Backdoor.Win32.PcClient_2ff4d57d22

by malwarelabrobot on June 20th, 2014 in Malware Descriptions.

Trojan.Win32.Llac.gugk (Kaspersky), Gen:Heur.ManBat.1 (B) (Emsisoft), Gen:Heur.ManBat.1 (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, VirTool, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 2ff4d57d2203575bac6e2fe165181e45
SHA1: 4f1f38270b18f03b43ff3800a89907025cabf1ac
SHA256: 0dfad0678e6f5d025287c245a1dd14a0e68e7dcc0f22f72ccb1468950f7b38fe
SSDeep: 24576:GF1wYAowSwIFadVan8Xb07M6dFMk7IXQFIjy9bl8uMXbk1sGbnkAZxbZL9g:Qwu3wIAXCMwP/7WIcSbzMXwSCnkUxXg
Size: 1537036 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Firseria sl
Created at: 2014-06-12 20:01:42
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Backdoor creates the following process(es):

dwwin.exe:2624
rundll32.exe:2604
rundll32.exe:2460
rundll32.exe:2204
rundll32.exe:3024
rundll32.exe:2940
rundll32.exe:2748
rundll32.exe:1880
%original file name%.exe:1940
%original file name%.exe:1108
cftmon.exe:596
cftmon.exe:572
cftmon.exe:2456
cftmon.exe:2436
cftmon.exe:492
cftmon.exe:1712
cftmon.exe:2880
cftmon.exe:2544
cftmon.exe:344
cftmon.exe:2664
cftmon.exe:1116
cftmon.exe:2012
cftmon.exe:2912
cftmon.exe:896
cftmon.exe:2580
cftmon.exe:388
cftmon.exe:1284
cftmon.exe:2232
cftmon.exe:1180
cftmon.exe:512
cftmon.exe:2536

The Backdoor injects its code into the following process(es):

rundll32.exe:1912
cftmon.exe:1312
cftmon.exe:676
Explorer.EXE:884

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process dwwin.exe:2624 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\134161.dmp (138011 bytes)

The process %original file name%.exe:1940 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\cftmon.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)

The process %original file name%.exe:1108 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:596 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:2456 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:492 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)

The process cftmon.exe:2880 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:1116 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)

The process cftmon.exe:2012 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:1312 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1c47_appcompat.txt (6214 bytes)

The process cftmon.exe:896 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:676 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (6232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (16 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (0 bytes)

The process cftmon.exe:2232 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

The process cftmon.exe:2536 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)

Registry activity

The process dwwin.exe:2624 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 99 D6 6E 4B 5A F8 D0 EA D6 E3 6E 6C 7C 27 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:2604 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 A1 0C 0F 52 B5 83 0A 48 C8 B8 BE 62 9F 54 F3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:2460 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 44 8F 31 AA CB BB 21 72 EE 43 B5 1A 87 11 23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:2204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 9B DD E6 1E 9D 96 C3 2D 53 4A 89 A7 90 56 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:3024 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 1B 0D 5A 25 BC 78 F8 46 86 AE 72 14 1F 2D 28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:2940 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 19 06 77 FC 15 1C B6 9E E3 F7 F5 E9 27 8B 85"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:2748 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B F4 BB 9E 11 B8 89 51 9E 1D 49 0E 88 9C 39 C8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 67 FA 64 89 F8 31 AF 20 5C 79 BB B4 58 CA 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1880 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 DE 03 FB 18 90 13 2B 6A 52 3C A2 EE 16 0D 92"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1940 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 6C DC 5A 58 CD 25 C2 C0 22 8D 1F 1A FA 73 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{06FRS15A-PJJC-36N0-6C57-2YBYHN66M0H2}]
"StubPath" = "%System%\cftmon.exe Restart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cftmon.exe" = "vudmWThdHr"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cftmon" = "%System%\cftmon.exe"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process %original file name%.exe:1108 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 F4 D4 99 8A 8F 4D 87 72 62 B2 D5 80 14 45 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process cftmon.exe:596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 46 43 E7 FF F1 7A 82 A2 95 65 C4 7D 29 4E 6E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:2456 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F1 B4 EE C6 2F 21 4B D7 0D 0F 0D 84 A3 79 E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:2436 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 45 1D 12 7A 2B E0 C6 4F 61 BC 5E CD 81 22 49"

The process cftmon.exe:492 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F BC 45 E3 B3 40 A3 25 10 2B 64 13 CC 84 A5 F1"

The process cftmon.exe:2880 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 00 43 D9 56 09 3A AD 79 77 57 94 D6 F3 D7 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:2544 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 C4 43 9E 47 67 FB F4 94 19 E9 6A E5 EE 3F EC"

The process cftmon.exe:2664 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 5C 30 D7 6A AC 2D 5F F5 3C 00 DB 34 CB 6C 2A"

The process cftmon.exe:1116 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 92 73 F3 DC F3 06 BF 15 8B 95 F1 A0 25 FA ED"

The process cftmon.exe:2012 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 23 8E F9 B7 CE 7D 7B CE E1 EA 50 86 8F BC 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:2912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 0F BB 51 57 81 93 AF 3A 27 9E DD 96 CF 0D B8"

