Backdoor.Win32.Fynloski_55e73c2d92

by malwarelabrobot on February 13th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.665026 (B) (Emsisoft), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 55e73c2d921209ed9259b7ef1547a56a
SHA1: 0b837e6bc8d8223689967283632e6862024169dd
SHA256: 941a4cf7bfba5d62bc5a945e6119f2ff7ccefbc969aaf80a2c0a895d78d30cdc
SSDeep: 49152:32RImlm5xNNv0REzPbazR3xAdxgOvFmK:326mlm5BiiOR3xAdKaFmK
Size: 1641984 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Igor Pavlov
Created at: 2015-06-11 15:18:32
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

wscript.exe:1760
%original file name%.exe:1208

The Backdoor injects its code into the following process(es):

ntvdm.exe:236
tmp.exe:1320

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ntvdm.exe:236 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\DOCUMENTS AND SETTINGS (4 bytes)
C:\ (4 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\Microsoft.NET\Framework\V2.0.50727 (768 bytes)
%Program Files%\WIRESHARK (16 bytes)
%WinDir%\WinSxS (12 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (672 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\Prefetch\WSCRIPT.EXE-32960AB9.pf (28 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Documents and Settings%\%current user%\MY DOCUMENTS (4 bytes)
%WinDir% (492 bytes)
C:\$Directory (2216 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%System% (7472 bytes)
%System%\config\SysEvent.Evt (128 bytes)
C:\PROGRAM FILES (8 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\Prefetch\PROCMON.EXE-375B9EC2.pf (45 bytes)
%WinDir%\Prefetch\CMD.EXE-087B4001.pf (32 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (16520 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\config (8 bytes)
%WinDir%\Prefetch\REG.EXE-0D2A95F7.pf (12 bytes)
%System%\wbem\Logs\wbemess.log (768 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%WinDir%\Prefetch\55E73C2D921209ED9259B7EF1547A-280A5DCD.pf (53 bytes)
%System%\wbem\Logs\wbemcore.log (384 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%Documents and Settings%\%current user%\Application Data\FolderName\file.exe (5374 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)

The Backdoor deletes the following file(s):

%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)

The process %original file name%.exe:1208 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\tmp.exe (3908 bytes)
%Documents and Settings%\%current user%\Application Data\svhostf\svhostvbs.vbs (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bla2.exe (216 bytes)
%Documents and Settings%\%current user%\Application Data\svhostf\svhost1.bat (77 bytes)
%Documents and Settings%\%current user%\Application Data\svhostf\svhost2.bat (207 bytes)
%Documents and Settings%\%current user%\Application Data\svhost.exe (59 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\svhostf\svhostvbs.vbs (0 bytes)
%Documents and Settings%\%current user%\Application Data\svhostf\svhost1.bat (0 bytes)
%Documents and Settings%\%current user%\Application Data\svhostf\svhost2.bat (0 bytes)
%Documents and Settings%\%current user%\Application Data\svhostf (0 bytes)

The process tmp.exe:1320 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe (5873 bytes)

Registry activity

The process wscript.exe:1760 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 6F 2F 09 D9 F3 A8 3B A6 94 86 B0 8F E3 0A 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\svhostf]
"svhost2.bat" = "svhost2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1208 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E D8 90 FC 83 7F D8 05 30 08 14 02 01 7C 4F 97"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"tmp.exe" = "Remote Service Application"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process tmp.exe:1320 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 FA 57 A1 6B 53 03 AA 20 BE 22 35 C8 0A 54 CA"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"

Dropped PE files

MD5 File path
170d73be3fe846e9070cfae530f5a31c c:\Documents and Settings\"%CurrentUserName%"\Application Data\svhost.exe
ecd91ae0e888b7bb409e5b41c9c8d9c1 c:\Documents and Settings\"%CurrentUserName%"\Application Data\tmp.exe
ecd91ae0e888b7bb409e5b41c9c8d9c1 c:\Documents and Settings\"%CurrentUserName%"\My Documents\MSDCSC\msdcsc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Pidgin
Product Version: 2.10.9
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.10.9
File Description: Pidgin Installer
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 1477092 1477120 5.53066 89a192aaeb67bad531899d044e7893a7
.sdata 1490944 1316 1536 2.89469 9c424cc920bc3b61bba36369791186c3
.rsrc 1499136 161652 161792 4.39366 6958b3fc6ff938fe65589b12b41119a3
.reloc 1662976 12 512 0.070639 a21baf6fcc0891fc60980ee95d908a9a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

tmp.exe_1320:

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
%s, ClassID: %s
%s, ProgID: "%s"
ole32.dll
USER32.DLL
uxtheme.dll
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
AutoHotkeysd-C
AutoHotkeys
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownL
OnKeyPress
OnKeyUpH
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
Uh.ID
User32.dll
TKeyEvent
TKeyPressEvent
HelpKeyword nA
crSQLWait
%s (%s)
imm32.dll
TSocketPort
%d.%d.%d.%d
0.0.0.0
PSAPI.dll
TDCWebCam
127.0.0.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
1.2.3
127.0.0.1:1604
#KCMDDC51#-
5.3.0
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.torrent
\Internet Explorer\iexplore.exe
explorer.exe
wlanapi.dll
80211_SHARED_KEY
user32.dll
TUploadFTP
notepad.exe
KEYNAME
%ShortCut#
RELATEDCMD
ping 127.0.0.1 -n 4 > NUL && "
DRKey
CRKey
DelMSKey
InstallHKEY
ActiveOnlineKeylogger
UnActiveOnlineKeylogger
KeylogOn
ActiveOfflineKeylogger
UnActiveOfflineKeylogger
ActiveOnlineKeyStrokes
UnActiveOnlineKeyStrokes
OpenWebPage
tmpprint.txt
URLUpdate
MSGBOX
#BOT#VisitUrl
#BOT#OpenUrl
HTTP://
hXXp://
BTRESULTOpen URL|
Command successfully executed!|
#BOT#URLUpdate
BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|
BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
#BOT#URLDownload
GetActivePorts
out.txt
tmp.txt
DDOSHTTPFLOOD
DDOSUDPFLOOD
%IPPORTSCAN
SAPI.SpVoice
WEBCAMLIVE
WEBCAMSTOP
PASSWORD
FTPFILEUPLOAD
URLDOWNLOADTOFILE
UPLOADEXEC
UPANDEXEC
FTPPORT
FTPPASS
FTPUSER
FTPHOST
FTPROOT
FTPUPLOADK
FTPSIZE
BTRESULTUDP Flood|UDP Flood task finished!|
PortScanAdd
BTRESULTVisit URL|finished to visit
BTERRORVisit URL|An exception occured in the thread|
POST /index.php/1.0
BTRESULTHTTP Flood|Http Flood task finished!|
Mozilla
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
BTERRORDownload File| Error on downloading file check if you type the correct url...|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ERR|Cannot listen to port, try another one..|
TCaptureWebcam
taskmgr.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
DC3_FEXEC
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
S-%u-
FAKEMSG
MSGICON
MSGTITLE
MSGCORE
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetKeyboardType
keybd_event
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WinExec
PeekNamedPipe
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
wsock32.dll
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
URLMON.DLL
URLDownloadToFileA
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
FtpPutFileA
winmm.dll
netapi32.dll
gdiplus.dll
GdiplusShutdown
msacm32.dll
ntdll.dll
WS2_32.DLL
SHFolder.dll
SHELL32.DLL
AVICAP32.DLL
1!1,1=1|1
6 6$6(6,606
=!=$=)=-=1=
01m1
0 0$0(0,0004080<0@0
<!=$=)=-=4=
;"<?<_<|<
; ;$;(;,;0;4;8;<;@;
7 8$888<8
= =$=(=,=0=4=8=
B|.aK
$QÄI
W;1.fH=
S6.MW:2
]?5.jK@
UntKeylogger
KWindows
UntActivePorts
UntControlKey
UntCaptureWebcam
UntWebCam
UrlMon
(UntUploadFTPThread
UntFTP
_UntUDPFlood
YUntScanPorts
0UntPasswordAndData
XUntHTTPFlood
UntCPU
66006666
No help found for %s#No context-sensitive help installed
No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
1, 0, 0, 1
MSRSAAP.EXE
4, 0, 0, 0

ntvdm.exe_236:

.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
ADVAPI32.dll
GDI32.dll
USER32.dll
SoftPC
mscoree.dll
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
BIOS keyboard buffer overflow
hardware keyboard buffer overflow
%s Mouse %d.01 already installed
%s Mouse %d.01 installed
d:\xpsp\base\mvdm\softpc.new\host\src\nt_timer.c
d:\xpsp\base\mvdm\softpc.new\host\src\nt_eoi.c
C:\IBMBIO.SYS
C:\IO.SYS
C:\IBMDOS.SYS
C:\MSDOS.SYS
\ntio404.sys
\ntio411.sys
\ntio412.sys
\ntio804.sys
\ntio.sys
VJOY.DLL
%s %lxh
d:\xpsp\base\mvdm\softpc.new\host\src\nt_com.c
d:\xpsp\base\mvdm\softpc.new\host\src\config.c
Software\Microsoft\Windows NT\CurrentVersion\WOW\Console
\\.\$VDMLPT2
\\.\$VDMLPT3
\\.\$VDMLPT1
FONT.NT
\ega.cpi
d:\xpsp\base\mvdm\softpc.new\host\src\nt_fulsc.c
Drive %c:
Incompatible DOS diskette, C H R N = %d %d %d %d
\\.\A:
\\.\?:
d:\xpsp\base\mvdm\softpc.new\host\src\nt_event.c
WINDOWS VMM 4.0
WINDOWS NT 3.1
WINDOWS 386 3.0
WINDOWS 286 3.0
\_default.pif
d:\xpsp\base\mvdm\softpc.new\host\src\nt_det.c
VrRemoveOpenNamedPipeInfo
VrConvertLocalNtPipeName
VrAddOpenNamedPipeInfo
VrIsNamedPipeHandle
VrIsNamedPipeName
VrWriteNamedPipe
VrReadNamedPipe
midiOutShortMsg
midiOutLongMsg
WINMM.DLL
d:\xpsp\base\mvdm\softpc.new\host\src\nt_hosts.c
NtDeviceIoControlFile failed %x
d:\xpsp\base\mvdm\softpc.new\host\src\nt_sec.c
SoftPc: NtDeCommitVirtualMemory failed !!!! Status = %lx
NTVDMD.DLL
Check Keyboard Status
\ntdos404.sys
\ntdos411.sys
\ntdos412.sys
\ntdos804.sys
\ntdos.sys
demDosDispCall %s
config.nt
PIPE
%c:%sNUL
Software\Microsoft\Windows\CurrentVersion\Setup
Unimplemented SVC %d
Software\Microsoft\Windows NT\CurrentVersion\WOW\CmdLine
%s=%s%s /p %s\system32
%s=%3.3u,%3.3u,%s\system32\%s.sys%s
KEYB
\KEYBOARD.SYS
\KEYJ31.SYS
\KEY02.SYS
\KEY01.SYS
\KEYAX.SYS
%s,%d,%s
\KB16.COM
DosKeybIDs
System\CurrentControlSet\Control\Keyboard Layout\
DosKeybCodes
00000409
Software\Microsoft\Windows NT\CurrentVersion\WOW\Compatibility
Broken pipe
Inappropriate I/O control operation
Operation not permitted
ega.rom
vga.rom
v7vga.rom
bios4.rom
bios1.rom
profile.spc
.spcprofile
d:\xpsp\base\mvdm\softpc.new\host\src\x86_emm.c
CS:x IP:x OP:x x x x x
ntvdm.pdb
Ut.Ht$Ht
ItKIt9It.IIt
tK<%uAj
HHt7Ht.Ht
YYt%F
SSSSSh
s*f;O%s$
V<%ue
t.HtHHt(Ht
GetCPInfo
NtEnumerateValueKey
NtOpenKey
ntdll.dll
RegCloseKey
RegQueryInfoKeyA
RegOpenKeyExA
GetConsoleOutputCP
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
SetConsoleKeyShortcuts
VDMConsoleOperation
GetConsoleKeyboardLayoutNameA
EnumWindows
GetKeyState
VkKeyScanW
MapVirtualKeyA
GetKeyboardType
NtQueryValueKey
GetProcessHeap
ntvdm.exe
SoftPcEoi
cmdCheckTemp
cmdCheckTempInit
demIsShortPathName
'?--?1-?6-?:-??-??-:?-6?-1?--?1-?6-?:-??-:?-6?-1?--?--?1-?6-?:-??-:?-6?-1?
$$$(((---222888???
!"#$%&'( 
SoftPC-AT Version 3
89:;<=>?
autoexec.nt
00030<0?0
30333<3?3
<0<3<<<?<
?0?3?<???
!"#$%&'()
Userenv.dll
Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
%SystemRoot%
\System32\command.com
%System%\ntvdm.exe
\\.\B:
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
%WinDir%
NTVDM.EXE
5.1.2600.5512 (xpsp.080413-2111)
Windows
Operating System
5.1.2600.5512
5The NTVDM CPU has encountered an illegal instruction."Internal error in NTVDM procedure.#NTVDM does not support a ROM BASIC.BFailure to allocate the requested number of Expanded Memory pages.*A continuous RESET state has been entered.,The CMOS file cmos.ram could not be created.,The CMOS file cmos.ram could not be updated.<The memory resources needed by NTVDM could not be allocated.
LAn installation file required by NTVDM is missing, execution must terminate.
Insufficient memory resources.=The NTVDM CPU has encountered an unsupported 386 instruction.TThe EMM command line in your config.nt contains invalid parameters or syntax errors.5The NTVDM CPU has encountered an unhandled exception.t
MS-DOS program files must end with the extension .EXE, .COM, or .BAT.
vAn application has attempted to %s, which cannot be supported. This may cause the application to function incorrectly./directly access an incompatible diskette format
16 bit Windows Subsystem
VThe system file is not suitable for running MS-DOS and Microsoft Windows applications."Memory error during intialization.
Unable to lock for exclusive access. Another application may be using the drive. When the other application has finished using the drive you may retry the operation.
Drive %c: ZThe Application attempted to enable DOS graphics mode. DOS graphics mode is not supported.
Function failed$NTVDM has encountered a System Error*Driver does not support selected Baud Rate<The system cannot open %s port requested by the application.

ntvdm.exe_236_rwx_00000000_00010000:

C:\DOCUME~1\ADM\LOCALS~1\TEMP\BLA2.EXE
BLA2 EXE
."/\[]:|<> =;,
c:\wina20.386
%WinDir%\SYSTEM32\COUNTRY.SYS
89:;<=>?
1234567890-=
!@#$%^&*()_ 
789-456 1230.
!"#$%&,-./012
%WinDir%\SYSTEM32\COMMAND.COM
%File allocation table bad, drive %1
Invalid COMMAND.COM
!Press any key to continue . . .
Cannot execute %1
Error in EXE file
%WinDir%\TEMP\scs2.tmp
arameter vaCOMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
OS=Windows_NT
PATH=C:\Perl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\PROGRA~1\WIRESH~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
SYSTEMROOT=%WinDir%
TEMP=%WinDir%\TEMP
TMP=%WinDir%\TEMP
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
<p>The document has moved <a href="hXXp://error404.000webhost.com/?">here</a>.</p>
\COMMAND.COM
COMSPEC=\COMMAND.COM
BMicrosoft(R) Windows DOS
/E:nnnnn] [/P] [/C string] [/MSG]
H [drive:]path Specifies the directory containing COMMAND.COM file.
N /MSG Specifies that all error messages be stored in memory. You
%Intermediate file error during pipe
Switches may be preset in the DIRCMD environment variable. Override
>Quits the COMMAND.COM program (command interpreter).
]Displays or sets a search path for executable files.
$B | (pipe)
%Displays the MS-DOS version.
LRecords comments (remarks) in a batch file or CONFIG.SYS.
key to continue...."
PATH=PROMPT=COMSPEC=DIRCMD=
.COM.EXE.BAT?VBAPWRHSvDANEDSG
%WinDir%\SYSTEM32
[]|<> =;"

ntvdm.exe_236_rwx_00010000_00090000:

COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
%WinDir%\TEMP\scs2.tmp
89:;<=>?
0WINDOWS MS-DOS STARTUP FILE
0CONFIG.SYS VS CONFIG.NT
0CONFIG.SYS IS NOT USED TO INITIALIZE THE MS-DOS ENVIRONMENT.
0CONFIG.NT IS USED TO INITIALIZE THE MS-DOS ENVIRONMENT UNLESS A
0IS INITIALIZED. TO DISPLAY CONFIG.NT/AUTOEXEC.NT INFORMATION, ADD
0THE COMMAND ECHOCONFIG TO CONFIG.NT OR OTHER STARTUP FILE.
0NTCMDPROMPT
0MS-DOS-BASED APPLICATION, WINDOWS RUNS COMMAND.COM. THIS ALLOWS THE
0TSR TO REMAIN ACTIVE. TO RUN CMD.EXE, THE WINDOWS COMMAND PROMPT,
0RATHER THAN COMMAND.COM, ADD THE COMMAND NTCMDPROMPT TO CONFIG.NT OR
0COMMAND.COM. IF YOU START AN APPLICATION OTHER THAN AN MS-DOS-BASED
0CONFIG.NT OR OTHER STARTUP FILE.
0WANT THE SYSTEM TO SUPPORT. 1 <= ALTREGSETS <= 255. THE
0AND LEAVE THE RESTS(IF AVAILABLE) TO BE USED BY DOS TO SUPPORT
0WITH YOUR APPLICATION OR _DEFAULT.PIF). IF THE SIZE FROM PIF FILE
D%WinDir%\SYSTEM32\HIMEM.SYS
Q001,437,%WinDir%\SYSTEM32\COUNTRY.SYS
S%WinDir%\SYSTEM32\COMMAND.COM
/P %WinDir%\SYSTEM32
ATION OR _DEFAULT.PIF). IF THE SIZE FROM PIF FILE
DEVICE=%WinDir%\SYSTEM32\HIMEM.SYS
COUNTRY=001,437,%WinDir%\SYSTEM32\COUNTRY.SYS
SHELL=%WinDir%\SYSTEM32\COMMAND.COM /P %WinDir%\SYSTEM32
%WinDir%\SYSTEM32\COUNTRY.SYS
[]|<> =;"
%WinDir%\TEMP\scs1.tmp
%WinDir%\SYSTEM32\COMMAND.COM
NTCMDPROMPTT
Unrecognized command in CONFIG.SYS
Insufficient memory for COUNTRY.SYS file
Incorrect order in CONFIG.SYS line $Error in CONFIG.SYS line $WARNING! Logical drives past Z: exist and will be ignored
1234567890-=
!@#$%^&*()_ 
789-456 1230.
!"#$%&,-./012
00030<0?0
30333<3?3
<0<3<<<?<
?0?3?<???
Windows NT MS-DOS subsystem Mouse Driver
/)()(00)(
/@%}-{.Nb#b
!Press any key to continue . . .
%Intermediate file error during pipe
Switches may be preset in the DIRCMD environment variable. Override
>Quits the COMMAND.COM program (command interpreter).
]Displays or sets a search path for executable files.
$B | (pipe)
%Displays the MS-DOS version.
LRecords comments (remarks) in a batch file or CONFIG.SYS.
key to continue...."
PATH=PROMPT=COMSPEC=DIRCMD=
.COM.EXE.BAT?VBAPWRHSvDANEDSG
%WinDir%\SYSTEM32\DOSX
NT.EXE
C:\DOCUME~1\ADM\LOCALS~1\TEMP\BLA2.EXE
nt.exe
DOSX.EXE

ntvdm.exe_236_rwx_000A0000_00020000:

66666666
6666666
6666666666666666
6666666676666666
6666667076666666

ntvdm.exe_236_rwx_000C9000_00013000:

COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
OS=Windows_NT
PATH=C:\Perl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\PROGRA~1\WIRESH~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
SYSTEMROOT=%WinDir%
TEMP=%WinDir%\TEMP
TMP=%WinDir%\TEMP
%System%\DOSX.EXE
%System%\mscdexnt.exe
VCDEX.DLL
%System%\redir
(load before dosx.exe)
C:\LANMAN.DOS
%System%\dosx
%System%\krnl386.exe
krnl386.exe
SYSTEM.INI

ntvdm.exe_236_rwx_000E8000_00008000:

00030<0?0
30333<3?3
<0<3<<<?<
?0?3?<???
Windows NT MS-DOS subsystem Mouse Driver

ntvdm.exe_236_rwx_00100000_00010000:

C:\DOCUME~1\ADM\LOCALS~1\TEMP\BLA2.EXE
BLA2 EXE
."/\[]:|<> =;,
c:\wina20.386
%WinDir%\SYSTEM32\COUNTRY.SYS
89:;<=>?
1234567890-=
!@#$%^&*()_ 
789-456 1230.
!"#$%&,-./012
%WinDir%\SYSTEM32\COMMAND.COM
%File allocation table bad, drive %1
Invalid COMMAND.COM
!Press any key to continue . . .
Cannot execute %1
Error in EXE file
%WinDir%\TEMP\scs2.tmp
arameter vaCOMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
OS=Windows_NT
PATH=C:\Perl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\PROGRA~1\WIRESH~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
SYSTEMROOT=%WinDir%
TEMP=%WinDir%\TEMP
TMP=%WinDir%\TEMP
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
<p>The document has moved <a href="hXXp://error404.000webhost.com/?">here</a>.</p>
\COMMAND.COM
COMSPEC=\COMMAND.COM
BMicrosoft(R) Windows DOS
/E:nnnnn] [/P] [/C string] [/MSG]
H [drive:]path Specifies the directory containing COMMAND.COM file.
N /MSG Specifies that all error messages be stored in memory. You
%Intermediate file error during pipe
Switches may be preset in the DIRCMD environment variable. Override
>Quits the COMMAND.COM program (command interpreter).
]Displays or sets a search path for executable files.
$B | (pipe)
%Displays the MS-DOS version.
LRecords comments (remarks) in a batch file or CONFIG.SYS.
key to continue...."
PATH=PROMPT=COMSPEC=DIRCMD=
.COM.EXE.BAT?VBAPWRHSvDANEDSG
%WinDir%\SYSTEM32
[]|<> =;"


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wscript.exe:1760
    %original file name%.exe:1208

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    C:\DOCUMENTS AND SETTINGS (4 bytes)
    %WinDir%\assembly (4 bytes)
    %WinDir%\Microsoft.NET\Framework\V2.0.50727 (768 bytes)
    %Program Files%\WIRESHARK (16 bytes)
    %WinDir%\WinSxS (12 bytes)
    %WinDir%\AppPatch (4 bytes)
    %Documents and Settings%\%current user%\Local Settings (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319 (672 bytes)
    %Documents and Settings%\All Users (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
    %WinDir%\Prefetch\WSCRIPT.EXE-32960AB9.pf (28 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    %Documents and Settings%\%current user%\MY DOCUMENTS (4 bytes)
    C:\$Directory (2216 bytes)
    %WinDir%\Temp\scs2.tmp (10145 bytes)
    %System% (7472 bytes)
    %System%\config\SysEvent.Evt (128 bytes)
    C:\PROGRAM FILES (8 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    %WinDir%\Prefetch\PROCMON.EXE-375B9EC2.pf (45 bytes)
    %WinDir%\Prefetch\CMD.EXE-087B4001.pf (32 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    %Documents and Settings%\All Users\DOCUMENTS (4 bytes)
    %System%\wbem\Repository\FS\OBJECTS.DATA (16520 bytes)
    %Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
    %WinDir%\Prefetch\REG.EXE-0D2A95F7.pf (12 bytes)
    %System%\wbem\Logs\wbemess.log (768 bytes)
    %System%\drivers (32 bytes)
    %Documents and Settings%\All Users\Start Menu (4 bytes)
    %WinDir%\Prefetch\55E73C2D921209ED9259B7EF1547A-280A5DCD.pf (53 bytes)
    %System%\wbem\Logs\wbemcore.log (384 bytes)
    %WinDir%\Temp\scs1.tmp (33880 bytes)
    %Documents and Settings%\%current user%\Application Data\FolderName\file.exe (5374 bytes)
    %WinDir%\MICROSOFT.NET (4 bytes)
    %Program Files%\Common Files\VMware\Drivers (4 bytes)
    %Documents and Settings%\%current user%\Application Data\tmp.exe (3908 bytes)
    %Documents and Settings%\%current user%\Application Data\svhostf\svhostvbs.vbs (78 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bla2.exe (216 bytes)
    %Documents and Settings%\%current user%\Application Data\svhostf\svhost1.bat (77 bytes)
    %Documents and Settings%\%current user%\Application Data\svhostf\svhost2.bat (207 bytes)
    %Documents and Settings%\%current user%\Application Data\svhost.exe (59 bytes)
    %Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe (5873 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MicroUpdate" = "%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"

  5. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now