Backdoor.Generic.938360_0eacaa42de
Backdoor.Generic.938360 (BitDefender), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Generic.938360 (B) (Emsisoft), Artemis!0EACAA42DE09 (McAfee), Trojan.ADH.2 (Symantec), Trojan-Downloader.Win32.Injecter (Ikarus), Backdoor.Generic.938360 (FSecure), BackDoor.Generic18.AMLU (AVG), Win32:Agent-AMXG [Trj] (Avast), TROJ_GEN.R047C0EI114 (TrendMicro), Backdoor.Generic.938360 (AdAware), Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, InstallerInnoSetup.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0eacaa42de095bf9d6ff0e875ffba66d
SHA1: a9154ddb2ce8604b4a3f890de047af668d88872f
SHA256: e9b78c159e84272b5cb84f4886d552044a10b136492b0adff1a14d0e1a78598d
SSDeep: 12288:3BJFcRdNOmZTkFvZ7PJDA8tiY/b8NnNGEH4kudJT/sXu5tdNOmDTkgoa:3/FWykgFvlR1tjbeevT/s 3ywgY
Size: 622313 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Crawler.Com
Created at: 2008-10-10 11:06:22
Analyzed on: Windows7 SP1 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
setup.exe:2668
%original file name%.exe:2692
The Backdoor injects its code into the following process(es):
is-TA0F3.tmp:4000
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:2668 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OPKFR.tmp\is-TA0F3.tmp (1259 bytes)
The process is-TA0F3.tmp:4000 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-684J7.tmp\_shfoldr.dll (47 bytes)
The process %original file name%.exe:2692 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F1.tmp (2511 bytes)
C:\Windows\System32\drivers\etc\hosts (1689 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66BF.tmp (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66C0.tmp (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F4.tmp (1853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66E0.tmp (2658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F2.tmp (6017 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F5.tmp (2195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\java_is2.exe (1209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F3.tmp (2416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F6.tmp (26144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe (3605 bytes)
C:\Windows\Tasks\SunMicro Java Update.job (240 bytes)
The Backdoor deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66C0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66E0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F6.tmp (0 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
92dc6ef532fbb4a5c3201469a5b5eb63 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-684J7.tmp\_shfoldr.dll |
667555fc8d80c030ed5de256404df5c5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OPKFR.tmp\is-TA0F3.tmp |
8d73892318fd8d3fd11671216294ffff | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\java_is2.exe |
7274f3da93705133dab50f1e4b57a15e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe |
HOSTS file anomalies
The Backdoor modifies the "%System%\drivers\etc\hosts" file, which is used to map hostnames to IP addresses before DNS is consulted.
The modified file is 1689 bytes in size. The following entries are added to the hosts file:
IP | Hostname |
---|---|
213.203.216.114 | marketsamurai.com |
204.9.178.11 | typepad.com |
74.113.152.32 | istockphoto.com |
208.94.0.38 | yfrog.com |
63.309.5.102 | virustotal.com |
123.125.50.22 | 126.com |
24.29.138.10 | telegraph.co.uk |
174.36.28.11 | SlideShare.com |
213.238.60.190 | xing.com |
59.106.98.139 | seesaa.net |
184.72.253.170 | hootsuite.com |
211.151.146.16 | soku.com |
74.208.73.101 | qvc.com |
67.221.174.30 | tagged.com |
72.32.120.222 | metacafe.com |
89.105.6.98 | bitdefender.com |
204.11.109.133 | tribalfusion.com |
207.154.14.31 | tripadvisor.com |
216.52.240.133 | ustream.tv |
174.36.244.132 | linkwithin.com |
80.82.137.230 | thefreedictionary.com |
121.67.203.61 | scan.novirusthanks.org |
209.172.34.139 | imagevenue.com |
91.206.232.220 | booking.com |
118.69.251.6 | vnexpress.net |
64.34.110.174 | plentyoffish.com |
140.211.166.21 | drupal.org |
103.67.101.13 | trendmicro.com |
208.85.40.80 | pandora.com |
194.116.241.57 | softonic.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Sobolsoft
Product Name: Sobolsoft Utility
Product Version:
Legal Copyright: Sobolsoft Copyright 2001-2007
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Sobolsoft Utility
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2544 | 2560 | 4.09431 | e090701d5042416b1fe256ffafbcfe85 |
.rdata | 8192 | 1474 | 1536 | 3.41226 | 8abdf45c514191bfbb55a9005b8a1722 |
.data | 12288 | 1700 | 1024 | 0.77514 | 2a832b050b9791bb1012048baa959097 |
.rsrc | 16384 | 6944 | 7168 | 3.13015 | 3be65e14bf2745017b9f6e24d36b1226 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
teredo.ipv6.microsoft.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Backdoor connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup.exe:2668
%original file name%.exe:2692
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OPKFR.tmp\is-TA0F3.tmp (1259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-684J7.tmp\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F1.tmp (2511 bytes)
C:\Windows\System32\drivers\etc\hosts (1689 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66BF.tmp (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66C0.tmp (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F4.tmp (1853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LSB66E0.tmp (2658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F2.tmp (6017 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F5.tmp (2195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\java_is2.exe (1209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F3.tmp (2416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SB666F6.tmp (26144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\setup.exe (3605 bytes)
C:\Windows\Tasks\SunMicro Java Update.job (240 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.