Backdoor.Win32.Farfli_29a5d87b84
Trojan.Win32.Bublik.vzq (Kaspersky), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 29a5d87b8443a7316afba58a7e7a84d6
SHA1: e0888fa74c1c994fe39c1fa10ff0e9a294216b56
SHA256: ec5daf37e9829d36cdb8b0b9f43a1cc21cd6528bd8254fff7fd75e921706b27d
SSDeep: 6144:FxJsGLnm7oxDNT/xQphU jrlgzfuzt91C9NDyWId98HhqbxtHGZ4:XJsG674h/xQp6 tqOYy9zo09
Size: 289280 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
java.exe:1748
%original file name%.exe:464
The Backdoor injects its code into the following process(es):
svchost.exe:1296
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:464 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\java\java.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (227 bytes)
Registry activity
The process java.exe:1748 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 0A 34 50 BA 4F 7E C4 B3 3D 36 3D 9A C3 F3 E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process %original file name%.exe:464 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 E9 C4 98 2C 24 68 26 C7 7B 58 58 B4 0C 17 6C"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0005S230-303Y-7J48-X2O4-66PTT8S5LQ5F}]
"StubPath" = "%WinDir%\java\java.exe Restart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%WinDir%\java\java.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Policies" = "%WinDir%\java\java.exe"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java" = "%WinDir%\java\java.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java" = "%WinDir%\java\java.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 45508 | 45568 | 4.44203 | 2aed597ed3f1d9c73b53d0cc76618a3e |
| DATA | 53248 | 544 | 1024 | 1.91655 | b5ac768607e898646b124b41079543de |
| BSS | 57344 | 4589 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 65536 | 3044 | 3072 | 3.30697 | 4f982c9b59dc3fc83ad5a7c9912faa66 |
| .tls | 69632 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 73728 | 24 | 512 | 0.142404 | a270a5e1f4f71f9ddb31027f913842a2 |
| .reloc | 77824 | 2660 | 3072 | 4.32141 | 3691e8124ad3af927727297ca9788233 |
| .rsrc | 81920 | 234800 | 235008 | 5.51423 | 86a463d4259c774be0496fa613f349b0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 16
3ef2b446794378aa973ad9cfdc91a7cd
5148c50e6523a7aad329cbe8ac4c4984
7158df9b294df46e18c8354920b2618d
38ec2944663c7e64c927209b1a754136
3c5b072312312787641783cf88f58a58
61152b2a9abb9ec7e7566c6d5f9d0600
afad53411348d0d00eaab8c309d85541
3381457b505704901a97f317e159cf48
841397524414370f1851dcf8caff41e0
8fb1ecb04fd2ad321ebcf43bb39e7c37
a7b9f7155e4011911db3112fc1a5e1b5
0f90491af4224cf84fad6844542bca81
a2aa9200dbc87e22113672fab2c943c1
79dbdca3a114acafeaede5bbca3ccafe
6632158297b4fd362a42b6b8ca4a983a
fa50026669f530b94435680123dde670
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Backdoor connects to the servers at the folowing location(s):
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_1296_rwx_00090000_00001000:
KERNEL32.DLL
svchost.exe_1296_rwx_001D0000_00001000:
KERNEL32.DLL
svchost.exe_1296_rwx_00210000_00001000:
KERNEL32.DLL
svchost.exe_1296_rwx_00250000_00001000:
KERNEL32.DLL
svchost.exe_1296_rwx_00290000_00001000:
KERNEL32.DLL
svchost.exe_1296_rwx_002D0000_00001000:
KERNEL32.DLL
svchost.exe_1296_rwx_00AA0000_00001000:
advapi32.dll
svchost.exe_1296_rwx_00AD0000_00001000:
RegOpenKeyA
svchost.exe_1296_rwx_00AE0000_00001000:
advapi32.dll
svchost.exe_1296_rwx_00B10000_00001000:
AVICAP32.DLL
svchost.exe_1296_rwx_00D60000_00001000:
AVICAP32.DLL
svchost.exe_1296_rwx_00D90000_00001000:
gdi32.dll
svchost.exe_1296_rwx_00ED0000_00001000:
gdi32.dll
svchost.exe_1296_rwx_00F00000_00001000:
gdiplus.dll
svchost.exe_1296_rwx_00F40000_00001000:
gdiplus.dll
svchost.exe_1296_rwx_00F80000_00001000:
mpr.dll
svchost.exe_1296_rwx_00FC0000_00001000:
mpr.dll
svchost.exe_1296_rwx_00FF0000_00001000:
msacm32.dll
svchost.exe_1296_rwx_01340000_00001000:
msacm32.dll
svchost.exe_1296_rwx_01370000_00001000:
ntdll.dll
svchost.exe_1296_rwx_014B0000_00001000:
ntdll.dll
svchost.exe_1296_rwx_014E0000_00001000:
ole32.dll
svchost.exe_1296_rwx_01620000_00001000:
ole32.dll
svchost.exe_1296_rwx_01650000_00001000:
oleaut32.dll
svchost.exe_1296_rwx_01790000_00001000:
oleaut32.dll
svchost.exe_1296_rwx_017C0000_00001000:
powrprof.dll
svchost.exe_1296_rwx_01900000_00001000:
powrprof.dll
