Backdoor.Win32.Farfli_26845db271

by malwarelabrobot on September 30th, 2015 in Malware Descriptions.

Trojan.Win32.Scar.lohr (Kaspersky), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 26845db2719e5d66fb69fd452bcb2a32
SHA1: aa773e85a0d244b4fa0aab6d73a73ba4bf9f5c7d
SHA256: d595f818a33b11aa9d2f60d40a1288040c50a114624eee49750f18f9ad1715d3
SSDeep: 3072:nMaMwO /mcnyrwRsN0phhFDWOc5ZlPPl24Ubr/pFUxKKJuttWumTly6:nMaMxImcFsN0/DAZlPPl2n/LUx3gtIuU
Size: 178776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2007-02-18 15:36:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

wckPeutRr.exe:1772
%original file name%.exe:228

The Backdoor injects its code into the following process(es):

svchost.exe:1748
Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process wckPeutRr.exe:1772 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\VvFmmxrW\WmpWEhZT\rzdFAMqe\wckPeutRr.exe (178 bytes)
%WinDir%\Tasks\{E0B66E97-D187-7610-206B-A37DD5B86800}.job (434 bytes)

Registry activity

The process wckPeutRr.exe:1772 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Classes\CLSID\{E0B66E97-D187-7610-206B-A37DD5B86800}]
"2" = "5F 6C 14 E5 5B 55 CE A2 C6 4F 06 50 80 B1 04 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{E0B66E97-D187-7610-206B-A37DD5B86800}\1]
"0" = "3E 10 C2 C2 0F 91 DF B0 38 0D 26 A1 88 68 70 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 5A 34 2D 47 24 CB 43 83 A1 6B DC F8 DF 40 CC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:228 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 87 DF 7E 94 02 A4 EB F3 0C A1 42 49 11 4E F8"

[HKCU\Software\Classes\CLSID\{E0B66E97-D187-7610-206B-A37DD5B86800}]
"1" = "78 72 DC 8D 3F 70 F0 45 77 64 F6 F2 AF F6 BF 29"
"0" = "9B 94 E7 FB 7F DC 0F D9 55 8D 25 8B FE F7 10 59"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\CLSID\{E0B66E97-D187-7610-206B-A37DD5B86800}]
"(Default)" = "55 D7 8A 8A F4 01 9C 05 29 C7 0D F8 7F FE 9A EC"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{E0B66E97-D187-7610-206B-A37DD5B86800}" = "%Documents and Settings%\%current user%\Application Data\VvFmmxrW\WmpWEhZT\rzdFAMqe\wckPeutRr.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 32876 36864 3.59405 6cefe5df36da04617c30bae1d52eb2d0
.rdata 40960 5790 8192 2.96369 87dae61b6308cb4951e74e2046f85fa2
.data 49152 1237748 12288 3.72631 495d187a2ab14e73f648d097031c1040
.rsrc 1290240 107272 110592 5.2573 d9dcec3993ce302dc5ff785e863a1049

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 212.30.134.176
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 212.30.134.176
securityrealnet.com 62.75.195.209
blizorsysdate.com 188.138.71.69


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: text/plain
Last-Modified: Thu, 20 Aug 2015 18:11:19 GMT
Accept-Ranges: bytes
ETag: "803dac9c73dbd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Tue, 29 Sep 2015 04:23:30 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2
1401D0DB739CEE64E9....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Thu, 20 Aug 2015 19:08:01 GMT
Accept-Ranges: bytes
ETag: "803e6c887bdbd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 50006
Date: Tue, 29 Sep 2015 04:23:30 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2
MSCF....V.......,...................I..................G.` .authroot.s
tl.W....8..CK...<T.....c.5(..=..!Ev"..d'..c-iTBWI.H%..V.........E.%
)...f....uo...~/.3..s..y>...=..l...dbUH4M...1....&J.}<...#.L..\.
x!F.t.^......q..l8p.i.J'3.........J.5v....z-...A4U.T.E...h...}$.....5.
=.....VnU..E.[.[a(.."..G..P..k.m.3.....EP>.g..?.kY|..L.v...qDz...T.
&p.&..:.f....T.b..\...Af\..J..I.....tN09.......|,[r._..x..Y.e.(d..o...
`3........(... .$...V..e.y.s$p...u...........W..~...A.B....GoOV.....JT
.."VF.<.A....3...r.......addf`.....ph.J:r.E..[\L.X.:....?.. .....b.
..l....St...U.N;..a.h-W....4.Uqb.MbF=.X.C..DX..............V.U..P.....
'[email protected]:...5..j7[.!Yb|.....l...G.
F.E..?lg..m-n.(/6I..........._......5........n.t.<.'....Nim..;.!{..
......N.h...u.....x`... gR..B..V{.'..=}..=|.hg.9.6....j..w.[P`.G.....d
..............!..t./..........*.@(8(v1....'..Z. ....R.r....1Jn.j.[p..A
t..W;F.(..a...N...X....=.[..'.r.....^$B.a...9....,v-...%.2...:...[..6.
j...1..!{.....n..={.U....%...y,.....>a`..0..6..SJda.)9x...zqc..X..V
q.1z.....'^.....^sU|$.u...~.Lgf...Y...V..(f.(...m...-..-&,..c&z...-...
..fGO..6...N.y<.z..,...g|.....!..$....<....q......q8.<t.k.p.=
......z.}.Q.U....&J..-T......[...........}u...T.......>.y.e..CF".VX
$;&T.>..].3.H....7k..w.m...(..#[email protected]....[..l..w.e.2..3..(y. ...
|K9>...o..Uz.....V..W|.k.|...,..V.xPmV...X......!.........Jj.%.N_.9
T.~...v...C.!.4.5a.!...(..../[email protected]....
......D~...%y.....i....a.$vu.7...{.6.{Y3....5.YD.d>,.....b...H.
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

