Gen.Variant.Strictor.39554_e5685fd371
Susp_Dropper (Kaspersky), Gen:Variant.Strictor.39554 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e5685fd3718e1faafc50b7faaea4eeab
SHA1: 1eafe9fc8abd866aaaa758230a04f9a87457ecc2
SHA256: 01f8fedaf08ec5257c2a291d0bbbab707ee7481926742d501c5edc81d695c8dc
SSDeep: 12288:tUomEFRu3xEPEd7BVAX24rT6Gd8qYvwoMebKgSw:rmOMSPEdT4e28s/e2gR
Size: 574031 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-10 20:11:07
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:996
taskkill.exe:1776
taskkill.exe:256
taskkill.exe:1356
fapcf.exe:1580
FAPCF MODZ.exe:1044
FAPCFPACK.EXE:1664
netsh.exe:916
RunDll32.exe:548
RunDll32.exe:780
ERU79Y1MnVyg2PhYu39T.EXE:1104
mscorsvw.exe:172
The Backdoor injects its code into the following process(es):
Google Chrome.exe:2016
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:996 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\fapcf\FAPCF MODZ.exe (4545 bytes)
C:\fapcf\fapcf.exe (65 bytes)
The Backdoor deletes the following file(s):
C:\fapcf\__tmp_rar_sfx_access_check_1365265 (0 bytes)
The process fapcf.exe:1580 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe (65 bytes)
The process Google Chrome.exe:2016 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\3fc95aa47218f21ec0000f752e6e36bd.exe (65 bytes)
The process FAPCF MODZ.exe:1044 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\FAPCF\FAPCFPACK.EXE (282 bytes)
The Backdoor deletes the following file(s):
%WinDir%\FAPCF\__tmp_rar_sfx_access_check_1366218 (0 bytes)
The process FAPCFPACK.EXE:1664 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\RCXB4.tmp (122264 bytes)
%WinDir%\FAPCF\FAPCF.DAT (99 bytes)
%WinDir%\FAPCF\go1.bat (80 bytes)
%WinDir%\FAPCF\x2p6g4T5go9Uh9MzRW42.DB (149 bytes)
%WinDir%\FAPCF\4BYlqxnHUDDBuml3Fsnd.DB (117 bytes)
%WinDir%\FAPCF\BR4YkZ5XAVm7kbpMhRYq.DB (6378 bytes)
%WinDir%\FAPCF\ERU79Y1MnVyg2PhYu39T.EXE (5442 bytes)
The Backdoor deletes the following file(s):
%WinDir%\FAPCF\BR4YkZ5XAVm7kbpMhRYq.DB (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFB8D4.tmp (0 bytes)
%WinDir%\FAPCF\4BYlqxnHUDDBuml3Fsnd.DB (0 bytes)
%WinDir%\FAPCF\x2p6g4T5go9Uh9MzRW42.DB (0 bytes)
The process ERU79Y1MnVyg2PhYu39T.EXE:1104 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W47XWGVM\desktop.ini (67 bytes)
%System%\drivers\etc\hosts.ics (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\32916[1].htm (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\ajax-loader[1].gif (4001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\FAPCF[1].HTML (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W47XWGVM\592[1].png (322 bytes)
%System%\drivers\etc\hosts (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\18216[1].htm (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\anti[1].php (480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Desktop\FAPCF ONE.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\990x90[1] (11045 bytes)
Registry activity
The process %original file name%.exe:996 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 A6 79 06 B4 54 DF F9 31 B1 A9 C2 C1 51 6C 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\fapcf]
"fapcf.exe" = "fapcf"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\WinRAR SFX]
"C%úpcf" = "C:\fapcf"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\fapcf]
"FAPCF MODZ.exe" = "FAPCF MODZ"
The Backdoor sets the IE security-zone value that places all local (intranet) sites not listed in another zone in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
It sets the value that places all network (UNC) paths in the Intranet zone:
"UNCAsIntranet" = "1"
It sets the value that places all sites that bypass the proxy server in the Intranet zone:
"ProxyBypass" = "1"
(These three values are the options IE's Local intranet dialog has checked by default. The report attributes the same three writes to four different processes, including the WinRAR self-extracting stubs identified by the __tmp_rar_sfx_access_check files and the WinRAR SFX key, so on their own they are weak evidence of deliberate tampering.)
The process taskkill.exe:1776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 5E 70 69 AD 27 C3 79 76 B5 C7 18 1C DE 08 0B"
The process taskkill.exe:256 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 7A 6A 92 E6 5F B8 CB FB A8 99 C8 F6 66 71 B4"
The process taskkill.exe:1356 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 1D 30 8A 08 5E 6A CE 52 7F D6 1A 31 39 3A 24"
The process fapcf.exe:1580 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 69 0E 6F C5 8B 34 64 1A AC FA 9B 21 FA BB CD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU]
"di" = "!"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"google chrome.exe" = "Google Chrome"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor sets the IE security-zone value that places all network (UNC) paths in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It sets the value that places all local (intranet) sites not listed in another zone in the Intranet zone:
"IntranetName" = "1"
It sets the value that places all sites that bypass the proxy server in the Intranet zone:
"ProxyBypass" = "1"
The process Google Chrome.exe:2016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 EE A0 1D 2B DD 3F 74 41 66 5C C8 BC 5F 57 EF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU]
"di" = "!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\3fc95aa47218f21ec0000f752e6e36bd]
"[kl]" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
To run automatically each time Windows boots, the Backdoor registers its dropped file under the following autorun keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe .."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe .."
The process FAPCF MODZ.exe:1044 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 B1 0F 8D 1A E3 8B 8E F6 1F 69 91 91 86 A3 2D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\FAPCF]
"FAPCFPACK.EXE" = "FAPCFPACK"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor sets the IE security-zone value that places all sites that bypass the proxy server in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
It sets the value that places all network (UNC) paths in the Intranet zone:
"UNCAsIntranet" = "1"
It sets the value that places all local (intranet) sites not listed in another zone in the Intranet zone:
"IntranetName" = "1"
The process FAPCFPACK.EXE:1664 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 62 1C 27 48 14 AC 05 60 35 A1 0D 0C C2 46 80"
The process netsh.exe:916 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 27 D0 DD CF 04 31 37 8B 72 D6 EC 3F A9 F0 DC"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a Windows Firewall exception (recorded under the netsh.exe process above) that allows the dropped file any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"google chrome.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe:*:Enabled:Google Chrome.exe"
The process RunDll32.exe:548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 19 80 F7 C1 B7 92 D4 ED 81 E2 DF 75 B0 13 95"
The process RunDll32.exe:780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 70 7B AD C3 97 82 98 DC E7 35 B3 2F 4C B3 D1"
The process ERU79Y1MnVyg2PhYu39T.EXE:1104 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1406799985"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "ERU79Y1MnVyg2PhYu39T.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 BE B0 12 25 2F 93 32 FE 74 0C 1E 63 7D 02 F9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor sets the IE security-zone value that places all network (UNC) paths in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It sets the value that places all local (intranet) sites not listed in another zone in the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
It sets the value that places all sites that bypass the proxy server in the Intranet zone:
"ProxyBypass" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process mscorsvw.exe:172 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
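The persistence, zone and firewall changes above are the ones worth re-checking on a suspect host. The following is an added example, not part of the Lavasoft report or its tooling: a small parser for the text format that `reg export` produces (REG_SZ and REG_DWORD values only) plus rules that flag an autorun entry pointing into the user's Temp directory, ZoneMap flags set to 1, an XP firewall AuthorizedApplications entry for the same Temp binary, and SEE_MASK_NOZONECHECKS set in the user environment. SAMPLE_REG is constructed here; the user name "user", the ctfmon.exe control entry and the exact path layout are assumptions, and the firewall value is written in its on-disk form (value name = full path, data = "path:*:Enabled:name") rather than the report's abbreviated rendering.

```python
"""Triage of a .reg export for the registry changes this report lists.

Added example, not the sandbox's code. Constructed input; user name and
paths are assumptions.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\Google Chrome.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\Google Chrome.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\Google Chrome.exe:*:Enabled:Google Chrome.exe"

[HKEY_CURRENT_USER\Environment]
"SEE_MASK_NOZONECHECKS"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# "name"=<data>; the name may contain escaped quotes and backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for REG_SZ (str) and REG_DWORD (int) values.

    Other value types (hex:, hex(7): ...) are skipped; a real export is
    UTF-16 on disk and must be decoded before it is passed in.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            yield key, name, _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            yield key, name, int(data[6:], 16)


TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
ZONEMAP_FLAGS = {"intranetname", "uncasintranet", "proxybypass"}


def _in_temp(path):
    p = path.lower()
    return any(m in p for m in TEMP_MARKERS)


def triage(text):
    """Return a list of (rule, key, value_name) findings over a .reg export."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            # Autorun entries that launch from a temp directory.
            if isinstance(data, str) and _in_temp(data):
                findings.append(("autorun-from-temp", key, name))
        elif k.endswith("\\internet settings\\zonemap"):
            # The three switches that widen IE's Intranet zone.
            if name.lower() in ZONEMAP_FLAGS and data == 1:
                findings.append(("zonemap-collapsed", key, name))
        elif "\\firewallpolicy\\" in k and k.endswith("\\authorizedapplications\\list"):
            # XP firewall exception whose program lives in a temp directory.
            if isinstance(data, str) and ":*:enabled:" in data.lower() and _in_temp(name):
                findings.append(("firewall-allow-temp", key, name))
        elif k.endswith("\\environment"):
            # Suppresses the Attachment Manager zone prompt for launched files.
            if name.lower() == "see_mask_nozonechecks" and str(data) == "1":
                findings.append(("zone-checks-disabled", key, name))
    return findings


if __name__ == "__main__":
    for rule, key, name in triage(SAMPLE_REG):
        print(f"{rule:<22} {key}\\{name}")
```

The ctfmon.exe entry under the second Run key is the control case: a Run value is only reported when its target lives under a temp directory, so stock entries stay quiet.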
Dropped PE files
| MD5 | File path |
|---|---|
| c91416399bd6196c37585de5ffe0b736 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Google Chrome.exe |
| 9524aebf94a0839f5505729052244f1d | c:\WINDOWS\FAPCF\ERU79Y1MnVyg2PhYu39T.EXE |
| 5c303d26e748f4813e289145b1d84fb6 | c:\fapcf\FAPCF MODZ.exe |
| c91416399bd6196c37585de5ffe0b736 | c:\fapcf\fapcf.exe |
HOSTS file anomalies
The Backdoor modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted.
The report gives the modified file as 480 bytes (the file-activity section above records a 482-byte write to the same path). The following entries are added to the hosts file:
| 9.9.9.9 | mobily.pw |
| 9.9.9.9 | patron.tweethashcount.com |
| 9.9.9.9 | track.ttswebdesign.com |
| 9.9.9.9 | grizzl.thewell-beingcompany.com |
| 9.9.9.9 | rdp.thewalkinginstitute.com |
| 9.9.9.9 | welcome.thesplitscreenphotobooth.com |
| 9.9.9.9 | hello.thesplitscreenphotobooth.com |
| 9.9.9.9 | welcome.thecraftbarnwales.com |
| 9.9.9.9 | hello.sylvanstructures.com |
| 9.9.9.9 | remote.sylvanstructures.com |
| 9.9.9.9 | wuah.chekc.co.vu |
| 9.9.9.9 | canmacar.com |
| 9.9.9.9 | www.canmacar.com |
| 9.9.9.9 | phaelixe.com |
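Fourteen unrelated names pinned to one non-loopback address is the signature of a hosts-file hijack, and it is cheap to check for on any host. The following is an added example, not from the Lavasoft report: it parses a hosts file in memory and groups every non-loopback mapping by target address. SAMPLE_HOSTS is constructed here from the entries the report lists on top of the stock Windows XP header; the threshold `min_names` is an assumption.

```python
"""Flag hosts-file hijacks of the kind this report shows.

Added example, not sandbox output. SAMPLE_HOSTS is constructed from the
entries listed above plus the stock XP header lines.
"""
import ipaddress
from collections import defaultdict

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
9.9.9.9 mobily.pw
9.9.9.9 patron.tweethashcount.com
9.9.9.9 track.ttswebdesign.com
9.9.9.9 grizzl.thewell-beingcompany.com
9.9.9.9 rdp.thewalkinginstitute.com
9.9.9.9 welcome.thesplitscreenphotobooth.com
9.9.9.9 hello.thesplitscreenphotobooth.com
9.9.9.9 welcome.thecraftbarnwales.com
9.9.9.9 hello.sylvanstructures.com
9.9.9.9 remote.sylvanstructures.com
9.9.9.9 wuah.chekc.co.vu
9.9.9.9 canmacar.com
9.9.9.9 www.canmacar.com
9.9.9.9 phaelixe.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and junk lines.

    A hosts line is "<ip> <name> [<alias> ...] [# comment]"; each alias
    becomes its own pair. Lines whose first field is not an IP address
    are skipped rather than raising, since hosts files are hand-edited.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def hosts_anomalies(text, min_names=2):
    """Map each non-loopback target address to the names pinned to it.

    Only addresses with at least `min_names` names are returned. Loopback
    mappings (the normal "localhost" line, or ad-blocking lists pointing
    names at 127.0.0.1) are ignored; many names forced to one external
    address is what a hijack or a forced sinkhole looks like.
    """
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue
        by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}


if __name__ == "__main__":
    for ip, names in hosts_anomalies(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} names pinned")
        for n in names:
            print("   ", n)
```

On a live system read `%SystemRoot%\System32\drivers\etc\hosts` (and `hosts.ics`, which the report shows being written alongside it) and pass the text in; a file that reads clean but is much larger than the stock one still deserves a look, since the parser drops anything it cannot interpret.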
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 165203 | 165376 | 4.66056 | 0d2680623ee21ef164d1e5badd4a9069 |
| .rdata | 172032 | 20307 | 20480 | 3.70992 | 68d6f01f72380c61070d86b06775b053 |
| .data | 192512 | 137468 | 5632 | 2.40524 | 599cdae4e964b67335324e67538c2a9c |
| .rsrc | 331776 | 16796 | 16896 | 3.64547 | 10f378023b040627626fc351e12db0c0 |
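The per-section Entropy column and the single "Entropy: Packed" line at the top of the report come from two cheap heuristics, which the following added example (not the Lavasoft analyser's code) reproduces: Shannon entropy of each section's raw bytes, and a comparison of virtual size with raw size. The section contents used here are constructed stand-ins (uniformly distributed bytes, ASCII that stands in for code, and zero fill), not bytes from the sample; only the `.text` and `.data` sizes are copied from the table above, and the 7.0-bit and 4x thresholds are assumptions a practitioner would tune.

```python
"""Section entropy and size-ratio checks behind a 'Packed' verdict.

Added example, not sandbox code. Section images below are constructed;
the .text/.data sizes are taken from the PE Sections table.
"""
import math
from collections import Counter

# Constructed section images (not the sample's bytes).
UNIFORM = bytes(range(256)) * 64      # every byte value equally often: exactly 8.0 bits
CODE_LIKE = b"push ebp; mov ebp, esp; sub esp, 0x40; call dword ptr [eax]\r\n" * 300
ZERO_FILL = b"\x00" * 5632            # what uninitialised .data looks like on disk


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_verdict(name, data, virtual_size, raw_size):
    """Classify one section with the two heuristics packers trip.

    "high-entropy":    >= 7.0 bits per byte, typical of compressed or
                       encrypted content (x86 code and ASCII sit around 4 to 6,
                       which matches the 4.66 reported for .text above).
    "empty-on-disk":   no raw bytes but a virtual size, i.e. the section is
                       filled at run time by an unpacking stub.
    "grows-in-memory": virtual size far above raw size. Worth a look, but it
                       is also exactly what a .data section with a large BSS
                       looks like, so it does not count towards 'Packed'.
    """
    ent = shannon_entropy(data)
    flags = []
    if ent >= 7.0:
        flags.append("high-entropy")
    if raw_size == 0 and virtual_size > 0:
        flags.append("empty-on-disk")
    elif raw_size and virtual_size > 4 * raw_size:
        flags.append("grows-in-memory")
    return {"name": name, "entropy": round(ent, 5), "flags": flags}


def file_verdict(sections):
    """'Packed' if any section is high-entropy or empty on disk, else 'Not packed'."""
    for s in sections:
        if "high-entropy" in s["flags"] or "empty-on-disk" in s["flags"]:
            return "Packed"
    return "Not packed"


if __name__ == "__main__":
    report = [
        section_verdict(".text", CODE_LIKE, 165203, 165376),
        section_verdict(".data", ZERO_FILL, 137468, 5632),
        section_verdict("stub0", b"", 165376, 0),
        section_verdict("stub1", UNIFORM, len(UNIFORM), len(UNIFORM)),
    ]
    for s in report:
        print(f"{s['name']:<6} entropy={s['entropy']:.5f} flags={s['flags']}")
    print("Entropy:", file_verdict(report))
```

Note that the table above shows no section above 4.7 bits, and the 137468/5632 ratio on `.data` is the BSS pattern, not a packer stub; the report's "Packed" verdict and the UPolyXv05_v6 PEiD match should therefore be read as signature hits rather than as something the entropy column supports, and the WinRAR SFX artefacts elsewhere in the report are the better explanation of the file's layout.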
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://antiweb.zapto.org/ | |
| hxxp://googlecode.l.googleusercontent.com/svn/trunk/anti.php | |
| hxxp://googlecode.l.googleusercontent.com/svn/trunk/FAPCF.HTML | |
| hxxp://whos.amung.us/swidget/fapcfone.png | |
| hxxp://ad.a-ads.com/32916?size=990x90 | |
| hxxp://ad.a-ads.com/18216?size=990x90 | |
| hxxp://widgets.amung.us/small/05/592.png | |
| hxxp://ad.a-ads.com/system/ads/10423/banners/990x90 | |
| hxxp://cfpro00007.googlecode.com/svn/trunk/anti.php | |
| hxxp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML | |
| hxxp://static.a-ads.com/system/ads/10423/banners/990x90 | |
| hxxp://fapcf001.ddns.net/ |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
<font color="red">GET /system/ads/10423/banners/990x90 HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://ad.a-ads.com/32916?size=990x90<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Host: static.a-ads.com<br>
Connection: Keep-Alive<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx/1.6.0<br>
Date: Fri, 08 Aug 2014 13:41:48 GMT<br>
Content-Type: application/octet-stream<br>
Content-Length: 55761<br>
Last-Modified: Tue, 27 May 2014 21:33:35 GMT<br>
Connection: keep-alive<br>
ETag: "538504af-d9d1"<br>
Accept-Ranges: bytes<br><pre>.PNG........IHDR.......Z......../....tEXtSoftware.Adobe ImageReadyq.e&<br>lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe<br>hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=<br>"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &<br>lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><br> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1<br>.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/<br>/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo<br>shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:D3078691E3EC11E397D4D1AA<br>93792BD8" xmpMM:DocumentID="xmp.did:D3078692E3EC11E397D4D1AA93792BD8"&<br>gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D307868FE3EC11E397<br>D4D1AA93792BD8" stRef:documentID="xmp.did:D3078690E3EC11E397D4D1AA9379<br>2BD8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta><br>; <?xpacket end="r"?>.:.r...EIDATx...............^?.......Q.."`.<br>[email protected]/....wfv...v......e..y....73..w..<br>....g..#M5{[email protected] .....G7vr......J*.;~......')j..h..Fld.<br>E.......=f[^Nn!.^.....h^Z....)*^...3..s.......H............y~...u.-.Ee<br>hTFeTFeT.."[email protected].#.&..1...@. ...Czp.6......>z. (<br>..nw......7.l.!..eU.......(C%.*O..wyR=xp.*.'.V*...........J.....Q..j5M<br>S.A`.....rt...h..!.T.M. j.._.v.. ...P.4'.Rct..X...0.!AZ...A..Z. .Jt8..<br>.3iZ.^.0..2..%...Hr.Z.jF...a.3.q...1..A~....p..........b..E1u..."...(.<br>.T.....H..I~....\r.G.|.[\>....Q..Q....2..;.s..S8....-....R&..1`</pre><<< skipped >>></font><br><br
<font color="red">GET /small/05/592.png HTTP/1.1<br>
Accept: */*<br>
Referer: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML<br>
Accept-Language: en-us<br>
Accept-Encoding: gzip, deflate<br>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)<br>
Connection: Keep-Alive<br>
Host: widgets.amung.us<br>
<br>
</font><br><font color="blue">HTTP/1.1 200 OK<br>
Server: nginx/1.2.4<br>
Date: Fri, 08 Aug 2014 13:41:48 GMT<br>
Content-Type: image/png<br>
Content-Length: 322<br>
Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT<br>
Connection: keep-alive<br>
Expires: Sun, 07 Sep 2014 13:41:48 GMT<br>
Cache-Control: max-age=2592000<br>
Accept-Ranges: bytes<br><pre>.PNG........IHDR...P.........D......9PLTE.bM.nX.82.G:................z<br>c.....z.UC..n.'-00/...555...........IDAT8...... .D.FF......c..J.J..S..<br>l0..E.x..d.."p$..Y....Q1.D..o...jfm&P.Db0...>^[email protected] .G........ .A<br>C"...s...0,.Q........r.R...q.....".....~.../.{.Y......<...e.D.. .c.<br>....8.....z.C... e.V)..X....QfI."G&u....IEND.B`...</pre></font><br><br
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fapcf001.ddns.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Fri, 08 Aug 2014 13:41:47 GMT
Server: Apache
Location: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: antiweb.zapto.org
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Fri, 08 Aug 2014 13:41:45 GMT
Server: Apache
Location: hXXp://cfpro00007.googlecode.com/svn/trunk/anti.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

GET /32916?size=990x90 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ad.a-ads.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 5253
Connection: keep-alive
Status: 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Powered-By: Phusion Passenger 4.0.44
Date: Fri, 08 Aug 2014 13:41:48 GMT
Server: nginx/1.6.0 Phusion Passenger 4.0.44

<<< skipped >>>

GET /18216?size=990x90 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ad.a-ads.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 5355
Connection: keep-alive
Status: 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Powered-By: Phusion Passenger 4.0.44
Date: Fri, 08 Aug 2014 13:41:48 GMT
Server: nginx/1.6.0 Phusion Passenger 4.0.44

<<< skipped >>>

GET /swidget/fapcfone.png HTTP/1.1
Accept: */*
Referer: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive

HTTP/1.1 303 See Other
Date: Fri, 08 Aug 2014 13:41:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/small/05/592.png
Set-Cookie: uid=CgH9H1Pk05zAAn97e7QcAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/

GET /svn/trunk/anti.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: cfpro00007.googlecode.com

HTTP/1.1 200 OK
Date: Fri, 08 Aug 2014 13:41:45 GMT
Server: Apache
Last-Modified: Tue, 05 Aug 2014 15:55:58 GMT
ETag: "2//trunk/anti.php"
Accept-Ranges: bytes
Expires: Fri, 08 Aug 2014 13:44:45 GMT
Content-Length: 480
Content-Type: text/plain
Cache-Control: public, max-age=180
Age: 0
Alternate-Protocol: 80:quic

<<< skipped >>>

GET /svn/trunk/FAPCF.HTML HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cfpro00007.googlecode.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 08 Aug 2014 13:41:47 GMT
Server: Apache
Last-Modified: Thu, 07 Aug 2014 09:47:19 GMT
ETag: "7//trunk/FAPCF.HTML"
Accept-Ranges: bytes
Expires: Fri, 08 Aug 2014 13:44:47 GMT
Content-Length: 1885
Content-Type: text/plain
Cache-Control: public, max-age=180
Age: 0
Alternate-Protocol: 80:quic

<html><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><title></title></head><body>
<script type="text/javascript">
 var webLink = new Array("hXXp://fpsmodz.net<=>SynBoz crossfire modz working<=>SynBoz crossfire modz working<=>SynBoz crossfire modz working");
var randNumber = Math.floor(Math.random() * webLink.length);
 var linkActive = webLink[randNumber];
 function eLinkActive(){
...document.write("<div id='ACTIVEWEB'>" linkActive "");
 }
 </script><font color="white">
<script type="text/javascript">eLinkActive()</script></font>
<font color="white">
<div id="NOTE">INFOMATION: (07/08/2014) UPDATE FAPCF ONE V4.6 - FIX XTRAP - SUPPORT CF: NA - EU - BZ - RU - PH - INDO - KOREA - TAIWAN - SEA - ES !!!</div>
<div id="DLLINK">hXXp://VVV.fapcf.com</div>
<div id="VERHACK">4.6</div>
<div id="VERMODZ">FAPCF ONE V4.6 (07/08/2014) - FIX XTRAP</div>
<div id="CTIME">60</div>
<div id="WEBPOP">hXXp://VVV.fapcf.com</div>
<div id="LB">linkbucks.com/hL8y,linkbucks.com/hL8n,linkbucks.com/hL7q,linkbucks.com/hL8y,linkbucks.com/hL8n,linkbucks.com/hL7q</div>
<div id="ADF">adf.ly/PruFj,adf.ly/QeHwR,adf.ly/PhuJG,adf.ly/Phu4K,adf.ly/Phu2H</div>
</font>
<iframe data-aa='32916' src='//ad.a-ads.com/32916?size=990x90' scrolling='no' style='width:990px; height:90px; border:0p
<<< skipped >>>

The Backdoor connects to the servers at the following location(s):
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
RunDll32.exe_780:
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:996
taskkill.exe:1776
taskkill.exe:256
taskkill.exe:1356
fapcf.exe:1580
FAPCF MODZ.exe:1044
FAPCFPACK.EXE:1664
netsh.exe:916
RunDll32.exe:548
RunDll32.exe:780
ERU79Y1MnVyg2PhYu39T.EXE:1104
mscorsvw.exe:172
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
C:\fapcf\FAPCF MODZ.exe (4545 bytes)
C:\fapcf\fapcf.exe (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe (65 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\3fc95aa47218f21ec0000f752e6e36bd.exe (65 bytes)
%WinDir%\FAPCF\FAPCFPACK.EXE (282 bytes)
C:\RCXB4.tmp (122264 bytes)
%WinDir%\FAPCF\FAPCF.DAT (99 bytes)
%WinDir%\FAPCF\go1.bat (80 bytes)
%WinDir%\FAPCF\x2p6g4T5go9Uh9MzRW42.DB (149 bytes)
%WinDir%\FAPCF\4BYlqxnHUDDBuml3Fsnd.DB (117 bytes)
%WinDir%\FAPCF\BR4YkZ5XAVm7kbpMhRYq.DB (6378 bytes)
%WinDir%\FAPCF\ERU79Y1MnVyg2PhYu39T.EXE (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W47XWGVM\desktop.ini (67 bytes)
%System%\drivers\etc\hosts.ics (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\32916[1].htm (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\ajax-loader[1].gif (4001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\FAPCF[1].HTML (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W47XWGVM\592[1].png (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\18216[1].htm (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\anti[1].php (480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Desktop\FAPCF ONE.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\990x90[1] (11045 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe .."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe .."
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.