Backdoor.Win32.PcClient_d3ec766ab5

by malwarelabrobot on February 29th, 2016 in Malware Descriptions.

Trojan.Win32.Autoit.edt (Kaspersky), Dropped:Trojan.Autoit.Agent.HR (B) (Emsisoft), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d3ec766ab5e9c6331e899d9488be8957
SHA1: 3595b3a915c78db2fe3bbe19868e94c17d7bf1a4
SHA256: 1592d1dae388d281548932c57b10f6d8ffd3be5425c12c2f2d4b3dfbd326d9b1
SSDeep: 24576:IIBe7GUPa77BCgkTs7VgYghPCPWX8qxaxe7C4 PmPi8HjajhaSj:IIISUPa71CThYNCakmm6hhau
Size: 1327522 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-09-16 17:17:44
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Backdoor creates the following process(es):

%original file name%.exe:924
uZOkAB.exe:1332
rundll32.exe:1300
rundll32.exe:1484
dumprep.exe:1240
dumprep.exe:1608
dumprep.exe:1252
dumprep.exe:2012

The Backdoor injects its code into the following process(es):

Svchost.exe:1676
Svchost.exe:380

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:924 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\voyVXU (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\uZOkAB.exe (12865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\klbMgk.exe (2353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\jWqBJR.txt (9606 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\voyVXU (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\uZOkAB.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\klbMgk.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_831734 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\jWqBJR.txt (0 bytes)

The process uZOkAB.exe:1332 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Svchost.exe (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\voyVXU (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jWqBJR.txt (11518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\klbMgk.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uZOkAB.exe (3073 bytes)

The process dumprep.exe:1240 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WERdc8e.dir00\Svchost.exe.mdmp (102821 bytes)

The process dumprep.exe:1608 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WERdc8e.dir00\Svchost.exe.hdmp (229466 bytes)

The process dumprep.exe:1252 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WERbbc6.dir00\Svchost.exe.hdmp (230101 bytes)

The process dumprep.exe:2012 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WERbbc6.dir00\Svchost.exe.mdmp (106192 bytes)

Registry activity

The process %original file name%.exe:924 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 C2 7B 05 6B FC 38 A0 20 54 F5 25 01 4D 4B 95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"uZOkAB.exe" = "AutoIt v3 Script"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process uZOkAB.exe:1332 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 49 82 1E 04 85 E5 C6 7F 4F A1 81 79 72 59 C4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 9B 81 9E C5 2B 9A 98 2E 2B FE C0 56 28 AE 5A"

The process rundll32.exe:1484 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B F1 5F ED 4C EE 03 75 C4 2D 9A 8C 9A B8 50 E8"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "EnableNXShowUI"

[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "Generic Host Process for Win32 Services"

The process dumprep.exe:1240 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 CC 7D 39 CE 72 8C 61 D6 4C 14 0B 05 F0 01 FE"

The process dumprep.exe:1608 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A B6 13 E8 1D F0 37 FC 1A 7C CD DD 05 6A BA DC"

The process dumprep.exe:1252 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 26 08 95 11 11 EA 9A 08 49 EC 69 4C 4A 7B 00"

The process dumprep.exe:2012 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 64 21 B0 D1 CF 9D 3D 04 B5 68 59 EB 26 45 EC"

Dropped PE files

MD5 File path
27c6d03bcdb8cfeb96b716f3d8be3e18 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Svchost.exe
9444124ca8b68840ea8ba70da0525bd5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\klbMgk.exe
01d151ccd2a75bd713b8ce81d6509eb8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\uZOkAB.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 81920 80384 4.4941 d9c3b0b82d7da6d18b0896fb360cea84
.data 86016 32768 2560 3.41851 568dd221456d807ca821813c84d65e70
.idata 118784 8192 4608 3.31984 bc7806e1c1ce9ebfd00ad834c1f7a647
.rsrc 126976 14627 14848 3.04271 5d81a7baa5b61cc0275bd832f59c26f5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

Svchost.exe_1676:

`.rsrc
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
kernel32.dll
MSVBVM60.dll
ntdll.dll
user32.dll
urlmon
URLDownloadToFileA
PSAPI.DLL
advapi32.dll
shell32.dll
ShellExecuteA
RegOpenKeyExA
RegCloseKey
FindExecutableA
VBA6.DLL
MasterKey
.text
`.reloc
B.rsrc
@?"333?(
y.fefeffeef(
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
System.Drawing.Size
Windows.v4.0.HiDef
-Gt1}
$`J.qp
7-Nxf}
%DOQ)s
.rkr&
%.qw ]
.tT*)
=SV%D
bj.Fy2
9.ZOZ
]t.ObG$N
|3n@%8X
\v.tJ
%sxfSz
%{.UQ
P)#n%s
.uxA:
j|'y.zuT
.%^%fx
t/%x|
J.lS"
.cDh9t
_V7.Aw
-IJ%S$
;u.Am
weB;SHZ
Z%.JH
.WOr.$}
2l%f!7
U~.mD
.SPzre#tI
%D,yZ
v4.0.30319
1%FND
1%FNl
1%FN,
1%FN<
1%FN$
1%FN\
1%FNL
1%FNd
1%FN|
M.MMMwM
Blockscape.exe
System.Windows.Forms
Microsoft.Xna.Framework.Game
Microsoft.Xna.Framework
Microsoft.Xna.Framework.Graphics
System.Drawing
System.Core
System.Xml
WindowsBase
System.Management
.resources
Microsoft.Xna.Framework.RuntimeProfile
Microsoft.Xna.Framework.Audio
Microsoft.Xna.Framework.Content
EffectPass
EffectPassCollection
VertexElement
VertexElementFormat
VertexElementUsage
Viewport
Microsoft.Xna.Framework.Input
Keyboard
KeyboardState
Keys
Microsoft.Xna.Framework.Media
System.Collections.Generic
KeyCollection
KeyValuePair`2
System.Collections
System.Collections.ObjectModel
System.ComponentModel
System.Diagnostics
System.Globalization
InvalidOperationException
System.IO
System.Linq
System.Net
System.Net.Sockets
TcpClient
TcpListener
WebRequest
WebResponse
NotSupportedException
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Runtime.Versioning
System.Security.Cryptography
System.Text
System.Threading
KeyEventArgs
KeyEventHandler
KeyPressEventArgs
KeyPressEventHandler
System.Windows
System.Windows.Media.Imaging
System.Windows.Media
.ctor
.cctor
SetWindowsHookExA
UnhookWindowsHookEx
ContainsKey
get_SupportedDisplayModes
GetExecutingAssembly
set_PasswordChar
get_Keys
AcceptTcpClient
IsKeyDown
GetPressedKeys
get_Passes
get_Viewport
set_Viewport
get_Msg
get_KeyChar
GetPublicKeyToken
get_Key
).NETFramework,Version=v4.0,Profile=Client
.NET Framework 4 Client Profile
$1cb36746-1c92-461e-920f-a056aa95df47
_CorExeMain
mscoree.dll
`.data
.rsrc
MSVBVM60.DLL
F:\Softwares\VB98\VB6.OLB
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0||1|0|0||PA1|1|262|.exe0|0|1|1|0|0|0|1|0|0|0|0|0|0|0|PAhXXp://VVV.host.com/path/yourfile.exe|1|262PMicrosoft Error|Microsoft Error|32|262PAuZOkAB.exe|jWqBJR.txt|klbMgk.exe|voyVXU|
KERNEL32.DLL
Avastui.exe
NIS.exe
\Norton Internet Security\Engine\21.1.0.18\NIS.exe
egui.exe
\ESET\ESET NOD32 Antivirus\ecls.exe
avpui.exe
bdagent.exe
\Bitdefender\Bitdefender 2015\certutil.exe
\AVAST Software\Avast\VisthAux.exe
\svchost.exe
\SysWOW64\svchost.exe
\System32\svchost.exe
cmd /c taskkill /F /pid
\net.exe
\file.txt
SELECT * FROM Win32_OperatingSystem
\skype.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
wscript.shell
\Project1.exe
\1.txt
\2.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
schtasks /create /sc minute /mo 1 /tn WindowsUpdate
schtasks /delete /tn WindowsUpdate
cmd /c icacls
/deny %username%:F
\test.exe
\SkypeUpdates\skype.exe
media.exe
WScript.Shell
hXXps://twitter.com
SendKeys
hXXp://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
cmd.exe
C:\Windows\system32\cmd.exe
&& ping 127.0.0.1 && exit
consent.exe
athenahttpbotnet
VVV.update.microsoft.com
POST /%s HTTP/1
compatible; MSIE 7.0; Windows NT 5.1; SV1)
MapVirtualKeyA
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
RegCreateKeyExA
\system\systwin32.exe
DownloadAndExecute
javaw.exe
GetKeyboardType
InternetOpenUrlA
HTTP/1.1
PR_OpenTCPSocket
GdiplusShutdown
ole32.dll
UnitKeylogger
GetKeyboardLayoutNameA
C:\Windows\tracing
C:\ProgramData\Microsoft\Network\Connections\Pbk
*facebook.*/login.php*
*login.live.*/*post.srf*
*paypal.*/webscr?cmd=_login-submit*
application/x-www-form-urlencoded
Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
%WinDir%\SysWOW64\svchost.exe
Content-Length: %d
Keylogger
CryptDllConvertPublicKeyInfo
CryptDllEncodePublicKeyAndParameters
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun
KeyHook
KeyboardHookDelegate
[BypassScreening]
HuntHTTPDownload
Webcam
Mozilla Firefox
KeyTLIST=b03
You need a registered nick to join that channel
flood.anope
InternetOpenUrlW
hXXp://VVV.gofuckbiz.com/
hXXp://kremlin.ru/
Opera/7.60 (Windows NT 5.2; U) [en] (IBM EVV/3.0/EAK01AG9/LE)
cmd /c taskkill /F /PID
Scripting.FileSystemObject
autorun.inf
Icon=%SystemRoot%\system32\SHELL32.dll,7
shell32.dll, 2
shell32.dll, 3
.fldr
shell32.dll, 0
\explorer.exe
Kernel32.dll
$this.Icon
0.9.5304.39905
Project1.exe
Project1xp.exe

Svchost.exe_1676_rwx_00400000_00183000:

`.rsrc
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
kernel32.dll
MSVBVM60.dll
ntdll.dll
user32.dll
urlmon
URLDownloadToFileA
PSAPI.DLL
advapi32.dll
shell32.dll
ShellExecuteA
RegOpenKeyExA
RegCloseKey
FindExecutableA
VBA6.DLL
MasterKey
.text
`.reloc
B.rsrc
@?"333?(
y.fefeffeef(
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
System.Drawing.Size
Windows.v4.0.HiDef
-Gt1}
$`J.qp
7-Nxf}
%DOQ)s
.rkr&
%.qw ]
.tT*)
=SV%D
bj.Fy2
9.ZOZ
]t.ObG$N
|3n@%8X
\v.tJ
%sxfSz
%{.UQ
P)#n%s
.uxA:
j|'y.zuT
.%^%fx
t/%x|
J.lS"
.cDh9t
_V7.Aw
-IJ%S$
;u.Am
weB;SHZ
Z%.JH
.WOr.$}
2l%f!7
U~.mD
.SPzre#tI
%D,yZ
v4.0.30319
1%FND
1%FNl
1%FN,
1%FN<
1%FN$
1%FN\
1%FNL
1%FNd
1%FN|
M.MMMwM
Blockscape.exe
System.Windows.Forms
Microsoft.Xna.Framework.Game
Microsoft.Xna.Framework
Microsoft.Xna.Framework.Graphics
System.Drawing
System.Core
System.Xml
WindowsBase
System.Management
.resources
Microsoft.Xna.Framework.RuntimeProfile
Microsoft.Xna.Framework.Audio
Microsoft.Xna.Framework.Content
EffectPass
EffectPassCollection
VertexElement
VertexElementFormat
VertexElementUsage
Viewport
Microsoft.Xna.Framework.Input
Keyboard
KeyboardState
Keys
Microsoft.Xna.Framework.Media
System.Collections.Generic
KeyCollection
KeyValuePair`2
System.Collections
System.Collections.ObjectModel
System.ComponentModel
System.Diagnostics
System.Globalization
InvalidOperationException
System.IO
System.Linq
System.Net
System.Net.Sockets
TcpClient
TcpListener
WebRequest
WebResponse
NotSupportedException
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Runtime.Versioning
System.Security.Cryptography
System.Text
System.Threading
KeyEventArgs
KeyEventHandler
KeyPressEventArgs
KeyPressEventHandler
System.Windows
System.Windows.Media.Imaging
System.Windows.Media
.ctor
.cctor
SetWindowsHookExA
UnhookWindowsHookEx
ContainsKey
get_SupportedDisplayModes
GetExecutingAssembly
set_PasswordChar
get_Keys
AcceptTcpClient
IsKeyDown
GetPressedKeys
get_Passes
get_Viewport
set_Viewport
get_Msg
get_KeyChar
GetPublicKeyToken
get_Key
).NETFramework,Version=v4.0,Profile=Client
.NET Framework 4 Client Profile
$1cb36746-1c92-461e-920f-a056aa95df47
_CorExeMain
mscoree.dll
`.data
.rsrc
MSVBVM60.DLL
F:\Softwares\VB98\VB6.OLB
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0||1|0|0||PA1|1|262|.exe0|0|1|1|0|0|0|1|0|0|0|0|0|0|0|PAhXXp://VVV.host.com/path/yourfile.exe|1|262PMicrosoft Error|Microsoft Error|32|262PAuZOkAB.exe|jWqBJR.txt|klbMgk.exe|voyVXU|
KERNEL32.DLL
Avastui.exe
NIS.exe
\Norton Internet Security\Engine\21.1.0.18\NIS.exe
egui.exe
\ESET\ESET NOD32 Antivirus\ecls.exe
avpui.exe
bdagent.exe
\Bitdefender\Bitdefender 2015\certutil.exe
\AVAST Software\Avast\VisthAux.exe
\svchost.exe
\SysWOW64\svchost.exe
\System32\svchost.exe
cmd /c taskkill /F /pid
\net.exe
\file.txt
SELECT * FROM Win32_OperatingSystem
\skype.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
wscript.shell
\Project1.exe
\1.txt
\2.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
schtasks /create /sc minute /mo 1 /tn WindowsUpdate
schtasks /delete /tn WindowsUpdate
cmd /c icacls
/deny %username%:F
\test.exe
\SkypeUpdates\skype.exe
media.exe
WScript.Shell
hXXps://twitter.com
SendKeys
hXXp://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
cmd.exe
C:\Windows\system32\cmd.exe
&& ping 127.0.0.1 && exit
consent.exe
athenahttpbotnet
VVV.update.microsoft.com
POST /%s HTTP/1
compatible; MSIE 7.0; Windows NT 5.1; SV1)
MapVirtualKeyA
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
RegCreateKeyExA
\system\systwin32.exe
DownloadAndExecute
javaw.exe
GetKeyboardType
InternetOpenUrlA
HTTP/1.1
PR_OpenTCPSocket
GdiplusShutdown
ole32.dll
UnitKeylogger
GetKeyboardLayoutNameA
C:\Windows\tracing
C:\ProgramData\Microsoft\Network\Connections\Pbk
*facebook.*/login.php*
*login.live.*/*post.srf*
*paypal.*/webscr?cmd=_login-submit*
application/x-www-form-urlencoded
Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
%WinDir%\SysWOW64\svchost.exe
Content-Length: %d
Keylogger
CryptDllConvertPublicKeyInfo
CryptDllEncodePublicKeyAndParameters
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun
KeyHook
KeyboardHookDelegate
[BypassScreening]
HuntHTTPDownload
Webcam
Mozilla Firefox
KeyTLIST=b03
You need a registered nick to join that channel
flood.anope
InternetOpenUrlW
hXXp://VVV.gofuckbiz.com/
hXXp://kremlin.ru/
Opera/7.60 (Windows NT 5.2; U) [en] (IBM EVV/3.0/EAK01AG9/LE)
cmd /c taskkill /F /PID
Scripting.FileSystemObject
autorun.inf
Icon=%SystemRoot%\system32\SHELL32.dll,7
shell32.dll, 2
shell32.dll, 3
.fldr
shell32.dll, 0
\explorer.exe
Kernel32.dll
$this.Icon
0.9.5304.39905
Project1.exe
Project1xp.exe

rundll32.exe_1484:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

Svchost.exe_380:

`.rsrc
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
kernel32.dll
MSVBVM60.dll
ntdll.dll
user32.dll
urlmon
URLDownloadToFileA
PSAPI.DLL
advapi32.dll
shell32.dll
ShellExecuteA
RegOpenKeyExA
RegCloseKey
FindExecutableA
VBA6.DLL
MasterKey
.text
`.reloc
B.rsrc
@?"333?(
y.fefeffeef(
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
System.Drawing.Size
Windows.v4.0.HiDef
-Gt1}
$`J.qp
7-Nxf}
%DOQ)s
.rkr&
%.qw ]
.tT*)
=SV%D
bj.Fy2
9.ZOZ
]t.ObG$N
|3n@%8X
\v.tJ
%sxfSz
%{.UQ
P)#n%s
.uxA:
j|'y.zuT
.%^%fx
t/%x|
J.lS"
.cDh9t
_V7.Aw
-IJ%S$
;u.Am
weB;SHZ
Z%.JH
.WOr.$}
2l%f!7
U~.mD
.SPzre#tI
%D,yZ
v4.0.30319
1%FND
1%FNl
1%FN,
1%FN<
1%FN$
1%FN\
1%FNL
1%FNd
1%FN|
M.MMMwM
Blockscape.exe
System.Windows.Forms
Microsoft.Xna.Framework.Game
Microsoft.Xna.Framework
Microsoft.Xna.Framework.Graphics
System.Drawing
System.Core
System.Xml
WindowsBase
System.Management
.resources
Microsoft.Xna.Framework.RuntimeProfile
Microsoft.Xna.Framework.Audio
Microsoft.Xna.Framework.Content
EffectPass
EffectPassCollection
VertexElement
VertexElementFormat
VertexElementUsage
Viewport
Microsoft.Xna.Framework.Input
Keyboard
KeyboardState
Keys
Microsoft.Xna.Framework.Media
System.Collections.Generic
KeyCollection
KeyValuePair`2
System.Collections
System.Collections.ObjectModel
System.ComponentModel
System.Diagnostics
System.Globalization
InvalidOperationException
System.IO
System.Linq
System.Net
System.Net.Sockets
TcpClient
TcpListener
WebRequest
WebResponse
NotSupportedException
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Runtime.Versioning
System.Security.Cryptography
System.Text
System.Threading
KeyEventArgs
KeyEventHandler
KeyPressEventArgs
KeyPressEventHandler
System.Windows
System.Windows.Media.Imaging
System.Windows.Media
.ctor
.cctor
SetWindowsHookExA
UnhookWindowsHookEx
ContainsKey
get_SupportedDisplayModes
GetExecutingAssembly
set_PasswordChar
get_Keys
AcceptTcpClient
IsKeyDown
GetPressedKeys
get_Passes
get_Viewport
set_Viewport
get_Msg
get_KeyChar
GetPublicKeyToken
get_Key
).NETFramework,Version=v4.0,Profile=Client
.NET Framework 4 Client Profile
$1cb36746-1c92-461e-920f-a056aa95df47
_CorExeMain
mscoree.dll
`.data
.rsrc
MSVBVM60.DLL
F:\Softwares\VB98\VB6.OLB
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0||1|0|0||PA1|1|262|.exe0|0|1|1|0|0|0|1|0|0|0|0|0|0|0|PAhXXp://VVV.host.com/path/yourfile.exe|1|262PMicrosoft Error|Microsoft Error|32|262PAuZOkAB.exe|jWqBJR.txt|klbMgk.exe|voyVXU|
KERNEL32.DLL
Avastui.exe
NIS.exe
\Norton Internet Security\Engine\21.1.0.18\NIS.exe
egui.exe
\ESET\ESET NOD32 Antivirus\ecls.exe
avpui.exe
bdagent.exe
\Bitdefender\Bitdefender 2015\certutil.exe
\AVAST Software\Avast\VisthAux.exe
\svchost.exe
\SysWOW64\svchost.exe
\System32\svchost.exe
cmd /c taskkill /F /pid
\net.exe
\file.txt
SELECT * FROM Win32_OperatingSystem
\skype.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
wscript.shell
\Project1.exe
\1.txt
\2.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
schtasks /create /sc minute /mo 1 /tn WindowsUpdate
schtasks /delete /tn WindowsUpdate
cmd /c icacls
/deny %username%:F
\test.exe
\SkypeUpdates\skype.exe
media.exe
WScript.Shell
hXXps://twitter.com
SendKeys
hXXp://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
cmd.exe
C:\Windows\system32\cmd.exe
&& ping 127.0.0.1 && exit
consent.exe
athenahttpbotnet
VVV.update.microsoft.com
POST /%s HTTP/1
compatible; MSIE 7.0; Windows NT 5.1; SV1)
MapVirtualKeyA
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
RegCreateKeyExA
\system\systwin32.exe
DownloadAndExecute
javaw.exe
GetKeyboardType
InternetOpenUrlA
HTTP/1.1
PR_OpenTCPSocket
GdiplusShutdown
ole32.dll
UnitKeylogger
GetKeyboardLayoutNameA
C:\Windows\tracing
C:\ProgramData\Microsoft\Network\Connections\Pbk
*facebook.*/login.php*
*login.live.*/*post.srf*
*paypal.*/webscr?cmd=_login-submit*
application/x-www-form-urlencoded
Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
%WinDir%\SysWOW64\svchost.exe
Content-Length: %d
Keylogger
CryptDllConvertPublicKeyInfo
CryptDllEncodePublicKeyAndParameters
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun
KeyHook
KeyboardHookDelegate
[BypassScreening]
HuntHTTPDownload
Webcam
Mozilla Firefox
KeyTLIST=b03
You need a registered nick to join that channel
flood.anope
InternetOpenUrlW
hXXp://VVV.gofuckbiz.com/
hXXp://kremlin.ru/
Opera/7.60 (Windows NT 5.2; U) [en] (IBM EVV/3.0/EAK01AG9/LE)
cmd /c taskkill /F /PID
Scripting.FileSystemObject
autorun.inf
Icon=%SystemRoot%\system32\SHELL32.dll,7
shell32.dll, 2
shell32.dll, 3
.fldr
shell32.dll, 0
\explorer.exe
Kernel32.dll
$this.Icon
0.9.5304.39905
Project1.exe
Project1xp.exe

Svchost.exe_380_rwx_00400000_00183000:

`.rsrc
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
kernel32.dll
MSVBVM60.dll
ntdll.dll
user32.dll
urlmon
URLDownloadToFileA
PSAPI.DLL
advapi32.dll
shell32.dll
ShellExecuteA
RegOpenKeyExA
RegCloseKey
FindExecutableA
VBA6.DLL
MasterKey
.text
`.reloc
B.rsrc
@?"333?(
y.fefeffeef(
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
System.Drawing.Size
Windows.v4.0.HiDef
-Gt1}
$`J.qp
7-Nxf}
%DOQ)s
.rkr&
%.qw ]
.tT*)
=SV%D
bj.Fy2
9.ZOZ
]t.ObG$N
|3n@%8X
\v.tJ
%sxfSz
%{.UQ
P)#n%s
.uxA:
j|'y.zuT
.%^%fx
t/%x|
J.lS"
.cDh9t
_V7.Aw
-IJ%S$
;u.Am
weB;SHZ
Z%.JH
.WOr.$}
2l%f!7
U~.mD
.SPzre#tI
%D,yZ
v4.0.30319
1%FND
1%FNl
1%FN,
1%FN<
1%FN$
1%FN\
1%FNL
1%FNd
1%FN|
M.MMMwM
Blockscape.exe
System.Windows.Forms
Microsoft.Xna.Framework.Game
Microsoft.Xna.Framework
Microsoft.Xna.Framework.Graphics
System.Drawing
System.Core
System.Xml
WindowsBase
System.Management
.resources
Microsoft.Xna.Framework.RuntimeProfile
Microsoft.Xna.Framework.Audio
Microsoft.Xna.Framework.Content
EffectPass
EffectPassCollection
VertexElement
VertexElementFormat
VertexElementUsage
Viewport
Microsoft.Xna.Framework.Input
Keyboard
KeyboardState
Keys
Microsoft.Xna.Framework.Media
System.Collections.Generic
KeyCollection
KeyValuePair`2
System.Collections
System.Collections.ObjectModel
System.ComponentModel
System.Diagnostics
System.Globalization
InvalidOperationException
System.IO
System.Linq
System.Net
System.Net.Sockets
TcpClient
TcpListener
WebRequest
WebResponse
NotSupportedException
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Runtime.Versioning
System.Security.Cryptography
System.Text
System.Threading
KeyEventArgs
KeyEventHandler
KeyPressEventArgs
KeyPressEventHandler
System.Windows
System.Windows.Media.Imaging
System.Windows.Media
.ctor
.cctor
SetWindowsHookExA
UnhookWindowsHookEx
ContainsKey
get_SupportedDisplayModes
GetExecutingAssembly
set_PasswordChar
get_Keys
AcceptTcpClient
IsKeyDown
GetPressedKeys
get_Passes
get_Viewport
set_Viewport
get_Msg
get_KeyChar
GetPublicKeyToken
get_Key
).NETFramework,Version=v4.0,Profile=Client
.NET Framework 4 Client Profile
$1cb36746-1c92-461e-920f-a056aa95df47
_CorExeMain
mscoree.dll
`.data
.rsrc
MSVBVM60.DLL
F:\Softwares\VB98\VB6.OLB
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0||1|0|0||PA1|1|262|.exe0|0|1|1|0|0|0|1|0|0|0|0|0|0|0|PAhXXp://VVV.host.com/path/yourfile.exe|1|262PMicrosoft Error|Microsoft Error|32|262PAuZOkAB.exe|jWqBJR.txt|klbMgk.exe|voyVXU|
KERNEL32.DLL
Avastui.exe
NIS.exe
\Norton Internet Security\Engine\21.1.0.18\NIS.exe
egui.exe
\ESET\ESET NOD32 Antivirus\ecls.exe
avpui.exe
bdagent.exe
\Bitdefender\Bitdefender 2015\certutil.exe
\AVAST Software\Avast\VisthAux.exe
\svchost.exe
\SysWOW64\svchost.exe
\System32\svchost.exe
cmd /c taskkill /F /pid
\net.exe
\file.txt
SELECT * FROM Win32_OperatingSystem
\skype.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
wscript.shell
\Project1.exe
\1.txt
\2.txt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
schtasks /create /sc minute /mo 1 /tn WindowsUpdate
schtasks /delete /tn WindowsUpdate
cmd /c icacls
/deny %username%:F
\test.exe
\SkypeUpdates\skype.exe
media.exe
WScript.Shell
hXXps://twitter.com
SendKeys
hXXp://VVV.facebook.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
cmd.exe
C:\Windows\system32\cmd.exe
&& ping 127.0.0.1 && exit
consent.exe
athenahttpbotnet
VVV.update.microsoft.com
POST /%s HTTP/1
compatible; MSIE 7.0; Windows NT 5.1; SV1)
MapVirtualKeyA
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
RegCreateKeyExA
\system\systwin32.exe
DownloadAndExecute
javaw.exe
GetKeyboardType
InternetOpenUrlA
HTTP/1.1
PR_OpenTCPSocket
GdiplusShutdown
ole32.dll
UnitKeylogger
GetKeyboardLayoutNameA
C:\Windows\tracing
C:\ProgramData\Microsoft\Network\Connections\Pbk
*facebook.*/login.php*
*login.live.*/*post.srf*
*paypal.*/webscr?cmd=_login-submit*
application/x-www-form-urlencoded
Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
%WinDir%\SysWOW64\svchost.exe
Content-Length: %d
Keylogger
CryptDllConvertPublicKeyInfo
CryptDllEncodePublicKeyAndParameters
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun
KeyHook
KeyboardHookDelegate
[BypassScreening]
HuntHTTPDownload
Webcam
Mozilla Firefox
KeyTLIST=b03
You need a registered nick to join that channel
flood.anope
InternetOpenUrlW
hXXp://VVV.gofuckbiz.com/
hXXp://kremlin.ru/
Opera/7.60 (Windows NT 5.2; U) [en] (IBM EVV/3.0/EAK01AG9/LE)
cmd /c taskkill /F /PID
Scripting.FileSystemObject
autorun.inf
Icon=%SystemRoot%\system32\SHELL32.dll,7
shell32.dll, 2
shell32.dll, 3
.fldr
shell32.dll, 0
\explorer.exe
Kernel32.dll
$this.Icon
0.9.5304.39905
Project1.exe
Project1xp.exe

rundll32.exe_1300:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:924
    uZOkAB.exe:1332
    rundll32.exe:1300
    rundll32.exe:1484
    dumprep.exe:1240
    dumprep.exe:1608
    dumprep.exe:1252
    dumprep.exe:2012

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\voyVXU (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\uZOkAB.exe (12865 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\klbMgk.exe (2353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\jWqBJR.txt (9606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Svchost.exe (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\voyVXU (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jWqBJR.txt (11518 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\klbMgk.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uZOkAB.exe (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WERdc8e.dir00\Svchost.exe.mdmp (102821 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WERdc8e.dir00\Svchost.exe.hdmp (229466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WERbbc6.dir00\Svchost.exe.hdmp (230101 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WERbbc6.dir00\Svchost.exe.mdmp (106192 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now