svchost.exe_1748:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_1748_rwx_00090000_00022000:

.text
`.rdata
@.data
.reloc
L$$QSSh
SSShmj
aPLib v1.1.1 - the smaller the better :)
More information: hXXp://VVV.ibsensoftware.com/
szURL
wUpdatePipe
szUpdatePipe
wReportPrefix
EVENT-PROCESS-%X-MODULE-%X
chrome.exe
iexplore.exe
firefox.exe
2.0.0.0
lpszWindowsVersion
Windows 8.1 SP
Windows Server 2012 R2 SP
Windows 8 SP
Windows Server 2012 SP
Windows 7 SP
Windows Server 2008 R2 SP
Windows Vista SP
Windows Server 2008 SP
Windows Server 2003 R2 SP
Windows Home Server SP
Windows Server 2003 SP
Windows XP Professional x64 Edition SP
Undetected (Windows 5.2) SP
Windows XP SP
Windows 2000 SP
Undetected (Windows %d.%d) SP
%d days %0.2d:%0.2d:%0.2d
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
bot_update_exe
bot_upload_exe
\Mozilla\Firefox\
%s\profiles.ini
%s%s\
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
spdy.enabled
C:\Soft\qadars\Release\modules\moduleMain_32.pdb
CreatePipe
GetWindowsDirectoryA
ConnectNamedPipe
CreateNamedPipeW
KERNEL32.dll
ExitWindowsEx
USER32.dll
RegCreateKeyExW
RegOpenKeyExA
RegOpenKeyExW
RegCloseKey
RegQueryInfoKeyW
RegQueryInfoKeyA
RegEnumKeyA
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
msvcrt.dll
ntdll.dll
WS2_32.dll
HttpQueryInfoA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
WININET.dll
SHLWAPI.dll
moduleMain_32.dll
bot_upload_url
bot_update_url
{E0B66E97-D187-7610-206B-A37DD5B86800}
4 4(40484
kernel32.dll
%s\%s%s
%s\%s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\\lInJlXrttK7.tmp

svchost.exe_1748_rwx_01B70000_00012000:

.text
`.rdata
@.data
.reloc
wUpdatePipe
szUpdatePipe
wReportPrefix
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
%s\*.txt
%s\%s
Process: iexplore.exe, Path:
\Mozilla\Firefox\
%s\profiles.ini
%s%s\
firefox
%s\sqlite3.dll
%s\mozsqlite3.dll
%s\nss3.dll
\cookies.sqlite
Process: firefox.exe, Path:
reportSent
SMTP Password
HTTP Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
%s\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
sqlite3_open
sqlite3_prepare
sqlite3_step
sqlite3_column_text
sqlite3_column_int
sqlite3_column_bytes
sqlite3_close
WaitNamedPipeW
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegOpenKeyExA
RegOpenKeyExW
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegEnumKeyExA
ADVAPI32.dll
SHELL32.dll
ole32.dll
msvcrt.dll
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
PFXExportCertStoreEx
CRYPT32.dll
moduleScript_32.dll
C:\Soft\qadars\Release\modules\moduleScript_32.pdb
{E0B66E97-D187-7610-206B-A37DD5B86800}
? ?(?1?^?}?
kernel32.dll

svchost.exe_1748_rwx_01C70000_00010000:

.text
`.rdata
@.data
.reloc
%s#%s
wUpdatePipe
szUpdatePipe
wReportPrefix
%u.%u.%u.%u
WaitNamedPipeW
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
WS2_32.dll
msvcrt.dll
moduleBC_32.dll
C:\Soft\qadars\Release\modules\moduleBC_32.pdb
{E0B66E97-D187-7610-206B-A37DD5B86800}
7#7(7-7A7T7e7k7w7}7
SOFTWARE\Microsoft\Windows NT\CurrentVersion
kernel32.dll

svchost.exe_1748_rwx_01D50000_0005D000:

.text
`.rdata
@.data
.reloc
SSShx
RFB d.d
%s (%s)
d/d/d d:d
1.2.6
password check failed!
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
deflate 1.2.6 Copyright 1995-2012 Jean-loup Gailly and Mark Adler
inflate 1.2.6 Copyright 1995-2012 Mark Adler
%s#%s
wUpdatePipe
szUpdatePipe
wReportPrefix
%s\Google\Chrome\User Data\
%s\Default\
%s\User Data\
%s\User Data\Default
\Chrome\
google chrome
\Mozilla\Firefox\
%s\profiles.ini
%s%s\
user_pref("layers.acceleration.disabled", true);
layers.acceleration.disabled
\Firefox\
%sprefs.js
mozilla firefox
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
notepad.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
kernel32.dll
winmm.dll
user32.dll
EVENT-PROCESS-%X-MODULE-%X
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
iexplore.exe
\explorer.exe
C:\Soft\qadars\Release\modules\moduleVNC_32.pdb
GetTcpTable
IPHLPAPI.DLL
WaitNamedPipeW
GetProcessHeaps
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
MapVirtualKeyW
SetKeyboardState
GetKeyboardLayoutList
MapVirtualKeyExA
MapVirtualKeyA
GetAsyncKeyState
GetKeyboardLayout
GetKeyState
VkKeyScanExA
VkKeyScanExW
keybd_event
EnumChildWindows
USER32.dll
SetViewportOrgEx
GDI32.dll
RegCreateKeyExW
RegOpenKeyExA
RegOpenKeyExW
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegEnumKeyExA
RegQueryInfoKeyA
ADVAPI32.dll
SHFileOperationA
SHELL32.dll
ole32.dll
msvcrt.dll
PSAPI.DLL
WS2_32.dll
SHLWAPI.dll
moduleVNC_32.dll
;3 #>6.&
'2, / 0&7!4-)1#
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current
HighMemoryEvent_x
{E0B66E97-D187-7610-206B-A37DD5B86800}
9 9$9(9,9
1%1.161;1
7&7-7d7}7
<*<9<`<~<
666=6[6|6
(0,00040
0014181<1
:(;,;0;4;
;0<4<8<<<
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\chrome.exe
"%ws" --no-sandbox --disable-gpu --disable-gpu-rasterization --disable-gpu-compositing --disable-gpu-vsync --user-data-dir="%S"
x\firefox.exe
"%ws" -profile "%S" -no-remote
\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Avalon.Graphics
\notepad.exe
Chrome_RenderWidgetHostHWND
Chrome_WidgetWin_1
MozillaWindowClass
SysShadow
userinit.exe

Explorer.EXE_1572_rwx_00FF0000_0000F000:

.text
`.rdata
@.data
.reloc
%s#%s
\\.%s
wUpdatePipe
szUpdatePipe
wReportPrefix
user32.dll
keylogger
WaitNamedPipeW
KERNEL32.dll
GetKeyboardState
GetKeyState
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
msvcrt.dll
PSAPI.DLL
moduleKeylogger_32.dll
C:\Soft\qadars\Release\modules\moduleKeylogger_32.pdb
{E0B66E97-D187-7610-206B-A37DD5B86800}
: :$:(:,:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
kernel32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wckPeutRr.exe:1772
    %original file name%.exe:228

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (50 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
    %Documents and Settings%\%current user%\Application Data\VvFmmxrW\WmpWEhZT\rzdFAMqe\wckPeutRr.exe (178 bytes)
    %WinDir%\Tasks\{E0B66E97-D187-7610-206B-A37DD5B86800}.job (434 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{E0B66E97-D187-7610-206B-A37DD5B86800}" = "%Documents and Settings%\%current user%\Application Data\VvFmmxrW\WmpWEhZT\rzdFAMqe\wckPeutRr.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now