Gen.Variant.Strictor.69781_49560e0c30
Susp_Dropper (Kaspersky), Gen:Variant.Strictor.69781 (B) (Emsisoft), Gen:Variant.Strictor.69781 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 49560e0c30558149123a2201e14a8670
SHA1: 7f4c095930090f5b7d0e6db456befeaa92a42bfa
SHA256: 66506884075b6b3c04ad535d222a6f68cec8ec288c6126206ed1ea418c4f8dd5
SSDeep: 12288:fF+QDcZJGUG3zlxSx9Wm/x5maHMhWDaxM7an4UKct8LoiNWsTSpeqU63f+34iAyW:kv7Ul4tzpuWmMU5zsTSpwkf7iQA0bTT
Size: 1327104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-17 15:21:56
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-PSW. Trojan program intended for stealing users' passwords.
Caveat: the dynamic run recorded on this page shows no created processes, no dropped PE files and only three HTTP GETs to 56645.com tracking endpoints. The Trojan-PSW and EmailWorm labels rest on static signatures and on strings embedded in the binary (SMTP header templates such as "From: %s" and "Subject: %s", WinINet FTP imports, Legend of Mir 2 private-server database paths such as LoginSrv\IDDB\ID.DB and DBServer\FDB\HUM.DB, and the literal "Password"), not on observed credential theft or mail traffic.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:120
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:120 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\Logo[1].png (4917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\tool[1].htm (1301 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\leaan[1].js (731 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (291 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (0 bytes)
Registry activity
The process %original file name%.exe:120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015081620150817]
"CachePrefix" = ":2015081620150817:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015081620150817]
"CacheOptions" = "11"
"CacheLimit" = "8192"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015081620150817]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015081620150817]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015081620150817\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 47 25 70 10 66 B8 EF EA 6D A8 2E 61 73 6D F1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the IE security-zone map so that UNC paths are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone map so that sites which bypass the proxy are treated as Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE security-zone map so that host names without dots (single-label names) are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that UNCAsIntranet, ProxyBypass and IntranetName set to 1 are Internet Explorer's default "automatically detect intranet network" configuration. Together with "MigrateProxy" = "1", "ProxyEnable" = "0" and the deleted AutoConfigURL/ProxyServer/ProxyOverride values, they match what WinINet writes when a process first uses the IE engine under a profile, so on their own they are weak evidence of deliberate tampering.
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040920140410]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: GameMaster????-??????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: GameMaster????-??????
Comments: GameMaster????-??????
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1033458 | 1036288 | 5.14722 | fe12196dabf5c9524135b18a54fef205 |
| .rdata | 1040384 | 172752 | 176128 | 2.92402 | 069e8a8be79957389610d668bacfeea4 |
| .data | 1216512 | 299562 | 86016 | 4.35744 | 6141abe6636712acdab4eb3be1b7cd0a |
| .rsrc | 1519616 | 24288 | 24576 | 3.38027 | 39fd0626d6bceefe8dd814bbcb821b02 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.56645.com/Logo.png | |
| hxxp://s1.56645.com/leaan.js | |
| hxxp://s1.56645.com/stat/index?id=leaan&rf=&w=1916&h=902&cdp=32&ld=null&t=0&mac=62795793&rnd=686&dwt=undefined | |
| hxxp://p.56645.com/stat/index?id=leaan&rf=&w=1916&h=902&cdp=32&ld=null&t=0&mac=62795793&rnd=686&dwt=undefined | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /stat/index?id=leaan&rf=&w=1916&h=902&cdp=32&ld=null&t=0&mac=62795793&rnd=686&dwt=undefined HTTP/1.1
Accept: */*
Referer: hXXp://VVV.56645.com/tool.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.56645.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 16 Aug 2015 02:11:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
Cache-Control: private
Content-Length: 0
GET /Logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.56645.com/tool.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.56645.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 16081
Content-Type: image/png
Last-Modified: Sun, 03 Mar 2013 23:22:03 GMT
Accept-Ranges: bytes
ETag: "80df95e96518ce1:e26"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 16 Aug 2015 02:11:55 GMT
[binary PNG image body omitted]
GET /leaan.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.56645.com/tool.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s1.56645.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 16 Aug 2015 02:11:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 2804
(function(obj){eval(function(p,a,c,k,e,r){e=function(c){return c.toString(36)};if('0'.replace(0,e)==0){while(c--)r[e(c)]=k[c];k=[function(e){return r[e]||e}];e=function(){return'[89dfh-jl-n]'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('i(8(p,a,c,k,e,r){e=j;d(\'0\'.f(0,e)==0){h(c--)r[e(c)]=k[c];k=[8(e){9 r[e]||e}];e=8(){9\'[2-6]\'};c=1};h(c--)d(k[c])p=p.f(l m(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);9 p}(\'i(2(p,a,c,k,e,r){e=j;4(\\\'0\\\'.5(0,e)==0){6(c--)r[e(c)]=k[c];k=[2(e){3 r[e]||e}];e=2(){3\\\'[0]\\\'};c=1};6(c--)4(k[c])p=p.5(l m(\\\'\\\\\\\\b\\\'+e(c)+\\\'\\\\\\\\b\\\',\\\'g\\\'),k[c]);3 p}(\\\'2 copyright(name,value){0 author=\\\\\\\'ccstat.com\\\\\\\';0 contact=\\\\\\\'4008588958\\\\\\\'}\\\',[],1,\\\'var\\\'.n(\\\'|\\\'),0,{}))\',[],7,\'||8|9|d|f|h\'.n(\'|\'),0,{}))',[],24,'||||||||function|return||||if||replace||while|eval|String||new|RegExp|split'.split('|'),0,{}));
var siteId="leaan";
var pUrl="hXXp://p.56645.com/stat/index";
var lastTime=null,vTimes,mac,referrer,dwTime;
var a=function(){referrer=escape(document.referrer);}();
var gc=function(name){var arr=document.cookie.match(new RegExp("(^| )"+name+siteId+"=([^;]*)(;|$)"));if(arr!=null)return unescape(arr[2]);return null;};
var sc=function(name,value,hours){var expire="";if(hours!=null){expire=new Date((new Date()).getTime()+hours*3600000);expire="; expires="+expire.toGMTString();}
document.cookie=name+siteId+"="+escape(value)+expire;};
var b=function(){return;}();
var c=function(n){var rnd="";for(var i=0;i<n;i++)<<< skipped >>>
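The leaan.js body captured above opens with three nested layers of the p,a,c,k,e,r packer (the variant that derives dictionary keys with c.toString(36) in the outer layer and with String, i.e. decimal keys, in the inner ones) before the plain tracking code that follows the eval. The block below is an added example, not code from this page or from 56645.com: a static unpacker that re-implements the packer's token substitution and peels every layer without ever calling eval, so the script can be inspected without executing it. PACKED_LEAAN_JS is the eval(...) expression from the capture with the string-concatenation "+" operators written out; the function names readSingleQuoted, decode, unpackOnce and unpackAll are chosen here.

```javascript
// Added example: static unpacker for the nested p,a,c,k,e,r layers seen in leaan.js.
// No eval is used; each layer is decoded by re-implementing the packer's substitution step.

const PACKER_HEAD = 'eval(function(p,a,c,k,e,r){';

// Read a JavaScript single-quoted string literal that starts at src[start]; return the
// unescaped value and the index just past the closing quote.
function readSingleQuoted(src, start) {
  if (src[start] !== "'") throw new Error(`expected a quote at offset ${start}`);
  const simple = new Map([['n', '\n'], ['r', '\r'], ['t', '\t']]);
  let out = '';
  for (let i = start + 1; i < src.length; i++) {
    const ch = src[i];
    if (ch === '\\') {                       // \' -> '   \\ -> \   \n -> newline, others literal
      const next = src[++i];
      if (next === undefined) throw new Error('dangling backslash in string literal');
      out += simple.has(next) ? simple.get(next) : next;
    } else if (ch === "'") {
      return { value: out, end: i + 1 };
    } else {
      out += ch;
    }
  }
  throw new Error('unterminated string literal');
}

// The packer replaces every word token whose base-`radix` value indexes a non-empty
// dictionary entry; tokens that map to an empty entry or fall out of range are kept.
function decode(packed, count, words, radix) {
  return packed.replace(/\b\w+\b/g, (tok) => {
    const n = parseInt(tok, radix);
    return Number.isInteger(n) && n < count && words[n] ? words[n] : tok;
  });
}

// Decode one packer layer found anywhere in src; returns null when no layer is present.
function unpackOnce(src) {
  const head = src.indexOf(PACKER_HEAD);
  if (head < 0) return null;
  const argsAt = src.indexOf("}('", head);           // end of the packer body, start of its arguments
  if (argsAt < 0) throw new Error('packer body without an argument list');
  // leaan.js derives keys either with e=String (decimal) or with c.toString(36) (base 36).
  const radix = src.slice(head, argsAt).includes('e=String') ? 10 : 36;
  const p = readSingleQuoted(src, argsAt + 2);       // the packed code
  const m = /^,(?:\[\]|\d+),(\d+),/.exec(src.slice(p.end));   // ",a,c," (a is [] in this variant)
  if (!m) throw new Error('unexpected argument list after the packed string');
  const k = readSingleQuoted(src, p.end + m[0].length);       // the '|'-joined dictionary
  if (!src.startsWith(".split('|')", k.end)) throw new Error('dictionary is not split on |');
  return decode(p.value, parseInt(m[1], 10), k.value.split('|'), radix);
}

// Peel layers until no packer remains; returns every intermediate result, innermost last.
function unpackAll(src, maxLayers = 16) {
  const layers = [];
  let cur = src;
  for (let i = 0; i < maxLayers; i++) {
    const next = unpackOnce(cur);
    if (next === null) break;
    layers.push(next);
    cur = next;
  }
  return layers;
}

// The eval(...) expression from the leaan.js capture on this page. Constructed input for the
// example: the "(function(obj){" wrapper and the tracking code after the eval are left out.
const PACKED_LEAAN_JS =
  String.raw`eval(function(p,a,c,k,e,r){e=function(c){return c.toString(36)};if('0'.replace(0,e)==0){while(c--)r[e(c)]=k[c];k=[function(e){return r[e]||e}];e=function(){return'[89dfh-jl-n]'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}(` +
  String.raw`'i(8(p,a,c,k,e,r){e=j;d(\'0\'.f(0,e)==0){h(c--)r[e(c)]=k[c];k=[8(e){9 r[e]||e}];e=8(){9\'[2-6]\'};c=1};h(c--)d(k[c])p=p.f(l m(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);9 p}(` +
  String.raw`\'i(2(p,a,c,k,e,r){e=j;4(\\\'0\\\'.5(0,e)==0){6(c--)r[e(c)]=k[c];k=[2(e){3 r[e]||e}];e=2(){3\\\'[0]\\\'};c=1};6(c--)4(k[c])p=p.5(l m(\\\'\\\\\\\\b\\\'+e(c)+\\\'\\\\\\\\b\\\',\\\'g\\\'),k[c]);3 p}(` +
  String.raw`\\\'2 copyright(name,value){0 author=\\\\\\\'ccstat.com\\\\\\\';0 contact=\\\\\\\'4008588958\\\\\\\'}\\\',[],1,\\\'var\\\'.n(\\\'|\\\'),0,{}))` +
  String.raw`\',[],7,\'||8|9|d|f|h\'.n(\'|\'),0,{}))` +
  String.raw`',[],24,'||||||||function|return||||if||replace||while|eval|String||new|RegExp|split'.split('|'),0,{}))`;

// Print each peeled layer; the last one is the code the packer was protecting.
for (const [i, layer] of unpackAll(PACKED_LEAAN_JS).entries()) {
  console.log(`layer ${i + 1}: ${layer}`);
}
```

Running it shows that the three layers protect nothing but a stub, function copyright(name,value){var author='ccstat.com';var contact='4008588958'}, which attributes the script to the ccstat.com counter service; the cookie and beacon logic that actually reports to p.56645.com/stat/index sits unobfuscated after the eval. The token regex over \w+ with a parseInt lookup reproduces the packer's own substitution (it only ever matches keys whose numeric value is below the dictionary length), and the radix check is needed because the inner layers switch from base-36 to decimal keys.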
The Trojan connects to the servers at the following location(s):
(this list is empty; the URLs contacted during the run are those in the URLs and Traffic sections above)
Strings extracted from the sample (PE section names, imported libraries and functions, embedded URLs, paths and format strings):
.text
.rdata
@.data
.rsrc
uh.AP
t$(SSh
|$D.tm
~%UVW
HW%X>S
u$SShe
ole32.dll
wininet.dll
kernel32.dll
advapi32.dll
shlwapi.dll
user32.dll
Kernel32.dll
oleaut32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpGetFileA
FtpFindFirstFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpDeleteFileA
FtpRenameFileA
FtpPutFileA
FtpOpenFileA
FtpGetFileSize
hXXp://VVV.56645.com//MyAJAX/HdCheckUser.ashx?t=Reg&clientid=txtUname&rand=1&txtUname=
@qq.com&txtUQQ=
hXXp://VVV.56645.com/Register.aspx?ac=add
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXps://
hXXp://
hXXp://VVV.56645.com/UserLogin.aspx?userName=
hXXp://VVV.56645.com/v/WebsiteList.aspx
5277147
\config\gamemaster.dat
Password
hXXp://open.baidu.com/special/time/
window.baidu_time(
function timea(){var d,s;d=new Date();d.setTime('
D:\MirServer\Config.ini
D:\MirServer
\LoginSrv\IDDB
Config.ini
\Config.ini
Mir200\!Setup.txt
\Mir200\!Setup.txt
\Config\Mergetext.ini
\Tool\HeroTool.lde
\Tool\!Config.ini
\Tool\Config.ini
scripting.FileSystemObject
LoginSrv\IDDB\ID.DB
DBServer\FDB\HUM.DB
DBServer\FDB\Mir.DB
Mir200\Envir\UserData\LimitItem.txt
ID.DB
HUM.DB
Mir.DB
ID.txt
\LoginSrv\IDDB\
\Hum.DB
\DBServer\FDB\Hum.DB
\Mir.DB
\DBServer\FDB\Mir.DB
\Id.DB
\LoginSrv\IDDB\Id.DB
\UserSellOff.gold
\Mir200\Envir\Market_SellOff\UserSellOff.gold
\UserSellOff.sell
\Mir200\Envir\Market_SellOff\UserSellOff.sell
\BaiTan.Sell
\LoginSrv\IDDB\ID.DB
\DBServer\FDB\HUM.DB
M2Server.exe
Hum.DB
hXXp://wpa.qq.com/msgrd?V=1&Uin=527714&Site=-&Menu=no
hXXp://VVV.56645.com/config.htm
527714789
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
(HeroM2)-hXXp://VVV.56645.com/-2.20150517
hXXp://VVV.56645.com/
\Config\Cleanfolder.ini
LoginSrv\ChrLog
LoginSrv\CountLog
LoginSrv\IDDB
\Config\Cleantext.ini
Mir200\GuildBase\GuildList.txt
Mir200\Envir\AdminList.txt
Mir200\Envir\DenyAccountList.txt
Mir200\Envir\DenyChrNameList.txt
Mir200\Envir\DenyIPAddrList.txt
Mir200\Envir\DisableSendMsgList.txt
Mir200\Envir\ItemBindAccount.txt
Mir200\Envir\ItemBindChrName.txt
Mir200\Envir\ItemBindIPaddr.txt
Mir200\Envir\UnForceMaster.txt
Mir200\Envir\UnMaster.txt
Mir200\Envir\UnMarry.txt
2.20150517
2.20150517
\Config\Config.ini
D:\MirServer\
127.0.0.1
ServerPort
GatePort
LoginGate
GatePort1
GatePort2
GatePort3
GatePort4
GatePort5
GatePort6
GatePort7
GatePort8
LoginServer
MonPort
RunPort
Port
MsgSrvPort
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
VBScript.RegExp
hXXp://VVV.56645.com/tool.htmlo
2009-11-10
(Config.ini)|Config.ini
|*.zip
Id.DB
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
RegisterHotKey
UnregisterHotKey
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
MSIMG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WS2_32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
WLDAP32.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
1.1.3
%d%d%d
rundll32.exe shell32.dll,
msctls_hotkey32
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
(*.htm;*.html)|*.htm;*.html
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
(*.*)
1.0.0.0
%original file name%.exe_120_rwx_00401000_000FD000:
uh.AP
t$(SSh
|$D.tm
~%UVW
HW%X>S
u$SShe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\Logo[1].png (4917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\tool[1].htm (1301 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\leaan[1].js (731 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (291 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.