The process cftmon.exe:1312 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 2B E7 2C 8C 46 E5 B4 16 2F CE 6E 27 F1 21 53"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Backdoor deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process cftmon.exe:896 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 B5 E9 66 0D 3C 0C 1A D5 23 A4 42 17 EB A4 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:676 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 0C 31 C5 27 9B A7 E6 48 8B 93 A4 EE F6 0B AA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\CryptoSuite_Victim]
"NewIdentification" = "CryptoSuite_Victim"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\CryptoSuite_Victim]
"FirstExecution" = "19/06/2014 -- 11:18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process cftmon.exe:2232 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 B9 4F B8 B9 9A DE 35 F5 E7 07 FB 08 8F 47 9D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

The process cftmon.exe:512 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 38 5A F7 1C AB FC 64 64 D2 06 20 A9 2A CE B4"

The process cftmon.exe:2536 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D A7 FB 2C 3E 6C 9D 3A 20 C8 D3 64 F9 19 4D CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: rDLWIRKjKV
Product Name: VxzDFUhwea
Product Version: 1.9.3.7
Legal Copyright: OLYtIoGEcx
Legal Trademarks: rqROtSJgDf
Original Filename: temp.exe
Internal Name: temp.exe
File Version: 1.9.3.7
File Description: vudmWThdHr
Comments: DAaRZoSkot
Language: English (Australia)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	92882	93184	4.60091	002ff879b2b0c4f3677f1e27f2b72572
.rdata	98304	19974	20480	3.3885	67440396afdbc87c679ada8acd0fdf2e
.data	118784	18636	6144	2.72567	cf19e9657143166e9ac0344d20fd2b45
.rsrc	139264	205016	205312	3.26	462472bd839efe26effa60bb27543fd6
.reloc	348160	8110	8192	3.42245	43339f5586549001020910796e980af4
Pyrm	356352	4096	512	0.261475	bcd4e3320580612a10d7e29e233f87d5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
445566.no-ip.biz	198.136.55.78

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Backdoor connects to the servers at the folowing location(s):

rundll32.exe_1912:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

cftmon.exe_676_rwx_00150000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00290000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_002D0000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00310000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00350000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00390000_00001000:

KERNEL32.DLL

cftmon.exe_676_rwx_00B20000_00001000:

advapi32.dll

cftmon.exe_676_rwx_00C50000_00001000:

RegOpenKeyA

cftmon.exe_676_rwx_00C60000_00001000:

advapi32.dll

cftmon.exe_676_rwx_00C90000_00001000:

AVICAP32.DLL

cftmon.exe_676_rwx_00DD0000_00001000:

AVICAP32.DLL

cftmon.exe_676_rwx_00E00000_00001000:

gdi32.dll

cftmon.exe_676_rwx_00E40000_00001000:

gdi32.dll

cftmon.exe_676_rwx_00E70000_00001000:

gdiplus.dll

cftmon.exe_676_rwx_00EB0000_00001000:

gdiplus.dll

cftmon.exe_676_rwx_00EF0000_00001000:

mpr.dll

cftmon.exe_676_rwx_01260000_00001000:

mpr.dll

cftmon.exe_676_rwx_01290000_00001000:

msacm32.dll

cftmon.exe_676_rwx_013D0000_00001000:

msacm32.dll

cftmon.exe_676_rwx_01400000_00001000:

ntdll.dll

cftmon.exe_676_rwx_01540000_00001000:

ntdll.dll

cftmon.exe_676_rwx_01570000_00001000:

ole32.dll

cftmon.exe_676_rwx_016B0000_00001000:

ole32.dll

cftmon.exe_676_rwx_016E0000_00001000:

oleaut32.dll

cftmon.exe_676_rwx_01720000_00001000:

oleaut32.dll

cftmon.exe_676_rwx_01860000_00001000:

powrprof.dll

cftmon.exe_676_rwx_019A0000_00001000:

powrprof.dll

cftmon.exe_676_rwx_019D0000_00001000:

shell32.dll

cftmon.exe_676_rwx_01B10000_00001000:

shell32.dll

cftmon.exe_676_rwx_01B40000_00001000:

user32.dll

cftmon.exe_676_rwx_01C80000_00001000:

user32.dll

cftmon.exe_676_rwx_01CB0000_00001000:

wininet.dll

cftmon.exe_676_rwx_01DE0000_00001000:

FtpOpenFileA

cftmon.exe_676_rwx_01DF0000_00001000:

wininet.dll

cftmon.exe_676_rwx_01E20000_00001000:

winmm.dll

cftmon.exe_676_rwx_01F60000_00001000:

winmm.dll

cftmon.exe_676_rwx_01F90000_00001000:

wsock32.dll

cftmon.exe_676_rwx_020E0000_00001000:

wsock32.dll

cftmon.exe_676_rwx_028B0000_0004B000:

`.rsrc

40,(''''$

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ole32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

##@@## ##@@## ##@@##

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_double

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_parameter_index

sqlite3_open

sqlite3_close

sqlite3_errmsg

sqlite3_errcode

sqlite3_free

sqlite3_prepare_v2

sqlite3_column_count

sqlite3_column_name

sqlite3_column_decltype

sqlite3_step

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_double

sqlite3_column_text

sqlite3_column_type

sqlite3_column_int64

sqlite3_finalize

sqlite3_reset

SQL error or missing database

An internal logic error in SQLite

Operation terminated by sqlite3_interrupt()

Uses OS features not supported on host

2nd parameter to sqlite3_bind out of range

sqlite3_step() has another row ready

sqlite3_step() has finished executing

Unknown SQLite Error Code "

u%CNu

%s[%d]

ESQLiteException

TSQLiteDatabase

TSQLiteTable

Failed to open database "%s" : %s

Failed to open database "%s" : unknown error

Error [%d]: %s.

