\..\..\..\Common\runFileAccess.cpp
OthersExecute
GroupExecute
OwnerExecute
..\..\..\..\Common\runFolderItem.cpp
Passing non-absolute shell paths is not currently supported
The path passed into new FolderItem was invalid
URLPath
_MakeFileExecutable
..\..\..\..\Common\RunIPCSocket.cpp
..\..\..\..\Common\runListbox.cpp
sCondemnedRows.size() > 0
sCondemnedRows.peek_back() == p
c:\RB\Universal\SimpleVector.h
..\..\..\..\Common\runMedia.cpp
IndexedImage
..\..\..\..\Common\runPicture.cpp
key as String
..\..\..\..\Common\runprint.cpp
SerialPort
Port
..\..\..\..\Common\runSerial.cpp
KeyScript
SerialPortCount
..\..\..\..\Common\RunSystem.cpp
KeyChainCount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
AdvApi32.dll
ReportEventW
VVV.google.com
..\..\..\..\Common\RuntimeArrayFoundation.cpp
as the number of bits is not supported
..\..\..\..\Common\RuntimeDebug.cpp
Runtime Error %d: %s
Please report what caused this error
%s: %d
Failure Condition: %s
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp
NoOpenTransportException
KeyNotFoundException
UnsupportedFormatException
KeyChainException
row as Integer, column as Integer, key as String
CellKeyDown
..\..\..\..\Common\RuntimeListboxAccessors.cpp
PressHeader
..\..\..\..\Common\RuntimeMain.cpp
MsgPumpWaiter
..\..\..\..\Common\Object Model\RuntimeObjectFoundation.cpp
out->methods.count >= base->methods.count
out->events.count >= base->events.count
out->properties.count >= base->properties.count
..\..\..\..\Common\RunTimer.cpp
JoinMulticastGroup
TCPSocket
UDPSocket
..\..\..\..\Common\New Socket Code\RuntimeSocketAccessors.cpp
..\..\..\..\Common\RuntimeStringFoundation.cpp
..\..\..\..\Common\ClassLib\RuntimeThread.cpp
Called Semaphore.Release too many times.
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp
..\..\..\..\Common\Graphics2D\ShapePlotter.cpp
points.size() == 4
..\..\..\..\Common\Graphics2D\Shapes2D.cpp
wsock32.dll
ws2_32.dll
AcceleratorKey
..\..\..\..\Common\StaticText.cpp
c:\rb\universal\StringMap.h
..\..\..\..\Universal\StringUtils.cpp
..\..\..\..\Common\StyledTextBaseImp.cpp
..\..\..\..\Common\SubPane.cpp
..\..\..\..\Common\New Socket Code\TCPSocket.cpp
Made a new TCPSocketPosix
Destroying a TCPSocketPosix
from port
Starting the listening process on port
Shutting the TCPSocketPosix down
Resetting the TCPSocketPosix
Making a TCP socket
..\..\..\..\Common\New Socket Code\TCPSocketWin.cpp
windows-1258
windows-1257
windows-1256
windows-1255
windows-1254
windows-1253
windows-1251
windows-1250
windows-1252
DOSPortugese
WindowsKoreanJohab
WindowsVietnamese
WindowsBalticRim
WindowsArabic
WindowsHebrew
WindowsLatin5
WindowsGreek
WindowsCyrillic
WindowsLatin2
WindowsANSI
WindowsLatin1
DOSPortuguese
..\..\..\..\Universal\TextEncodingUtil.cpp
..\..\..\..\Common\Toolbar\ToolbarImpWin32.cpp
SHQueryRecycleBin requires Windows 95/NT4 with IE greater than 4.0
Shlwapi.dll
..\..\..\..\Common\TrayItem.cpp
Making a new UDPSocketPosix
Destroying a UDPSocketPosix
Unable to bind the udp socket
Unable to set the broadcast option on the UDP socket
udp socket is bound and ready
Trying to join the multicast group:
Could not join the multicast group
Joined the multicast group successfully
on port
01234567
..\..\..\..\Common\variant.cpp
Operator_PowerRight
Operator_Power
Operator_Hash
Operator_Hash%i4%o<
Operator_Convert%
..\..\..\..\Common\VariantConversions.cpp
..\..\..\..\Universal\VirtualVolumes\VFSCore.cpp
finfo->mPosWithinBlock >= kBlockHeaderSize and finfo->mPosWithinBlock < finfo->mBlockStart finfo->mBlockHeader.mBlockLength - 4
..\..\..\..\Universal\VirtualVolumes\VHFS.cpp
..\..\..\..\Common\Win32\win32cmm.cpp
..\..\..\..\Common\Win32\win32Control.cpp
RICHED32.DLL
RICHED20.DLL
..\..\..\..\Common\Win32\win32EditControl.cpp
Styled text printer passed in to DrawBlock was nil
..\..\..\..\Common\Win32\win32Folderitem.cpp
..\..\..\..\Common\Win32\Win32Menu.cpp
..\..\..\..\Common\Win32\win32popupmenu.cpp
ComCtl32.dll
..\..\..\..\Common\Win32\win32progress.cpp
\\.\COM
..\..\..\..\Common\Win32\win32serial.cpp
..\..\..\..\Common\Win32\win32windows.cpp
..\..\..\..\Common\ClassLib\window.cpp
WMPlayer.OCX
{22D6F312-B0F6-11D0-94AB-0080C74C7E95}..\..\..\..\Common\Win32\WindowsMediaPlayer.cpp
Can't load library %s
..\..\..\..\Common\Win32\WinPrinter.cpp
Could not get the default printer settings because a nil structure was passed in
Someone passed in a bogus value for getting printer information
uxtheme.dll
?#%X.y
c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb
QuickTime.qts
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_3.tmp.exe
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
GetConsoleOutputCP
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
SetViewportOrgEx
SetViewportExtEx
ShellExecuteA
ShellExecuteW
EnumChildWindows
VkKeyScanA
MsgWaitForMultipleObjectsEx
GetKeyNameTextA
MapVirtualKeyA
GetKeyNameTextW
EnumWindows
GetKeyState
GetAsyncKeyState
midiOutShortMsg
.text
`.rdata
@.data
.rsrc
DriverUpdate.exe_516_rwx_0098A000_00002000:
.cRyP
DriverUpdate.exe_516_rwx_675A6000_00003000:
.Qg<-Qg
*Rg`.Rg|)RgL Rg
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
FB_2.tmp.exe:1796
AdobeUpdate.exe:1072
AdobeUpdate.exe:1056
%original file name%.exe:1016
calc.exe:1716
FB_1.tmp.exe:616
netsh.exe:1432 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\DriverUpdate.exe (29 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\WinNT.tmp (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_3.tmp.exe (28502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_1.tmp.exe (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_2.tmp.exe (29 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\67b50313b3610dbbe66e30f19a1dbd14.exe (29 bytes)
%Documents and Settings%\%current user%\Application Data\AdobeUpdate.exe (36 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"adobeupdate" = "%Documents and Settings%\%current user%\Application Data\AdobeUpdate.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"67b50313b3610dbbe66e30f19a1dbd14" = "%Documents and Settings%\%current user%\Local Settings\Temp\DriverUpdate.exe .."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"67b50313b3610dbbe66e30f19a1dbd14" = "%Documents and Settings%\%current user%\Local Settings\Temp\DriverUpdate.exe .." - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
