Backdoor.Win32.Fynloski_97abf27c4b

by malwarelabrobot on March 9th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 97abf27c4b546e099c3725614a28ed88
SHA1: 98ff9fa3a28c31b3124cbfd983ad3cd4e65b1a8f
SHA256: f3c86b8549624649cdba866fff18233df3760c23d8fe663ed73dd36805141279
SSDeep: 12288:G/jH7vq62p8OF9aZDEqqwGEfyRKqpyNsQm5mL12mS4fKBoGSrSGAp5iPJPsMqRSV:O7vqTNF9aWqqwGEfycq0lx7SCaoGHx50
Size: 721288 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-22 13:34:30
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

csc.exe:1552
cvtres.exe:328

The Backdoor injects its code into the following process(es):

%original file name%.exe:1932
vbc.exe:1036

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process csc.exe:1552 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC8.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.dll (12735 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES9.tmp (0 bytes)

The process cvtres.exe:328 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES9.tmp (2912 bytes)

The process %original file name%.exe:1932 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.out (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tWfleNOr.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.cmdline (225 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp.txt (90628 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp.txt (0 bytes)

The process vbc.exe:1036 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe (7547 bytes)

Registry activity

The process csc.exe:1552 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 BC 04 3C 32 BD 78 FC C2 32 CC 9E BA 2D A7 A8"

The process cvtres.exe:328 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 3A C1 33 12 A2 15 82 0E E6 4A 6F 45 38 00 FB"

The process %original file name%.exe:1932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 81 CE 7B 1E 9B 7E 81 02 FA E1 93 0B 8B 53 F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Temp\tWfleNOr.exe"

The process vbc.exe:1036 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 D9 AE 90 6D 9D EC 86 6F C3 13 61 CE E3 FA A1"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"FacebookUpdate" = "%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"

Dropped PE files

MD5 File path
67f5238229333c061092f5a32e8c2ee1 c:\Documents and Settings\"%CurrentUserName%"\My Documents\MSDCSC\msdcsc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Tomb Raider: Anniversary
Product Name: Tomb Raider: Anniversary
Product Version: 1.0.9
Legal Copyright: Copyright (C) 2007 Eidos Inc.
Legal Trademarks: Crystal Dynamics(R), the Crystal Dynamics(R) logo and the Eidos(R) logo are registered trademarks of the Eidos Group of Companies
Original Filename: FacebookAccHacker.exe
Internal Name: FacebookAccHacker.exe
File Version: 1.0.9
File Description: Tomb Raider: Anniversary
Comments: Tomb Raider: Anniversary
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 715012 715264 5.47605 4af83e9e843b32302f7670bcd9218add
.rsrc 729088 4096 4096 1.59782 86a730398540b9e1b9bd460a84c386f3
.reloc 737280 12 512 0.042395 9b7aa9c50a1cda47e34bfb5e422248c0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a767.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a767.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 188.43.73.10
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 188.43.73.10


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=3293
Date: Sun, 08 Mar 2015 05:17:06 GMT
Connection: keep-alive
X-CCC: IT
X-CID: 2
1401D04D49E16F8687....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:36:45 GMT
Accept-Ranges: bytes
ETag: "804c50f7c94fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 49859
Cache-Control: max-age=8346
Date: Sun, 08 Mar 2015 05:17:06 GMT
Connection: keep-alive
X-CCC: IT
X-CID: 2
MSCF............,...................I.......#.........WFw. .authroot.s
tl.....08..CK...<.......m..dK.......D.d'....fW...RJe.).."...n.Ie.,E
.RH...L....\...z.^...p.<g.9...~...=.d/.. ...H....8f|&x.N.d..p(....(
[email protected](.p`d. .....D.....g%.j..w.DF..GW .....*.@6....#.8....
v..=T..^.G.G.!.A........_...r..3n...G.g\_.r.....Au..sw.3.....G.f. ..0.
.0.^.R".K|.....y...l..1.......t.(...0Y......4.,......x..ENY.`d..O.....
!..9A~....^[email protected][email protected].).|.H.
..A.[.Q. D`.}YQvx.B`b.=....,X...-.5S..N..=x.....C.Mj^.H....5b...5.....
...I...`..... ..l.n.:.....j...u2gA.hx.`%K.bw...\!o.........R....=..*..
.w..J....q.?^.PuA..W...>.._..O......9|.../......m.E.u.d...J2.U.e?..
..}h.S.zC^...<.c)...^c.b}.2..'X567.!.h. ......5.......S*.z%..%..e..
.R...C#p..k.[...3...jI.<.Z.GX.u.- ....ut{.&>...:.......f...f.)y.
....5.../R.b.......r.!.4.-a.....!...P......Q'7.0.%[.~m_..v....;..:.X..
~...,.......O....u|T.L....w....)5.bBs..W..r..u.......W......'G......y.
..h.. %. z?..............f.Nx./c...R...`..y.>....'......l=.O..#....
..... ..P..Q.......3.............M......%...v.:(...u..zU......G_.<u
e...F.....6Xo......P.......@L#........4<....K.g:...3o.N..:..zb...5.
.,.5...C... .4..`Q0.....$9./.$1....WL)$.0F......^..k..D.*.#.L3. (}.,,.
kd.<W.....[,.....Y.n.b.....4.Y)...c.g..`.y.........X..I? '.{Cb.GDh.
d..F..2B...sT.^..!.L..}.P....C...?.......~.....d....5.j...1.y9^_K..g..
pX.......^z.e)....yc......?..o...e......KJ..H.O..m......B27....?.~m ..
[email protected](....f1...h.0.u4..(.........2b`....]..H.Ja..
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

vbc.exe_1036:

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
%s, ClassID: %s
%s, ProgID: "%s"
ole32.dll
USER32.DLL
uxtheme.dll
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
AutoHotkeysd-C
AutoHotkeys
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownL
OnKeyPress
OnKeyUpH
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
Uh.ID
User32.dll
TKeyEvent
TKeyPressEvent
HelpKeyword nA
crSQLWait
%s (%s)
imm32.dll
TSocketPort
%d.%d.%d.%d
0.0.0.0
PSAPI.dll
TDCWebCam
127.0.0.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
1.2.3
127.0.0.1:1604
#KCMDDC51#-
5.3.0
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.torrent
\Internet Explorer\iexplore.exe
explorer.exe
wlanapi.dll
80211_SHARED_KEY
user32.dll
TUploadFTP
notepad.exe
KEYNAME
%ShortCut#
RELATEDCMD
ping 127.0.0.1 -n 4 > NUL && "
DRKey
CRKey
DelMSKey
InstallHKEY
ActiveOnlineKeylogger
UnActiveOnlineKeylogger
KeylogOn
ActiveOfflineKeylogger
UnActiveOfflineKeylogger
ActiveOnlineKeyStrokes
UnActiveOnlineKeyStrokes
OpenWebPage
tmpprint.txt
URLUpdate
MSGBOX
#BOT#VisitUrl
#BOT#OpenUrl
HTTP://
hXXp://
BTRESULTOpen URL|
Command successfully executed!|
#BOT#URLUpdate
BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|
BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
#BOT#URLDownload
GetActivePorts
out.txt
tmp.txt
DDOSHTTPFLOOD
DDOSUDPFLOOD
%IPPORTSCAN
SAPI.SpVoice
WEBCAMLIVE
WEBCAMSTOP
PASSWORD
FTPFILEUPLOAD
URLDOWNLOADTOFILE
UPLOADEXEC
UPANDEXEC
FTPPORT
FTPPASS
FTPUSER
FTPHOST
FTPROOT
FTPUPLOADK
FTPSIZE
BTRESULTUDP Flood|UDP Flood task finished!|
PortScanAdd
BTRESULTVisit URL|finished to visit
BTERRORVisit URL|An exception occured in the thread|
POST /index.php/1.0
BTRESULTHTTP Flood|Http Flood task finished!|
Mozilla
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
BTERRORDownload File| Error on downloading file check if you type the correct url...|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ERR|Cannot listen to port, try another one..|
TCaptureWebcam
taskmgr.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
DC3_FEXEC
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
S-%u-
FAKEMSG
MSGICON
MSGTITLE
MSGCORE
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetKeyboardType
keybd_event
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WinExec
PeekNamedPipe
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
wsock32.dll
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
URLMON.DLL
URLDownloadToFileA
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
FtpPutFileA
winmm.dll
netapi32.dll
gdiplus.dll
GdiplusShutdown
msacm32.dll
ntdll.dll
WS2_32.DLL
SHFolder.dll
SHELL32.DLL
AVICAP32.DLL
1!1,1=1|1
6 6$6(6,606
=!=$=)=-=1=
01m1
0 0$0(0,0004080<0@0
<!=$=)=-=4=
;"<?<_<|<
; ;$;(;,;0;4;8;<;@;
7 8$888<8
= =$=(=,=0=4=8=
UntKeylogger
KWindows
UntActivePorts
UntControlKey
UntCaptureWebcam
UntWebCam
UrlMon
(UntUploadFTPThread
UntFTP
_UntUDPFlood
YUntScanPorts
0UntPasswordAndData
XUntHTTPFlood
UntCPU
66006666
No help found for %s#No context-sensitive help installed
No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
1, 0, 0, 1
MSRSAAP.EXE
4, 0, 0, 0

vbc.exe_1036_rwx_00400000_000CA000:

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
%s, ClassID: %s
%s, ProgID: "%s"
ole32.dll
USER32.DLL
uxtheme.dll
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
AutoHotkeysd-C
AutoHotkeys
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownL
OnKeyPress
OnKeyUpH
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
Uh.ID
User32.dll
TKeyEvent
TKeyPressEvent
HelpKeyword nA
crSQLWait
%s (%s)
imm32.dll
TSocketPort
%d.%d.%d.%d
0.0.0.0
PSAPI.dll
TDCWebCam
127.0.0.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
1.2.3
127.0.0.1:1604
#KCMDDC51#-
5.3.0
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.torrent
\Internet Explorer\iexplore.exe
explorer.exe
wlanapi.dll
80211_SHARED_KEY
user32.dll
TUploadFTP
notepad.exe
KEYNAME
%ShortCut#
RELATEDCMD
ping 127.0.0.1 -n 4 > NUL && "
DRKey
CRKey
DelMSKey
InstallHKEY
ActiveOnlineKeylogger
UnActiveOnlineKeylogger
KeylogOn
ActiveOfflineKeylogger
UnActiveOfflineKeylogger
ActiveOnlineKeyStrokes
UnActiveOnlineKeyStrokes
OpenWebPage
tmpprint.txt
URLUpdate
MSGBOX
#BOT#VisitUrl
#BOT#OpenUrl
HTTP://
hXXp://
BTRESULTOpen URL|
Command successfully executed!|
#BOT#URLUpdate
BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|
BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
#BOT#URLDownload
GetActivePorts
out.txt
tmp.txt
DDOSHTTPFLOOD
DDOSUDPFLOOD
%IPPORTSCAN
SAPI.SpVoice
WEBCAMLIVE
WEBCAMSTOP
PASSWORD
FTPFILEUPLOAD
URLDOWNLOADTOFILE
UPLOADEXEC
UPANDEXEC
FTPPORT
FTPPASS
FTPUSER
FTPHOST
FTPROOT
FTPUPLOADK
FTPSIZE
BTRESULTUDP Flood|UDP Flood task finished!|
PortScanAdd
BTRESULTVisit URL|finished to visit
BTERRORVisit URL|An exception occured in the thread|
POST /index.php/1.0
BTRESULTHTTP Flood|Http Flood task finished!|
Mozilla
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
BTERRORDownload File| Error on downloading file check if you type the correct url...|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ERR|Cannot listen to port, try another one..|
TCaptureWebcam
taskmgr.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
DC3_FEXEC
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
S-%u-
FAKEMSG
MSGICON
MSGTITLE
MSGCORE
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetKeyboardType
keybd_event
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WinExec
PeekNamedPipe
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
wsock32.dll
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
URLMON.DLL
URLDownloadToFileA
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
FtpPutFileA
winmm.dll
netapi32.dll
gdiplus.dll
GdiplusShutdown
msacm32.dll
ntdll.dll
WS2_32.DLL
SHFolder.dll
SHELL32.DLL
AVICAP32.DLL
1!1,1=1|1
6 6$6(6,606
=!=$=)=-=1=
01m1
0 0$0(0,0004080<0@0
<!=$=)=-=4=
;"<?<_<|<
; ;$;(;,;0;4;8;<;@;
7 8$888<8
= =$=(=,=0=4=8=
UntKeylogger
KWindows
UntActivePorts
UntControlKey
UntCaptureWebcam
UntWebCam
UrlMon
(UntUploadFTPThread
UntFTP
_UntUDPFlood
YUntScanPorts
0UntPasswordAndData
XUntHTTPFlood
UntCPU
66006666
No help found for %s#No context-sensitive help installed
No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
1, 0, 0, 1
MSRSAAP.EXE
4, 0, 0, 0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    csc.exe:1552
    cvtres.exe:328

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\CSC8.tmp (652 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.dll (12735 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES9.tmp (2912 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tWfleNOr.exe (5441 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\h8oyeawo.cmdline (225 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp.txt (90628 bytes)
    %Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe (7547 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "%Documents and Settings%\%current user%\Local Settings\Temp\tWfleNOr.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "FacebookUpdate" = "%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"

  5. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now