svchost.exe_1296_rwx_01930000_00001000:
shell32.dll
svchost.exe_1296_rwx_01A70000_00001000:
shell32.dll
svchost.exe_1296_rwx_01AA0000_00001000:
user32.dll
svchost.exe_1296_rwx_01BE0000_00001000:
user32.dll
svchost.exe_1296_rwx_01C10000_00001000:
wininet.dll
svchost.exe_1296_rwx_01D40000_00001000:
FtpOpenFileA
svchost.exe_1296_rwx_01D50000_00001000:
wininet.dll
svchost.exe_1296_rwx_01D80000_00001000:
winmm.dll
svchost.exe_1296_rwx_01EC0000_00001000:
winmm.dll
svchost.exe_1296_rwx_01EF0000_00001000:
wsock32.dll
svchost.exe_1296_rwx_02040000_00001000:
wsock32.dll
svchost.exe_1296_rwx_24070000_00060000:
`.rsrc
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)Set objFileSystem = CreateObject("Scripting.fileSystemObject")Set objFile = objFileSystem.CreateTextFile("Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
v1.01.8
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
XxX.xXx
UuU.uUu
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
getpassword
updateservidorweb
keyloggersearch
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
%SYS%
ÞSKTOP%
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
ntdll.dll
XX--XX--XX.txt
logs.dat
SQLite3.dll
$1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll
Explorer.EXE_1140_rwx_00FF0000_00001000:
KERNEL32.DLL
Explorer.EXE_1140_rwx_01E80000_00001000:
KERNEL32.DLL
Explorer.EXE_1140_rwx_01F70000_00001000:
KERNEL32.DLL
Explorer.EXE_1140_rwx_02110000_00001000:
KERNEL32.DLL
Explorer.EXE_1140_rwx_02150000_00001000:
KERNEL32.DLL
Explorer.EXE_1140_rwx_021C0000_00001000:
KERNEL32.DLL
Explorer.EXE_1140_rwx_02230000_00001000:
advapi32.dll
Explorer.EXE_1140_rwx_02270000_00001000:
RegOpenKeyA
Explorer.EXE_1140_rwx_02280000_00001000:
advapi32.dll
Explorer.EXE_1140_rwx_022B0000_00001000:
AVICAP32.DLL
Explorer.EXE_1140_rwx_022F0000_00001000:
AVICAP32.DLL
Explorer.EXE_1140_rwx_02530000_00001000:
gdi32.dll
Explorer.EXE_1140_rwx_02570000_00001000:
gdi32.dll
Explorer.EXE_1140_rwx_029E0000_00001000:
gdiplus.dll
Explorer.EXE_1140_rwx_02B90000_00001000:
gdiplus.dll
Explorer.EXE_1140_rwx_02BD0000_00001000:
mpr.dll
Explorer.EXE_1140_rwx_03130000_00001000:
mpr.dll
Explorer.EXE_1140_rwx_03160000_00001000:
msacm32.dll
Explorer.EXE_1140_rwx_031E0000_00001000:
msacm32.dll
Explorer.EXE_1140_rwx_03510000_00001000:
ntdll.dll
Explorer.EXE_1140_rwx_03550000_00001000:
ntdll.dll
Explorer.EXE_1140_rwx_03580000_00001000:
ole32.dll
Explorer.EXE_1140_rwx_035C0000_00001000:
ole32.dll
Explorer.EXE_1140_rwx_035F0000_00001000:
oleaut32.dll
Explorer.EXE_1140_rwx_03D30000_00001000:
oleaut32.dll
Explorer.EXE_1140_rwx_03D60000_00001000:
powrprof.dll
Explorer.EXE_1140_rwx_03EA0000_00001000:
powrprof.dll
Explorer.EXE_1140_rwx_03ED0000_00001000:
shell32.dll
Explorer.EXE_1140_rwx_04010000_00001000:
shell32.dll
Explorer.EXE_1140_rwx_04040000_00001000:
user32.dll
Explorer.EXE_1140_rwx_04180000_00001000:
user32.dll
Explorer.EXE_1140_rwx_041B0000_00001000:
wininet.dll
Explorer.EXE_1140_rwx_042E0000_00001000:
FtpOpenFileA
Explorer.EXE_1140_rwx_042F0000_00001000:
wininet.dll
Explorer.EXE_1140_rwx_04320000_00001000:
winmm.dll
Explorer.EXE_1140_rwx_04460000_00001000:
winmm.dll
Explorer.EXE_1140_rwx_04490000_00001000:
wsock32.dll
Explorer.EXE_1140_rwx_045D0000_00001000:
wsock32.dll
Explorer.EXE_1140_rwx_24010000_00060000:
`.rsrc
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)Set objFileSystem = CreateObject("Scripting.fileSystemObject")Set objFile = objFileSystem.CreateTextFile("Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
v1.01.8
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
XxX.xXx
UuU.uUu
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
getpassword
updateservidorweb
keyloggersearch
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
%SYS%
ÞSKTOP%
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
ntdll.dll
XX--XX--XX.txt
logs.dat
SQLite3.dll
$1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
java.exe:1748
%original file name%.exe:464 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%WinDir%\java\java.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (227 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java" = "%WinDir%\java\java.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Java" = "%WinDir%\java\java.exe" - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
