Gen.Variant.Hiloti.2_450999c364
Susp_Dropper (Kaspersky), Gen:Variant.Hiloti.2 (AdAware), Backdoor.Win32.PcClient.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 450999c36485a084aa7dd1b603da875b
SHA1: 89c33e40bede2fb65038f37cc2e2389336de433e
SHA256: 3dc880a6465b9fcb63a1b95da48190210d82a8d8c5e14a3b1307c83f2ed1d382
SSDeep: 12288:Y6JJ/cNFuth3R7qfEH7m8FUBLSMmR9v3oqGXrFGWsLjdkeM6ZvZF:pY6h3cwUBLSMq9v6XoW2VF
Size: 501387 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Cortado AG
Created at: 2009-02-21 21:46:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:860
4IR.exe:276
sc.exe:1836
sc.exe:2012
1EuroP.exe:1752
net1.exe:1920
net1.exe:1940
2E4U - Bucks.exe:336
3IC.exe:644
net.exe:1868
net.exe:1284
rundll32.exe:300
runonce.exe:1200
Rundll32.exe:1084
grpconv.exe:1336
5tbp.exe:1912
The Backdoor injects its code into the following process(es):
b2l0zj6.exe:1924
b2l0zj6.exe:596
rundll32.exe:1548
svchost.exe:1104
spoolsv.exe:1440
Explorer.EXE:1572
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:860 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\4IR.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\3IC.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\tbp.exe (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\2E4U - Bucks.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\1EuroP.exe (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (12280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\5tbp.exe (3616 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\4IR.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\5tbp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\2E4U - Bucks.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\1EuroP.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\tbp.exe (0 bytes)
The process 4IR.exe:276 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\mdinstall.inf (426 bytes)
%Documents and Settings%\%current user%\Application Data\b2l0zj6.exe (55 bytes)
%Documents and Settings%\%current user%\Application Data\MouseDriver.bat (105 bytes)
%Documents and Settings%\%current user%\Application Data\f7lf8ipd.bat (142 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\mdinstall.inf (0 bytes)
The process 1EuroP.exe:1752 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3LIV8TU3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Scv..bat (168 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WHUZ4XAN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MDGIO53K\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UHM52P4D\desktop.ini (67 bytes)
The process 3IC.exe:644 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (1281 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (0 bytes)
The process 5tbp.exe:1912 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\svmgrt.dll (114 bytes)
Registry activity
The process %original file name%.exe:860 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 6D 65 2A 8C FE BE 3B 5A D3 D3 21 0D 4F D4 31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp\1EuroP.exe,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp]
"1EuroP.exe" = "SysSund setup"
"tbp.exe" = "Systray .exe stub"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp]
"5tbp.exe" = "PC/SC Driver for Reflex USB V3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp]
"3IC.exe" = "3IC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp]
"2E4U - Bucks.exe" = "Creative"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp]
"4IR.exe" = "4IR"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process 4IR.exe:276 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\tgs90gv74r]
"tgs90gv74rpath" = "%Documents and Settings%\%current user%\Application Data\"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\tgs90gv74r]
"tgs90gv74rexepath" = "%Documents and Settings%\%current user%\Application Data\b2l0zj6.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E DA 50 AF 77 FE 92 C3 38 DB C9 C2 34 3E 14 5C"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\4IR\DEBUG]
"Trace Level" = ""
To run itself automatically each time Windows boots, the Backdoor adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scfpwb" = "%Documents and Settings%\%current user%\Application Data\b2l0zj6.exe"
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\4IR\DEBUG]
"Trace Level"
The process sc.exe:1836 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 79 D0 50 BF 3E FA 0F EA 4D B9 83 8B 6F FA AB"
The process sc.exe:2012 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA DC DD DB CA 76 ED 08 F6 5C 10 0C 43 69 6F 64"
The process 1EuroP.exe:1752 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\]
"1806" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A D0 A7 2B C5 B3 D7 8F BE E2 16 3E 60 25 9C E0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE security zone settings to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process net1.exe:1920 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 0F E5 B0 CD 14 FB 00 12 FF 1A 37 DA C6 E0 A3"
The process net1.exe:1940 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 02 81 89 F3 7A FB 7D 73 0C 7C 5C C3 25 16 80"
The process 2E4U - Bucks.exe:336 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E D8 9B CA AB C3 F4 00 6B C4 22 B4 EE 9E F6 9A"
The process 3IC.exe:644 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 E6 1A 2E 24 E1 0B 21 97 98 D9 CA D4 E8 02 ED"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7.tmp,"
The process b2l0zj6.exe:1924 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\b2l0zj6\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 E6 59 E0 27 9B CA 0C 5F 96 94 83 5B F8 FB D9"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\b2l0zj6\DEBUG]
"Trace Level"
The process b2l0zj6.exe:596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 26 18 20 F7 E1 47 58 84 2A 8A 1C DC D2 8B B3"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Backdoor modifies IE security zone settings to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process net.exe:1868 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 AD 7C E1 0E BF DF A1 AB 8B E3 64 F1 BF BD 37"
The process net.exe:1284 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 FB FB 91 10 CD C7 63 DD 21 49 DC 9B 7B 89 ED"
The process rundll32.exe:300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 21 8F 58 BC 62 DB C2 8E 76 72 4B EC 55 F0 DE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process rundll32.exe:1548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 2B 4D 22 89 AF 0A 3B 6A 6B 76 16 95 22 0A 69"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "192"
To run itself automatically each time Windows boots, the Backdoor adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\svmgrt.dll,Startup"
The process runonce.exe:1200 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 AF 0E 06 9F 69 62 4E 0E A2 87 21 3C 20 10 F0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"grpconv.exe" = "Windows Progman Group Converter"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings to map all local web nodes with no dots in their names that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
This is runonce.exe consuming a RunOnce entry, which Windows removes after it has been executed once; it does not mean the malware is disabling anything.
The process Rundll32.exe:1084 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 72 6F D3 5F B5 61 3B FC 85 B5 B3 AC 5B 8E 7B"
The Backdoor adds the following value to the RunOnce key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
RunOnce entries execute a single time at the next logon and are then removed, so this is not a per-boot autorun. "GrpConv" = "grpconv -o" is the standard Windows Program Group Converter entry that Windows setup components write (typically after rundll32 processes an INF through setupapi); here it is a side effect of the Rundll32.exe activity, not the malware's persistence. The persistence entries are the Run values for b2l0zj6.exe and svmgrt.dll listed under manual removal.
The process grpconv.exe:1336 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 39 C4 01 3D DD FE 78 3C 59 04 86 13 42 D2 A7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.grp]
"(Default)" = "MSProgramGroup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The process 5tbp.exe:1912 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 3A 0F 90 F7 05 16 A5 20 EC DB 68 B7 39 A7 CA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Ydapup" = "35 01 33 03 34 05 34 07 3D 09 4F 0B 3E 0D 3B 0F"
Dropped PE files
| MD5 | File path |
|---|---|
| 25dc18797540da3ddd151c9d5fdd80ef | c:\Documents and Settings\"%CurrentUserName%"\Application Data\b2l0zj6.exe |
| 1ea2371df3f4804d820e70863931e3f7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7.tmp |
| 59c5f115d7d4b8a68247943c9279036e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\5tbp.exe |
| f571da9338883f8857ab020f02e40d68 | c:\WINDOWS\svmgrt.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "UNKNOWN" (the sandbox did not resolve its path) the Backdoor registers a load-image notify routine (PsSetLoadImageNotifyRoutine), so it is called back every time an executable image is mapped into any process and can act on it.
Using the driver ROOTKITPATH the Backdoor hooks DriverStartIo of the hard-disk controller miniport (atapi.sys), placing itself below the file system and volume drivers so that requests touching its own on-disk storage can be filtered before they reach the disk; this is why the files are invisible to tools that read through the normal driver stack:
StartIo
The file names in the spoolsv.exe and svchost.exe string dumps below (cfg.ini, bckfg.tmp, cmd.dll, cmd64.dll, ldr16, ldr32, ldr64, drv32, drv64 under \\?\globalroot\device\...) are the layout of the hidden encrypted storage used by the TDL4 (TDSS) bootkit; inspecting the disk from outside the infected system (offline or from clean boot media) is the reliable way to confirm or remove it.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23458 | 23552 | 4.5133 | 2cec663f64ef38694dc96bb9f9cb766d |
| .rdata | 28672 | 4496 | 4608 | 3.58909 | db16645055619c0cc73276ff5c3adb75 |
| .data | 36864 | 3774424 | 1024 | 3.26654 | b9d0aa986d9e766521436f5ad38cd7c5 |
| .ndata | 3813376 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 3846144 | 1736 | 2048 | 2.01899 | 2f2678dd9e97ae3fdffce33f180dbf60 |
The .ndata section (raw size 0) is the name the NSIS (Nullsoft Scriptable Install System) stub uses for its uninitialised data, and the nss3.tmp drop directory matches the ns*.tmp folder NSIS extracts into, so the outer file is an NSIS installer that unpacks the numbered droppers (1EuroP.exe, 2E4U - Bucks.exe, 3IC.exe, 4IR.exe, 5tbp.exe). The low section entropies (all under 4.6) show the stub code itself is not compressed; the compressed payload sits outside the listed sections, in the overlay after .rsrc, which is where to carve the embedded executables from.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 70
13ab683047580206713a0f19ebe0427e
709c892167fce654126edb577421be29
1dc8f3bb2a983d7137276a217b4d705b
0f339065053ebd425e75b23558963750
ca5d6a20d387eb2e49389f6a39636da9
8a2f117c3e780d2a0ee0aefc9602d738
14e473d02dd6b3107715a02a70cfc4ca
a51b0e4d59528d3c37c089b3920aefe1
2f92f621850cf288ff8a61cc0a7e1034
0092c82b8f71c849b1799747344a0013
848bd0a9a22e7e72609328d19e9ac880
273bae01660db7dac324f798d2c8812b
e612517c3e59b53ffb829dab9699a8f7
5853e9ba1c8d75393dcef359471d5a9e
90eeaf37ac1ec866ddf48f1f56edf745
65b18506a33d72ec059fb281acf7f87e
485f7cc7b007342caccad569a8eb6b44
8dd7ebf5a62c9e827a47347570e45811
e3f9c53041e0b03574cfab09dd2f52b0
ba09f806f9384606a5ec869cdbef26c1
a4693a1a63e0cae305d6a79b8002d2b4
a9b71e2f32432de14c3f7e1530879405
4f2e8b6f0c728f22967588e577676720
595e8956b75d14122085caba1c9f87c1
599238d7063cbebdf1dc113390f8caab
URLs
| URL | IP |
|---|---|
| hxxp://rooftopjam.in/?ini=v22MyzzjT4KjWDNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7ZlDeAiBMF4XAHPzbYiRtufQpKX/NvtsuO7olw== |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Long Fake wget 3.0 User-Agent Detected
ET TROJAN Artro Downloader User-Agent Detected
Traffic
The Backdoor connects to the servers at the following location(s):
The report lists no server locations under this heading. What follows are strings recovered from the process memory regions named below (process_pid_rwx_base_size), beginning with an unlabelled block whose rundll32.pdb and RUNDLL.EXE strings identify it as the rundll32.exe image.
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
rundll32.exe_1548_rwx_00970000_00010000:
4%9sVh
rundll32.exe_1548_rwx_10000000_00001000:
.text
`.data
.reloc
b2l0zj6.exe_1924:
`.rsrc
SHDocVwCtl.WebBrowser
VB5!6&vb6chs.dll
shdocvw.dll
WebBrowser
shell32.dll
psapi.dll
%System%\shdocvw.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
shlwapi.dll
VBA6.DLL
advapi32.dll
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
InternetOpenUrlA
wininet.dll
HttpQueryInfoA
netapi32.dll
kernel32.dll
GetProcessHeap
IPHLPAPI.DLL
GetExtendedTcpTable
SetTcpEntry
%System%\msvbvm60.dll\3
fURLdaxT072GKc13EQKtCYwJC
.text
`.data
.rsrc
KERNEL32.DLL
MSVBVM60.DLL
USER32.DLL
ADVAPI32.DLL
WININET.DLL
DataExecutionPrevention_SupportPolicy
1.01.0001
o6j4nsN96zLHi8bjeswDdfq2vUn9Yuob.exe
b2l0zj6.exe_1924_rwx_00401000_0002C000:
SHDocVwCtl.WebBrowser
VB5!6&vb6chs.dll
shdocvw.dll
WebBrowser
shell32.dll
psapi.dll
%System%\shdocvw.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
shlwapi.dll
VBA6.DLL
advapi32.dll
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
InternetOpenUrlA
wininet.dll
HttpQueryInfoA
netapi32.dll
kernel32.dll
GetProcessHeap
IPHLPAPI.DLL
GetExtendedTcpTable
SetTcpEntry
%System%\msvbvm60.dll\3
fURLdaxT072GKc13EQKtCYwJC
.text
`.data
.rsrc
USER32.DLL
KERNEL32.DLL
ADVAPI32.DLL
WININET.DLL
DataExecutionPrevention_SupportPolicy
b2l0zj6.exe_596:
(same string set as b2l0zj6.exe_1924 above; not repeated)
b2l0zj6.exe_596_rwx_00401000_0002C000:
(same string set as b2l0zj6.exe_1924_rwx_00401000_0002C000 above; not repeated)
svchost.exe_1104_rwx_01CB0000_0001A000:
Fmsvcrt.dll
%d %d %d %d %d %d
hXXps://
hXXp://
.com/
Global\C3819288-93FA-4E29-A254-BD9476B53C20
cfg.ini
%s\%s
bckfg.tmp
lsflt7.ver
0;225;224;77;38;56;16;74;75
maxhttpredirects
software\microsoft\windows\currentversion\internet settings
enablehttp1_1
software\microsoft\windows\currentversion\internet settings\zones\3
{AEBA21FA-782A-4A90-978D-B72164C80120}{A8A88C49-5EB2-4990-A1A2-0876022C854F}Opera\Opera\operaprefs.ini
\profile\operaprefs.ini
\prefs.js
network.cookie.cookieBehavior
Mozilla\Firefox\Profiles\
/login/;/tweet/;action=embed-flash;/faq/;/terms/;/contact/;/Forgotpassword/
hXXp://%s/?xurl=%s&xref=%s
ole32.dll
winmm.dll
atl.dll
oleaut32.dll
clk=%s&bid=%s&aid=%s&sid=%s&rd=%s
n%D,3
Global\6C29A0C8-62C6-415C-9538-B87690BC58D2
lsash.xp
%d|%d|%s|%s
cmd.dll
cmd64.dll
setup.exe
%u|%s
%s=%u|%s
%[^.].%[^(](%[^)])
command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s
masks|%s
hXXp://NO REF/
.softgeek.
%s#%s
url|%s%s|
%s.dll
kernel32.dll
12345678
0123456789
.text
.rdata
HTTP/1.1 302 Found
Location: %s
HTTP/1.1 200 OK
Content-Length: %d
%sConnection: close
<body><a id=link target=_top></body><script>var url='%s';try{var x=document.getElementById('link');x.href=url;x.click()}catch(e){try{var x=parent?parent:window;x.location.replace(url)}catch(e){}}</script><noscript><META http-equiv="refresh" content="0;URL='%s'"></noscript><iframe src='%s' style='visibility:hidden;'></iframe>
<script>history.back()</script>
Set-Cookie: %s; expires=%s, u-%s-u u:u:u GMT
urlmon.dll
Global\56684A82-D074-4384-AEB9-D1A40041D9FB
chrome
wermgr.exe
-queuereporting_svc
firefox
opera
svchost.exe
ping.exe
127.0.0.1 -t
Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145
Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9
Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
Global\cc51461b-e32a-4883-8e97-e0706dc65415
keywords
Accept-Language: %s
%s hXXp://%s/?xurl=%s&xref=%s
%s %s
1.8|%s|%s|%s|%s|%s|%s
software\classes\http\shell\open\command
<>:"/\|?*
%s-%s
. d SP.%s
google;yahoo;bing.;live.com;msn.com;altavista.com;ask.com;exalead.com;excite.com;dogpile.com;metacrawler.com;webcrawler.com;alltheweb.com;.lycos.;gigablast.com;cuil.com;.aol.;entireweb.com;.search.com;mamma.com;mytalkingbuddy.com;about.com;conduit.com;alexa.com;alltheinternet.com;blinkx.com;aolcdn.com;othersonline.com;everesttech.net;adrevolver.com;tribalfusion.com;adbureau.net;abmr.net;gstatic.com;virtualearth.net;atdmt.com;ivwbox.;powerset.net;yimg.com;2mdn.net;doubleclick.net;iwon.com;scorecardresearch.com;66.235.120.66;66.235.120.67;ytimg.com;infospace.com;edgesuite.net;superpages.com;lygo.com;compete.com;firmserve.com;worthathousandwords.com;yieldmanager.com;wazizu.com;meedea.com;atwola.com;doubleverify.com;tacoda.net;truveo.com;openx.org;adcertising.com;twimg.com;picsearch.com;oneriot.com;.com.com;flickr.com;searchvideo.com;.tqn.com;myspacecdn.com;fimservecdn.com;alexametrics.com
%u|%u
ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s
hXXp://%s%s
VVV.google.
search.yahoo.com
.altavista.com
/web/results
.ask.com
VVV.exalead.com
/search/web/results
VVV.alltheweb.com
search.lycos.
tab=web
gigablast.com
cuil.com
.aol.
entireweb.com
md=web
VVV.search.com
VVV.mamma.com
mytalkingbuddy.com
searchservice.myspace.com
type=web
search.conduit.com
search.toolbars.alexa.com
alltheinternet.com
/ws/results/web/
?xurl=
http/1.
mozilla
windowsupdate
3459942235
1471282206
\\?\globalroot\device\00000bd2\60415a8a\lsash.xp
%WinDir%\System32\svchost.exe
\\?\globalroot\device\00000bd2\60415a8a
\\?\globalroot\device\00000bd2\60415a8a\cfg.ini
WinExec
SHEnumKeyExA
ExitWindowsEx
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoW
InternetCrackUrlA
`.rdata
@.data
.reloc
b=R.aE
]TCpP
KERNEL32.DLL
ADVAPI32.dll
imagehlp.dll
ntdll.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WebBrowser
127.0.0.1
.google.
%s-%d
eplorer\iexplore.exe" -nohome
spoolsv.exe_1440_rwx_00F40000_00028000:
.text
`.rdata
@.data
.config
.reloc
t%SSS
N. d SP.
%x%x%x%x%x%x
%s|%s|%s|%x|%x|%s|%x|%x|prn15
%[^;];%[^;];%[^;];
kernel32.dll
ntdll.dll
\\?\globalroot\systemroot\system32\kernel32.dll
%s\cfg.ini
%s\config.ini
%s\drv32
cmd.dll
%s\bckfg.tmp
%s\cmd.dll
%s\cmd64.dll
%[^|]|%[^|]|%s
system\currentcontrolset\services\%x
\\?\globalroot%s\cmd.dll
\\?\globalroot%s\cfg.ini
\\?\globalroot%s\bckfg.tmp
%d.%d.%d %d:%d:%d
\\?\globalroot%s\ldr16
\\?\globalroot%s\ldr32
\\?\globalroot%s\ldr64
\\?\globalroot%s\drv64
\\?\globalroot%s\cmd64.dll
cmd64.dll
\\?\globalroot%s\drv32
\\?\globalroot\systemroot\system32\kdcom.dll
\\?\globalroot\systemroot\system32\hal.dll
\\?\globalroot\systemroot\system32\ntoskrnl.exe
\\?\globalroot\systemroot\system32\drivers\etc\hosts
aid=%s
sid=%s
installdate=%s
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=%s
wsrv=%s
psrv=%s
cfg.ini
bckfg.tmp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>
ZwConnectPort
spoolsv.exe
GetWindowsDirectoryW
KERNEL32.dll
RegCreateKeyA
RegCloseKey
ADVAPI32.dll
SHDeleteKeyA
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
RPCRT4.dll
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
ShellExecuteW
SHELL32.dll
ole32.dll
WINSPOOL.DRV
.pnLu
`.reloc
kdcom.dll
ntoskrnl.exe
`.pdata
\{x-x-x-x-xx}\registry\machine\%S
\??\physicaldrive%d
services.exe
\??\globalroot\systemroot\system32\tasks\%x
\\?\globalroot%s
%s.manifest
%s\setup%u.exe
r\\?\globalroot%s
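The format strings in this spoolsv.exe region show how the component locates and reads its hidden storage: a directory under \\?\globalroot\device\<hex>\<hex> holding cfg.ini, bckfg.tmp, cmd.dll/cmd64.dll and the ldr16/ldr32/ldr64 and drv32/drv64 components, and an INI file carrying aid, sid, installdate, a process-to-module map (*=cmd.dll, * (x64)=cmd64.dll) and a [cmd] section with srv, wsrv and psrv server lists. The Python below, added here and not taken from the report or from the malware, pulls those paths out of a strings dump and parses a cfg.ini of that shape. The cfg.ini text is constructed; the [main] and [inject] section names, the ';' list separator (the dump's other lists are ';'-separated) and the glob matching rules are assumptions, and the date follows the %d.%d.%d %d:%d:%d string seen in the dump.

```python
"""Recover the hidden-storage layout and the cfg.ini settings referenced by the
spoolsv.exe / svchost.exe format strings. Added example, not from the report or the
malware; the cfg.ini text is constructed and assumptions are marked."""
import re
from fnmatch import fnmatch

# \\?\globalroot\device\<hex>\<hex>[\<file>] as seen in the svchost.exe dump.
HIDDEN_FS_RE = re.compile(r"\\\\\?\\globalroot\\device\\([0-9a-f]+)\\([0-9a-f]+)(?:\\([^\\\s]+))?", re.I)
# Names the spoolsv.exe format strings place under that directory.
EXPECTED_FILES = {"cfg.ini", "bckfg.tmp", "cmd.dll", "cmd64.dll", "ldr16", "ldr32", "ldr64", "drv32", "drv64"}

# Constructed strings input (three of the lines are the dump's own paths).
SAMPLE_STRINGS = [
    r"\\?\globalroot\device\00000bd2\60415a8a\lsash.xp",
    r"%WinDir%\System32\svchost.exe",
    r"\\?\globalroot\device\00000bd2\60415a8a",
    r"\\?\globalroot\device\00000bd2\60415a8a\cfg.ini",
]

# Constructed cfg.ini. Assumptions: [main]/[inject] section names, ';' as list separator
# and the %d.%d.%d %d:%d:%d date format from the dump; .example hosts are placeholders.
SAMPLE_CFG_INI = """\
[main]
aid=30000
sid=0
installdate=13.2.2013 10:0:1
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=http://c2-a.example/;http://c2-b.example/
wsrv=http://search-a.example/
psrv=http://click-a.example/
"""

def hidden_fs_paths(strings):
    """Map each globalroot\\device directory to the file names referenced under it."""
    found = {}
    for s in strings:
        for m in HIDDEN_FS_RE.finditer(s):
            d = "\\\\?\\globalroot\\device\\%s\\%s" % (m.group(1).lower(), m.group(2).lower())
            files = found.setdefault(d, set())
            if m.group(3):
                files.add(m.group(3).lower())
    return found

def unexpected_files(found):
    """Names that are not part of the standard layout (e.g. lsash.xp from the dump)."""
    return {d: sorted(f - EXPECTED_FILES) for d, f in found.items()}

def parse_cfg_ini(text):
    """Minimal INI reader: {section: {key: value}}; keys before any [section] land in ''."""
    cfg, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            cfg.setdefault(section, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            cfg[section][key.strip()] = value.strip()
    return cfg

def command_servers(cfg):
    """srv / wsrv / psrv lists from [cmd], split on ';' (assumption, see above)."""
    cmd = cfg.get("cmd", {})
    return {k: [u for u in cmd.get(k, "").split(";") if u] for k in ("srv", "wsrv", "psrv")}

def inject_module_for(cfg, process_name, is_64bit, section="inject"):
    """Choose the module for a process: keys are name globs, a ' (x64)' suffix marks 64-bit
    entries, and an exact name beats the '*' catch-all (matching rules are an assumption)."""
    best = None
    for key, module in cfg.get(section, {}).items():
        pattern, _, suffix = key.partition(" (")
        if (suffix.rstrip(")").lower() == "x64") != is_64bit:
            continue
        pattern = pattern.strip().lower()
        if fnmatch(process_name.lower(), pattern) and (best is None or best[0] == "*"):
            best = (pattern, module)
    return best[1] if best else None

if __name__ == "__main__":
    fs = hidden_fs_paths(SAMPLE_STRINGS)
    for d, files in fs.items():
        print(d, sorted(files), "unexpected:", unexpected_files(fs)[d])
    cfg = parse_cfg_ini(SAMPLE_CFG_INI)
    print(command_servers(cfg))
    print(inject_module_for(cfg, "iexplore.exe", False), inject_module_for(cfg, "explorer.exe", True))
```

Feed it the output of `strings` over a memory dump of the injected svchost.exe or spoolsv.exe process; a real cfg.ini can only be read after the hidden storage has been decrypted and carved from the end of the disk, which is outside the scope of this example.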
spoolsv.exe_1440_rwx_01370000_00048000:
.itext
.rdata
.rsrc
@.reloc
BaPXp283.exe
X:\rdPwbw\QIbafS\WUaokvXE\VEath.pdb
xkYvkeYZ EKQIaNRerewjwjbogYlylyqdvxPhUmerewlYqIvizmzrb gTgtqDqd
SetViewportExtEx
GDI32.dll
COMCTL32.dll
KERNEL32.dll
GetKeyState
MapVirtualKeyExA
EnumThreadWindows
USER32.dll
MSVCRT.dll
SHLWAPI.dll
2%2C2H2N2k2y2~2
T:\test.exe sys
Explorer.EXE_1572_rwx_00FF0000_0000A000:
ver76%scgkfzdywr.php?adv=
SafariChromeFiref
http.
?evdxsql6gqxg
p1pi.dllGdd
urlmN
PSShX4
.exeu]
%scgkfzdywr.php?adv=adv401&code1=%s&code2=%s&id=%d&p=%s&b=%s&c=%d
Chrome
Firefox
Opera
%sfpcf.exe
%sndhpjrck.php?adv=adv401&id=%d&c=%d
%smsmfuu.exe
%ssgnicbidbj.php?adv=adv401&id=%d&c=%d
%sbkfj.exe
%srhlxrztbz.php?adv=adv401&id=%d&c=%d
%sywowu.exe
%snezgbiub.php?adv=adv401&id=%d&c=%d
%srjjpwxgp.exe
%sevdxsql.php?adv=adv401&id=%d&c=%d
%sqxghu.exe
%sxxszuc.php?adv=adv401&id=%d&c=%d
%sivotm.exe
%syptgomubw.php?adv=adv401&id=%d&c=%d
%sjaognl.exe
%syckrzu.php?adv=adv401&id=%d&c=%d
%svjbf.exe
%sluckrmksmy.php?adv=adv401&id=%d&c=%d
%svpywo.exe
%sxofmhs.php?adv=adv401&id=%d&c=%d
%syyaik.exe
%saeztbmubn.php?adv=adv401&id=%d&c=%d
%sznucw.php?adv=adv401&id=%d&c=%d
hXXp://baonsale.com/heiqks/
hXXp://aacartel.com/heiqks/
psapi.dll
ddraw.dll
urlmon.dll
shell32.dll
kernel32.dll
user32.dll
wininet.dll
ntdll.dll
\svchost.exe
explorer.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp\2E4U - Bucks.exe
ShellExecuteExA
InternetOpenUrlA
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
DDRAW.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
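The svchost.exe region above is the search-redirect and click-reporting module: it matches requests against the ';'-separated search-engine list, sends the browser through hXXp://<server>/?xurl=<original url>&xref=<referer>, reports with clk=...&bid=...&aid=...&sid=...&rd=... (or the ver=... variant), and answers with either an HTTP 302, a page that auto-clicks a hidden link (falling back to a meta refresh and a hidden iframe), or a bare history.back() page. The Explorer.EXE region is the downloader: it requests <name>.php?adv=adv401&id=...&c=... under /heiqks/ on baonsale.com and aacartel.com and drops the paired <name>.exe files. The Python below, added here and not part of the report, turns those fixed pieces into proxy-log and HTTP-body checks. The proxy-log format, the hosts ending in .example and the filled-in sample page are constructed; the query shapes, page template and report hosts come from the dumps.

```python
"""Detection helpers for the HTTP side of this sample. Added example, not part of the
Lavasoft report; the proxy-log format and the .example hosts are constructed. The
query-string shapes, the page template and the report hosts come from the dumps."""
from urllib.parse import urlsplit, parse_qs

# Hosts from the report's URL table and the Explorer.EXE dump (defanged there as hXXp://).
REPORT_HOSTS = {"rooftopjam.in", "baonsale.com", "aacartel.com"}

# Leading entries of the search-engine list in the svchost.exe dump.
HIJACKED_ENGINES = ("google", "yahoo", "bing.", "live.com", "msn.com", "ask.com")

# Fixed fragments of the printf-built redirect page; the %s slots are skipped.
REDIRECT_PAGE_MARKERS = ("<a id=link target=_top>", "x.click()", "style='visibility:hidden;'")
HISTORY_BACK_PAGE = "<script>history.back()</script>"

# Constructed proxy log: timestamp, client, method, URL.
SAMPLE_PROXY_LOG = """\
2013-02-13T10:00:01Z 10.0.0.5 GET http://www.google.com/search?q=antivirus
2013-02-13T10:00:02Z 10.0.0.5 GET http://redir.example/?xurl=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dantivirus&xref=http%3A%2F%2Fwww.google.com%2F
2013-02-13T10:00:03Z 10.0.0.5 GET http://baonsale.com/heiqks/ndhpjrck.php?adv=adv401&id=17&c=3
2013-02-13T10:00:04Z 10.0.0.5 GET http://stats.example/?clk=1&bid=2&aid=30000&sid=0&rd=0
2013-02-13T10:00:05Z 10.0.0.5 GET http://www.example.org/index.html
"""

# The redirect template from the svchost.exe dump with its three %s filled with one constructed URL.
_TARGET = "http://redir.example/?xurl=x&xref=y"
SAMPLE_INJECTED_PAGE = (
    "<body><a id=link target=_top></body><script>var url='" + _TARGET + "';"
    "try{var x=document.getElementById('link');x.href=url;x.click()}"
    "catch(e){try{var x=parent?parent:window;x.location.replace(url)}catch(e){}}</script>"
    "<noscript><META http-equiv=\"refresh\" content=\"0;URL='" + _TARGET + "'\"></noscript>"
    "<iframe src='" + _TARGET + "' style='visibility:hidden;'></iframe>"
)

def classify_url(url):
    """Return the set of tags that match the URL (empty set = nothing of interest)."""
    tags = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    q = parse_qs(parts.query, keep_blank_values=True)
    if host in REPORT_HOSTS:
        tags.add("report-host")
    if "xurl" in q and "xref" in q:            # hXXp://%s/?xurl=%s&xref=%s
        tags.add("xurl-redirect")
        inner = (q["xurl"][0] + " " + q["xref"][0]).lower()
        if any(e in inner for e in HIJACKED_ENGINES):
            tags.add("search-hijack")
    if q.get("adv") == ["adv401"] and "id" in q and "c" in q and parts.path.endswith(".php"):
        tags.add("adv401-beacon")               # %s<name>.php?adv=adv401&id=%d&c=%d
    if {"bid", "aid", "sid", "rd"}.issubset(q) and ("clk" in q or "ver" in q):
        tags.add("click-report")                # clk=%s&bid=... / ver=%s&bid=...
    return tags

def scan_proxy_log(text):
    """Return (timestamp, url, sorted tags) for each log line that matches something."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        tags = classify_url(fields[3])
        if tags:
            hits.append((fields[0], fields[3], sorted(tags)))
    return hits

def is_injected_redirect_page(body):
    """True for the auto-click redirect page or the bare history.back() page the module serves."""
    if body.strip() == HISTORY_BACK_PAGE:
        return True
    return all(marker in body for marker in REDIRECT_PAGE_MARKERS)

if __name__ == "__main__":
    for ts, url, tags in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(ts, ",".join(tags), url)
    print("injected page:", is_injected_redirect_page(SAMPLE_INJECTED_PAGE))
```

The redirect server name is a printf argument in the dump, so the URL check keys on the xurl/xref parameter pair rather than on a host; the page check keys on the fixed markup around the printf slots for the same reason. Both will also match any successor of this family that kept the templates.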
Explorer.EXE_1572_rwx_01E20000_00001000:
.text
`.data
.reloc
Explorer.EXE_1572_rwx_01EA0000_00010000:
4%9sVh
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:860
4IR.exe:276
sc.exe:1836
sc.exe:2012
1EuroP.exe:1752
net1.exe:1920
net1.exe:1940
2E4U - Bucks.exe:336
3IC.exe:644
net.exe:1868
net.exe:1284
rundll32.exe:300
runonce.exe:1200
Rundll32.exe:1084
grpconv.exe:1336
5tbp.exe:1912
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\4IR.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\3IC.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\tbp.exe (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\2E4U - Bucks.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\1EuroP.exe (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (12280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\5tbp.exe (3616 bytes)
%Documents and Settings%\%current user%\Application Data\mdinstall.inf (426 bytes)
%Documents and Settings%\%current user%\Application Data\b2l0zj6.exe (55 bytes)
%Documents and Settings%\%current user%\Application Data\MouseDriver.bat (105 bytes)
%Documents and Settings%\%current user%\Application Data\f7lf8ipd.bat (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3LIV8TU3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Scv..bat (168 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WHUZ4XAN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MDGIO53K\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UHM52P4D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (1281 bytes)
%WinDir%\svmgrt.dll (114 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scfpwb" = "%Documents and Settings%\%current user%\Application Data\b2l0zj6.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\svmgrt.dll,Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
(this RunOnce value is the standard Windows Program Group Converter entry and runs only once; removing it is harmless, but the two Run values above are the actual persistence)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
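To check a host against the registry findings in this report (the two Run values, the RunOnce artefact and the ZoneMap settings) from a `reg export` of the Run/RunOnce keys and the ZoneMap key, the Python below, added here and not part of the Lavasoft report, parses a .reg file and classifies what it finds. The embedded .reg export is constructed from the report's values (the user name "victim" and the ctfmon.exe entry are made up); the hive abbreviations and the rundll32 heuristic are assumptions of this example, not something the report states.

```python
"""Check a .reg export for the autorun values and the IE ZoneMap settings listed in
this report. Added example, not part of the Lavasoft report. The embedded export is
constructed from the report's values; assumptions are marked in comments."""
import re

HIVE_SHORT = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
              "hkey_classes_root": "hkcr", "hkey_users": "hku"}
REPORT_ARTEFACTS = ("b2l0zj6.exe", "svmgrt.dll")      # files named in the report's Run values
BENIGN_RUNONCE = {("grpconv", "grpconv -o")}          # standard Program Group Converter entry
ZONEMAP_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap"
ZONEMAP_FLAGS = (
    ("IntranetName", "dotless host names not in another zone are treated as Local intranet"),
    ("UNCAsIntranet", "UNC paths are treated as Local intranet"),
    ("ProxyBypass", "sites that bypass the proxy are treated as Local intranet"),
)
RUNDLL_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed .reg export (user name "victim" and the ctfmon.exe entry are made up).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scfpwb"="C:\\Documents and Settings\\victim\\Application Data\\b2l0zj6.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim"="rundll32.exe C:\\WINDOWS\\svmgrt.dll,Startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"AutoDetect"=dword:00000000
"""

def normalise_key(key):
    """Lower-case the key and shorten the hive name (HKEY_LOCAL_MACHINE -> hklm)."""
    hive, sep, rest = key.strip().lower().partition("\\")
    return HIVE_SHORT.get(hive, hive) + sep + rest

def decode_reg_data(data):
    """Decode the string and dword forms of a .reg value; other types are returned raw."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data

def parse_reg_export(text):
    """Return {normalised key: {value name: data}} for a .reg export."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalise_key(line[1:-1])
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
            reg[current][name] = decode_reg_data(m.group(2))
    return reg

def autorun_findings(reg):
    """(key, name, data, verdict) for Run/RunOnce values worth a look."""
    findings = []
    for key, values in reg.items():
        if not (key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce")):
            continue
        for name, data in values.items():
            text = str(data)
            low = text.lower()
            if any(a in low for a in REPORT_ARTEFACTS):
                verdict = "report-ioc"
            elif (name.lower(), low) in BENIGN_RUNONCE:
                verdict = "benign-windows-artifact"
            else:
                m = RUNDLL_DLL_RE.search(text)
                dll_dir = m.group(1).lower().rsplit("\\", 1)[0] if m and "\\" in m.group(1) else ""
                # Heuristic (assumption): a DLL loaded by rundll32 straight from the Windows
                # directory root or from a user profile is unusual for a legitimate autorun.
                if m and (dll_dir.endswith("\\windows") or "\\documents and settings\\" in dll_dir):
                    verdict = "suspicious-rundll32"
                else:
                    continue
            findings.append((key, name, text, verdict))
    return findings

def zonemap_findings(reg):
    """ZoneMap values set to 1, with what each one relaxes."""
    values = {k.lower(): v for k, v in reg.get(ZONEMAP_KEY, {}).items()}
    return [(name, why) for name, why in ZONEMAP_FLAGS if values.get(name.lower()) == 1]

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, data, verdict in autorun_findings(reg):
        print(f"{verdict:24} [{key}] {name} = {data}")
    for name, why in zonemap_findings(reg):
        print(f"{'zonemap':24} {name} = 1: {why}")
```

On a live host, export the keys with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the HKLM Run, both RunOnce keys and the ZoneMap key), then read the files with encoding="utf-16" since reg.exe writes them as UTF-16. The ZoneMap findings only become meaningful against a baseline: on Windows XP all three values are the defaults, so on that platform they corroborate rather than prove infection.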