Gen.Trojan.Heur.GM.0400450434_d6fb85332f

by malwarelabrobot on October 6th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Trojan.Heur.GM.0400450434 (B) (Emsisoft), Gen:Trojan.Heur.GM.0400450434 (AdAware), Backdoor.Win32.Farfli.FD, Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: d6fb85332fdb949a52862ae62162f8d7
SHA1: 4095c62e6c54f2429a15dd6de38e888cffaa1d4a
SHA256: 9af05301e1fdb3abf7f10d40dac884714542dd9bf17d61cbebcd37a2d1d5aea9
SSDeep: 98304:uor1kvpCv3 UlDCrUfdWKWgTo224xHyKLknjfedEbZObAT9t:uor2vpCv3 UlqUFhh24VyKwL9gEr
Size: 5381025 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Cinema10 PlusV16.09
Created at: 1978-03-19 04:26:23
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:752

The Trojan injects its code into the following process(es):

852BRModz Loader.exe:1196
svchost.exe:332
iexplore.exe:1596

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\852BRModz Loader.exe.exe (4 bytes)
%System%\852BRModz Loader.exe (34007 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

Registry activity

The process 852BRModz Loader.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC F9 06 54 C0 3E AF 89 71 59 E4 9B 1E FA A1 C3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 89 7E 7C E0 1D C1 FF 7A B4 4C BE D8 46 84 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\XtremeRAT]
"Mutex" = "pW3sk"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"852BRModz Loader.exe" = "BRModzLoader"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
bac25aa668864e8ed35bd7f51800d505	c:\WINDOWS\system32\852BRModz Loader.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.itext	4096	5107712	4608	4.96893	fc0357e0b7fbbbf348fe1728fc9cbad3
.const	5111808	5373952	5370880	5.54301	74fbfd76166999b87442ad813c5ec825
.idata	10485760	8192	4513	3.74477	11baf64ebb81fba54052edd19975dfc1
.rsrc	10493952	4096	0	0	d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://www.brmodz.com/versao/index.php	69.172.201.208

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /versao/index.php HTTP/1.1

Host: VVV.brmodz.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.7.5

Date: Sun, 05 Oct 2014 17:57:38 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=20

P3P: CP="NON DSP COR ADMa OUR IND UNI COM NAV INT"

Cache-Control: no-cache
615..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.
w3.org/TR/html4/strict.dtd">.<html>.<head>.<meta htt
p-equiv="Content-Type" content="text/html; charset=iso-8859-1">.<
;meta http-equiv="Content-Script-Type" content="text/javascript">.&
lt;script type="text/javascript">.function getCookie(c_name) { // L
ocal function for getting a cookie value.    if (document.cookie.lengt
h > 0) {.        c_start = document.cookie.indexOf(c_name   "=");. 
       if (c_start!=-1) {.        c_start=c_start   c_name.length   1;
.        c_end=document.cookie.indexOf(";", c_start);..        if (c_e
nd==-1) .            c_end = document.cookie.length;..        return u
nescape(document.cookie.substring(c_start,c_end));.        }.    }.   
 return "";.}.function setCookie(c_name, value, expiredays) { // Local
 function for setting a value of a cookie.    var exdate = new Date();
.    exdate.setDate(exdate.getDate() expiredays);.    document.cookie 
= c_name   "="   escape(value)   ((expiredays==null) ? "" : ";expires=
"   exdate.toGMTString())   ";path=/";.}.function getHostUri() {.    v
ar loc = document.location;.    return loc.toString();.}.setCookie('YP
F8827340282Jdskjhfiw_928937459182JAX666', '"%local server IP%"', 10);.try { 
 .    location.reload(true);  .} catch (err1) {  .    try {  .        
location.reload();  .    } catch (err2) {  .    .location.href = getHo
stUri();  .    }  .}.</script>.</head>.<body>.<no
script>This site requires JavaScript and Cookies to be enabled.<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

svchost.exe_332:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_332_rwx_10000000_00A03000:

.itext

`.const

.idata

.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

}.IWI

S.dm6

*>Dqz..Gh

t.Ht2Ht6Ht:Ht>

.%``0/1:

F&{00000000-0000-0000-C000-000000000046}

3This binary has no widestrings support compiled in.