"%s": %s

Error executing SQL

Could not prepare SQL statement

Error executing SQL statement

SQLite is Busy

\Google\Chrome\User Data\Default\Web Data

SELECT * FROM logins

password_value

origin_url

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

ftpTransfer

ftpReady

ftpAborted

ClientPortMin<

ClientPortMaxh

Port

EIdCanNotBindPortInRange

EIdInvalidPortRangeSVW

saUsernamePassword

Password<

Porth

0.0.0.1

TIdTCPConnection

TIdTCPConnection4

IdTCPConnection

EIdTCPConnectionError

EIdObjectTypeNotSupported

%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas

TIdTCPServer

IdTCPServer

CmdDelimiterh

TIdTCPServerConnection

DefaultPort

OnExecuteP

EIdTCPServerError

EIdNoExecuteSpecified

TIdTCPClient

IdTCPClient

BoundPorth

PortU

TOnHTTPDocument

TIdHTTPProxyServer

TIdHTTPProxyServer4

IdHTTPProxyServer

DefaultPorth

OnHTTPDocument

HTTP/1.0

Windows Firewall Update

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

KWindows

IdTCPStream

 IdTCPServer

SQLiteTable3

SQLite3

DIdHTTPProxyServer

UnitChrome

GetCPInfo

RegOpenKeyExA

RegFlushKey

RegCreateKeyExA

RegCloseKey

GetKeyboardType

MsgWaitForMultipleObjects

((&)))!&$

"#$$&-)01$$'&,--%.&,

4\@%c

.idata

.edata

P.reloc

P.rsrc

KERNEL32.DLL

advapi32.dll

crypt32.dll

user32.dll

funcoes.dll

GetChromePass

StartHttpProxy

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Command not supported.

Address type not supported.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Operation would block.

Operation now in progress.

Operation already in progress.

Socket operation on non-socket.

Protocol not supported.

Socket type not supported."Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

&Error on loading Winsock2 library (%s)

Resolving hostname %s.

Connecting to %s.

%s is not a valid service.

Socket Error # %d

File "%s" not found1Only one TIdAntiFreeze can exist per application.

Object type not supported.

No execute handler found.

No data to read.$Can not bind in port range (%d - %d)

Invalid Port Range (%d - %d)

No command handler found.*Error on call Winsock2 library function %s

Error reading %s%s%s: %s

Failed to set data for '%s'

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Ancestor for '%s' not found

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

Integer overflow Invalid floating point operation

cftmon.exe_676_rwx_02A40000_0004B000:

`.rsrc

40,(''''$

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ole32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

##@@## ##@@## ##@@##

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_double

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_parameter_index

sqlite3_open

sqlite3_close

sqlite3_errmsg

sqlite3_errcode

sqlite3_free

sqlite3_prepare_v2

sqlite3_column_count

sqlite3_column_name

sqlite3_column_decltype

sqlite3_step

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_double

sqlite3_column_text

sqlite3_column_type

sqlite3_column_int64

sqlite3_finalize

sqlite3_reset

SQL error or missing database

An internal logic error in SQLite

Operation terminated by sqlite3_interrupt()

Uses OS features not supported on host

2nd parameter to sqlite3_bind out of range

sqlite3_step() has another row ready

sqlite3_step() has finished executing

Unknown SQLite Error Code "

u%CNu

%s[%d]

ESQLiteException

TSQLiteDatabase

TSQLiteTable

Failed to open database "%s" : %s

Failed to open database "%s" : unknown error

Error [%d]: %s.

"%s": %s

Error executing SQL

Could not prepare SQL statement

Error executing SQL statement

SQLite is Busy

\Google\Chrome\User Data\Default\Web Data

SELECT * FROM logins

password_value

origin_url

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

ftpTransfer

ftpReady

ftpAborted

ClientPortMin<

ClientPortMaxh

Port

EIdCanNotBindPortInRange

EIdInvalidPortRangeSVW

saUsernamePassword

Password<

Porth

0.0.0.1

TIdTCPConnection

TIdTCPConnection4

IdTCPConnection

EIdTCPConnectionError

EIdObjectTypeNotSupported

%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas

TIdTCPServer

IdTCPServer

CmdDelimiterh

TIdTCPServerConnection

DefaultPort

OnExecuteP

EIdTCPServerError

EIdNoExecuteSpecified

TIdTCPClient

IdTCPClient

BoundPorth

PortU

TOnHTTPDocument

TIdHTTPProxyServer

TIdHTTPProxyServer4

IdHTTPProxyServer

DefaultPorth

OnHTTPDocument

HTTP/1.0

Windows Firewall Update

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

KWindows

IdTCPStream

 IdTCPServer

SQLiteTable3

SQLite3

DIdHTTPProxyServer

UnitChrome

GetCPInfo

RegOpenKeyExA

RegFlushKey

RegCreateKeyExA

RegCloseKey

GetKeyboardType

MsgWaitForMultipleObjects

((&)))!&$

"#$$&-)01$$'&,--%.&,

4\@%c

.idata

.edata

P.reloc

P.rsrc

KERNEL32.DLL

advapi32.dll

crypt32.dll

user32.dll

funcoes.dll

GetChromePass

StartHttpProxy

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Command not supported.

