Gen.Variant.Strictor.22279_12dee02191

by malwarelabrobot on June 1st, 2016 in Malware Descriptions.

Gen:Variant.Strictor.22279 (B) (Emsisoft), Gen:Variant.Strictor.22279 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 12dee021912ba98ddb274ca9a6159616
SHA1: f4a75b94e9c3c1a7aa47246aceb1160a695605a4
SHA256: a2fd7f45bfcb4c8654a0cde06f48959fff1980abf97ef7446c00c7121a909567
SSDeep: 49152:KY1AeNPLTye5x TI/cpP n3vhZ5mNBokNGwEA:9bDTywx Tb2n/hZeKWM
Size: 2764800 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-09-29 15:08:10
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1148

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config\system (2484 bytes)
%WinDir%\ProtectS.sys (1281 bytes)
C:\ProtectS.sys (236 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (169 bytes)
%System%\config (288 bytes)
%System%\config\SYSTEM.LOG (4793 bytes)

The Trojan deletes the following file(s):

C:\ProtectS.sys (0 bytes)
%System%\drivers\etc\hosts (0 bytes)

Registry activity

The process %original file name%.exe:1148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\ProtectS\Instances\ProtectS Instance]
"Flags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\ProtectS\Instances]
"DefaultInstance" = "ProtectS Instance"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\ProtectS\Instances\ProtectS Instance]
"Altitude" = "360054"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 F1 CA 9F 7A 80 CA FE 54 18 FC A0 45 DF F6 14"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
d4713595f01fc42591338b2740f7e072 c:\WINDOWS\ProtectS.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%WinDir%\ProtectS.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\??\%WinDir%\ProtectS.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
The Trojan installs the following kernel-mode hooks:

ZwCreateKey
ZwOpenKey
ZwOpenProcess
ZwTerminateProcess

Propagation

VersionInfo

Company Name:
Product Name: Microsoft? Visual Studio .NET
Product Version: 3.14.10.20
Legal Copyright: ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.14.10.20
File Description:
Comments: Microsoft Corporation
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1076639 1077248 4.52288 61642b2f2c11834b0e1308f2117ad088
.rdata 1081344 1523182 1523712 4.5552 0be11fb38a8bf0e37b7a9ed3a93e2e8a
.data 2605056 432074 122880 3.86888 ec669982563ceb0c2edf0da06320c821
.rsrc 3039232 36864 36864 3.69069 c4b53791403a26c654946f0d248c09b2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1148:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
D$8h%f
huDP
~%UVW
t.It It
u$SShe
kernel32.dll
advapi32.dll
Kernel32.dll
shlwapi.dll
Mem|LzmaLib.dll
LzmaLib_32.dll
ws2_32.dll
Ws2_32.dll
GetProcessHeap
RegOpenKeyA
RegCloseKey
GetWindowsDirectoryA
RegOpenKeyExA
RegCreateKeyExA
RegFlushKey
\Data\Model.axp
.ngwf
>yT.dQK_
B&.UdBc
1e:%Cv
B1 C.pI18C8
%).LpU
R%DH0
ip%sh
{P&n%X
e$I.aj
s0G'hB%X
"(7%X
ÛsOwP
.Op"[P/
.pP`M
R.eS>
VX.yg
h.rdata
H.data
.reloc
SSSSh
Game.exe
explorer.exe
Find:%d-%d
Process Id=%d, Parent Id=%d, Process Name=%s, Parent Name=%s
csrss.exe
taskmgr.exe
svchost.exe
f:\baiduy~1\0618\drv\release\i386\MxDriver.pdb
ZwQueryValueKey
ZwOpenKey
ZwSetValueKey
ZwCreateKey
RtlFormatCurrentUserKeyPath
ZwDeleteKey
ntoskrnl.exe
HAL.dll
FltCloseCommunicationPort
FltCloseClientPort
FltCreateCommunicationPort
FLTMGR.SYS
1<2@2\2`2
g%Fx"
5%D"|rah
I_kf:.Gi
Gf.WUF
).wpv2
,%sPJu^
ZQftpJ
4[p%s
G%^ .Zj
&hXXps://VVV.globalsign.com/repository/03
"hXXp://crl.globalsign.net/root.crl0
&hXXps://VVV.globalsign.com/repository/0
1hXXp://crl.globalsign.com/gs/gstimestampingg2.crl0T
8hXXp://secure.globalsign.com/cacert/gstimestampingg2.crt0
-hXXp://crl.globalsign.com/gs/gscodesigng2.crl0
4hXXp://secure.globalsign.com/cacert/gscodesigng2.crt04
(hXXp://ocsp2.globalsign.com/gscodesigng20
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
.pdata
f:\baiduy~1\0618\drv\release\amd64\MxDriver.pdb
ZM%Xs
.AE5p
.RT$%
-.Jo8
]o%fk"X
ENg.OT
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Windows 10
Windows 8.1
Windows 8
Windows 7
Windows Vista
Windows Server 2003
Windows XP
Windows 2000
\Bin\lpk.dll
\lpk.dll
\DirectX9\lpk.dll
\Bin\USP10.DLL
\USP10.DLL
\DirectX9\USP10.DLL
.rdata
.data
.idata
.adata
>.sLC
%uk>`
3iY#.%s
.sa/y,O
xp.En
Invalid allocation size: %u bytes.
Client hook allocation failure at file %hs line %d.
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
Allocation too large or negative: %u bytes.
Client hook re-allocation failure at file %hs line %d.
DAMAGE: after %hs block (#%d) at 0xX.
DAMAGE: before %hs block (#%d) at 0xX.
memory check error at 0xX = 0xX, should be 0xX.
%hs located at 0xX is %u bytes long.
%hs allocated at file %hs(%d).
DAMAGE: on top of Free block at 0xX.
Bad memory block found at 0xX.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
crt block at 0xX, subtype %x, %u bytes long.
normal block at 0xX, %u bytes long.
client block at 0xX, subtype %x, %u bytes long.
%hs(%d) :
#File Error#(%d) :
Data: <%s> %s
%s(%d) : %s
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
user32.dll
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
__MSVCRT_HEAP_SELECT
portuguese-brazilian
LZMA.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
E:\Lzma465-Good\LzmaLib\Debug\LZMA.pdb
LzmaLib.dll
\System.cfg
\Data\Interface.axp
\data.axp
.dates
,WepSpy,WpASpy,WpeSpy.dll,monitor.dll,theworld.dll,tcp-z.dll,dutool.dll,alchemy.dll,cmdial32.dll,cyshock.dll,kUserHook.dll,xiprad.dll
@hXXp://
tConfig.exe
\Game.exe
Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
getcpuid=cpu.ProcessorId
Getcpuid
,127.0.0.1:
,1,201,3,1,0,
\Patch\LoginServer.txt
\\.\PhysicalDrive0
0.0.0.0
127.0.0.1
\Game.log
[email protected],
,.!-0!/3
DG"FI&CI&?K&=L'>O(?Q)@R*AT*CW-EX.FX-GV*KR&MS"MS#OV)LZ,J].I^1J^4M\5QZ1W_ \c,Y` T^.O`0Lb0Kc1Lc1Ne3Oe4Pf4Rh3Tk4Tm5Tn6Tk8Ti;Ui=Xk;Wm:Xo9Yq9Yr8Yt9Zu:\v9_w7et7ju7nx:g{<b|<_|<^x>]v?^w@_wBayBcyBh}@d
j CrT1
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
15.09.10 - ABE|
10.00.00
t^.cI
?1/)/-&/,&/,%. $-*#.,%0-&. $/,&0-&,)"0-'/,%. $0-&-*#0-&-*#,(!. %/,&.,%.,%0-'0.'0.'0.'0.'0-'0-'0-'0.'0-&/,&/,&/,&. %,)" ( /,%0-'. $. %/-&. $. $/-&.,%/,&/,&/,&,)". $0-'-*#. %/-&. $*&
@game.sohu.com
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
ole32.dll
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
MSVFW32.dll
AVIFIL32.dll
WinExec
GetCPInfo
KERNEL32.dll
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
USER32.dll
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GDI32.dll
WINSPOOL.DRV
comdlg32.dll
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
VVV.dywt.com.cn
x86 Family %s Model %s Stepping %s
X-X-X-X
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
hXXp://
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
;3 #>6.&
'2, / 0&7!4-)1#
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
<assemblyIdentity version="1.0.0.0" name=".add"/>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
\DosDevices\%s
\Device\%s
*KERNEL32.DLL
\SystemRoot\system32\drivers\%s.sys
\ProtectPort
1234789
(*.*)
3.14.10.20
Microsoft? Visual Studio .NET


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1148

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\config\system (2484 bytes)
    %WinDir%\ProtectS.sys (1281 bytes)
    C:\ProtectS.sys (236 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (169 bytes)
    %System%\config\SYSTEM.LOG (4793 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now