ENoThreadSupport

ENoWideStringSupport

=?&{7B108C52-1D8F-4CDB-9CDF-57E071193D3F}$TMultiReadExclusiveWriteSynchronizer

1234567890

TlxLoaderInternalExportItem

TlxLoaderInternalExportList

&{3FEEC8E1-E400-4A24-BCAC-1F01476439B1}

.Owner

Invalid registry data type: "%s"

registry.sinvalidregtype

Failed to create key: "%s"

registry.sregcreatefailed

Failed to set data for value "%s"

registry.sregsetdatafailed

Failed to get data for value "%s"

registry.sreggetdatafailed

1.1.2

sysconst.sabstracterror

sysconst.saccessdenied

sysconst.saccessviolation

Missing argument in format "%s"

sysconst.sargumentmissing

%s (%s, line %d)

sysconst.sasserterror

sysconst.sassertionfailed

sysconst.sbuserror

sysconst.scontrolc

sysconst.sdiskfull

sysconst.sdispatcherror

sysconst.sdivbyzero

sysconst.sendoffile

External exception %x

sysconst.sexternalexception

sysconst.sfilenotassigned

sysconst.sfilenotfound

sysconst.sfilenotopen

sysconst.sfilenotopenforinput

sysconst.sfilenotopenforoutput

sysconst.sinvalidfilename

sysconst.sintoverflow

Interface not supported

sysconst.sintfcasterror

Invalid argument index in format "%s"

sysconst.sinvalidargindex

sysconst.sinvalidcast

sysconst.sinvaliddrive

sysconst.sinvalidfilehandle

Invalid format specifier : "%s"

sysconst.sinvalidformat

sysconst.sinvalidinput

Invalid floating point operation

sysconst.sinvalidop

Invalid pointer operation

sysconst.sinvalidpointer

sysconst.sinvalidvarcast

Invalid variant operation

sysconst.sinvalidvarop

Threads not supported. Recompile program with thread driver.

sysconst.snothreadsupport

sysconst.smissingwstringmanager

System error, (OS Code %d):

sysconst.soserror

sysconst.soutofmemory

sysconst.soverflow

sysconst.sprivilege

sysconst.srangeerror

sysconst.ssafecallexception

sysconst.siconverror

sysconst.stoomanyopenfiles

sysconst.sunknownruntimeerror

sysconst.sunderflow

An operating system call failed.

sysconst.sunkoserror

sysconst.svararraybounds

sysconst.svararraycreate

sysconst.svarnotarray

Ancestor class for "%s" not found.

rtlconsts.sancestornotfound

Cannot assign a %s to a %s.

rtlconsts.sassignerror

Class "%s" not found

rtlconsts.sclassnotfound

Duplicate name: A component named "%s" already exists

rtlconsts.sduplicatename

rtlconsts.sduplicatestring

rtlconsts.semptystreamillegalreader

rtlconsts.semptystreamillegalwriter

Unable to create file "%s"

rtlconsts.sfcreateerror

Unable to open file "%s"

rtlconsts.sfopenerror

rtlconsts.sinvalidimage

"%s" is not a valid component name

rtlconsts.sinvalidname

rtlconsts.sinvalidpropertypath

rtlconsts.sinvalidpropertyvalue

List capacity (%d) exceeded.

rtlconsts.slistcapacityerror

List count (%d) out of bounds.

rtlconsts.slistcounterror

List index (%d) out of bounds

rtlconsts.slistindexerror

rtlconsts.smemorystreamerror

Error reading %s%s%s: %s

rtlconsts.spropertyexception

rtlconsts.sreaderror

rtlconsts.sreadonlyproperty

Resource "%s" not found

rtlconsts.sresnotfound

%s.Seek not implemented

rtlconsts.sseeknotimplemented

Operation not allowed on sorted list

rtlconsts.ssortedlisterror

Reading from %s is not supported

rtlconsts.sstreamnoreading

Writing to %s is not supported

rtlconsts.sstreamnowriting

Unknown property: "%s"