Address type not supported.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Operation would block.

Operation now in progress.

Operation already in progress.

Socket operation on non-socket.

Protocol not supported.

Socket type not supported."Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

&Error on loading Winsock2 library (%s)

Resolving hostname %s.

Connecting to %s.

%s is not a valid service.

Socket Error # %d

File "%s" not found1Only one TIdAntiFreeze can exist per application.

Object type not supported.

No execute handler found.

No data to read.$Can not bind in port range (%d - %d)

Invalid Port Range (%d - %d)

No command handler found.*Error on call Winsock2 library function %s

Error reading %s%s%s: %s

Failed to set data for '%s'

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Ancestor for '%s' not found

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

Integer overflow Invalid floating point operation

cftmon.exe_676_rwx_02B90000_0004B000:

`.rsrc

40,(''''$

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ole32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

##@@## ##@@## ##@@##

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_double

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_parameter_index

sqlite3_open

sqlite3_close

sqlite3_errmsg

sqlite3_errcode

sqlite3_free

sqlite3_prepare_v2

sqlite3_column_count

sqlite3_column_name

sqlite3_column_decltype

sqlite3_step

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_double

sqlite3_column_text

sqlite3_column_type

sqlite3_column_int64

sqlite3_finalize

sqlite3_reset

SQL error or missing database

An internal logic error in SQLite

Operation terminated by sqlite3_interrupt()

Uses OS features not supported on host

2nd parameter to sqlite3_bind out of range

sqlite3_step() has another row ready

sqlite3_step() has finished executing

Unknown SQLite Error Code "

u%CNu

%s[%d]

ESQLiteException

TSQLiteDatabase

TSQLiteTable

Failed to open database "%s" : %s

Failed to open database "%s" : unknown error

Error [%d]: %s.

"%s": %s

Error executing SQL

Could not prepare SQL statement

Error executing SQL statement

SQLite is Busy

\Google\Chrome\User Data\Default\Web Data

SELECT * FROM logins

password_value

origin_url

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

ftpTransfer

ftpReady

ftpAborted

ClientPortMin<

ClientPortMaxh

Port

EIdCanNotBindPortInRange

EIdInvalidPortRangeSVW

saUsernamePassword

Password<

Porth

0.0.0.1

TIdTCPConnection

TIdTCPConnection4

IdTCPConnection

EIdTCPConnectionError

EIdObjectTypeNotSupported

%Documents and Settings%\Administrateur\Bureau\Anubis RAT v1.0\Spy-net.2.7.beta\Units_em_comum\Indy\IdStrings.pas

TIdTCPServer

IdTCPServer

CmdDelimiterh

TIdTCPServerConnection

DefaultPort

OnExecuteP

EIdTCPServerError

EIdNoExecuteSpecified

TIdTCPClient

IdTCPClient

BoundPorth

PortU

TOnHTTPDocument

TIdHTTPProxyServer

TIdHTTPProxyServer4

IdHTTPProxyServer

DefaultPorth

OnHTTPDocument

HTTP/1.0

Windows Firewall Update

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

KWindows

IdTCPStream

 IdTCPServer

SQLiteTable3

SQLite3

DIdHTTPProxyServer

UnitChrome

GetCPInfo

RegOpenKeyExA

RegFlushKey

RegCreateKeyExA

RegCloseKey

GetKeyboardType

MsgWaitForMultipleObjects

((&)))!&$

"#$$&-)01$$'&,--%.&,

4\@%c

.idata

.edata

P.reloc

P.rsrc

KERNEL32.DLL

advapi32.dll

crypt32.dll

user32.dll

funcoes.dll

GetChromePass

StartHttpProxy

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Command not supported.

Address type not supported.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Operation would block.

Operation now in progress.

Operation already in progress.

Socket operation on non-socket.

Protocol not supported.

Socket type not supported."Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

&Error on loading Winsock2 library (%s)

Resolving hostname %s.

Connecting to %s.

%s is not a valid service.

Socket Error # %d

File "%s" not found1Only one TIdAntiFreeze can exist per application.

Object type not supported.

No execute handler found.

No data to read.$Can not bind in port range (%d - %d)

Invalid Port Range (%d - %d)

No command handler found.*Error on call Winsock2 library function %s

Error reading %s%s%s: %s

Failed to set data for '%s'

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Ancestor for '%s' not found

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

Integer overflow Invalid floating point operation

cftmon.exe_676_rwx_24010000_00062000:

`.rsrc

kernel32.dll

Portions Copyright (c) 1999,2003 Avenger by NhT

SHFileOperationA

shell32.dll

URLDownloadToFileA

urlmon.dll

ShellExecuteA

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

GetWindowsDirectoryA

SOFTWARE\Microsoft\Windows\CurrentVersion

http\shell\open\command

\Internet Explorer\iexplore.exe

####@####

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

Portugal

Turkey

Windows 3.1

Windows 95 (Release 2)

Windows 95

Windows 98 SE

Windows 98

Windows ME

Windows 7

Windows Vista

%s %s

Windows XP Professional x64

Windows XP Home

Windows XP Professional

Windows 2000 Professional

Windows NT %d.%d

Windows 2008

%s %s Server

Windows 2003 Server Datacenter

Windows 2003 Server Enterprise

Windows 2003 Server Web Edition

Windows 2003 Server

Windows Home Server

Windows 2003 Server (Release 2)

