Gen.Variant.Strictor.20604_8301ac295e

by malwarelabrobot on March 4th, 2015 in Malware Descriptions.

Trojan.Win32.Reconyc.dshg (Kaspersky), Gen:Variant.Strictor.20604 (B) (Emsisoft), Gen:Variant.Strictor.20604 (AdAware), GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 8301ac295ed00f6e6fc7c23cd72a9993
SHA1: 8d37c1bcd7c9365bed8b77fd43bccc0f79e4a509
SHA256: 78deb1dd72a584fcb687892db0038e97a771ccdbdd98593f24002ab9e8860775
SSDeep: 98304:QHRzpLyMg9/z7DG7R6jTqUoLjBp5MXrPHpWQJy:QXLRw/Xy TiBrKJW8y
Size: 4120576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-03 04:54:26
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

schtasks.exe:1608
schtasks.exe:644
%original file name%.exe:1076

The Trojan injects its code into the following process(es):

Windows Loader.exe:1052
iexplore.exe:500

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (30490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe:ZONE.identifier (28 bytes)
%Documents and Settings%\%current user%\Application Data\Windows Loader.exe (25429 bytes)

Registry activity

The process schtasks.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 DB CF 40 71 56 8F C3 1F DF 4D D5 06 66 60 B1"

The process schtasks.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 4A 07 B9 B5 62 3A 2E 58 F1 BE A9 2C D5 45 04"

The process Windows Loader.exe:1052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 9A 15 79 7B 29 3A 14 7C BE 61 BC 7F 89 B3 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Trojan deletes the following registry key(s):

[HKLM\HARDWARE\DESCRIPTION\System\BIOS]

The process %original file name%.exe:1076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 89 7C D3 44 DF 9E F6 FB 4C 95 14 AE 40 3B E2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"WINDOWS LOADER.EXE" = "Windows Loader"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "svchost"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
3976bd5fcbb7cd13f0c12bb69afc2adc c:\Documents and Settings\"%CurrentUserName%"\Application Data\Windows Loader.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 4083940 4087808 5.54389 94e992e81ab9a9eb2155612c1999a21c
.rsrc 4096000 22874 24576 3.86525 182c5f265e699f7a2205a21a85ebe505
.reloc 4120576 12 4096 0.011373 0f784690123c94ddefa30c4572d78116

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

Windows Loader.exe_1052:

`.rsrc
FtPQW
~.SSW
SPSSSSSSSh
PQSSh
u.jhh
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
..\..\..\..\Common\application.cpp
c:\RB\Universal\StringMap.h
..\..\..\..\Common\array.cpp
..\..\..\..\Common\basicstr.cpp
ptr - out.CString() == totalLen
theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII
..\..\..\..\Common\BlowFish.cpp
ewcKeyDown
KeyDown
..\..\..\..\Common\Canvas.cpp
..\..\..\..\Common\CommonListbox.cpp
MinWidthExpression doesn't support the Asterisk ('*') format.
MaxWidthExpression doesn't support the Asterisk ('*') format.
..\..\..\..\Common\commonruntime.cpp
trace.log
..\..\..\..\Common\CommonRunView.cpp
We weren't passed in a control, we got nil.
..\..\..\..\Universal\CommonWinFunctions.cpp
Operator_Convert
..\..\..\..\Common\ConsoleApplication.cpp
msvcrt.dll
..\..\..\..\Universal\DataFile.cpp
Operator_Compare
dateSQLDateTimeSetter
dateSQLDateTimeGetter
SQLDateTime
dateSQLDateSetter
dateSQLDateGetter
SQLDate
..\..\..\..\Common\DateCommon.cpp
..\..\..\..\Universal\DateImp\DateImpWin32.cpp
Password
SQLSelect
databaseSQLExecute
SQLExecute
sqlString
databaseSQLSelect
..\..\..\..\Common\dbInterface.cpp
00:00:00
00:00:00
Invalid operator
Quotes expected after LIKE operation
Only COUNT(*) supported
Unsupported SELECT function
Only single GROUP BY columns currently supported
Expecting 'KEY'
Dropping columns is not supported for this database
Dropping tables from this database is not currently supported.
..\..\..\..\Common\DebuggerConnection.cpp
0000000000000000
127.0.0.1
c:\RB\Compiler\SmartRef.h
..\..\..\..\Common\DebuggerSupport.cpp
00000000
The debug application cannot connect back to the REALbasic IDE. This is mostly likely due to a software firewall or packet filter not allowing localhost network traffic on ports 13897 or 60554. You should reconfigure your software firewall or packet filter to allow the debug application to connect to REALbasic.
DebuggerSupport.cpp
dictionaryHasKey
HasKey
2147483647
..\..\..\..\Common\Dictionary.cpp
dictionaryKeys
Keys
dictionaryKey
..\..\..\..\Common\DockItem.cpp
..\..\..\..\Common\DragItem.cpp
Could not lock the BITMAPINFO structure passsed to the DrawableBitmap constructor
..\..\..\..\Common\drawable.cpp
..\..\..\..\Common\fileTypes.cpp
..\..\..\..\Common\FolderItemDialog.cpp
Shell32.dll
FolderItemDialogInitializer
OpenDialogInitializer
SaveAsDialogInitializer
SelectFolderDialogInitializer
..\..\..\..\Universal\FolderItemImp\FolderItemImpVirtual.cpp
..\..\..\..\Universal\FolderItemImp\FolderItemImpWin32.cpp
Kernel32.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
in Windows
OpenAsPicture doesn't support format
in Windows.
SaveAsPicture doesn't support format
Gdiplus.dll
not other.IsVirtual()
SHFileOperationW
SHFileOperationA
%%.ß
%%.Þ
..\..\..\..\Common\Graphics.cpp
..\..\..\..\Common\GraphicsGDI.cpp
..\..\..\..\Common\GroupBox.cpp
..\..\..\..\Common\intrinsicClass.cpp
NULL == defn->initializer.toc
NULL == defn->finalizer.toc
OpenURLMovie
PortType
comparisonKey
OrdinalKey
StringJoin
Join
RuntimeCompleteParamScriptExecute
_CompleteParamScriptExecute
RuntimeScriptExecute
_ScriptExecute
getKeyboardObject
Keyboard
GlobalShowURL
ShowURL
getApplicationSupportFolder
ApplicationSupportFolder
VB_RuntimeMsgBox
RuntimeMsgBox
MsgBox
exportPicture
ExportPicture
getIndexedObjectDescriptor
GetIndexedObjectDescriptor
openURLMovie
..\..\..\..\Common\intrinsicFunction.cpp
keyboardKeyName
KeyName
keyboardAsyncKeyDown
AsyncKeyDown
KeyCode
AsyncAlternateMenuShortcutKey
AsyncMenuShortcutKey
AlternateMenuShortcutKey
MenuShortcutKey
AsyncAltKey
AsyncOptionKey
AsyncControlKey
AsyncOSKey
AsyncCommandKey
asyncModifierKeyGetter
AsyncShiftKey
AltKey
OptionKey
ControlKey
OSKey
CommandKey
modifierKeyGetter
ShiftKey
_Keyboard
..\..\..\..\Common\LineControl.cpp
Windows
Operator_AddRight
Operator_Add
' was not exported
..\..\..\..\Common\loaderX86.cpp
import.dat
code.dat
data.dat
rsrc.dat
options.dat
symbols.dat
MemoryBlockCompareOperator
MemoryBlockAddOperator
MemoryBlockFromStringOperator
MemoryBlockToStringOperator
..\..\..\..\Common\MemoryBlock.cpp
..\..\..\..\Universal\MemoryManager.cpp
c:\rb\universal\SimpleVector.h
..\..\..\..\Common\Menu.cpp
..\..\..\..\Common\menubar.cpp
KeyboardShortcut
RuntimeMenuItemCommandKeySetter
RuntimeMenuItemCommandKeyGetter
TaskDialogIndirect
..\..\..\..\Common\MessageDialog.cpp
MessageDialogInitializer
..\..\..\..\Common\mouseCursor.cpp
SensApi.dll
..\..\..\..\Common\NuListbox.cpp
..\..\..\..\Common\Object Model\ObjectDefinition.cpp
..\..\..\..\Common\Object Model\ObjectDefinitionConverter.cpp
propertyCtr < out->properties.count
..\..\..\..\Common\objects.cpp
KeyPress
KeyUp
LicenseKey
PassByref
Does not support a collection
Invalid/Unsupported OLE Parameter Type
ole32.dll
oleaut32.dll
OLEObjectOperatorNot
Operator_Not
Operator_OrRight
OLEObjectOperatorOr
Operator_Or
Operator_AndRight
OLEObjectOperatorAnd
Operator_And
OLEObjectOperatorNegate
Operator_Negate
OLEObjectOperatorModuloRight
Operator_ModuloRight
OLEObjectOperatorModulo
Operator_Modulo
OLEObjectOperatorIntegerDivideRight
Operator_IntegerDivideRight
OLEObjectOperatorIntegerDivide
Operator_IntegerDivide
OLEObjectOperatorDivideRight
Operator_DivideRight
OLEObjectOperatorDivide
Operator_Divide
OLEObjectOperatorMultiplyRight
Operator_MultiplyRight
OLEObjectOperatorMultiply
Operator_Multiply
OLEObjectOperatorSubtractRight
Operator_SubtractRight
OLEObjectOperatorSubtract
Operator_Subtract
OLEObjectOperatorAddRight
OLEObjectOperatorAdd
OLEObjectOperatorCompare
OLEObjectOperatorConvert
OLEObjectOperatorLookupSetterWithParameters
OLEObjectOperatorLookup
OLEObjectNoReturnOperatorLookup
Operator_Lookup
..\..\..\..\Common\ClassLib\pane.cpp
..\..\..\..\Common\pictutil.cpp
Export Image As:
Bitmap (*.bmp)
..\..\..\..\Common\Graphics2D\PixMapRotate.cpp
..\..\..\..\Common\plugin.cpp
iface.super
.Events.
pluginEntryTable.GetEntry( entrypointName, out )
RasApi32.dll
RasDlg.dll
..\..\..\..\Common\New Socket Code\PPPSocketWin.cpp
HKEY_LOCAL_MACHINE\Software\Apple Computer, Inc.\QuickTime
because an unsupported column type was used
because an unsupported type was used
..\..\..\..\Common\rbdbThumb.cpp
offset == keyLen
Insert failed: primary key violation
KeyChainItemAttributeSetter
KeyChainItemAttributeGetter
KeyChainItemDelete
KeyChainFindPassword
FindPassword
KeyChainAddPassword
AddPassword
KeyChainLock
KeyChainUnlock
KeyChainConstructor
KeyChain
KeyChainItem
KeyChainItemConstructor
KeyChainItemDestructor
..\..\..\..\Common\RBStyledText.cpp
..\..\..\..\Universal\REALstring.cpp
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
SHDeleteKeyA
RegistryItemKeyCountGetter
KeyCount
..\..\..\..\Common\Win32\RegistryAccessors.cpp
RegistryItemKeyTypeGetter
KeyType
HKEY_LOCAL_MACHINE\Software\Made With REALbasic\
REALGetDBPassword
RegisterPluginExports
systemSetKeyScript
systemGetKeyScript
editPasswordSetter
editPasswordGetter
eWindowStringPassThroughGetter
eWindowBoolPassThroughSetter
eWindowBoolPassThroughGetter
eWindowIntPassThroughGetter
listColumnPressHeader
pictureIndexedImage
systemGetKeyChainCount
systemSetDefaultKeyChain
systemGetDefaultKeyChain
aeTargetPortTypeGetter
SerialPortDestructor
ServerSocketPortSetter
ServerSocketPortGetter
UDPSocketPacketsLeftToSend
UDPSocketGetBroadcast
UDPSocketSetLoopback
UDPSocketRouterHops
UDPReadDatagram
UDPSocketWriteDatagram
UDPSocketWrite
SocketJoinMulticastGroup
RuntimeUDPSocketConstructor
RuntimeUDPSocketDestructor
TCPSocketBytesLeftToSend
TCPSocketFlush
TCPSocketEof
SocketPortSetter
SocketPortGetter
FileURLGetter
FolderItemImpMakeFileExecutable
collectionKeyRemove
getSerialPortCount
getSerialPortByPath
getSerialPort
..\..\..\..\Common\relocentry.cpp
..\..\..\..\Common\ResourceManagerCommon.cpp
Keyword
..\..\..\..\Common\runcmm.cpp
Key As String
..\..\..\..\Common\runctl.cpp
NULL == target->eventTable[ctr].vector
SQLQuery
kEncodingUTF8 == s1.Encoding()
..\..\..\..\Common\runEditControl.cpp
kEncodingUTF8 == s2.Encoding()
..\..\..\..\Common\runFileAccess.cpp
OthersExecute
GroupExecute
OwnerExecute
..\..\..\..\Common\runFolderItem.cpp
Passing non-absolute shell paths is not currently supported
The path passed into new FolderItem was invalid
URLPath
_MakeFileExecutable
..\..\..\..\Common\RunIPCSocket.cpp
..\..\..\..\Common\runListbox.cpp
sCondemnedRows.size() > 0
sCondemnedRows.peek_back() == p
c:\RB\Universal\SimpleVector.h
..\..\..\..\Common\runMedia.cpp
IndexedImage
..\..\..\..\Common\runPicture.cpp
key as String
..\..\..\..\Common\runprint.cpp
SerialPort
Port
..\..\..\..\Common\runSerial.cpp
KeyScript
SerialPortCount
..\..\..\..\Common\RunSystem.cpp
KeyChainCount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
AdvApi32.dll
ReportEventW
VVV.google.com
..\..\..\..\Common\RuntimeArrayFoundation.cpp
as the number of bits is not supported
..\..\..\..\Common\RuntimeDebug.cpp
Runtime Error %d: %s
Please report what caused this error
%s: %d
Failure Condition: %s
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp
NoOpenTransportException
KeyNotFoundException
UnsupportedFormatException
KeyChainException
row as Integer, column as Integer, key as String
CellKeyDown
..\..\..\..\Common\RuntimeListboxAccessors.cpp
PressHeader
..\..\..\..\Common\RuntimeMain.cpp
MsgPumpWaiter
..\..\..\..\Common\Object Model\RuntimeObjectFoundation.cpp
out->methods.count >= base->methods.count
out->events.count >= base->events.count
out->properties.count >= base->properties.count
..\..\..\..\Common\RunTimer.cpp
JoinMulticastGroup
TCPSocket
UDPSocket
..\..\..\..\Common\New Socket Code\RuntimeSocketAccessors.cpp
..\..\..\..\Common\RuntimeStringFoundation.cpp
..\..\..\..\Common\ClassLib\RuntimeThread.cpp
Called Semaphore.Release too many times.
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp
..\..\..\..\Common\Graphics2D\ShapePlotter.cpp
points.size() == 4
..\..\..\..\Common\Graphics2D\Shapes2D.cpp
wsock32.dll
ws2_32.dll
AcceleratorKey
..\..\..\..\Common\StaticText.cpp
c:\rb\universal\StringMap.h
..\..\..\..\Universal\StringUtils.cpp
..\..\..\..\Common\StyledTextBaseImp.cpp
..\..\..\..\Common\SubPane.cpp
..\..\..\..\Common\New Socket Code\TCPSocket.cpp
Made a new TCPSocketPosix
Destroying a TCPSocketPosix
from port
Starting the listening process on port
Shutting the TCPSocketPosix down
Resetting the TCPSocketPosix
Making a TCP socket
..\..\..\..\Common\New Socket Code\TCPSocketWin.cpp
windows-1258
windows-1257
windows-1256
windows-1255
windows-1254
windows-1253
windows-1251
windows-1250
windows-1252
DOSPortugese
WindowsKoreanJohab
WindowsVietnamese
WindowsBalticRim
WindowsArabic
WindowsHebrew
WindowsLatin5
WindowsGreek
WindowsCyrillic
WindowsLatin2
WindowsANSI
WindowsLatin1
DOSPortuguese
..\..\..\..\Universal\TextEncodingUtil.cpp
..\..\..\..\Common\Toolbar\ToolbarImpWin32.cpp
SHQueryRecycleBin requires Windows 95/NT4 with IE greater than 4.0
Shlwapi.dll
..\..\..\..\Common\TrayItem.cpp
Making a new UDPSocketPosix
Destroying a UDPSocketPosix
Unable to bind the udp socket
Unable to set the broadcast option on the UDP socket
udp socket is bound and ready
Trying to join the multicast group:
Could not join the multicast group
Joined the multicast group successfully
on port
01234567
..\..\..\..\Common\variant.cpp
Operator_PowerRight
Operator_Power
Operator_Hash
Operator_Hash%i4%o<
Operator_Convert%
..\..\..\..\Common\VariantConversions.cpp
..\..\..\..\Universal\VirtualVolumes\VFSCore.cpp
finfo->mPosWithinBlock >= kBlockHeaderSize and finfo->mPosWithinBlock < finfo->mBlockStart   finfo->mBlockHeader.mBlockLength - 4
..\..\..\..\Universal\VirtualVolumes\VHFS.cpp
..\..\..\..\Common\Win32\win32cmm.cpp
..\..\..\..\Common\Win32\win32Control.cpp
RICHED32.DLL
RICHED20.DLL
..\..\..\..\Common\Win32\win32EditControl.cpp
Styled text printer passed in to DrawBlock was nil
..\..\..\..\Common\Win32\win32Folderitem.cpp
..\..\..\..\Common\Win32\Win32Menu.cpp
..\..\..\..\Common\Win32\win32popupmenu.cpp
ComCtl32.dll
..\..\..\..\Common\Win32\win32progress.cpp
\\.\COM
..\..\..\..\Common\Win32\win32serial.cpp
..\..\..\..\Common\Win32\win32windows.cpp
..\..\..\..\Common\ClassLib\window.cpp
WMPlayer.OCX
{22D6F312-B0F6-11D0-94AB-0080C74C7E95}
..\..\..\..\Common\Win32\WindowsMediaPlayer.cpp
Can't load library %s
..\..\..\..\Common\Win32\WinPrinter.cpp
Could not get the default printer settings because a nil structure was passed in
Someone passed in a bogus value for getting printer information
uxtheme.dll
?#%X.y
c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb
QuickTime.qts
zcÁ
%Documents and Settings%\%current user%\Application Data\Windows Loader.exe
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
GetConsoleOutputCP
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
SetViewportOrgEx
SetViewportExtEx
ShellExecuteA
ShellExecuteW
EnumChildWindows
VkKeyScanA
MsgWaitForMultipleObjectsEx
GetKeyNameTextA
MapVirtualKeyA
GetKeyNameTextW
EnumWindows
GetKeyState
GetAsyncKeyState
midiOutShortMsg
.text
`.rdata
@.data
.rsrc
|}{yN,--Rw}
../.Sw}}
||}wYzyyO**...QQRvww}
.ww}}}
.www}}
..RRRRSSSw}w}
).RQ,,QRv||ww}}}
|||vv|RRS.RQQQ-'...-&,,,QQR||vR}}|}
version="1.0.0.0"
name="Windows Loader.exe"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
iphlpapi.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
2.2.1.0
Windows Loader.exe

Windows Loader.exe_1052_rwx_00401000_00219000:

FtPQW
~.SSW
SPSSSSSSSh
PQSSh
u.jhh
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
..\..\..\..\Common\application.cpp
c:\RB\Universal\StringMap.h
..\..\..\..\Common\array.cpp
..\..\..\..\Common\basicstr.cpp
ptr - out.CString() == totalLen
theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII
..\..\..\..\Common\BlowFish.cpp
ewcKeyDown
KeyDown
..\..\..\..\Common\Canvas.cpp
..\..\..\..\Common\CommonListbox.cpp
MinWidthExpression doesn't support the Asterisk ('*') format.
MaxWidthExpression doesn't support the Asterisk ('*') format.
..\..\..\..\Common\commonruntime.cpp
trace.log
..\..\..\..\Common\CommonRunView.cpp
We weren't passed in a control, we got nil.
..\..\..\..\Universal\CommonWinFunctions.cpp
Operator_Convert
..\..\..\..\Common\ConsoleApplication.cpp
msvcrt.dll
..\..\..\..\Universal\DataFile.cpp
Operator_Compare
dateSQLDateTimeSetter
dateSQLDateTimeGetter
SQLDateTime
dateSQLDateSetter
dateSQLDateGetter
SQLDate
..\..\..\..\Common\DateCommon.cpp
..\..\..\..\Universal\DateImp\DateImpWin32.cpp
Password
SQLSelect
databaseSQLExecute
SQLExecute
sqlString
databaseSQLSelect
..\..\..\..\Common\dbInterface.cpp
00:00:00
00:00:00
Invalid operator
Quotes expected after LIKE operation
Only COUNT(*) supported
Unsupported SELECT function
Only single GROUP BY columns currently supported
Expecting 'KEY'
Dropping columns is not supported for this database
Dropping tables from this database is not currently supported.
..\..\..\..\Common\DebuggerConnection.cpp
0000000000000000
127.0.0.1
c:\RB\Compiler\SmartRef.h
..\..\..\..\Common\DebuggerSupport.cpp
00000000
The debug application cannot connect back to the REALbasic IDE. This is mostly likely due to a software firewall or packet filter not allowing localhost network traffic on ports 13897 or 60554. You should reconfigure your software firewall or packet filter to allow the debug application to connect to REALbasic.
DebuggerSupport.cpp
dictionaryHasKey
HasKey
2147483647
..\..\..\..\Common\Dictionary.cpp
dictionaryKeys
Keys
dictionaryKey
..\..\..\..\Common\DockItem.cpp
..\..\..\..\Common\DragItem.cpp
Could not lock the BITMAPINFO structure passsed to the DrawableBitmap constructor
..\..\..\..\Common\drawable.cpp
..\..\..\..\Common\fileTypes.cpp
..\..\..\..\Common\FolderItemDialog.cpp
Shell32.dll
FolderItemDialogInitializer
OpenDialogInitializer
SaveAsDialogInitializer
SelectFolderDialogInitializer
..\..\..\..\Universal\FolderItemImp\FolderItemImpVirtual.cpp
..\..\..\..\Universal\FolderItemImp\FolderItemImpWin32.cpp
Kernel32.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
in Windows
OpenAsPicture doesn't support format
in Windows.
SaveAsPicture doesn't support format
Gdiplus.dll
not other.IsVirtual()
SHFileOperationW
SHFileOperationA
%%.ß
%%.Þ
..\..\..\..\Common\Graphics.cpp
..\..\..\..\Common\GraphicsGDI.cpp
..\..\..\..\Common\GroupBox.cpp
..\..\..\..\Common\intrinsicClass.cpp
NULL == defn->initializer.toc
NULL == defn->finalizer.toc
OpenURLMovie
PortType
comparisonKey
OrdinalKey
StringJoin
Join
RuntimeCompleteParamScriptExecute
_CompleteParamScriptExecute
RuntimeScriptExecute
_ScriptExecute
getKeyboardObject
Keyboard
GlobalShowURL
ShowURL
getApplicationSupportFolder
ApplicationSupportFolder
VB_RuntimeMsgBox
RuntimeMsgBox
MsgBox
exportPicture
ExportPicture
getIndexedObjectDescriptor
GetIndexedObjectDescriptor
openURLMovie
..\..\..\..\Common\intrinsicFunction.cpp
keyboardKeyName
KeyName
keyboardAsyncKeyDown
AsyncKeyDown
KeyCode
AsyncAlternateMenuShortcutKey
AsyncMenuShortcutKey
AlternateMenuShortcutKey
MenuShortcutKey
AsyncAltKey
AsyncOptionKey
AsyncControlKey
AsyncOSKey
AsyncCommandKey
asyncModifierKeyGetter
AsyncShiftKey
AltKey
OptionKey
ControlKey
OSKey
CommandKey
modifierKeyGetter
ShiftKey
_Keyboard
..\..\..\..\Common\LineControl.cpp
Windows
Operator_AddRight
Operator_Add
' was not exported
..\..\..\..\Common\loaderX86.cpp
import.dat
code.dat
data.dat
rsrc.dat
options.dat
symbols.dat
MemoryBlockCompareOperator
MemoryBlockAddOperator
MemoryBlockFromStringOperator
MemoryBlockToStringOperator
..\..\..\..\Common\MemoryBlock.cpp
..\..\..\..\Universal\MemoryManager.cpp
c:\rb\universal\SimpleVector.h
..\..\..\..\Common\Menu.cpp
..\..\..\..\Common\menubar.cpp
KeyboardShortcut
RuntimeMenuItemCommandKeySetter
RuntimeMenuItemCommandKeyGetter
TaskDialogIndirect
..\..\..\..\Common\MessageDialog.cpp
MessageDialogInitializer
..\..\..\..\Common\mouseCursor.cpp
SensApi.dll
..\..\..\..\Common\NuListbox.cpp
..\..\..\..\Common\Object Model\ObjectDefinition.cpp
..\..\..\..\Common\Object Model\ObjectDefinitionConverter.cpp
propertyCtr < out->properties.count
..\..\..\..\Common\objects.cpp
KeyPress
KeyUp
LicenseKey
PassByref
Does not support a collection
Invalid/Unsupported OLE Parameter Type
ole32.dll
oleaut32.dll
OLEObjectOperatorNot
Operator_Not
Operator_OrRight
OLEObjectOperatorOr
Operator_Or
Operator_AndRight
OLEObjectOperatorAnd
Operator_And
OLEObjectOperatorNegate
Operator_Negate
OLEObjectOperatorModuloRight
Operator_ModuloRight
OLEObjectOperatorModulo
Operator_Modulo
OLEObjectOperatorIntegerDivideRight
Operator_IntegerDivideRight
OLEObjectOperatorIntegerDivide
Operator_IntegerDivide
OLEObjectOperatorDivideRight
Operator_DivideRight
OLEObjectOperatorDivide
Operator_Divide
OLEObjectOperatorMultiplyRight
Operator_MultiplyRight
OLEObjectOperatorMultiply
Operator_Multiply
OLEObjectOperatorSubtractRight
Operator_SubtractRight
OLEObjectOperatorSubtract
Operator_Subtract
OLEObjectOperatorAddRight
OLEObjectOperatorAdd
OLEObjectOperatorCompare
OLEObjectOperatorConvert
OLEObjectOperatorLookupSetterWithParameters
OLEObjectOperatorLookup
OLEObjectNoReturnOperatorLookup
Operator_Lookup
..\..\..\..\Common\ClassLib\pane.cpp
..\..\..\..\Common\pictutil.cpp
Export Image As:
Bitmap (*.bmp)
..\..\..\..\Common\Graphics2D\PixMapRotate.cpp
..\..\..\..\Common\plugin.cpp
iface.super
.Events.
pluginEntryTable.GetEntry( entrypointName, out )
RasApi32.dll
RasDlg.dll
..\..\..\..\Common\New Socket Code\PPPSocketWin.cpp
HKEY_LOCAL_MACHINE\Software\Apple Computer, Inc.\QuickTime
because an unsupported column type was used
because an unsupported type was used
..\..\..\..\Common\rbdbThumb.cpp
offset == keyLen
Insert failed: primary key violation
KeyChainItemAttributeSetter
KeyChainItemAttributeGetter
KeyChainItemDelete
KeyChainFindPassword
FindPassword
KeyChainAddPassword
AddPassword
KeyChainLock
KeyChainUnlock
KeyChainConstructor
KeyChain
KeyChainItem
KeyChainItemConstructor
KeyChainItemDestructor
..\..\..\..\Common\RBStyledText.cpp
..\..\..\..\Universal\REALstring.cpp
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
SHDeleteKeyA
RegistryItemKeyCountGetter
KeyCount
..\..\..\..\Common\Win32\RegistryAccessors.cpp
RegistryItemKeyTypeGetter
KeyType
HKEY_LOCAL_MACHINE\Software\Made With REALbasic\
REALGetDBPassword
RegisterPluginExports
systemSetKeyScript
systemGetKeyScript
editPasswordSetter
editPasswordGetter
eWindowStringPassThroughGetter
eWindowBoolPassThroughSetter
eWindowBoolPassThroughGetter
eWindowIntPassThroughGetter
listColumnPressHeader
pictureIndexedImage
systemGetKeyChainCount
systemSetDefaultKeyChain
systemGetDefaultKeyChain
aeTargetPortTypeGetter
SerialPortDestructor
ServerSocketPortSetter
ServerSocketPortGetter
UDPSocketPacketsLeftToSend
UDPSocketGetBroadcast
UDPSocketSetLoopback
UDPSocketRouterHops
UDPReadDatagram
UDPSocketWriteDatagram
UDPSocketWrite
SocketJoinMulticastGroup
RuntimeUDPSocketConstructor
RuntimeUDPSocketDestructor
TCPSocketBytesLeftToSend
TCPSocketFlush
TCPSocketEof
SocketPortSetter
SocketPortGetter
FileURLGetter
FolderItemImpMakeFileExecutable
collectionKeyRemove
getSerialPortCount
getSerialPortByPath
getSerialPort
..\..\..\..\Common\relocentry.cpp
..\..\..\..\Common\ResourceManagerCommon.cpp
Keyword
..\..\..\..\Common\runcmm.cpp
Key As String
..\..\..\..\Common\runctl.cpp
NULL == target->eventTable[ctr].vector
SQLQuery
kEncodingUTF8 == s1.Encoding()
..\..\..\..\Common\runEditControl.cpp
kEncodingUTF8 == s2.Encoding()
..\..\..\..\Common\runFileAccess.cpp
OthersExecute
GroupExecute
OwnerExecute
..\..\..\..\Common\runFolderItem.cpp
Passing non-absolute shell paths is not currently supported
The path passed into new FolderItem was invalid
URLPath
_MakeFileExecutable
..\..\..\..\Common\RunIPCSocket.cpp
..\..\..\..\Common\runListbox.cpp
sCondemnedRows.size() > 0
sCondemnedRows.peek_back() == p
c:\RB\Universal\SimpleVector.h
..\..\..\..\Common\runMedia.cpp
IndexedImage
..\..\..\..\Common\runPicture.cpp
key as String
..\..\..\..\Common\runprint.cpp
SerialPort
Port
..\..\..\..\Common\runSerial.cpp
KeyScript
SerialPortCount
..\..\..\..\Common\RunSystem.cpp
KeyChainCount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
AdvApi32.dll
ReportEventW
VVV.google.com
..\..\..\..\Common\RuntimeArrayFoundation.cpp
as the number of bits is not supported
..\..\..\..\Common\RuntimeDebug.cpp
Runtime Error %d: %s
Please report what caused this error
%s: %d
Failure Condition: %s
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp
NoOpenTransportException
KeyNotFoundException
UnsupportedFormatException
KeyChainException
row as Integer, column as Integer, key as String
CellKeyDown
..\..\..\..\Common\RuntimeListboxAccessors.cpp
PressHeader
..\..\..\..\Common\RuntimeMain.cpp
MsgPumpWaiter
..\..\..\..\Common\Object Model\RuntimeObjectFoundation.cpp
out->methods.count >= base->methods.count
out->events.count >= base->events.count
out->properties.count >= base->properties.count
..\..\..\..\Common\RunTimer.cpp
JoinMulticastGroup
TCPSocket
UDPSocket
..\..\..\..\Common\New Socket Code\RuntimeSocketAccessors.cpp
..\..\..\..\Common\RuntimeStringFoundation.cpp
..\..\..\..\Common\ClassLib\RuntimeThread.cpp
Called Semaphore.Release too many times.
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp
..\..\..\..\Common\Graphics2D\ShapePlotter.cpp
points.size() == 4
..\..\..\..\Common\Graphics2D\Shapes2D.cpp
wsock32.dll
ws2_32.dll
AcceleratorKey
..\..\..\..\Common\StaticText.cpp
c:\rb\universal\StringMap.h
..\..\..\..\Universal\StringUtils.cpp
..\..\..\..\Common\StyledTextBaseImp.cpp
..\..\..\..\Common\SubPane.cpp
..\..\..\..\Common\New Socket Code\TCPSocket.cpp
Made a new TCPSocketPosix
Destroying a TCPSocketPosix
from port
Starting the listening process on port
Shutting the TCPSocketPosix down
Resetting the TCPSocketPosix
Making a TCP socket
..\..\..\..\Common\New Socket Code\TCPSocketWin.cpp
windows-1258
windows-1257
windows-1256
windows-1255
windows-1254
windows-1253
windows-1251
windows-1250
windows-1252
DOSPortugese
WindowsKoreanJohab
WindowsVietnamese
WindowsBalticRim
WindowsArabic
WindowsHebrew
WindowsLatin5
WindowsGreek
WindowsCyrillic
WindowsLatin2
WindowsANSI
WindowsLatin1
DOSPortuguese
..\..\..\..\Universal\TextEncodingUtil.cpp
..\..\..\..\Common\Toolbar\ToolbarImpWin32.cpp
SHQueryRecycleBin requires Windows 95/NT4 with IE greater than 4.0
Shlwapi.dll
..\..\..\..\Common\TrayItem.cpp
Making a new UDPSocketPosix
Destroying a UDPSocketPosix
Unable to bind the udp socket
Unable to set the broadcast option on the UDP socket
udp socket is bound and ready
Trying to join the multicast group:
Could not join the multicast group
Joined the multicast group successfully
on port
01234567
..\..\..\..\Common\variant.cpp
Operator_PowerRight
Operator_Power
Operator_Hash
Operator_Hash%i4%o<
Operator_Convert%
..\..\..\..\Common\VariantConversions.cpp
..\..\..\..\Universal\VirtualVolumes\VFSCore.cpp
finfo->mPosWithinBlock >= kBlockHeaderSize and finfo->mPosWithinBlock < finfo->mBlockStart   finfo->mBlockHeader.mBlockLength - 4
..\..\..\..\Universal\VirtualVolumes\VHFS.cpp
..\..\..\..\Common\Win32\win32cmm.cpp
..\..\..\..\Common\Win32\win32Control.cpp
RICHED32.DLL
RICHED20.DLL
..\..\..\..\Common\Win32\win32EditControl.cpp
Styled text printer passed in to DrawBlock was nil
..\..\..\..\Common\Win32\win32Folderitem.cpp
..\..\..\..\Common\Win32\Win32Menu.cpp
..\..\..\..\Common\Win32\win32popupmenu.cpp
ComCtl32.dll
..\..\..\..\Common\Win32\win32progress.cpp
\\.\COM
..\..\..\..\Common\Win32\win32serial.cpp
..\..\..\..\Common\Win32\win32windows.cpp
..\..\..\..\Common\ClassLib\window.cpp
WMPlayer.OCX
{22D6F312-B0F6-11D0-94AB-0080C74C7E95}
..\..\..\..\Common\Win32\WindowsMediaPlayer.cpp
Can't load library %s
..\..\..\..\Common\Win32\WinPrinter.cpp
Could not get the default printer settings because a nil structure was passed in
Someone passed in a bogus value for getting printer information
uxtheme.dll
?#%X.y
c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb
QuickTime.qts
zcÁ
%Documents and Settings%\%current user%\Application Data\Windows Loader.exe
GetProcessHeap
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
GetConsoleOutputCP
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
SetViewportOrgEx
SetViewportExtEx
ShellExecuteA
ShellExecuteW
EnumChildWindows
VkKeyScanA
MsgWaitForMultipleObjectsEx
GetKeyNameTextA
MapVirtualKeyA
GetKeyNameTextW
EnumWindows
GetKeyState
GetAsyncKeyState
midiOutShortMsg
.text
`.rdata
@.data
.rsrc

iexplore.exe_500:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

iexplore.exe_500_rwx_10000000_0004A000:

.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TServerKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
flexcop.mooo.com
{UFE6PD14-TQ36-H08M-J0B8-65HQT3RPJY6B}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
%svchost%
PTF.ftpserver.com
ÞFA
ftpuser
%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe
%Program Files%\Internet Explorer\iexplore.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    schtasks.exe:1608
    schtasks.exe:644
    %original file name%.exe:1076

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (30490 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe:ZONE.identifier (28 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Loader.exe (25429 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now