rtlconsts.sunknownproperty

Unknown property type %d

rtlconsts.sunknownpropertytype

rtlconsts.swriteerror

RegCloseKey

RegCreateKeyExA

RegFlushKey

RegOpenKeyExA

RegQueryInfoKeyA

GetProcessHeap

GetWindowsDirectoryA

ShellExecuteW

oleaut32.dll

0r.lv

.liNN\

Gj.lK

y7u.Sb

Sk.Ch

tNR(%U

)h%u9

{DLF.jd

g%fvh7

&S".oi

-.lGW/z

j_Ko-sBB}

%fKDt

f.Yzh

T;%F&

%$.zf

.Md@j

U\.YW

%fYbJ

p%sFV

n@cX%f l

.dSJH

i.STS

.KYa(

w_.DW

mSghD

D%XV?

,kK0.wN

2.ci0C

!.BXc

.Vh;8

.WKAZ<{

f=%SX^y8S%FLh

.bw.6

%cli,@

l.fQ74

n.EG!

:.RZ\

bX.xK

%SX t

d1% .HS

Q.DJp

p8.Yj/

]B6.GQ

-=O,%F

.ckzVuy

J.HmD

H2.Zx!)

:öN(

.iAFrD

i4.FH

S.nNNW

A%x7:

%U{"f

h.CXH.

)w=.Iz0

VP.FI

[email protected]

W.gh7k

vc)h#%c

.LnX7

K.HKrS

.KNSYN

1%UQ2H

Z.%XK

d.AX9

3eG%d

%S6l#

_<Y.rg

lLT

.OG>(

.oL51

A].RR

H%Dhyu_

p.ET7

0.sa|

GE.Sl

f.ie*

)?%C&

/cR34%s

3%d/lE-

1gXF%C

6<

.jN62Go

.ZBq,9

=w%C:

7!I%s*/

rm%DHb=

#V%Dv

K;KK.WI

%1&$)%U&

'%sH6

[.nB)

.QZdTrH[

&>.Ej

N.ynZ4V

9]s^%Ch

%Xy'I

.qL>Q

sv%dt

A(K%C

yq.cW

%Dm}L

p}Y%U

@W.OYs

v|.WN3f

BR1%S

{m1~|1

h.BH[

,,S.hB

w.kgi

%4U/=

`.GzZ

9eW%x

Nl&%x

;4.Fa

0jt%c

^.be 49

.OR1*

e%Xq*

M%Fr'

%s3nA

y\]

I)=.Ygc

A.vQ

*1.gi

.BG~o

l.jD(

.rj\e

[U"9.Ys%]{

.wdRm.8

$@j%fU)O

.yvFd

w;%SW

.RwYn

uRlt

f,.FOv

&z0%C

uDz,r%x c

o.SA?p

Z!X%D=O

2<.vA

X\z.ZU

e%So!

!&cmd,

P5-m}^

IJ%S|

.ktL_?

%d@"%D

F:.kF

4B.pM

kP^.Wc

X:5%X

YB!Z{.TT

.ua-'

.si`5V

t&.LB

,nO.CV

%F=''

.gVKOY

&QC%U

{.NZJZ@

/.phe

?*.BQ

^.ERZA`

l|[.wv

%u`G[

l.ubNDs

1l.ON

s|B

.KL.wA

^;3.qI<

LT.BB

m.AhC9l

)2.bE

[xp%F

OM%4U

.UG@nx

.NGu]

8.i%d

z~%X$J.

y:%s]

G.Cb5

N%4SQ

!-h}M5

U>?%F

.wbUFv

Ln.Kp'k

wa.bX

Xx34.Zd

.%X"Up)

D.CD$

P.eU6c

"G.zo

~.EN[cg

'}.qh

J1F1H.CY$

d.Xyd4

.kpy@

j .uT

ûE&~

bg*%X

yp4K%x

#.sHhu/

7].fO n

m>,.XT

4.yB,

eSQlp

oJY-

%Xn T

.Jf$U

%u0s~n

C%U&%

^.Bhf

,.Fi"

`nk1.dI

w<F]%c

.fcs\;

[&.ld

[email protected]

*.Ihx

BmsG

|.VXk.