Windows 2000 Server Datacenter

Windows 2000 Server Enterprise

Windows 2000 Server Web Edition

Windows 2000 Server

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server

Unknown Platform ID (%d)

%d.%d

%s (Build: %d

- Service Pack: %s

KERNEL32.DLL

teste.vbs

teste.txt

Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")

Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)

Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)

Set objFileSystem = CreateObject("Scripting.fileSystemObject")

Set objFile = objFileSystem.CreateTextFile("

Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter

Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter

objFile.WriteLine(Info)

objFile.Close

cscript.exe

AVICAP32.dll

tFtpAccess

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

SetupApi.dll

SetupDiOpenClassRegKey

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExW

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiOpenDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyW

SetupDiOpenDevRegKey

SetupDiDeleteDevRegKey

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

127.0.0.1

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

AllocateAndGetUdpExTableFromStack

SetTcpEntry

GetExtendedTcpTable

GetExtendedUdpTable

Mozilla3_5Password

GetChromePass

StartHttpProxy

1.2.3

XxX.xXx

UuU.uUu

keyboardkey

webcaminactive

webcamgetbuffer

webcam

enviarexecnormal

enviarexechidden

openweb

downexec

sendftp

keylogger

keyloggergetlog

keyloggereraselog

keyloggerativar

keyloggerdesativar

renamekey

windowsfechar

windowsmax

windowsmin

windowsmostrar

windowsocultar

windowsmintodas

windowscaption

listarportas

listarportasdns

finalizarprocessoportas

webcamsettings

chatmsg

getpassword

updateservidorweb

keyloggersearch

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

PSAPI.dll

\config\SteamAppData.vdf

AutoLoginUser

/ClientRegistry.Blob

\ClientRegistry.blob

\steam.dll

%SYS%

ÞSKTOP%

FirstExecution

chatmsg|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

listarjanelas|windowsfechar|

listarjanelas|windowsmax|

listarjanelas|windowsmin|

listarjanelas|windowsmostrar|

listarjanelas|windowsocultar|

listarjanelas|windowsmintodas|

listarjanelas|windowscaption|

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

listarportas|listadeportaspronta|

listarportas|finalizarconexao|

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|N|

registro|renamekey|

keylogger|keylogger|keyloggerativar|

keylogger|keylogger|keyloggerdesativar|

keylogger|keyloggergetlog|

keylogger|keylogger|keyloggervazio|

keyloggersearchok|

webcam|webcaminactive|

webcam|webcamactive|

_x_X_PASSWORDLIST_X_x_

NOIP.abc

MSN.abc

IELOGIN.abc

IEPASS.abc

IEAUTO.abc

IEWEB.abc

getielogin

getiepass

getieweb

getchrome

getpassword|getpasswordlist|

getpassword|getpassworderror|

##@@## ##@@## ##@@##

Windows\CurrentVersion\Uninstall\eDonkey2000

UNWISE.EXE

ntdll.dll

icon=shell32.dll,4

shellexecute=

autorun.inf

XX--XX--XX.txt

logs.dat

SQLite3.dll

$1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

KWindows

UnitExecutarComandos

uftp

UrlMon

.UnitBytesSize

UnitListarPortasAtivas

UnitWebcam

UnitKeylogger

WinExec

SetNamedPipeHandleState

GetProcessHeap

CreatePipe

RegOpenKeyExA

RegOpenKeyA

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyA

RegCloseKey

GdiplusShutdown

keybd_event

MapVirtualKeyA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyState

GetAsyncKeyState

ExitWindowsEx

EnumWindows

FtpGetFileSize

FtpSetCurrentDirectoryA

FtpOpenFileA

%( % & % % % ]

.idata

.reloc

P.rsrc

h`S%S

advapi32.dll

AVICAP32.DLL

gdi32.dll

gdiplus.dll

mpr.dll

msacm32.dll

ole32.dll

oleaut32.dll

powrprof.dll

user32.dll

wininet.dll

winmm.dll

wsock32.dll

cftmon.exe_1312_rwx_00150000_00001000:

KERNEL32.DLL

cftmon.exe_1312_rwx_00290000_00001000:

KERNEL32.DLL

cftmon.exe_1312_rwx_002D0000_00001000:

KERNEL32.DLL

cftmon.exe_1312_rwx_00310000_00001000:

KERNEL32.DLL

cftmon.exe_1312_rwx_00350000_00001000:

KERNEL32.DLL

cftmon.exe_1312_rwx_00390000_00001000:

KERNEL32.DLL

cftmon.exe_1312_rwx_00B20000_00001000:

advapi32.dll

cftmon.exe_1312_rwx_00C50000_00001000:

RegOpenKeyA

cftmon.exe_1312_rwx_00C60000_00001000:

advapi32.dll

cftmon.exe_1312_rwx_00C90000_00001000:

AVICAP32.DLL

cftmon.exe_1312_rwx_00DD0000_00001000:

AVICAP32.DLL

cftmon.exe_1312_rwx_00E00000_00001000:

gdi32.dll

cftmon.exe_1312_rwx_00E40000_00001000:

gdi32.dll

cftmon.exe_1312_rwx_00E70000_00001000:

gdiplus.dll

cftmon.exe_1312_rwx_00EB0000_00001000:

gdiplus.dll

cftmon.exe_1312_rwx_00EF0000_00001000:

mpr.dll

cftmon.exe_1312_rwx_01260000_00001000:

mpr.dll

cftmon.exe_1312_rwx_01290000_00001000:

msacm32.dll

cftmon.exe_1312_rwx_013D0000_00001000:

msacm32.dll

cftmon.exe_1312_rwx_01400000_00001000:

ntdll.dll

cftmon.exe_1312_rwx_01540000_00001000:

ntdll.dll

cftmon.exe_1312_rwx_01570000_00001000:

ole32.dll

cftmon.exe_1312_rwx_016B0000_00001000:

ole32.dll

cftmon.exe_1312_rwx_016E0000_00001000:

oleaut32.dll

cftmon.exe_1312_rwx_01720000_00001000:

oleaut32.dll

cftmon.exe_1312_rwx_01860000_00001000:

powrprof.dll

cftmon.exe_1312_rwx_019A0000_00001000:

powrprof.dll

cftmon.exe_1312_rwx_019D0000_00001000:

shell32.dll

cftmon.exe_1312_rwx_01B10000_00001000:

shell32.dll

cftmon.exe_1312_rwx_01B40000_00001000:

user32.dll

cftmon.exe_1312_rwx_01C80000_00001000:

user32.dll

cftmon.exe_1312_rwx_01CB0000_00001000:

wininet.dll

cftmon.exe_1312_rwx_01DE0000_00001000:

FtpOpenFileA

cftmon.exe_1312_rwx_01DF0000_00001000:

wininet.dll

cftmon.exe_1312_rwx_01E20000_00001000:

winmm.dll

cftmon.exe_1312_rwx_01F60000_00001000:

winmm.dll

cftmon.exe_1312_rwx_01F90000_00001000:

wsock32.dll

cftmon.exe_1312_rwx_020E0000_00001000:

wsock32.dll

cftmon.exe_1312_rwx_24010000_00062000:

`.rsrc

kernel32.dll

Portions Copyright (c) 1999,2003 Avenger by NhT

SHFileOperationA

shell32.dll

URLDownloadToFileA

urlmon.dll

ShellExecuteA

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

GetWindowsDirectoryA

SOFTWARE\Microsoft\Windows\CurrentVersion

http\shell\open\command

\Internet Explorer\iexplore.exe

####@####

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

Portugal

Turkey

Windows 3.1

Windows 95 (Release 2)

Windows 95

Windows 98 SE

Windows 98

Windows ME

Windows 7

Windows Vista

%s %s

Windows XP Professional x64

Windows XP Home

Windows XP Professional

Windows 2000 Professional

Windows NT %d.%d

Windows 2008

%s %s Server

Windows 2003 Server Datacenter

Windows 2003 Server Enterprise

Windows 2003 Server Web Edition

Windows 2003 Server

Windows Home Server

Windows 2003 Server (Release 2)

Windows 2000 Server Datacenter

Windows 2000 Server Enterprise

Windows 2000 Server Web Edition

Windows 2000 Server

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server

Unknown Platform ID (%d)

%d.%d

%s (Build: %d

- Service Pack: %s

KERNEL32.DLL

teste.vbs

teste.txt

Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")

Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)

Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)

Set objFileSystem = CreateObject("Scripting.fileSystemObject")

Set objFile = objFileSystem.CreateTextFile("

Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter

Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter

objFile.WriteLine(Info)

objFile.Close

cscript.exe

AVICAP32.dll

tFtpAccess

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

SetupApi.dll

SetupDiOpenClassRegKey

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExW

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiOpenDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyW

SetupDiOpenDevRegKey

SetupDiDeleteDevRegKey

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

127.0.0.1

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

AllocateAndGetUdpExTableFromStack

SetTcpEntry

GetExtendedTcpTable

GetExtendedUdpTable

Mozilla3_5Password

GetChromePass

StartHttpProxy

1.2.3

XxX.xXx

UuU.uUu

keyboardkey

webcaminactive

webcamgetbuffer

webcam

enviarexecnormal

enviarexechidden

openweb

downexec

sendftp

keylogger

keyloggergetlog

keyloggereraselog

keyloggerativar

keyloggerdesativar

renamekey

windowsfechar

windowsmax

windowsmin

windowsmostrar

windowsocultar

windowsmintodas

windowscaption

listarportas

listarportasdns

finalizarprocessoportas

webcamsettings

chatmsg

getpassword

updateservidorweb

keyloggersearch

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

PSAPI.dll

\config\SteamAppData.vdf

AutoLoginUser

/ClientRegistry.Blob

\ClientRegistry.blob

\steam.dll

%SYS%

ÞSKTOP%

FirstExecution

chatmsg|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

listarjanelas|windowsfechar|

listarjanelas|windowsmax|

listarjanelas|windowsmin|

listarjanelas|windowsmostrar|

listarjanelas|windowsocultar|

listarjanelas|windowsmintodas|

listarjanelas|windowscaption|

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

listarportas|listadeportaspronta|

listarportas|finalizarconexao|

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|N|

registro|renamekey|

keylogger|keylogger|keyloggerativar|

keylogger|keylogger|keyloggerdesativar|

keylogger|keyloggergetlog|

keylogger|keylogger|keyloggervazio|

keyloggersearchok|

webcam|webcaminactive|

webcam|webcamactive|

_x_X_PASSWORDLIST_X_x_

NOIP.abc

MSN.abc

IELOGIN.abc

IEPASS.abc

IEAUTO.abc

IEWEB.abc

getielogin

getiepass

getieweb

getchrome

getpassword|getpasswordlist|

getpassword|getpassworderror|

##@@## ##@@## ##@@##

Windows\CurrentVersion\Uninstall\eDonkey2000

UNWISE.EXE

ntdll.dll

icon=shell32.dll,4

shellexecute=

autorun.inf

XX--XX--XX.txt

logs.dat

SQLite3.dll

$1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

KWindows

UnitExecutarComandos

uftp

UrlMon

.UnitBytesSize

UnitListarPortasAtivas

UnitWebcam

UnitKeylogger

WinExec

SetNamedPipeHandleState

GetProcessHeap

CreatePipe

RegOpenKeyExA

RegOpenKeyA

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyA

RegCloseKey

GdiplusShutdown

keybd_event

MapVirtualKeyA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyState

GetAsyncKeyState

ExitWindowsEx

EnumWindows

FtpGetFileSize

FtpSetCurrentDirectoryA

FtpOpenFileA

%( % & % % % ]

.idata

.reloc

P.rsrc

h`S%S

advapi32.dll

AVICAP32.DLL

gdi32.dll

gdiplus.dll

mpr.dll

msacm32.dll

ole32.dll

oleaut32.dll

powrprof.dll

user32.dll

wininet.dll

winmm.dll

wsock32.dll

Explorer.EXE_884_rwx_014D0000_00001000:

KERNEL32.DLL

Explorer.EXE_884_rwx_02000000_00001000:

KERNEL32.DLL

Explorer.EXE_884_rwx_02040000_00001000:

KERNEL32.DLL

Explorer.EXE_884_rwx_02080000_00001000:

KERNEL32.DLL

Explorer.EXE_884_rwx_020C0000_00001000:

KERNEL32.DLL

Explorer.EXE_884_rwx_02100000_00001000:

KERNEL32.DLL

Explorer.EXE_884_rwx_02130000_00001000:

advapi32.dll

Explorer.EXE_884_rwx_02260000_00001000:

RegOpenKeyA

Explorer.EXE_884_rwx_02270000_00001000:

advapi32.dll

Explorer.EXE_884_rwx_022A0000_00001000:

AVICAP32.DLL

Explorer.EXE_884_rwx_023E0000_00001000:

AVICAP32.DLL

Explorer.EXE_884_rwx_02410000_00001000:

gdi32.dll

Explorer.EXE_884_rwx_02550000_00001000:

gdi32.dll

Explorer.EXE_884_rwx_02580000_00001000:

gdiplus.dll

Explorer.EXE_884_rwx_026C0000_00001000:

gdiplus.dll

Explorer.EXE_884_rwx_026F0000_00001000:

mpr.dll

Explorer.EXE_884_rwx_02730000_00001000:

mpr.dll

Explorer.EXE_884_rwx_02760000_00001000:

msacm32.dll

Explorer.EXE_884_rwx_027A0000_00001000:

msacm32.dll

Explorer.EXE_884_rwx_027D0000_00001000:

ntdll.dll

Explorer.EXE_884_rwx_02B20000_00001000:

ntdll.dll

Explorer.EXE_884_rwx_02B50000_00001000:

ole32.dll

Explorer.EXE_884_rwx_02C90000_00001000:

ole32.dll

Explorer.EXE_884_rwx_02CC0000_00001000:

oleaut32.dll

Explorer.EXE_884_rwx_02E00000_00001000:

oleaut32.dll

Explorer.EXE_884_rwx_02E30000_00001000:

powrprof.dll

Explorer.EXE_884_rwx_02F70000_00001000:

powrprof.dll

Explorer.EXE_884_rwx_02FA0000_00001000:

shell32.dll

Explorer.EXE_884_rwx_030E0000_00001000:

shell32.dll

Explorer.EXE_884_rwx_03110000_00001000:

user32.dll

Explorer.EXE_884_rwx_03250000_00001000:

user32.dll

Explorer.EXE_884_rwx_03280000_00001000:

wininet.dll

Explorer.EXE_884_rwx_033B0000_00001000:

FtpOpenFileA

Explorer.EXE_884_rwx_033C0000_00001000:

wininet.dll

Explorer.EXE_884_rwx_033F0000_00001000:

winmm.dll

Explorer.EXE_884_rwx_03530000_00001000:

winmm.dll

Explorer.EXE_884_rwx_03560000_00001000:

wsock32.dll

Explorer.EXE_884_rwx_036A0000_00001000:

wsock32.dll

Explorer.EXE_884_rwx_03840000_00001000:

c:\%original file name%.exe

Explorer.EXE_884_rwx_24010000_00062000:

`.rsrc

kernel32.dll

Portions Copyright (c) 1999,2003 Avenger by NhT

SHFileOperationA

shell32.dll

URLDownloadToFileA

urlmon.dll

ShellExecuteA

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

GetWindowsDirectoryA

SOFTWARE\Microsoft\Windows\CurrentVersion

http\shell\open\command

\Internet Explorer\iexplore.exe

####@####

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

Portugal

Turkey

Windows 3.1

Windows 95 (Release 2)

Windows 95

Windows 98 SE

Windows 98

Windows ME

Windows 7

Windows Vista

%s %s

Windows XP Professional x64

Windows XP Home

Windows XP Professional

Windows 2000 Professional

Windows NT %d.%d

Windows 2008

%s %s Server

Windows 2003 Server Datacenter

Windows 2003 Server Enterprise

Windows 2003 Server Web Edition

Windows 2003 Server

Windows Home Server

Windows 2003 Server (Release 2)

Windows 2000 Server Datacenter

Windows 2000 Server Enterprise

Windows 2000 Server Web Edition

Windows 2000 Server

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server

Unknown Platform ID (%d)

%d.%d

%s (Build: %d

- Service Pack: %s

KERNEL32.DLL

teste.vbs

teste.txt

Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")

Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)

Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)

Set objFileSystem = CreateObject("Scripting.fileSystemObject")

Set objFile = objFileSystem.CreateTextFile("

Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter

Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter

objFile.WriteLine(Info)

objFile.Close

cscript.exe

AVICAP32.dll

tFtpAccess

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

SetupApi.dll

SetupDiOpenClassRegKey

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExW

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiOpenDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyW

SetupDiOpenDevRegKey

SetupDiDeleteDevRegKey

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

127.0.0.1

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

AllocateAndGetUdpExTableFromStack

SetTcpEntry

GetExtendedTcpTable

GetExtendedUdpTable

Mozilla3_5Password

GetChromePass

StartHttpProxy

1.2.3

XxX.xXx

UuU.uUu

keyboardkey

webcaminactive

webcamgetbuffer

webcam

enviarexecnormal

enviarexechidden

openweb

downexec

sendftp

keylogger

keyloggergetlog

keyloggereraselog

keyloggerativar

keyloggerdesativar

renamekey

windowsfechar

windowsmax

windowsmin

windowsmostrar

windowsocultar

windowsmintodas

windowscaption

listarportas

listarportasdns

finalizarprocessoportas

webcamsettings

chatmsg

getpassword

updateservidorweb

keyloggersearch

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

PSAPI.dll

\config\SteamAppData.vdf

AutoLoginUser

/ClientRegistry.Blob

\ClientRegistry.blob

\steam.dll

%SYS%

ÞSKTOP%

FirstExecution

chatmsg|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

listarjanelas|windowsfechar|

listarjanelas|windowsmax|

listarjanelas|windowsmin|

listarjanelas|windowsmostrar|

listarjanelas|windowsocultar|

listarjanelas|windowsmintodas|

listarjanelas|windowscaption|

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

listarportas|listadeportaspronta|

listarportas|finalizarconexao|

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|N|

registro|renamekey|

keylogger|keylogger|keyloggerativar|

keylogger|keylogger|keyloggerdesativar|

keylogger|keyloggergetlog|

keylogger|keylogger|keyloggervazio|

keyloggersearchok|

webcam|webcaminactive|

webcam|webcamactive|

_x_X_PASSWORDLIST_X_x_

NOIP.abc

MSN.abc

IELOGIN.abc

IEPASS.abc

IEAUTO.abc

IEWEB.abc

getielogin

getiepass

getieweb

getchrome

getpassword|getpasswordlist|

getpassword|getpassworderror|

##@@## ##@@## ##@@##

Windows\CurrentVersion\Uninstall\eDonkey2000

UNWISE.EXE

ntdll.dll

icon=shell32.dll,4

shellexecute=

autorun.inf

XX--XX--XX.txt

logs.dat

SQLite3.dll

$1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

KWindows

UnitExecutarComandos

uftp

UrlMon

.UnitBytesSize

UnitListarPortasAtivas

UnitWebcam

UnitKeylogger

WinExec

SetNamedPipeHandleState

GetProcessHeap

CreatePipe

RegOpenKeyExA

RegOpenKeyA

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyA

RegCloseKey

GdiplusShutdown

keybd_event

MapVirtualKeyA

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyState

GetAsyncKeyState

ExitWindowsEx

EnumWindows

FtpGetFileSize

FtpSetCurrentDirectoryA

FtpOpenFileA

%( % & % % % ]

.idata

.reloc

P.rsrc

h`S%S

advapi32.dll

AVICAP32.DLL

gdi32.dll

gdiplus.dll

mpr.dll

msacm32.dll

ole32.dll

oleaut32.dll

powrprof.dll

user32.dll

wininet.dll

winmm.dll

wsock32.dll

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

dwwin.exe:2624
rundll32.exe:2604
rundll32.exe:2460
rundll32.exe:2204
rundll32.exe:3024
rundll32.exe:2940
rundll32.exe:2748
rundll32.exe:1880
%original file name%.exe:1940
%original file name%.exe:1108
cftmon.exe:596
cftmon.exe:572
cftmon.exe:2456
cftmon.exe:2436
cftmon.exe:492
cftmon.exe:1712
cftmon.exe:2880
cftmon.exe:2544
cftmon.exe:344
cftmon.exe:2664
cftmon.exe:1116
cftmon.exe:2012
cftmon.exe:2912
cftmon.exe:896
cftmon.exe:2580
cftmon.exe:388
cftmon.exe:1284
cftmon.exe:2232
cftmon.exe:1180
cftmon.exe:512
cftmon.exe:2536
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:

%Documents and Settings%\%current user%\Local Settings\Temp\134161.dmp (138011 bytes)
%System%\cftmon.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (234 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Chrysanthemum.jpg (7405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\file.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1c47_appcompat.txt (6214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (6232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (16 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cftmon" = "%System%\cftmon.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\file.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Backdoor.Win32.PcClient_2ff4d57d22

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Backdoor.Win32.PcClient_2ff4d57d22

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet