MD5: 0917cdf1e9e326604e40e04bb5829f90
SHA1: b3cf5e5ba18c87afa1e04ded0f7d3c1e14946d59
SHA256: cc28ed8bec14b3e06ce3c95977dcdcd54213cea76f2e9423393fdcbba7ac8266
SSDeep: 3072:GZY2C8LsyuwHbE2wACXKhA9f/F9JRiYAFEkX5dCEPOy1BbBFVF41hqSw:D4I2QXK27DRitFE/CDBbrVF
Size: 175104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-09-01 02:53:12
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:404
%original file name%.exe:264

The Trojan injects its code into the following process(es):

%original file name%.exe:1288

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GQJTLUAT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\SOFTWARE.LOG (3715 bytes)
%System%\config\software (1427 bytes)
%Documents and Settings%\%current user%\Application Data\60168\8AB6.016 (2668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLUFC5EN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LEFOZ47\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\Internet Explorer\F006\CF2.exe (84801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RDORE5UF\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 7D FA 90 71 4A 79 6D C8 60 D4 C2 3A B5 39 3B"

The process %original file name%.exe:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:63798"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A F2 1F F4 5F 23 5A 2C 65 60 46 A9 26 1B 90 4F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CF2.exe" = "%Program Files%\Internet Explorer\F006\CF2.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process %original file name%.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 B2 4B CA 0E 44 5E 18 69 52 0D 63 51 53 10 8B"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
freetv4you.com
bigcherrybox.com
electronicstheory.com
yourhqimages.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

`.rsrc

SSj%S

<%u,V

<3%u1f

GetProcessWindowStation

operator

XXXXXXXXXX

[%d] %s

Software\Microsoft\Windows NT\CurrentVersion\NetworkCards

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

inflate 1.2.5 Copyright 1995-2010 Mark Adler

BINPLACE : error BNP0000: Invalid switch - /%c

BINPLACE : warning BNP0000: ignoring directory %s

{A5B35993-9674-43cd-8AC7-5BC5013E617B}

\Windows NT

Software\Microsoft\Windows\CurrentVersion\Run

%s\%s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

/g/t.php?q=%s

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

INST_REPORT

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

hXXp://

POST %s HTTP/1.1

Host: %s

User-Agent: mozilla/2.0

Content-Length: %u

POST hXXp://%s%s HTTP/1.1

HTTP/1.0 200 OK

HTTP/1.1 200 OK

%s.%s

stor.cfg

exec%s

id=%s&vt=o3&hwid=%s&c=%d&joo=0&ver=103

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

INST_REPORT_TM

hXXp://yourhqimages.com

hXXp://freetv4you.com

hXXp://goldenfilestorage.com

hXXp://bigcherrybox.com

hXXp://onlinemediacontrol.com

hXXp://ultradiscofx.com

hXXp://stotre4image.com

hXXp://allsoft4you.com

hXXp://videocontainer.com

hXXp://maxtroeurosys.com

SELECT_RESERV_SRV_%d

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

%sq=%s

DWN_CON_STRP_%d_%s

hXXp://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&prt=v&q=%s&xx=z&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?tq=%s&pr=%d

