Gen.Trojan.Heur.yqNfrXBDD3fib_84e2a5c868

by malwarelabrobot on October 24th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Trojan.Heur.yqNfrXBDD3fib (B) (Emsisoft), Gen:Trojan.Heur.yqNfrXBDD3fib (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 84e2a5c868a21ef62485b0821d43299b
SHA1: 9f4cba723e5be72420894e3bd8664cdc5e9b9aaa
SHA256: ffadbcac7719bca689537fe073ee0f0b2795b9dbc76fa06780161c570f71eca5
SSDeep: 12288:e6Wq4aaE6KwyF5L0Y2D1PqL8ECqpm3c2c:kthEVaPqLfCZs2c
Size: 398740 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Install Manager
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1764
schtasks.exe:1580
at.exe:852

The Trojan injects its code into the following process(es):

svhost.exe:1024

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\commander.exe (1910 bytes)
%WinDir%\svhost.exe (2419 bytes)

The Trojan deletes the following file(s):

%WinDir%\Tasks\SA.DAT (0 bytes)
%WinDir%\Tasks\desktop.ini (0 bytes)

The process schtasks.exe:1580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\At1.job (68 bytes)

Registry activity

The process %original file name%.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE FF 8C 70 07 D0 63 15 68 B7 DB B0 60 35 86 36"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process schtasks.exe:1580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 93 08 A6 BC 2E 9A CD 8D 2A B9 90 C8 4A 48 C9"

The process svhost.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D CD 97 08 C1 3E 57 04 EC 30 9F BB 53 96 D1 1F"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "01 00 00 00"
"SuperHidden" = "01 00 00 00"
"ShowSuperHidden" = "00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The process at.exe:852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 3B B5 6F E2 8C EE 29 F4 D8 0D FC 7F 09 A4 F8"

Dropped PE files

MD5 File path
80edf2a2469d4207202869b461ff857e c:\Documents and Settings.exe
a4d148eeca7b11d3a855e1d09ffe4a19 c:\Perl.exe
be363e88c1e153e8b9981f56e57704ab c:\Program Files.exe
be363e88c1e153e8b9981f56e57704ab c:\RECYCLER.exe
cf2ac9b98c5ac40ebe7a3480e4ab4955 c:\System Volume Information.exe
083d8c6c02193680f47d2a442a437fff c:\WINDOWS.exe
b4e1df0ea982ab5e5f5ddb7daa251ec7 c:\WINDOWS\svhost.exe
c41eda6bc2637ebdf057feb8bbe65e76 c:\WINDOWS\system32\commander.exe
dd948caff593045084c0146b5b5574a6 c:\WINDOWS\system32\svhost.exe
02a374477ee7c51c2d7ba07bcac9cbed c:\WINDOWS\system32\system.exe
6d5ee6c30438c00f01ee091564a57293 c:\startup.exe
083d8c6c02193680f47d2a442a437fff c:\totalcmd.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0    4096             458752        0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1    462848           274432        270848    5.49596  fbbc65106e4f953d7901220acca2fadb
.rsrc   737280           8192          8192      2.87665  73ef0400c84be6b1c080861ae5d18865
.RUPX1  745472           61440         61440     5.35924  ddbfa56ad1481c1ab9b73f7c39dc236a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 120
002c739c88eb7b2fdac0838483b122a9
a29d19869677925a8fbdab5aaa859468
eb9ee68eda27c43307f26ffe6e747058
e85bb9f5fec5d5d8af516d2beb626e1c
e85406750b196b3677f61ce83c03c879
d9a545c4c6086aa5c3b098364239eee4
d251632a8e761561ed2996b05900431b
d02bc9d421e584fe594fde298d78063b
cff4f3f5a8884001e8272dd133e05e07
cf6389533a164f00c29f622fd39be93f
cb8ee96e5b5a0cfcab1bf773ec254371
cb86d391e6a834a78a6eaf940bc1079d
caf47cab135bdc832ed92cd50454a0d5
ca59b86a5837cd11d32b66c8d2d522c8
c67566b3e29cc70777d99048c20f2c6b
c36037396e8c6fa25f6ae38a9f0dbfa5
c5616a732e1fc087379782cd56f8c240
bc31b1a15bfd7bdc061c08645f3dad9e
b5bba6a00c11a7582bf698b51f3e6504
b3192d5998813eb1fa1e8707acdbfb99
b08e7198d91d3ba8ab636ae0c41b1dd7
ab5577f1237ccd0fb498953c9a48d59d
aa11841df4a195597ed01582b0f23f39
a703cd3cfb26d58f25a99e9d488bfccf
a451607ce73d7aedf284b5a427a9c885
a3f4a95aa24a3c6b654c8a1bd2cdff5c

URLs

URL IP
hxxp://11776.BODIS.com/aa.txt
hxxp://www.google.com/adsense/domains/caf.js 74.125.226.20
hxxp://www.google.com/ads/search/module/ads/1.0/9d2d7b647e46871a12c71f1e092a6cde4269fab7/n/domains.js 74.125.226.20
hxxp://11776.BODIS.com/glp?r=&u=http://infikuje.freevnn.com/aa.txt
hxxp://11776.BODIS.com/gzcr?t=ZD1mcmVldm5uLmNvbSZkaT0yMjg2NDgyJmM9MzgmaWE9MCZpdWY9MCZydT1odHRwJTNBJTJGJTJGaW5maWt1amUuZnJlZXZubi5jb20lMkZhYS50eHQmcj0mdT0xMTc3Ng
hxxp://gs1.wac.v2cdn.net/00658E/parking/page-loader.gif
hxxp://infikuje.freevnn.com/glp?r=&u=http://infikuje.freevnn.com/aa.txt 199.59.243.121
hxxp://infikuje.freevnn.com/aa.txt 199.59.243.121
hxxp://wac.658e.edgecastcdn.net/00658E/parking/page-loader.gif 72.21.91.19


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /00658E/parking/page-loader.gif HTTP/1.0
Accept: */*
Referer: hXXp://infikuje.freevnn.com/aa.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: wac.658e.edgecastcdn.net
Connection: Keep-Alive


HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/gif
Date: Thu, 23 Oct 2014 04:11:21 GMT
Etag: "3116423221"
Expires: Thu, 30 Oct 2014 04:11:21 GMT
Last-Modified: Fri, 06 Jun 2014 01:01:06 GMT
Server: ECS (lga/1396)
X-Cache: HIT
Content-Length: 9087
Connection: keep-alive
GIF89a . .......}}}.........UVU............yyy.....................aba
...............uuu,,,...mmm...#"#YYY.........999iii...................
..EEE......333...QQQ......HHHBAB.........===pppfff............]]].....
.............rrr..................///...........................NNN...
...stsnpn......>@>.........FGF............OPOjlj...797`_`<;&l
t;```VWVggg......9;9WVW...............................................
...........................................rqr........................
..................{{{.................................................
....................KKKSSS.........STS...qrq............GGG...{|{xwx..
.777.........................................................???...ccc
.........POP.........CCC..................wxw........................(
'(.........kkk.........!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket b
egin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="a
dobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-
14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02
/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="ht
tp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/m
m/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:C
reatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid
:52B98279E53A11E3A43F9487AE8C5DC7" xmpMM:DocumentID="xmp.did:52B9827AE
53A11E3A43F9487AE8C5DC7"> <xmpMM:DerivedFrom stRef:instanceID="x
mp.iid:52B98277E53A11E3A43F9487AE8C5DC7" stRef:documentID="xmp.did

<<< skipped >>>

GET /ads/search/module/ads/1.0/9d2d7b647e46871a12c71f1e092a6cde4269fab7/n/domains.js HTTP/1.0
Accept: */*
Referer: hXXp://infikuje.freevnn.com/aa.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 23 Oct 2014 04:11:20 GMT
Expires: Fri, 23 Oct 2015 04:11:20 GMT
Cache-Control: public, max-age=31536000
ETag: "m9d2d7b647e46871a12c71f1e092a6cde4269fab7"
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Server: amfe
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.01
(function() {var version_='1.0';var hash_='9d2d7b647e46871a12c71f1e092
a6cde4269fab7';var module_='ads';var packages_='domains';var googleApi
sBase_='//ajax.googleapis.com/ajax';var serviceBase_='//VVV.google.com
/uds';var serviceHost_='VVV.google.com';var k;var aa=this,ba=function(
a){var b=typeof a;if("object"==b)if(a){if(a instanceof Array)return"ar
ray";if(a instanceof Object)return b;var c=Object.prototype.toString.c
all(a);if("[object Window]"==c)return"object";if("[object Array]"==c||
"number"==typeof a.length&&"undefined"!=typeof a.splice&&"undefined"!=
typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))retur
n"array";if("[object Function]"==c||"undefined"!=typeof a.call&&"undef
ined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))
return"function"}else return"null";.else if("function"==b&&"undefined"
==typeof a.call)return"object";return b},ca=function(a){return null!=a
},l=function(a){return"string"==typeof a},da=function(a,b){var c=Array
.prototype.slice.call(arguments,1);return function(){var b=c.slice();b
.push.apply(b,arguments);return a.apply(this,b)}},ea=Date.now||functio
n(){return new Date},fa=function(a,b){function c(){}c.prototype=b.prot
otype;a.Lk=b.prototype;a.prototype=new c;a.prototype.constructor=a;a.K
k=function(a,c,f){return b.prototype[c].apply(a,.Array.prototype.slice
.call(arguments,2))}};var ga=["iPhone OS 5_","iPhone OS 4_","SC-02C Bu
ild/GINGERBREAD"],ha=window.navigator?window.navigator.userAgent:"",ia
=function(){return 0!=ha.indexOf("Opera")&&(-1!=ha.indexOf("MSIE")

<<< skipped >>>

GET /adsense/domains/caf.js HTTP/1.0
Accept: */*
Referer: hXXp://infikuje.freevnn.com/aa.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 23 Oct 2014 04:11:20 GMT
Expires: Thu, 23 Oct 2014 04:11:20 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="f.txt"
Server: amfe
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.01
if(!window['googleNDT_']){window['googleNDT_']=(new Date()).getTime();
}window.googleAltLoader=1;document.write('<script src="//VVV.google
.com/ads/search/module/ads/1.0/9d2d7b647e46871a12c71f1e092a6cde4269fab
7/n/domains.js" type="text/javascript"></script>');..


GET /aa.txt HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: infikuje.freevnn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 02 Aug 2014 11:21:06 GMT
Accept-Ranges: bytes
ETag: "03df8d943aecf1:0"
Server: Microsoft-IIS/7.5
Date: Thu, 23 Oct 2014 04:11:42 GMT
Connection: keep-alive
Content-Length: 1244
<!DOCTYPE html>.<!--[if lt IE 7 ]><html class="ie6">
<![endif]--><!--[if IE 7 ]><html class="ie7"><![e
ndif]--><!--[if IE 8 ]><html class="ie8"><![endif]--
><!--[if IE 9 ]><html class="ie9"><![endif]--><
;!--[if (gt IE 9)|!(IE)]><!--><html><!--<![endif]
-->.<head>. <meta http-equiv="Content-Type" content="text
/html; charset=utf-8">. <title></title>. <meta nam
e="viewport" content="width=device-width, initial-scale=1">. <n
oscript>. <meta HTTP-EQUIV="REFRESH" content="0; url=/Zm9yY2V
TUg">. </noscript>. <script src="hXXp://VVV.google.com/a
dsense/domains/caf.js" type="text/javascript"></script>.</
head>.<body>.<div id="G-B"></div>.<script type
="text/javascript">. if (top.location != location) top.location.hr
ef = window.location.href;. var h = window.location.href.split('?')[0
], d = h.match(/bodisparking\.com\//) ? '&d=' h.substr(h.lastIndexOf
('/') 1).replace(/\?.*/, '') : '', doc = document, r = doc.referrer
? doc.referrer : '', x = 0;. var s = doc.createElement('script');s.ty
pe = 'text/javascript';s.src = '/glp?r=' encodeURIComponent(r) '&u
=' encodeURIComponent(h) d;. doc.getElementsByTagName('body')[0].
appendChild(s);. if(!window['googleNDT_']) window.location.replace('/
Zm9yY2VTUg');.</script>.</body>.</html>
....

<<< skipped >>>

GET /glp?r=&u=http://infikuje.freevnn.com/aa.txt HTTP/1.0

Accept: */*
Referer: hXXp://infikuje.freevnn.com/aa.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: infikuje.freevnn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/javascript
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Server: Microsoft-IIS/7.5
Date: Thu, 23 Oct 2014 04:11:46 GMT
Connection: keep-alive
Content-Length: 1585
$B = {"u":"freevnn.com","d":"Freevnn.com","x":false,"z":"w","s":"C","e
":"0","D":"ZD1mcmVldm5uLmNvbSZkaT0yMjg2NDgyJmM9MzgmaWE9MCZpdWY9MCZydT1
odHRwJTNBJTJGJTJGaW5maWt1amUuZnJlZXZubi5jb20lMkZhYS50eHQmcj0mdT0xMTc3N
g"};(function(){var.F=document,O='',v,M=0,n=0,W=function(P){location.h
ref=P;},Y=function(){var X=navigator.userAgent.toLowerCase();return(X.
indexOf('msie')!=-1)?parseInt(X.split('msie')[1]):false;};if($B.c){if(
n).return;location.href=$B.v;n=1;return;}.O ='<div style="text-alig
n: center;position:absolute;top:0;left:0;bottom:0;right:0;">' '<
div style="height:100%;vertical-align:middle;display:inline-block;">
;</div>' '<div style="vertical-align:middle;display:inline-bl
ock;position:relative;padding:20px 20px 20px 70px;text-align:left;font
-family: Helvetica, arial, sans-serif;border:1px solid #c5c5c5;border-
radius:5px">' '<div style="background:url(\'hXXp://wac.658E.edge
castcdn.net/00658E/parking/page-loader' (Y()<=8?'':'2@') '.gif\') n
o-repeat 0 0;background-size:32px 32px;width:32px;height:32px;position
:absolute;top:25px;left:20px;"></div>' '<div style="font-s
ize:24px;font-weight: 300;">Redirecting to Advertiser</div>'
'<div style="font-size:12px;font-weight: 300;">This will only ta
ke a few seconds. Please wait...</div>' '</div>' '</div
>';F.getElementById('G-B').innerHTML=O;v=F.createElement('script');
v.type='text/javascript';v.src='/gzcr?t=' encodeURIComponent($B.D);v.o
nload=v.onreadystatechange=function(){if(!M&&(!this.readyState||th

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

svhost.exe_1024:

`.rsrc
.RUPX1
s%j.Zf
8crtsu
:crts
crts
GetProcessWindowStation
operator
This is a compiled AutoIt script. AV researchers please email [email protected] for support.
uxtheme.dll
kernel32.dll
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
ICMP.DLL
advapi32.dll
RegDeleteKeyExW
Error text not found (please report)
zcÁ
]DmD%d
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
GetCPInfo
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
RegisterHotKey
GetKeyboardLayoutNameW
ExitWindowsEx
EnumThreadWindows
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
EnumWindows
EnumChildWindows
MapVirtualKeyW
CloseWindowStation
SetProcessWindowStation
OpenWindowStationW
UnregisterHotKey
keybd_event
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
.text
`.rdata
@.data
.rsrc
23$--%"!'
=o:-/s.akw
S.VBr
F%p_SubÆ*
`.rdn
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
MPR.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
USERENV.dll
VERSION.dll
WININET.dll
WINMM.dll
WSOCK32.dll
:0}C%u
ÁTd
m.MeA
LG\%S
%x3Z~
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
>>>AUTOIT NO CMDEXECUTE<<<
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
#NoAutoIt3Execute
APPSKEY
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
%s (%d) : ==> %s:
UDPSTARTUP
UDPSHUTDOWN
UDPSEND
UDPRECV
UDPOPEN
UDPCLOSESOCKET
UDPBIND
TRAYGETMSG
TCPSTARTUP
TCPSHUTDOWN
TCPSEND
TCPRECV
TCPNAMETOIP
TCPLISTEN
TCPCONNECT
TCPCLOSESOCKET
TCPACCEPT
SHELLEXECUTEWAIT
SHELLEXECUTE
REGENUMKEY
MSGBOX
ISKEYWORD
HTTPSETUSERAGENT
HTTPSETPROXY
HOTKEYSET
GUIREGISTERMSG
GUIGETMSG
GUICTRLSENDMSG
GUICTRLRECVMSG
FTPSETPROXY
\??\%s
GUI_RUNDEFMSG
SendKeyDelay
SendKeyDownDelay
TCPTimeout
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AutoIt.Error
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
HOTKEYPRESSED
AUTOITEXE
WINDOWSDIR
3, 3, 8, 1
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
%WinDir%\svhost.exe
:%WinDir%\svhost.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.
>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

svhost.exe_1024_rwx_00401000_000B1000:

s%j.Zf
8crtsu
:crts
crts
GetProcessWindowStation
operator
This is a compiled AutoIt script. AV researchers please email [email protected] for support.
uxtheme.dll
kernel32.dll
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
ICMP.DLL
advapi32.dll
RegDeleteKeyExW
Error text not found (please report)
zcÁ
]DmD%d
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
GetCPInfo
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
RegisterHotKey
GetKeyboardLayoutNameW
ExitWindowsEx
EnumThreadWindows
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
EnumWindows
EnumChildWindows
MapVirtualKeyW
CloseWindowStation
SetProcessWindowStation
OpenWindowStationW
UnregisterHotKey
keybd_event
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
.text
`.rdata
@.data
.rsrc
23$--%"!'
=o:-/s.akw
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
>>>AUTOIT NO CMDEXECUTE<<<
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
#NoAutoIt3Execute
APPSKEY
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
%s (%d) : ==> %s:
UDPSTARTUP
UDPSHUTDOWN
UDPSEND
UDPRECV
UDPOPEN
UDPCLOSESOCKET
UDPBIND
TRAYGETMSG
TCPSTARTUP
TCPSHUTDOWN
TCPSEND
TCPRECV
TCPNAMETOIP
TCPLISTEN
TCPCONNECT
TCPCLOSESOCKET
TCPACCEPT
SHELLEXECUTEWAIT
SHELLEXECUTE
REGENUMKEY
MSGBOX
ISKEYWORD
HTTPSETUSERAGENT
HTTPSETPROXY
HOTKEYSET
GUIREGISTERMSG
GUIGETMSG
GUICTRLSENDMSG
GUICTRLRECVMSG
FTPSETPROXY
\??\%s
GUI_RUNDEFMSG
SendKeyDelay
SendKeyDownDelay
TCPTimeout
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AutoIt.Error
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
HOTKEYPRESSED
AUTOITEXE
WINDOWSDIR
3, 3, 8, 1
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
%WinDir%\svhost.exe
:%WinDir%\svhost.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.
>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1764
    schtasks.exe:1580
    at.exe:852

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\commander.exe (1910 bytes)
    %WinDir%\svhost.exe (2419 bytes)
    %WinDir%\Tasks\At1.job (68 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
