Gen.Variant.Symmi.32908_9af0960396

by malwarelabrobot on October 13th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.32908 (B) (Emsisoft), Gen:Variant.Symmi.32908 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 9af096039609faf33c46972aec7876e4
SHA1: 0b9c43e954d9e092440e82862974a1049c836ee7
SHA256: c68eebcd7d2101efce53e8043a8276dcddb201f7b5e27b607c5e1e0ec8c141f5
SSDeep: 6144:SHqdkgM3K5sI lk89tycurjHZdSdQtqHAC0/qs:SHqdkx3K2I DjGbiqtVCm
Size: 254609 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-09-23 16:31:32
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3836
WinMail.exe:2896

The Trojan injects its code into the following process(es):

conhost.exe:768
taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9aa73fd6.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Ilqy\edagk.exe (512 bytes)

The process WinMail.exe:2896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (54048 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2896_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9223.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (25648 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9222.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\49F56725-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\49F56725-00000001.eml:OECustomProperty (260 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2896_2.ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9222.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2896_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9223.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)

Registry activity

The process WinMail.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "2"
"Settings Upgraded" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "E1 07 0A 00 04 00 0C 00 0C 00 00 00 22 00 83 03"
"Running" = "1"
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerDlgPos" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
"Default_CodePage" = "28591"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"

[HKCU\Software\Microsoft\IAM\Accounts]
"ConnectionSettingsMigrated" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerTack" = "0"

[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{CE54EE8F-8454-4E11-A69C-0E6F9BED6C0A}.oeaccount"

[HKCU\Software\Microsoft\Windows Mail]
"lastrun" = "B7 88 E4 B9 51 43 D3 01"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Identities]
"Changing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Identities]
"IncomingID"
"OutgoingID"

[HKCU\Software\Microsoft\WAB]
"NamedProps"

Dropped PE files

MD5	File path
ed3f3df52fc2d4a616ed1e4d5824e8d0	c:\Users\"%CurrentUserName%"\AppData\Roaming\Ilqy\edagk.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WINMM.dll:

PlaySoundW

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpSendRequestExA
HttpSendRequestA
InternetSetFilePointer
HttpSendRequestW
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestA
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
ReleaseCapture
SetCapture
GetMessagePos
DefDlgProcW
CallWindowProcA
DefMDIChildProcA
DefFrameProcA
GetUpdateRgn
DefFrameProcW
DefMDIChildProcW
DefDlgProcA
GetClipboardData
GetMessageW
TranslateMessage
PeekMessageW
EndPaint
BeginPaint
GetDC
ReleaseDC
DefWindowProcW
GetWindowDC
GetDCEx
CallWindowProcW
PeekMessageA
GetMessageA
RegisterClassExW
RegisterClassW
RegisterClassA
DefWindowProcA
GetUpdateRect
GetCursorPos
GetCapture
RegisterClassExA
OpenInputDesktop
SwitchDesktop

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in WS2_32.dll:

gethostbyname
send
WSASend
getaddrinfo
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwCreateUserProcess

Propagation

VersionInfo

Company Name: AIMP DevTeam
Product Name: AIMP3
Product Version:
Legal Copyright: Artem Izmaylov
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.0.0.810
File Description: It is a long string
Comments: Made in Russia
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	19305	19456	4.49576	67161fa521f97c8cde94863fef98008a
.rdata	24576	13836	14336	4.29182	6fd75e92961961dda89a07584418afc2
.data	40960	7620	3072	1.7944	bb90d778b99212d939442ebd096cf5a0
.rsrc	49152	215536	215552	4.17099	2becac22471fe7cc0854a040959d9b4b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
bac857d9abc30e72d8f3312da1a9c490

URLs

URL	IP
hxxp://a1363.dscg.akamai.net/pki/crl/products/CodeSignPCA.crl
hxxp://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl	62.140.236.169

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Length: 558

Content-Type: application/pkix-crl

Content-MD5: PMABL5b49EFkwY194FAj2Q==

Last-Modified: Wed, 23 Aug 2017 20:44:38 GMT

ETag: 0x8D4EA67C5E6D892

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

x-ms-request-id: 6db382f6-0001-0060-805f-1c0252000000

x-ms-version: 2009-09-19

x-ms-lease-status: unlocked

x-ms-blob-type: BlockBlob

Date: Thu, 12 Oct 2017 12:00:34 GMT

Connection: keep-alive

0..*0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Copyright (c) 20
00 Microsoft Corp.1#0!..U....Microsoft Code Signing PCA..111110211944Z
..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0... .....7.......
..0...*.H...............&..%PIu@.....\0KF....0..^.h9=.1jT,5.L....Ed ..
6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud);.?....J_...Fu...
.<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..Tr..Ch.[.z:....#.
..T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . ....G..#....T..G;.....
.HTTP/1.1 200 OK..Content-Length: 558..Content-Type: application/pkix-
crl..Content-MD5: PMABL5b49EFkwY194FAj2Q==..Last-Modified: Wed, 23 Aug
 2017 20:44:38 GMT..ETag: 0x8D4EA67C5E6D892..Server: Windows-Azure-Blo
b/1.0 Microsoft-HTTPAPI/2.0..x-ms-request-id: 6db382f6-0001-0060-805f-
1c0252000000..x-ms-version: 2009-09-19..x-ms-lease-status: unlocked..x
-ms-blob-type: BlockBlob..Date: Thu, 12 Oct 2017 12:00:34 GMT..Connect
ion: keep-alive..0..*0......0...*.H........0..1.0...U....US1.0...U....
Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U...
"Copyright (c) 2000 Microsoft Corp.1#0!..U....Microsoft Code Signing P
CA..111110211944Z..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0
... .....7.........0...*.H...............&..%PIu@.....\0KF....0..^.h9=
.1jT,5.L....Ed ..6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud)
;.?....J_...Fu....<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..
Tr..Ch.[.z:....#...T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . .

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

conhost.exe_768_rwx_001B0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde\ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde

ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

taskhost.exe_872_rwx_005E0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD`

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde\ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde

ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Iwda\telue.ity

C:\Users\"%CurrentUserName%"\AppData\Roaming\Iwda

telue.ity

Dwm.exe_1376_rwx_00110000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde\ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde

ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

:\Users\"%CurrentUserName%"\AppData\Roaming\Iwda\telue.ity

C:\Users\"%CurrentUserName%"\AppData\Roaming\Iwda

telue.ity

Explorer.EXE_1440_rwx_03A90000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde\ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde

ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

TPAutoConnect.exe_2160_rwx_00390000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD;

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde\ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde

ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

conhost.exe_2168_rwx_002D0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD/

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde\ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cyde

ocsou.ege

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:3836
WinMail.exe:2896
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9aa73fd6.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Ilqy\edagk.exe (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (54048 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2896_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9223.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (25648 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9222.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\49F56725-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\49F56725-00000001.eml:OECustomProperty (260 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Symmi.32908_9af0960396

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet