Gen.Variant.Strictor.52257_6001e81167

by malwarelabrobot on November 13th, 2014 in Malware Descriptions.

Gen:Variant.Strictor.52257 (B) (Emsisoft), Gen:Variant.Strictor.52257 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 6001e81167cf443ade88ba4268b3254a
SHA1: 39c50beb7be63b8a7327a5d4640cad5310715c58
SHA256: 548591a7ef860c1ea1313f640b533109f76bf4ad1227cc126905fb1725c9f19f
SSDeep: 24576:r/J2L5JlJ1yyJx1pncqPg4xjheLJNR3cthaKxkcOQmj99ku2AVQ:r/M/FJxAJ4xqNE0KxZORk/
Size: 1556480 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-08-16 08:00:18
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1484

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\14911066[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
C:\wk7b.ini (74 bytes)

Registry activity

The process %original file name%.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F8 09 D1 68 49 97 5D 11 AB 07 A7 B0 BD 30 DB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????
Product Name: ????
Product Version: 3.3.0.0
Legal Copyright: ???? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.3.0.0
File Description: www.wk7b.com
Comments: [email protected]
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1104538 1105920 4.51377 6f773ce4704626781f3bfd9516a5faec
.rdata 1110016 309566 311296 3.44712 e868ee650b233ba4be08ba5dd3ef0e9f
.data 1421312 431665 102400 3.68606 c7ce6538665304ba166f90c401f40c58
.rsrc 1855488 30772 32768 3.75973 226a654302ad328390cfda5d7d566391

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://113.107.42.34/14911066.js
hxxp://icon.ajiang.net/icon_9.gif 125.46.49.200
hxxp://js.users.51.la/14911066.js
web2.51.la 117.21.224.31


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /14911066.js HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1981
Content-Type: application/x-javascript
Last-Modified: Wed, 16 Jul 2014 05:20:40 GMT
Accept-Ranges: bytes
ETag: "325d3cafb5a0cf1:1b73"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 12 Nov 2014 13:04:19 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?14911066" target="_blan
k"><img alt="51.la 专业
;、免费、强健的访•
EE;统计" src="hXXp://icon.ajiang.net/icon_9.gif" style="bo
rder:none" /></a>\n');..var a1066tf="51la";var a1066pu="";var
 a1066pf="51la";var a1066su=window.location;var a1066sf=document.refer
rer;var a1066of="";var a1066op="";var a1066ops=1;var a1066ot=1;var a10
66d=new Date();var a1066color="";if (navigator.appName=="Netscape"){a1
066color=screen.pixelDepth;} else {a1066color=screen.colorDepth;}..try
{a1066tf=top.document.referrer;}catch(e){}..try{a1066pu =window.parent
.location;}catch(e){}..try{a1066pf=window.parent.document.referrer;}ca
tch(e){}..try{a1066ops=document.cookie.match(new RegExp("(^| )AJSTAT_o
k_pages=([^;]*)(;|$)"));a1066ops=(a1066ops==null)?1: (parseInt(unescap
e((a1066ops)[2])) 1);var a1066oe =new Date();a1066oe.setTime(a1066oe.g
etTime() 60*60*1000);document.cookie="AJSTAT_ok_pages=" a1066ops  ";pa
th=/;expires=" a1066oe.toGMTString();a1066ot=document.cookie.match(new
 RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a1066ot==null){a1066o
t=1;}else{a1066ot=parseInt(unescape((a1066ot)[2])); a1066ot=(a1066ops=
=1)?(a1066ot 1):(a1066ot);}a1066oe.setTime(a1066oe.getTime() 365*24*60
*60*1000);document.cookie="AJSTAT_ok_times=" a1066ot ";path=/;expires=
" a1066oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a1066
ops=-1;a1066ot=-1;}}catch(e){}..a1066of=a1066sf;if(a1066pf!=="51la
<<< skipped >>>


GET /icon_9.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.ajiang.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=14400
Content-Length: 893
Content-Type: image/gif
Last-Modified: Fri, 26 May 2006 14:28:04 GMT
Accept-Ranges: bytes
ETag: "0b24a99d080c61:1496"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 12 Nov 2014 13:04:29 GMT
Connection: close
GIF89a0............`..6..4.........f..............

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1484:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
User32.dll
kernel32.dll
WinINet.dll
Wininet.dll
wininet.dll
urlmon.dll
user32.dll
ComCtl32.dll
KERNEL32.DLL
Oleacc.dll
winmm.dll
OLEACC.DLL
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntryA
UrlMkSetSessionOption
URLDownloadToFileA
EnumWindows
{B6F7542F-B8FE-46a8-9605-98856A687097}
{EB5A8679-6C96-4465-A329-7911418F2582}
WebBrowser
wk7b_update.exe
\wk7b.ini
rasphone.exe -d
/wk-login.asp?banben=3.3&username=
hXXp://
221.233.60.44:8090
sys.rradmin.com:8090
sys.wk7b.com:8090
sys.yichenit.com:8090
3598123.exe
http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
\wk7b_update.exe
/3.3/ip-data.asp
/3.3/pv-data.asp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
hXXp://VVV.wk7b.com/TaskForum.asp?ForumID=19
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.2a1pre) Gecko/20110324 Firefox/4.2a1pre
Mozilla/5.0 (Windows; U; Windows NT 6.1; tr-TR) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; QQDownload 1.7; GTB6.6; TencentTraveler 4.0; SLCC1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.53 Safari/534.30
Mozilla/4.0 (compatible; MSIE 6.1; Windows XP; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36 SE 2.X MetaSr 1.0
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SV1) ; 360SE)
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 BIDUBrowser/2.x Safari/537.31
Opera/9.80 (Android 4.2.2; Linux; Opera Mobi/ADR-1012211514; U; cn) Presto/2.6.35 Version/10.1
Mozilla/5.0 (Linux;U;Android 4.2.2;zh-cn;I7500 Build FRG83) AppleWebKit/533.1 (KHTML, like Gecko)Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Linux; U; Android 4.1.2; zh-cn; Coolpad 5890 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30; 360browser(securitypay,securityinstalled); 360(android,uppayplugin); 360 Aphone Browser (4.9.0)
Mozilla/5.0 (Android 4.2.2; zh-cn; HTC_DesireS_S510e Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Android 4.2.2; zh-cn; Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Linux; U; Android 4.2.2; zh-cn; MI-ONE Plus Build/GINGERBREAD) UC AppleWebKit/534.31 (KHTML, like Gecko) Mobile Safari/534.31
Opera/9.80 (Android 4.2.2; Opera Mini/7.6.32764/28.3234; U; zh) Presto/2.8.119 Version/11.10
Opera/9.80 (Android 4.2.2; Linux; Opera Mobi/ADR-1012221546; U; cn) Presto/2.7.60 Version/10.5
9@hXXp://VVV.wk7b.com
?baidu.com,google-analytics.com
hXXp://VVV.wk7b.com/wk_help.asp
v@hXXp://VVV.wk7b.com/CreateUser.asp
hXXp://VVV.wk7b.com/wk_soft.asp?userid=
hXXp://VVV.baidu.com/s?cl=3&wd=
hXXp://VVV.google.com/search?complete=1&hl=zh-CN&btnG=Google 搜索&meta=&q=
hXXp://VVV.so.com/s?ie=utf-8&src=360sou_home&q=
hXXp://sys.rradmin.com/tools.asp
hXXps://
onkeydown
&7item.taobao.com/item.htm?id=20282100201
s.taobao.com/search?initiative_id=staobaoz_20130419&q=»ù´¡µçÐÅÐéÄâÖ÷»ú¿Õ¼ä 100MÐÍ
item.htm
ws2_32.dll
Shell.Explorer.2
Winmm.dll
dsound.dll
S@hXXp://VVV.baidu.com
hXXp://VVV.wk7b.com/wk_dama.asp
hXXp://iframe.ip138.com/ic.asp
2012-1-1
.js"></script>
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/14911066.js"></script><script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/14911066.js"></script>
hXXp://VVV.wk7b.com/wk_tx.asp
ieframe.dll
fNsQL
6=get 7.post 8.sina
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
Q%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
RegisterHotKey
UnregisterHotKey
SetWindowsHookExA
UnhookWindowsHookEx
EnumChildWindows
USER32.dll
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
ATL.DLL
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
ReleaseNamedPipe
DisConnectNamedPipe
WriteNamedPipe
ReadNamedPipe
ConnectNamedPipe
ListenNamedPipe
CreateNamedPipe
\\.\mailslot\
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%s\%s.lnk
Software\Microsoft\Windows\CurrentVersion\Run
%d%d%d
rundll32.exe shell32.dll,
;3 #>6.&
'2, / 0&7!4-)1#
SERVER_PORT_SECURE
SERVER_PORT
REMOTE_PORT
HTTPS_SERVER_SUBJECT
HTTPS_SERVER_ISSUER
HTTPS_SECRETKEYSIZE
HTTPS_KEYSIZE
HTTPS
HTTP_HeaderName
CERT_SUBJECT
CERT_SERVER_SUBJECT
CERT_SERVER_ISSUER
CERT_SERIALNUMBER
CERT_SECRETKEYSIZE
CERT_KEYSIZE
CERT_ISSUER
CERT_FLAGS
CERT_COOKIE
AUTH_PASSWORD
ALL_HTTP
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
(*.*)
3.3.0.0
VVV.wk7b.com
[email protected]


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1484

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\14911066[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon_9[1].gif (893 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    C:\wk7b.ini (74 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now