"2.FZy@,

jp51\9%U{A

3/(%D

/~--U%d&

.bb vM:

Es.Vx

/.TM.

.4%DH

p.wu1

G.fH>;

%fgvjN

.iB7UH

1)%sN

*'}|o.KnM

b.JsR[

%CsO,"Y

Z.vda

%DT&j

X.YQ0

.iR2@%

rI%Sy

[a.Up

}ra.EN

GN|.LRmB

XZ%u`

.XYZi

v$>%d!

^_%Sz

.eH8@

6|.Hgm

W=h

|#.hLQT

.wN8yzUo_

3|v%c

6'Ú

S%xP8

.cGjkR

-6}Q;6

]#.wk

kbÜ

G{,%S

ÀZbz

%C}\MboR

J.VTeO

X.xz

SK%Dk

/}a.Qd

.TI$L

.KX}b

%DRo{\

].jsn

) `Dk.Gz

ÈW ]R

bL{\QHo

.Gb q

opoRT

).lPiS

%u&,C

q6!%c

hF<(%s

G\j%d

.EW{*

Z.bf'

D%U|aj

{ (.iI!

>*%sp

%d$l1wX

"a.vj

Q.mV\

l%C!B

KG.gb

:F<V%C

NfTpj*4

]ói

BLT%s[Ls

"1-cN}

J.OUY

.UoDs

`.YV&'

ZT.xK

oN%u(t@

h.Gim

-a

{.Ihr

%sicTn]u

'=.NS

y&.Yc

.iO5'

~DxhuuDP

=O.qD

y^7|

4.rDC

1b%x_

F.uCRw\-

.PblC

.cJe@

ai'ý

{?-B}

@s<.Ib

@W%U\

|G.rX

.kSle#

[email protected]

.TGkwh

[email protected]

xy>%UL

" .Jtt-F

5^.Af

.nAB1N

x %xa

.zmYJN

iS%Uo@

wG.zT

œKr

;T]SqL

,%.CCR2

B[C%dQ

%f:_9

h.Dsd

O.wSQ

%XHFO

 %x=$E,

ts.Zk

.bl?<N

3({6.zik

[email protected]

Q?%f?H

;p.BK

.Pm5e

]%XB#

.NDnC$

I~%.UR5

ga.su

3~.KT

b]%dq

i%Dk4

kET%sMN G

88%U(

KtCPBg;

cMd:"

.hj&k

>-qk}

#HT.nj

.SYmi

3:%F\

i9.Wb

%XtW0

e%Ul!a

-M.HS

%xhfp

fEgm%D=

.zASj

(pJ&.kg

F;T%F

J{.Ry}

i.Bx2NR

\2tB]%f

j.gSj

;?a%d

@'.DZTQ

[`.hq

k8zs.hc:05\

-4V}:

.Lk!d[

-|2.Kr

L#.tz

}|.gG

.noAV

K.OD]

W.QFo

dH.jys

%.sv-

.vWnR

j.Rv\

wXy$=|%D

.Kc{-9

;.St9

;7.Bq

}.bSQ

%uC`r

os.sL

9user32.dll

OLEAUT32.DLL

ADVAPI32.DLL

ActivateKeyboardLayout

GetKeyboardLayoutNameW

EnumWindows

GetKeyboardLayoutList

MapVirtualKeyW

EnumThreadWindows

SetWindowsHookExW

GetKeyNameTextW

GetKeyboardState

UnhookWindowsHookEx

GetCPInfo

RegOpenKeyExW

RegCreateKeyExW

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

77777772.no-ip.org

:\User77777772.no-ip.org

7777777777772.no-ip.org

crypter windows

explorer.exe

Gruexplorer.exe

{J60D5RR8-F76Y-SG35-SOI4-B8KT8RL3P1XJ}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AAA%SERVER%

PTF.ftpserver.com

ftpuser

iexplore.exe_1596:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_1596_rwx_10000000_00A03000:

.itext

`.const

.idata

.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

}.IWI

S.dm6

*>Dqz..Gh

t.Ht2Ht6Ht:Ht>

.%``0/1:

F&{00000000-0000-0000-C000-000000000046}

3This binary has no widestrings support compiled in.

ENoThreadSupport

ENoWideStringSupport

=?&{7B108C52-1D8F-4CDB-9CDF-57E071193D3F}$TMultiReadExclusiveWriteSynchronizer

1234567890

TlxLoaderInternalExportItem

TlxLoaderInternalExportList

&{3FEEC8E1-E400-4A24-BCAC-1F01476439B1}

.Owner

Invalid registry data type: "%s"

registry.sinvalidregtype

Failed to create key: "%s"

registry.sregcreatefailed

Failed to set data for value "%s"

registry.sregsetdatafailed

Failed to get data for value "%s"

registry.sreggetdatafailed

1.1.2

sysconst.sabstracterror

sysconst.saccessdenied

sysconst.saccessviolation

Missing argument in format "%s"

sysconst.sargumentmissing

%s (%s, line %d)

sysconst.sasserterror

sysconst.sassertionfailed

sysconst.sbuserror

sysconst.scontrolc

sysconst.sdiskfull

sysconst.sdispatcherror

sysconst.sdivbyzero

sysconst.sendoffile

External exception %x

sysconst.sexternalexception

sysconst.sfilenotassigned

sysconst.sfilenotfound

sysconst.sfilenotopen

sysconst.sfilenotopenforinput

sysconst.sfilenotopenforoutput

sysconst.sinvalidfilename

sysconst.sintoverflow

Interface not supported

sysconst.sintfcasterror

Invalid argument index in format "%s"

sysconst.sinvalidargindex

sysconst.sinvalidcast

sysconst.sinvaliddrive

sysconst.sinvalidfilehandle

Invalid format specifier : "%s"

sysconst.sinvalidformat

sysconst.sinvalidinput

Invalid floating point operation

sysconst.sinvalidop

Invalid pointer operation

sysconst.sinvalidpointer

sysconst.sinvalidvarcast

Invalid variant operation

sysconst.sinvalidvarop

Threads not supported. Recompile program with thread driver.

sysconst.snothreadsupport

sysconst.smissingwstringmanager

System error, (OS Code %d):

sysconst.soserror

sysconst.soutofmemory

sysconst.soverflow

sysconst.sprivilege

sysconst.srangeerror

sysconst.ssafecallexception

sysconst.siconverror

sysconst.stoomanyopenfiles

sysconst.sunknownruntimeerror

sysconst.sunderflow

An operating system call failed.

sysconst.sunkoserror

sysconst.svararraybounds

sysconst.svararraycreate

sysconst.svarnotarray

Ancestor class for "%s" not found.

rtlconsts.sancestornotfound

Cannot assign a %s to a %s.

rtlconsts.sassignerror

Class "%s" not found

rtlconsts.sclassnotfound

Duplicate name: A component named "%s" already exists

rtlconsts.sduplicatename

rtlconsts.sduplicatestring

rtlconsts.semptystreamillegalreader

rtlconsts.semptystreamillegalwriter

Unable to create file "%s"

rtlconsts.sfcreateerror

Unable to open file "%s"

rtlconsts.sfopenerror

rtlconsts.sinvalidimage

"%s" is not a valid component name

rtlconsts.sinvalidname

rtlconsts.sinvalidpropertypath

rtlconsts.sinvalidpropertyvalue

List capacity (%d) exceeded.

rtlconsts.slistcapacityerror

List count (%d) out of bounds.

rtlconsts.slistcounterror

List index (%d) out of bounds

rtlconsts.slistindexerror

rtlconsts.smemorystreamerror

Error reading %s%s%s: %s

rtlconsts.spropertyexception

rtlconsts.sreaderror

rtlconsts.sreadonlyproperty

Resource "%s" not found

rtlconsts.sresnotfound

%s.Seek not implemented

rtlconsts.sseeknotimplemented

Operation not allowed on sorted list

rtlconsts.ssortedlisterror

Reading from %s is not supported

rtlconsts.sstreamnoreading

Writing to %s is not supported

rtlconsts.sstreamnowriting

Unknown property: "%s"

rtlconsts.sunknownproperty

Unknown property type %d

rtlconsts.sunknownpropertytype

rtlconsts.swriteerror

RegCloseKey

RegCreateKeyExA

RegFlushKey

RegOpenKeyExA

RegQueryInfoKeyA

GetProcessHeap

GetWindowsDirectoryA

ShellExecuteW

oleaut32.dll

0r.lv

.liNN\

Gj.lK

y7u.Sb

Sk.Ch

tNR(%U

)h%u9

{DLF.jd

g%fvh7

&S".oi

-.lGW/z

j_Ko-sBB}

%fKDt

f.Yzh

T;%F&

%$.zf

.Md@j

U\.YW

%fYbJ

p%sFV

n@cX%f l

.dSJH

i.STS

.KYa(

w_.DW

mSghD

D%XV?

,kK0.wN

2.ci0C

!.BXc

.Vh;8

.WKAZ<{

f=%SX^y8S%FLh

.bw.6

%cli,@

l.fQ74

n.EG!

:.RZ\

bX.xK

%SX t

d1% .HS

Q.DJp

p8.Yj/

]B6.GQ

-=O,%F

.ckzVuy

J.HmD

H2.Zx!)

:öN(

.iAFrD

i4.FH

S.nNNW

A%x7:

%U{"f

h.CXH.

)w=.Iz0

VP.FI

[email protected]

W.gh7k

vc)h#%c

.LnX7

K.HKrS

.KNSYN

1%UQ2H

Z.%XK

d.AX9

3eG%d

%S6l#

_<Y.rg

lLT

.OG>(

.oL51

A].RR

H%Dhyu_

p.ET7

0.sa|

GE.Sl

f.ie*

)?%C&

/cR34%s

3%d/lE-

1gXF%C

6<

.jN62Go

.ZBq,9

=w%C:

7!I%s*/

rm%DHb=

#V%Dv

K;KK.WI

%1&$)%U&

'%sH6

[.nB)

.QZdTrH[

&>.Ej

N.ynZ4V

9]s^%Ch

%Xy'I

.qL>Q

sv%dt

A(K%C

yq.cW

%Dm}L

p}Y%U

@W.OYs

v|.WN3f

BR1%S

{m1~|1

h.BH[

,,S.hB

w.kgi

%4U/=

`.GzZ

9eW%x

Nl&%x

;4.Fa

0jt%c

^.be 49

.OR1*

e%Xq*

M%Fr'

%s3nA

y\]

I)=.Ygc

A.vQ

*1.gi

.BG~o

l.jD(

.rj\e

[U"9.Ys%]{

.wdRm.8

$@j%fU)O

.yvFd

w;%SW

.RwYn

uRlt

f,.FOv

&z0%C

uDz,r%x c

o.SA?p

Z!X%D=O

2<.vA

X\z.ZU

e%So!

!&cmd,

P5-m}^

IJ%S|

.ktL_?

%d@"%D

F:.kF

4B.pM

kP^.Wc

X:5%X

YB!Z{.TT

.ua-'

.si`5V

t&.LB

,nO.CV

%F=''

.gVKOY

&QC%U

{.NZJZ@

/.phe

?*.BQ

^.ERZA`

l|[.wv

%u`G[

l.ubNDs

1l.ON

s|B

.KL.wA

^;3.qI<

LT.BB

m.AhC9l

)2.bE

[xp%F

OM%4U

.UG@nx

.NGu]

8.i%d

z~%X$J.

y:%s]

G.Cb5

N%4SQ

!-h}M5

U>?%F

.wbUFv

Ln.Kp'k

wa.bX

Xx34.Zd

.%X"Up)

D.CD$

P.eU6c

"G.zo

~.EN[cg

'}.qh

J1F1H.CY$

d.Xyd4

.kpy@

j .uT

ûE&~

bg*%X

yp4K%x

#.sHhu/

7].fO n

m>,.XT

4.yB,

eSQlp

oJY-

%Xn T

.Jf$U

%u0s~n

C%U&%

^.Bhf

,.Fi"

`nk1.dI

w<F]%c

.fcs\;

[&.ld

[email protected]

*.Ihx

BmsG

|.VXk.

"2.FZy@,

jp51\9%U{A

3/(%D

/~--U%d&

.bb vM:

Es.Vx

/.TM.

.4%DH

p.wu1

G.fH>;

%fgvjN

.iB7UH

1)%sN

*'}|o.KnM

b.JsR[

%CsO,"Y

Z.vda

%DT&j

X.YQ0

.iR2@%

rI%Sy

[a.Up

}ra.EN

GN|.LRmB

XZ%u`

.XYZi

v$>%d!

^_%Sz

.eH8@

6|.Hgm

W=h

|#.hLQT

.wN8yzUo_

3|v%c

6'Ú

S%xP8

.cGjkR

-6}Q;6

]#.wk

kbÜ

G{,%S

ÀZbz

%C}\MboR

J.VTeO

X.xz

SK%Dk

/}a.Qd

.TI$L

.KX}b

%DRo{\

].jsn

) `Dk.Gz

ÈW ]R

bL{\QHo

.Gb q

opoRT

).lPiS

%u&,C

q6!%c

hF<(%s

G\j%d

.EW{*

Z.bf'

D%U|aj

{ (.iI!

>*%sp

%d$l1wX

"a.vj

Q.mV\

l%C!B

KG.gb

:F<V%C

NfTpj*4

]ói

BLT%s[Ls

"1-cN}

J.OUY

.UoDs

`.YV&'

ZT.xK

oN%u(t@

h.Gim

-a

{.Ihr

%sicTn]u

'=.NS

y&.Yc

.iO5'

~DxhuuDP

=O.qD

y^7|

4.rDC

1b%x_

F.uCRw\-

.PblC

.cJe@

ai'ý

{?-B}

@s<.Ib

@W%U\

|G.rX

.kSle#

[email protected]

.TGkwh

[email protected]

xy>%UL

" .Jtt-F

5^.Af

.nAB1N

x %xa

.zmYJN

iS%Uo@

wG.zT

œKr

;T]SqL

,%.CCR2

B[C%dQ

%f:_9

h.Dsd

O.wSQ

%XHFO

 %x=$E,

ts.Zk

.bl?<N

3({6.zik

[email protected]

Q?%f?H

;p.BK

.Pm5e

]%XB#

.NDnC$

I~%.UR5

ga.su

3~.KT

b]%dq

i%Dk4

kET%sMN G

88%U(

KtCPBg;

cMd:"

.hj&k

>-qk}

#HT.nj

.SYmi

3:%F\

i9.Wb

%XtW0

e%Ul!a

-M.HS

%xhfp

fEgm%D=

.zASj

(pJ&.kg

F;T%F

J{.Ry}

i.Bx2NR

\2tB]%f

j.gSj

;?a%d

@'.DZTQ

[`.hq

k8zs.hc:05\

-4V}:

.Lk!d[

-|2.Kr

L#.tz

}|.gG

.noAV

K.OD]

W.QFo

dH.jys

%.sv-

.vWnR

j.Rv\

wXy$=|%D

.Kc{-9

;.St9

;7.Bq

}.bSQ

%uC`r

os.sL

9user32.dll

OLEAUT32.DLL

ADVAPI32.DLL

ActivateKeyboardLayout

GetKeyboardLayoutNameW

EnumWindows

GetKeyboardLayoutList

MapVirtualKeyW

EnumThreadWindows

SetWindowsHookExW

GetKeyNameTextW

GetKeyboardState

UnhookWindowsHookEx

GetCPInfo

RegOpenKeyExW

RegCreateKeyExW

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

77777772.no-ip.org

:\User77777772.no-ip.org

7777777777772.no-ip.org

crypter windows

explorer.exe

Gruexplorer.exe

{J60D5RR8-F76Y-SG35-SOI4-B8KT8RL3P1XJ}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AAA%SERVER%

PTF.ftpserver.com

ftpuser

c:\%original file name%.exe

%Program Files%\Internet Explorer\iexplore.exe

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:752
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%System%\852BRModz Loader.exe.exe (4 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.