Gen.Trojan.Heur.xGWtzYbrfGb_05fa1ccd34
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Trojan.Heur.xGW@tzYbr!fGb (B) (Emsisoft), Gen:Trojan.Heur.xGW@tzYbr!fGb (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 05fa1ccd34a60048c0965cf4a4004ed6
SHA1: 34ed95f8b3babc34378fac55ce5870c44e5b8ef2
SHA256: 347fa276bfd0bb658b4e676859b02f750fe4468f9d6c8d5887d87c8dfa3346e4
SSDeep: 6144:2XMGdFPxk8xkiWAC6KLI1dvfIhU0w3cnBSxWHtilsh SLel:OMQFPxk8WiMA1fI5SxitVwg0
Size: 384512 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: Conduit
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:396
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\conf.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\winsgx.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (731 bytes)
The Trojan deletes the following file(s):
%System%\conf.dll (0 bytes)
Registry activity
The process %original file name%.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 3C 82 86 5B CE 83 AB D5 0F F2 4A 30 E1 71 38"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinsGx" = "%System%\winsgx.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 316880 | 316928 | 4.52926 | 052461116079f287b74183b17341638b |
| DATA | 323584 | 4392 | 4608 | 2.84522 | da4fee5deec71b8210fb51a492af3daf |
| BSS | 331776 | 3113 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 335872 | 8358 | 8704 | 3.41176 | 4855d887873612b9681ef28a76b6b60c |
| .tls | 348160 | 16 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 352256 | 24 | 512 | 0.143426 | 49751d4c0a7712b35705e54f27f83758 |
| .reloc | 356352 | 22196 | 22528 | 4.61957 | 914b51ffca9f6b8f1d2afffcdca2d2f4 |
| .rsrc | 380928 | 58880 | 30208 | 2.91184 | 19d7ef3a0a5b56e77aef2ec5f2371fcf |
URLs
| URL | IP |
|---|---|
| hxxp://www.managerold.kit.net/conf.txt | |
| hxxp://www.managerold.kit.net/index.html | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /conf.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.managerold.kit.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Apache/2.2.15
Location: hXXp://VVV.managerold.kit.net/index.html
Content-Type: text/html; charset=iso-8859-1
Content-Length: 224
Accept-Ranges: bytes
Date: Fri, 24 Oct 2014 10:55:40 GMT
X-Varnish: 1545048005 1545046816
Age: 46
Connection: keep-alive
X-Bip: 1545048005 71 205
Via: 1.1 CachOS
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://VVV.managerold.kit.net/index.html">here</a>.</p>
</body></html>
GET /conf.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.managerold.kit.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Apache/2.2.15
Location: hXXp://VVV.managerold.kit.net/index.html
Content-Type: text/html; charset=iso-8859-1
Content-Length: 224
Accept-Ranges: bytes
Date: Fri, 24 Oct 2014 10:56:10 GMT
X-Varnish: 1545048925 1545046816
Age: 76
Connection: keep-alive
X-Bip: 1545048925 71 205
Via: 1.1 CachOS
GET /conf.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.managerold.kit.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Apache/2.2.15
Location: hXXp://VVV.managerold.kit.net/index.html
Content-Type: text/html; charset=iso-8859-1
Content-Length: 224
Accept-Ranges: bytes
Date: Fri, 24 Oct 2014 10:55:30 GMT
X-Varnish: 1545047728 1545046816
Age: 36
Connection: keep-alive
X-Bip: 1545047728 71 205
Via: 1.1 CachOS
GET /index.html HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.managerold.kit.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache/2.2.15
Last-Modified: Tue, 12 Mar 2013 18:46:03 GMT
ETag: "17c5f00-fef-4d7beb3950b0c"
Content-Type: text/html; charset=UTF-8
Content-Length: 4079
Accept-Ranges: bytes
Date: Fri, 24 Oct 2014 10:55:30 GMT
X-Varnish: 1545047736
Age: 0
Connection: keep-alive
X-Bip: 1545047736 71 205
Via: 1.1 CachOS
<title>Globo.com - Desculpe-nos, página não encontrada</title>
<<< skipped >>>
GET /conf.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.managerold.kit.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Apache/2.2.15
Location: hXXp://VVV.managerold.kit.net/index.html
Content-Type: text/html; charset=iso-8859-1
Content-Length: 224
Accept-Ranges: bytes
Date: Fri, 24 Oct 2014 10:56:00 GMT
X-Varnish: 1545048626 1545046816
Age: 66
Connection: keep-alive
X-Bip: 1545048626 71 205
Via: 1.1 CachOS
GET /conf.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.managerold.kit.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Apache/2.2.15
Location: hXXp://VVV.managerold.kit.net/index.html
Content-Type: text/html; charset=iso-8859-1
Content-Length: 224
Accept-Ranges: bytes
Date: Fri, 24 Oct 2014 10:55:50 GMT
X-Varnish: 1545048241 1545046816
Age: 56
Connection: keep-alive
X-Bip: 1545048241 71 205
Via: 1.1 CachOS
The Trojan connects to the servers at the following location(s):
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword<
crSQLWait
%s (%s)
imm32.dll
AutoHotkeysX
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewL
WindowState
OnKeyDown
OnKeyPress
OnKeyUp
TScreenh%D
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
\winsgx.exe
\Software\Microsoft\Windows\CurrentVersion\Run
\conf.dll
conf.txt
\conf1.dll
hXXp://VVV.managerold.kit.net/conf.txt
hXXp://VVV.managernew.kit.net/conf.txt
1.exe
:\DiskInfo.exe
open=diskinfo.exe
icon=diskinfo.exe,0
:\autorun.inf
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
URLMON.DLL
URLDownloadToFileA
KWindows
UrlMon
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Unsupported clipboard format
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\conf.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\winsgx.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (731 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinsGx" = "%System%\winsgx.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.