%s:%d/%s?tq=%s&pr=%d

hXXp://armoredlegion.com/305986.png

hXXp://armoredlegion.com/16354.png

hXXp://armoredlegion.com/716354_m61.png

hXXp://mektek.net/thelab/wiley.jpg

hXXp://knowledgesutra.com/img/temp/hi.cgi

hXXp://knowledgesutra.com/img/temp/head.png

hXXp://battleon.com/134.gif

hXXp://battleon.com/132.gif

hXXp://battleon.com/133.gif

hXXp://browsermmorpg.com/images/cpc.png

hXXp://browsermmorpg.com/images/cpc2.png

hXXp://browsermmorpg.com/img/intel.gif

hXXp://browsermmorpg.com/img/intel.jpg

hXXp://012webpages.com/christian12.jpg

hXXp://012webpages.com/christian13.jpg

hXXp://012webpages.com/christian14.jpg

hXXp://tri-countymech.com/g/livechat.png

hXXp://tri-countymech.com/g/logo.png

hXXp://tri-countymech.com/g/133.jpg

hXXp://tri-countymech.com/g/134.jpg

hXXp://electronicstheory.com/pics/valley.png

hXXp://electronicstheory.com/pics/sun.png

hXXp://classicbattletech.com/lhous3.gif

hXXp://classicbattletech.com/lhous4.gif

hXXp://classicbattletech.com/lhous5.gif

hXXp://classicbattletech.com/lhous6.gif

hXXp://engineeringcrossing.com/images/misc/23525.png

hXXp://engineeringcrossing.com/images/misc/64646.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?pr=%s

\gb_%d.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

%s.zl

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

GET %s HTTP/1.0

drweb

{5A92A751-F926-4BB9-872E-BEC4A4CD571F}

ldr.ini

ourbigbooklibrarry.com

hXXp://%s/s.php?c=121&id=%s

mediaforclouds.com

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

PARAM_LISTEN_PORT

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

127.0.0.1

HTTP/1.x

google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Opera

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

&useragent=%s

&referer=%s

&type=%d

%s:443/?ver=103&system=%d&id=%s&hwid=%s&search=%s

%s_2_%s

%s_%s_%s

%s_3_%s

VVV.VVV.ru

hXXps://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

User-Agent: chrome/9.0

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

c:\%original file name%.exe

%Program Files%\68AB6

%Documents and Settings%\%current user%\Application Data\60168

%Program Files%\Internet Explorer\F006

GetProcessHeap

GetCPInfo

RegCloseKey

RegFlushKey

RegOpenKeyExA

RegEnumKeyExA

keybd_event

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WinHttpReceiveResponse

WinHttpQueryDataAvailable

.text

`.rdata

@.data

.rsrc

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>P

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

1.0.0.1

%original file name%.exe_1288_rwx_00145000_00001000:

%SystemRoot%\system32\mswsock.dll

|%SystemRoot%\system32\rsvpsp.dll

%SystemRoot%\system32\rsvpsp.dll

MSAFD Tcpip [RAW/IP]

RSVP UDP Service Provider

\Device\{E1070104-F404-44CE-B556-0622F9D63EE5}

RSVP TCP Service Provider

MSAFD NetBIOS [\Device\NetBT_Tcpip_{E1070104-F404-44CE-B556-0622F9D63EE5}] SEQPACKET 0

%original file name%.exe_1288_rwx_0015D000_00001000:

CryptSIPDllGetSignedDataMsg

CryptSIPDllRemoveSignedDataMsg

w1.3.14.3.2.22

CryptDllExportPublicKeyInfoEx

CryptDllImportPublicKeyInfoEx

CryptDllConvertPublicKeyInfo

w1.3.14.3.2.12

w1.2.840.10040.4.1

w1.2.840.10046.2.1

w1.2.840.113549.1.3.1

w1.2.840.113549.1.1.1

CertDllVerifyRevocation

CertDllVerifyCTLUsage

ystemRoot%\System32\wshtcpip.dll

NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

%original file name%.exe_1288_rwx_00400000_00049000:

`.rsrc

SSj%S

<%u,V

<3%u1f

GetProcessWindowStation

operator

XXXXXXXXXX

[%d] %s

Software\Microsoft\Windows NT\CurrentVersion\NetworkCards

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

inflate 1.2.5 Copyright 1995-2010 Mark Adler

BINPLACE : error BNP0000: Invalid switch - /%c

BINPLACE : warning BNP0000: ignoring directory %s

{A5B35993-9674-43cd-8AC7-5BC5013E617B}

\Windows NT

Software\Microsoft\Windows\CurrentVersion\Run

%s\%s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

/g/t.php?q=%s

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

INST_REPORT

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

hXXp://

POST %s HTTP/1.1

Host: %s

User-Agent: mozilla/2.0

Content-Length: %u

POST hXXp://%s%s HTTP/1.1

HTTP/1.0 200 OK

HTTP/1.1 200 OK

%s.%s

stor.cfg

exec%s

id=%s&vt=o3&hwid=%s&c=%d&joo=0&ver=103

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

INST_REPORT_TM

hXXp://yourhqimages.com

hXXp://freetv4you.com

hXXp://goldenfilestorage.com

hXXp://bigcherrybox.com

hXXp://onlinemediacontrol.com

hXXp://ultradiscofx.com

hXXp://stotre4image.com

hXXp://allsoft4you.com

hXXp://videocontainer.com

hXXp://maxtroeurosys.com

SELECT_RESERV_SRV_%d

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

%sq=%s

DWN_CON_STRP_%d_%s

hXXp://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&prt=v&q=%s&xx=z&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?tq=%s&pr=%d

%s:%d/%s?tq=%s&pr=%d

hXXp://armoredlegion.com/305986.png

hXXp://armoredlegion.com/16354.png

hXXp://armoredlegion.com/716354_m61.png

hXXp://mektek.net/thelab/wiley.jpg

hXXp://knowledgesutra.com/img/temp/hi.cgi

hXXp://knowledgesutra.com/img/temp/head.png

hXXp://battleon.com/134.gif

hXXp://battleon.com/132.gif

hXXp://battleon.com/133.gif

hXXp://browsermmorpg.com/images/cpc.png

hXXp://browsermmorpg.com/images/cpc2.png

hXXp://browsermmorpg.com/img/intel.gif

hXXp://browsermmorpg.com/img/intel.jpg

hXXp://012webpages.com/christian12.jpg

hXXp://012webpages.com/christian13.jpg

hXXp://012webpages.com/christian14.jpg

hXXp://tri-countymech.com/g/livechat.png

hXXp://tri-countymech.com/g/logo.png

hXXp://tri-countymech.com/g/133.jpg

hXXp://tri-countymech.com/g/134.jpg

hXXp://electronicstheory.com/pics/valley.png

hXXp://electronicstheory.com/pics/sun.png

hXXp://classicbattletech.com/lhous3.gif

hXXp://classicbattletech.com/lhous4.gif

hXXp://classicbattletech.com/lhous5.gif

hXXp://classicbattletech.com/lhous6.gif

hXXp://engineeringcrossing.com/images/misc/23525.png

hXXp://engineeringcrossing.com/images/misc/64646.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?pr=%s

\gb_%d.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

%s.zl

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

GET %s HTTP/1.0

drweb

{5A92A751-F926-4BB9-872E-BEC4A4CD571F}

ldr.ini

ourbigbooklibrarry.com

hXXp://%s/s.php?c=121&id=%s

mediaforclouds.com

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

PARAM_LISTEN_PORT

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

127.0.0.1

HTTP/1.x

google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Opera

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

&useragent=%s

&referer=%s

&type=%d

%s:443/?ver=103&system=%d&id=%s&hwid=%s&search=%s

%s_2_%s

%s_%s_%s

%s_3_%s

VVV.VVV.ru

hXXps://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

User-Agent: chrome/9.0

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

c:\%original file name%.exe

%Program Files%\68AB6

%Documents and Settings%\%current user%\Application Data\60168

%Program Files%\Internet Explorer\F006

GetProcessHeap

GetCPInfo

RegCloseKey

RegFlushKey

RegOpenKeyExA

RegEnumKeyExA

keybd_event

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

WinHttpOpen

WinHttpOpenRequest

WinHttpReadData

WinHttpReceiveResponse

WinHttpQueryDataAvailable

.text

`.rdata

@.data

.rsrc

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>P

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

1.0.0.1

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:404
   %original file name%.exe:264

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GQJTLUAT\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %System%\config\SOFTWARE.LOG (3715 bytes)
   %System%\config\software (1427 bytes)
   %Documents and Settings%\%current user%\Application Data\60168\8AB6.016 (2668 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KLUFC5EN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LEFOZ47\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Program Files%\Internet Explorer\F006\CF2.exe (84801 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RDORE5UF\desktop.ini (67 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "CF2.exe" = "%Program Files%\Internet Explorer\F006\CF2.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.