Gen.Variant.Zbot.15_ea805843d3

by malwarelabrobot on October 3rd, 2014 in Malware Descriptions.

HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Variant.Zbot.15 (B) (Emsisoft), Gen:Variant.Zbot.15 (AdAware), Shiz.YR, Sinowal.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: ea805843d32cbea341ce6e796599db85
SHA1: 177e0844dfab6470bb3c670b3cd5df0fddf678b6
SHA256: ef8db9d910908644084bd0f63d5c6ea3b07d79960c1170c1f4f6015514c4300f
SSDeep: 3072:pxG5Er7 qD/mfP/BnY F0Su7n7yQX7dPzKSvk:pxh9O1l6SkZs
Size: 101376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AKorea
Created at: 2000-06-25 06:33:28
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

The strings recovered from the injected processes (see the dumps below) narrow this down considerably. The sample targets WebMoney (the light.wmtransfer.com login page and the "webmoney" marker) and several banking-client programs (Agava_Client.exe and its KeysDiskPath setting, ISClient.cfg, interpro.ini/intpro.exe, bsi.dll, cbsmain.dll, FilialRCon.dll, sks2xyz.dll). It collects key and certificate files (*.key, self.cer, sign.cer, prv_key.pfx, secret.key, pubkeys.key, packed into keys.zip), exports certificates and private keys from the Windows certificate store (CertEnumCertificatesInStore, PFXExportCertStoreEx) and from Firefox NSS databases (PK11_ListCerts, PK11_CheckUserPassword and the SEC_PKCS12* export routines resolved from nss3.dll/softokn3.dll), keeps a keylog (keylog.txt, GetKeyState/GetKeyboardState), and records visited URLs and form posts in the [[[URL: ... Title: ...]]] format from the processes in the list iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|mnp.exe|loadmain.exe (HttpSendRequestA/W). It offers a SOCKS back-connect registered through /socks.php?name=&port= after opening a TCP port in the Windows Firewall GloballyOpenPorts list, adds persistent static routes (route.exe -p add ... mask 255.255.255.0 ...) for the long list of /24 networks in the dump, and the string %System%\userinit.exe,%System%\mqbgmm.exe, indicates persistence through the Winlogon Userinit value. Check-in is a GET to hXXp://beautifumortimer.com/knok.php?id=SYSTEM!XP1!F9BE9A8A&ver=16&up=...&os=... (the id is built from the %s!%s!X template); collected data is uploaded as a multipart file named "report" by POST /gate.php HTTP/1.0.

The process, file and registry sections below record what the sandbox actually observed, which is much less than this: the sample never beaconed during the run.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1988

The Trojan injects its code into the following process(es):

services.exe:764
Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 22 1A 33 11 24 9E 62 B0 F0 6B C1 2A E2 B1 54"

This value is rewritten by CryptoAPI whenever a process draws from the system random-number generator, so it only shows that the sample used the Windows crypto API (consistent with the CRYPT32.dll import and the Cert*/PFX* strings in the dumps); it is not a persistence mechanism and the seed bytes are not a useful indicator. The registry changes the strings point at (the Winlogon Userinit value, the firewall GloballyOpenPorts list, persistent routes under Tcpip\Parameters) were not observed in this run.

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Svxruw Uwzyhjm Owipnut Xtpnusy
Product Name: Fdkip Anlsq
Product Version: 0.2.5.1
Legal Copyright: Wyhkm
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.1.7.8
File Description: Xpuvqw Utign Fuovtbi Dkipt
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             29855         30208     5.18662  74b88f46604ee78a5a6b365595e15b4a
.data   36864            60016         60416     4.94398  45f6076214648553307c4f2e7ef4126e
.idata  98304            1366          1536      3.19634  340ff712aad3815a7109ad7db87d516a
.rsrc   102400           8164          8192      5.01446  70974b91b1d2477a08b312a799ca5e00

These are the sections of the file on disk. The images dumped from services.exe and Explorer.EXE carry a different section layout (.text, .rdata, .data, .reloc) and their own import list (KERNEL32.DLL, ADVAPI32.dll, CRYPT32.dll, WININET.dll, WS2_32.dll and others), so the strings in those dumps belong to an embedded PE that the UPolyX-packed outer file unpacks and injects, not to the outer file itself. Hash the unpacked image separately if you want to pivot on it.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

No connections were observed during the analysis run. The strings recovered from the injected processes (below) nevertheless contain the C2 hostname beautifumortimer.com, a check-in URL (/knok.php?id=...), a SOCKS registration URL (/socks.php?name=...&port=...) and a POST /gate.php HTTP/1.0 upload, so the absence of traffic in the sandbox should not be read as the sample having no C2.

Strings from Dumps

services.exe_764_rwx_00040000_0002C000:

|$L.tj
t.Vh<2
SSSh*
u#SSSh
SSShh@
SSShP
SSShV
beautifumortimer.com
POST /gate.php HTTP/1.0
Host: %s
Content-Length: %u
195.222.17.0
74.55.143.0
62.67.184.0
208.43.44.0
188.40.74.0
212.59.118.0
81.176.67.0
87.242.75.0
83.102.130.0
207.44.254.0
75.125.212.0
74.86.125.0
75.125.43.0
75.125.189.0
74.54.46.0
74.54.130.0
174.120.184.0
174.120.185.0
174.133.38.0
74.54.139.0
74.86.232.0
74.53.70.0
208.43.71.0
174.120.186.0
75.125.185.0
74.55.74.0
95.140.225.0
94.236.0.0
94.23.206.0
93.191.13.0
93.184.71.0
92.53.106.0
92.123.155.0
91.209.196.0
91.199.212.0
91.121.97.0
90.183.101.0
90.156.159.0
89.202.157.0
89.202.149.0
89.111.176.0
89.108.66.0
88.221.119.0
87.242.79.0
87.242.74.0
87.242.72.0
87.238.48.0
87.230.79.0
87.106.254.0
87.106.242.0
85.31.222.0
85.255.19.0
85.214.106.0
85.17.210.0
85.12.57.0
84.40.30.0
83.223.117.0
83.222.31.0
83.222.23.0
83.202.175.0
82.98.86.0
82.165.103.0
82.151.107.0
82.117.238.0
81.24.35.0
81.177.31.0
81.176.66.0
80.86.107.0
80.237.132.0
80.190.154.0
80.190.130.0
80.153.193.0
79.125.5.0
78.47.87.0
78.137.164.0
78.108.86.0
75.125.82.0
75.125.29.0
74.55.40.0
74.53.201.0
74.52.233.0
74.50.0.0
74.208.20.0
74.208.158.0
74.125.77.0
72.32.70.0
72.32.149.0
72.32.125.0
72.3.254.0
72.232.246.0
70.84.211.0
69.93.226.0
69.57.142.0
69.20.104.0
69.18.148.0
69.162.79.0
68.177.102.0
67.227.172.0
67.225.206.0
67.192.135.0
67.19.34.0
67.15.231.0
67.15.103.0
67.134.208.0
66.77.70.0
66.249.17.0
66.223.50.0
65.55.240.0
65.55.184.0
65.175.38.0
64.78.182.0
64.66.190.0
64.41.151.0
64.41.142.0
64.246.4.0
64.202.189.0
64.13.134.0
64.128.133.0
63.85.36.0
62.75.216.0
62.75.163.0
62.213.110.0
62.189.194.0
62.146.66.0
62.146.210.0
62.14.249.0
38.113.1.0
217.174.103.0
217.170.21.0
217.16.16.0
217.106.234.0
216.99.133.0
216.55.183.0
216.49.94.0
216.49.88.0
216.246.90.0
216.239.122.0
216.12.145.0
216.10.192.0
213.31.172.0
213.220.100.0
213.198.89.0
213.171.218.0
213.133.34.0
212.8.79.0
212.72.62.0
212.67.88.0
212.47.219.0
209.87.209.0
209.62.68.0
209.62.112.0
209.51.167.0
209.216.46.0
209.160.22.0
209.157.69.0
209.124.55.0
208.79.250.0
207.66.0.0
207.46.232.0
207.46.20.0
207.46.18.0
207.44.154.0
206.204.52.0
205.227.136.0
205.178.145.0
204.14.90.0
203.160.188.0
199.203.243.0
198.6.49.0
195.70.37.0
195.64.225.0
195.55.72.0
195.210.42.0
195.2.240.0
195.146.235.0
195.137.160.0
194.33.180.0
194.206.126.0
194.112.106.0
194.109.142.0
194.0.200.0
193.71.68.0
193.69.114.0
193.66.251.0
193.24.237.0
193.193.194.0
193.17.85.0
193.110.109.0
193.1.193.0
193.0.6.0
192.150.94.0
188.93.8.0
18.85.2.0
166.70.98.0
165.160.15.0
162.40.10.0
155.35.248.0
150.70.93.0
149.101.225.0
141.202.248.0
139.91.222.0
128.130.60.0
128.130.56.0
128.111.48.0
sfc.dll
winlogon.exe
\\.\PhysicalDrive
smss.exe
csrss.exe
lsass.exe
%s\%s
%d.%d.%d.%d
route.exe -p add %s mask 255.255.255.0 %s
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
[[[URL: %s
Process: %s
Referer: %s
User-Agent: %s
Title: %s]]]
ntdll.dll
keys
bssrepp\private.txt
bssrepp\keys
bssrepp\public.txt
keys.zip
\*.key
\self.cer
self.cer
path.txt
pass.log
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
keylog.txt
links.log
Content-Disposition: form-data; name="file"; filename="report"
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
name.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
user32.dll
prv_key.pfx
keys\
sign.cer
\History.IE5\index.dat
https
\Opera\Opera\typed_history.xml
secret.key
pubkeys.key
\\.\KmxAgent
\Windows Defender
MpClient.dll
____AVP.Root
avipc.dll
\AVG\AVG9\dfncfg.dat
\AVG\AVG9\dfmcfg.dat
kernel32.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Server 2003 for Itanium64
Server 2003 for AMD64
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
nspr4.dll
mozcrt19.dll
webmoney
PK11_ListCerts
CERT_DestroyCertList
CERT_GetDefaultCertDB
PORT_UCS2_UTF8Conversion
PORT_SetUCS2_ASCIIConversionFunction
PK11_GetInternalKeySlot
PK11_CheckUserPassword
SEC_PKCS12AddPasswordIntegrity
SEC_PKCS12CreatePasswordPrivSafe
SEC_PKCS12AddCertAndKey
SEC_PKCS12DestroyExportContext
SEC_PKCS12CreateExportContext
1234567890
firefox
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
balance.htm
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
action=auth&np=&login=
IW_FormName=fmLogin&IW_FormClass=TfmLogin
opera.dll
HttpSendRequestA
HttpSendRequestW
Title: %s
User-agent: %s]]]
{{{%s}}}
Kernel32.dll
\*.bk
ISClient.cfg
interpro.ini
rfk.zip
pass_
login=
password=
ws2_32.dll
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
path1.txt
inter.zip
cbsmain.dll
bsi.dll
vb_pfx_import
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|mnp.exe|loadmain.exe
hXXp://
/knok.php?id=
hXXp://beautifumortimer.com/knok.php?id=
C:\temp_file_bin
login
software\microsoft\windows nt\currentversion\winlogon
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
%d:TCP
%d:TCP:*:Enabled:%d
%Program Files%
services.exe
/socks.php?name=
&port=
iexplore.exe
java.exe
javaw.exe
javaws.exe
opera.exe
mnp.exe
explorer.exe
isclient.exe
intpro.exe
loadmain.exe
advapi32.dll
sks2xyz.dll
FilialRCon.dll
Wininet.dll
qlogin
SYSTEM!XP1!F9BE9A8A
XP Service Pack 3
%Program Files%\Common Files\
WinExec
GetProcessHeap
GetSystemWindowsDirectoryA
RegOpenKeyExA
RegCreateKeyExA
RegFlushKey
RegCloseKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
PFXExportCertStoreEx
CertDuplicateCertificateContext
CertEnumCertificatesInStore
PFXImportCertStore
CertGetNameStringA
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
SHFileOperationA
URLDownloadToFileA
GetKeyboardState
GetKeyState
DeleteUrlCacheEntry
InternetOpenUrlA
6$6$6$6$6 6
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
CRYPT32.dll
IPHLPAPI.DLL
MSVCRT.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WS2_32.dll
J,%u?>
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin
lself.cer
\secrets.key
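The check-in and upload shapes embedded in the dump above, turned into detection logic that can be run over proxy logs. This is an added example and not code from the Lavasoft report or from the malware; the hostname, the /knok.php, /gate.php and /socks.php paths, the "%s!%s!X" bot-ID grammar and the SYSTEM!XP1!F9BE9A8A sample ID are taken from the dump, while the log line format and the five sample lines are constructed for the example.

```python
"""Detection logic for the C2 request shapes in this sample's strings.

Added example, not part of the Lavasoft report. It reconstructs the request
shapes visible in the string dump:

  GET  hXXp://beautifumortimer.com/knok.php?id=<a>!<b>!<8 hex>&ver=..&up=..&os=..
  GET  .../socks.php?name=<bot id>&port=<n>
  POST /gate.php HTTP/1.0  (Host: %s, Content-Length: %u)

and applies them to a few constructed proxy-log lines. The log format
"<ts> <client> <method> <url> <status>" is an assumption for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "beautifumortimer.com"

# Bot ID seen in the dump: SYSTEM!XP1!F9BE9A8A, built from the "%s!%s!X" template.
BOT_ID_RE = re.compile(r"^[^!]+![^!]+![0-9A-F]{8}$")

# Path patterns are checked independently of the hostname so the rules
# keep firing if the operator rotates domains.
KNOCK_PATH_RE = re.compile(r"^/knok\.php$")
GATE_PATH_RE = re.compile(r"^/gate\.php$")
SOCKS_PATH_RE = re.compile(r"^/socks\.php$")

# Constructed log format (assumption): "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(method, url):
    """Return a verdict string for one request, or None if nothing matched."""
    parts = urlsplit(url.replace("hXXp", "http", 1))  # accept defanged URLs
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    if KNOCK_PATH_RE.match(parts.path):
        bot_id = qs.get("id", [""])[0]
        if BOT_ID_RE.match(bot_id):
            return "shiz-knock id=%s ver=%s os=%s" % (
                bot_id, qs.get("ver", ["?"])[0], qs.get("os", ["?"])[0])
        return "knock-path-without-botid"
    if method == "POST" and GATE_PATH_RE.match(parts.path):
        return "shiz-gate-upload host=%s" % host
    if SOCKS_PATH_RE.match(parts.path) and "port" in qs:
        return "shiz-socks-register port=%s" % qs["port"][0]
    if host == C2_HOST:
        return "known-c2-host"
    return None


def scan_log(lines):
    """Apply classify() to each log line; return (line_no, verdict) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m.group(3), m.group(4))
        if verdict:
            hits.append((n, verdict))
    return hits


# Constructed sample traffic (not captured data): a knock, a gate upload,
# a SOCKS registration, benign noise, and a knock path with a bad ID.
SAMPLE_LOG = [
    "2014-04-10T13:22:14 192.168.25.207 GET http://beautifumortimer.com/knok.php?id=SYSTEM!XP1!F9BE9A8A&ver=16&up=1348&os=XP%20Service%20Pack%203 200",
    "2014-04-10T13:22:15 192.168.25.207 POST http://beautifumortimer.com/gate.php 200",
    "2014-04-10T13:22:16 192.168.25.207 GET http://beautifumortimer.com/socks.php?name=SYSTEM!XP1!F9BE9A8A&port=3128 200",
    "2014-04-10T13:22:17 192.168.25.207 GET http://www.example.com/index.html 200",
    "2014-04-10T13:22:18 192.168.25.207 GET http://cdn.example.net/knok.php?id=not-a-bot 404",
]

if __name__ == "__main__":
    for n, verdict in scan_log(SAMPLE_LOG):
        print(n, verdict)
```

The bot-ID check is the useful part: /knok.php and /gate.php are short generic names that other kits and benign sites also use, but an id parameter shaped as two tokens and eight upper-case hex digits separated by "!" is specific enough to alert on by itself.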

services.exe_764_rwx_00093000_00001000:

Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
5.1.2600.551
\Driver\PptpMiniport

services.exe_764_rwx_000B2000_00001000:

w2.5.29.1
w2.5.29.2
w2.5.29.4
w2.5.29.7
w2.5.29.8
w2.5.29.10
w2.5.29.15
w2.5.29.19
w2.5.29.32
w1.3.6.1.5.5.7.2.2
w2.5.29.35
w2.5.29.14
w2.5.29.17
w2.5.29.18
w2.5.29.21
w1.3.6.1.5.5.7.1.1
w2.5.29.31
w1.3.6.1.4.1.311.2.1.14
w1.2.840.113549.1.9.14
w1.3.6.1.4.1.311.10.2
w2.5.29.37
w1.3.6.1.4.1.311.10.1
w1.2.840.113549.3.2
w1.2.840.113549.1.9.15
w1.2.840.113549.1.9.5
w1.3.6.1.4.1.311.13.2.1
w1.3.6.1.4.1.311.13.2.2
w2.5.29.20
w2.5.29.27
w2.5.29.28
w2.5.29.46
w2.5.29.30
w2.5.29.33
w2.5.29.5
w2.5.29.36
w1.3.6.1.4.1.311.10.9.1
w1.3.6.1.4.1.311.21.7
w2.5.29.3
\\.\PIPE\scerpc

services.exe_764_rwx_000B9000_00001000:

q CKM66.228.61.232
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\
%WinDir%\System32\svchost.exe -k netsvcs
\svchost.exe.Con
%System%\svchost -k rpcss

services.exe_764_rwx_000C7000_00001000:

.dll,!
w0.9.2342.19200300.100.1.25
%System%\userinit.exe,%System%\mqbgmm.exe,
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\index.dat
%System%\mqbgmm.exe,
ware\microsoft\windows nt\currentversion\winlogon

services.exe_764_rwx_000CD000_00001000:

hXXp://beautifumortimer.com/knok.php?id=SYSTEM!XP1!F9BE9A8A&ver=16&up=1348&os=XP Service Pack 3
CryptDllExportPublicKeyInfoEx
CryptDllImportPublicKeyInfoEx
CryptDllConvertPublicKeyInfo
w1.3.14.3.2.12

services.exe_764_rwx_000D2000_00001000:

w2.5.4.4
:2013021120130212:
beautifumortimer.com
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
w2.5.4.10
w2.5.4.3
INDOWS\system32\route.exe
5.1.2600.5512
0303030303030303

Explorer.EXE_1684_rwx_000C4000_00001000:

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat
\\?\IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
%Documents and Settings%\All Users\Start Menu\Programs\Startup
%System%\stobject.dll

Explorer.EXE_1684_rwx_000E2000_00001000:

%SystemRoot%\system32\mswsock.dll
%Program Files%\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll
Tcpip
CLSID\{8C7461EF-2B13-11D2-BE35-3078302C2030}
%System%\browseui.dll
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
%Documents and Settings%\%current user%\My Documents
ice\{E1070104-F404-44CE-B556-0622F9D63EE5}
CLSID\{26FDC864-BE88-46E7-9235-032D8EA5162E}
%System%\SHELL32.dll

Explorer.EXE_1684_rwx_000F4000_00001000:

@C:\PROGRA~1\MOVIEM~1\wmm2res.dll,-61446
%SystemRoot%\system32\mswsock.dll
%WinDir%\LastGood
ice\{E1070104-F404-44CE-B556-0622F9D63EE5}
Maker.lnk
%Program Files%\Movie Mak
%WinDir%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\
%Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\
ISTRY\USER\S-1-5-21-1844237615-1960408961-1801674531-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
MSAFD NetBIOS [\Device\NetBT_Tcpip_{FA3B3797-8A29-4E30-9B14-9ECEA8F69703}] SEQPACKET 2

Explorer.EXE_1684_rwx_0010C000_00001000:

@shell32.dll,-22016
4/04/10 13:22:14 1684.35]
4/04/10 13:22:14 1684.36]
Wizard.lnk
[2014/04/10 13:22:14 1684.37]
wiz.exe
b8a05-beee-4442-

Explorer.EXE_1684_rwx_0013A000_00001000:

1.2.840.113549.1.9.16.2.3
1.2.840.113549.1.9.16.2.4
1.3.6.1.4.1.311.12.1.1
1.3.6.1.4.1.311.12.1.2
sk: 255.255.255.0
02:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.193_x-ww_ac24e7bf\downlevel_manifest.8.0.50727.193\
NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark

Explorer.EXE_1684_rwx_00142000_00001000:

IsFileSupportedName
Set\ServCLSID\{F020E586-5264-11D1-A532-0000F8757D7E}
%System%\hnetcfg.dll
CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
%System%\wbem\wbemprox.dll
0D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}

Explorer.EXE_1684_rwx_00153000_00002000:

ice\NetBT_Tcpip_{E1070104-F404-44CE-B556-0622F9D63EE5}
DCLSID\{5B4DAE26-B807-11D0-9815-00C04FD91972}
NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
ADOBER~1.LNKAdobe Reader 9.lnk

Explorer.EXE_1684_rwx_0015B000_00001000:

{E1070104-F404-44CE-B556-0622F9D63EE5}
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
192.168.25.207
255.255.255.0
192.168.25.3
0.0.0.0
255.255.255.255
192.168.25.26
urCLSID\{ECD4FC4F-521C-11D0-B792-00A0C90312E1}
erl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
ess Monitor - Exporting event data

Explorer.EXE_1684_rwx_00EE0000_00021000:

|$L.tj
t.Vh<2
SSSh*
u#SSSh
SSShh@
SSShP
SSShV
beautifumortimer.com
POST /gate.php HTTP/1.0
Host: %s
Content-Length: %u
195.222.17.0
74.55.143.0
62.67.184.0
208.43.44.0
188.40.74.0
212.59.118.0
81.176.67.0
87.242.75.0
83.102.130.0
207.44.254.0
75.125.212.0
74.86.125.0
75.125.43.0
75.125.189.0
74.54.46.0
74.54.130.0
174.120.184.0
174.120.185.0
174.133.38.0
74.54.139.0
74.86.232.0
74.53.70.0
208.43.71.0
174.120.186.0
75.125.185.0
74.55.74.0
95.140.225.0
94.236.0.0
94.23.206.0
93.191.13.0
93.184.71.0
92.53.106.0
92.123.155.0
91.209.196.0
91.199.212.0
91.121.97.0
90.183.101.0
90.156.159.0
89.202.157.0
89.202.149.0
89.111.176.0
89.108.66.0
88.221.119.0
87.242.79.0
87.242.74.0
87.242.72.0
87.238.48.0
87.230.79.0
87.106.254.0
87.106.242.0
85.31.222.0
85.255.19.0
85.214.106.0
85.17.210.0
85.12.57.0
84.40.30.0
83.223.117.0
83.222.31.0
83.222.23.0
83.202.175.0
82.98.86.0
82.165.103.0
82.151.107.0
82.117.238.0
81.24.35.0
81.177.31.0
81.176.66.0
80.86.107.0
80.237.132.0
80.190.154.0
80.190.130.0
80.153.193.0
79.125.5.0
78.47.87.0
78.137.164.0
78.108.86.0
75.125.82.0
75.125.29.0
74.55.40.0
74.53.201.0
74.52.233.0
74.50.0.0
74.208.20.0
74.208.158.0
74.125.77.0
72.32.70.0
72.32.149.0
72.32.125.0
72.3.254.0
72.232.246.0
70.84.211.0
69.93.226.0
69.57.142.0
69.20.104.0
69.18.148.0
69.162.79.0
68.177.102.0
67.227.172.0
67.225.206.0
67.192.135.0
67.19.34.0
67.15.231.0
67.15.103.0
67.134.208.0
66.77.70.0
66.249.17.0
66.223.50.0
65.55.240.0
65.55.184.0
65.175.38.0
64.78.182.0
64.66.190.0
64.41.151.0
64.41.142.0
64.246.4.0
64.202.189.0
64.13.134.0
64.128.133.0
63.85.36.0
62.75.216.0
62.75.163.0
62.213.110.0
62.189.194.0
62.146.66.0
62.146.210.0
62.14.249.0
38.113.1.0
217.174.103.0
217.170.21.0
217.16.16.0
217.106.234.0
216.99.133.0
216.55.183.0
216.49.94.0
216.49.88.0
216.246.90.0
216.239.122.0
216.12.145.0
216.10.192.0
213.31.172.0
213.220.100.0
213.198.89.0
213.171.218.0
213.133.34.0
212.8.79.0
212.72.62.0
212.67.88.0
212.47.219.0
209.87.209.0
209.62.68.0
209.62.112.0
209.51.167.0
209.216.46.0
209.160.22.0
209.157.69.0
209.124.55.0
208.79.250.0
207.66.0.0
207.46.232.0
207.46.20.0
207.46.18.0
207.44.154.0
206.204.52.0
205.227.136.0
205.178.145.0
204.14.90.0
203.160.188.0
199.203.243.0
198.6.49.0
195.70.37.0
195.64.225.0
195.55.72.0
195.210.42.0
195.2.240.0
195.146.235.0
195.137.160.0
194.33.180.0
194.206.126.0
194.112.106.0
194.109.142.0
194.0.200.0
193.71.68.0
193.69.114.0
193.66.251.0
193.24.237.0
193.193.194.0
193.17.85.0
193.110.109.0
193.1.193.0
193.0.6.0
192.150.94.0
188.93.8.0
18.85.2.0
166.70.98.0
165.160.15.0
162.40.10.0
155.35.248.0
150.70.93.0
149.101.225.0
141.202.248.0
139.91.222.0
128.130.60.0
128.130.56.0
128.111.48.0
sfc.dll
winlogon.exe
\\.\PhysicalDrive
smss.exe
csrss.exe
lsass.exe
%s\%s
%d.%d.%d.%d
route.exe -p add %s mask 255.255.255.0 %s
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
[[[URL: %s
Process: %s
Referer: %s
User-Agent: %s
Title: %s]]]
ntdll.dll
keys
bssrepp\private.txt
bssrepp\keys
bssrepp\public.txt
keys.zip
\*.key
\self.cer
self.cer
path.txt
pass.log
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
keylog.txt
links.log
Content-Disposition: form-data; name="file"; filename="report"
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
name.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
user32.dll
prv_key.pfx
keys\
sign.cer
\History.IE5\index.dat
https
\Opera\Opera\typed_history.xml
secret.key
pubkeys.key
\\.\KmxAgent
\Windows Defender
MpClient.dll
____AVP.Root
avipc.dll
\AVG\AVG9\dfncfg.dat
\AVG\AVG9\dfmcfg.dat
kernel32.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Server 2003 for Itanium64
Server 2003 for AMD64
smime3.dll
nss3.dll
softokn3.dll
nssutil3.dll
sqlite3.dll
plc4.dll
plds4.dll
nspr4.dll
mozcrt19.dll
webmoney
PK11_ListCerts
CERT_DestroyCertList
CERT_GetDefaultCertDB
PORT_UCS2_UTF8Conversion
PORT_SetUCS2_ASCIIConversionFunction
PK11_GetInternalKeySlot
PK11_CheckUserPassword
SEC_PKCS12AddPasswordIntegrity
SEC_PKCS12CreatePasswordPrivSafe
SEC_PKCS12AddCertAndKey
SEC_PKCS12DestroyExportContext
SEC_PKCS12CreateExportContext
1234567890
firefox
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
balance.htm
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
action=auth&np=&login=
IW_FormName=fmLogin&IW_FormClass=TfmLogin
opera.dll
HttpSendRequestA
HttpSendRequestW
Title: %s
User-agent: %s]]]
{{{%s}}}
Kernel32.dll
\*.bk
ISClient.cfg
interpro.ini
rfk.zip
pass_
login=
password=
ws2_32.dll
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
path1.txt
inter.zip
cbsmain.dll
bsi.dll
vb_pfx_import
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|mnp.exe|loadmain.exe
hXXp://
/knok.php?id=
hXXp://beautifumortimer.com/knok.php?id=
C:\temp_file_bin
login
software\microsoft\windows nt\currentversion\winlogon
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
%d:TCP
%d:TCP:*:Enabled:%d
%Program Files%
services.exe
/socks.php?name=
&port=
iexplore.exe
java.exe
javaw.exe
javaws.exe
opera.exe
mnp.exe
explorer.exe
isclient.exe
intpro.exe
loadmain.exe
advapi32.dll
sks2xyz.dll
FilialRCon.dll
Wininet.dll
%Program Files%\Common Files\
WinExec
GetProcessHeap
GetSystemWindowsDirectoryA
RegOpenKeyExA
RegCreateKeyExA
RegFlushKey
RegCloseKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
PFXExportCertStoreEx
CertDuplicateCertificateContext
CertEnumCertificatesInStore
PFXImportCertStore
CertGetNameStringA
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
SHFileOperationA
URLDownloadToFileA
GetKeyboardState
GetKeyState
DeleteUrlCacheEntry
InternetOpenUrlA
6$6$6$6$6 6
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
CRYPT32.dll
IPHLPAPI.DLL
MSVCRT.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WS2_32.dll
hXXps://light.wmtransfer.com/login.aspx?ReturnUrl=/default.aspx
btnLogin
lself.cer
\secrets.key

Explorer.EXE_1684_rwx_03171000_00001000:

Software\Policies\Microsoft\SystemCertificates\trust
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My
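Host-side checks for the artifacts the dumps name but the sandbox did not record: persistent routes added with route.exe -p, a second executable appended to the Winlogon Userinit value, and a firewall GloballyOpenPorts entry in the "%d:TCP:*:Enabled:%d" shape. This is an added example, not Lavasoft's or the malware's code; it parses text collected from a suspect host with `route print` and `reg export` so it runs offline, and the excerpts embedded below are constructed, with the mqbgmm.exe name and the network addresses taken from the dumps.

```python
"""Host-side triage for the artifacts named in the string dumps.

Added example, not code from the Lavasoft report. It parses text collected
from a suspect host with `route print` and `reg export` and flags:

  1. persistent /24 routes (route.exe -p add <net> mask 255.255.255.0 <gw>)
     whose destination is one of the sample's listed networks;
  2. an extra executable appended to the Winlogon Userinit value
     (the dump shows "%System%\\userinit.exe,%System%\\mqbgmm.exe,");
  3. Windows Firewall GloballyOpenPorts entries shaped like the template
     "%d:TCP:*:Enabled:%d".

The sample inputs below are constructed for the example, not captured data.
"""
import ipaddress
import re

# A subset of the /24 networks listed in the dump (the full list is in the report).
SHIZ_NETWORKS = {ipaddress.ip_network(n + "/24") for n in (
    "195.222.17.0", "74.55.143.0", "62.67.184.0", "208.43.44.0",
    "188.40.74.0", "74.125.77.0", "65.55.240.0", "207.46.232.0")}

# One row of the "Persistent Routes" table in XP `route print` output.
ROUTE_ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s*$")
USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$', re.IGNORECASE)
OPENPORT_RE = re.compile(
    r'^"(\d+):(TCP|UDP)"="\d+:(?:TCP|UDP):([^:]+):(Enabled|Disabled):(.*)"$',
    re.IGNORECASE)


def suspicious_persistent_routes(route_print_lines):
    """(dest, mask, gateway) for persistent /24 routes into SHIZ_NETWORKS."""
    hits, in_persistent = [], False
    for line in route_print_lines:
        if "Persistent Routes" in line:
            in_persistent = True
            continue
        m = ROUTE_ROW_RE.match(line) if in_persistent else None
        if not m or m.group(2) != "255.255.255.0":
            continue
        dest, mask, gw = m.groups()
        if ipaddress.ip_network(dest + "/24", strict=False) in SHIZ_NETWORKS:
            hits.append((dest, mask, gw))
    return hits


def extra_userinit_entries(reg_export_lines):
    """Entries in the Userinit value other than the stock userinit.exe,
    or None if the value is not present in the export."""
    for line in reg_export_lines:
        m = USERINIT_RE.match(line.strip())
        if not m:
            continue
        # reg export doubles backslashes inside string values.
        entries = [e.strip().replace("\\\\", "\\")
                   for e in m.group(1).split(",") if e.strip()]
        return [e for e in entries if not e.lower().endswith("userinit.exe")]
    return None


def malware_style_open_ports(reg_export_lines):
    """(port, proto) for GloballyOpenPorts entries with scope '*', state
    Enabled and a bare numeric display name, i.e. the "%d:TCP:*:Enabled:%d"
    shape from the dump. Stock XP entries carry a resource-string name
    (@xpsp2res.dll,-NNNN) and usually the LocalSubNet scope, so they do not match."""
    hits = []
    for line in reg_export_lines:
        m = OPENPORT_RE.match(line.strip())
        if (m and m.group(3) == "*" and m.group(4).lower() == "enabled"
                and m.group(5).isdigit()):
            hits.append((int(m.group(1)), m.group(2).upper()))
    return hits


def triage(route_print_lines, reg_export_lines):
    """Run all three checks and return their results keyed by artifact."""
    return {
        "routes": suspicious_persistent_routes(route_print_lines),
        "userinit_extra": extra_userinit_entries(reg_export_lines),
        "open_ports": malware_style_open_ports(reg_export_lines),
    }


# Constructed `route print` excerpt: one benign persistent route and two
# that fall inside the sample's network list.
SAMPLE_ROUTE_PRINT = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0     192.168.25.3       1
     195.222.17.0    255.255.255.0     192.168.25.3       1
      74.125.77.0    255.255.255.0     192.168.25.3       1
""".splitlines()

# Constructed `reg export` excerpt: tampered Userinit, one stock firewall
# entry and one entry in the malware's template shape.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\mqbgmm.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"3128:TCP"="3128:TCP:*:Enabled:3128"
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROUTE_PRINT, SAMPLE_REG_EXPORT).items():
        print(key, value)
```

On a live XP/2003 host the inputs come from `route print` and from `reg export` of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List; routes added with -p are also stored under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes, which is worth exporting when `route print` is not trusted on a compromised machine.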


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1988

  2. Delete the original Trojan file.
  3. Reboot the computer. The code injected into services.exe and Explorer.EXE does not survive a reboot, but the strings in the dumps show three things that would, and that this sandbox run did not exercise: persistent routes added with "route.exe -p add ... mask 255.255.255.0 ..." (check the "Persistent Routes" section of route print), a Winlogon Userinit value extended with a second executable (the dump shows %System%\mqbgmm.exe), and an opened TCP port under ...\FirewallPolicy\StandardProfile\GloballyOpenPorts\List. Check and revert each of these after the reboot.
  4. Treat every client certificate, private key and banking key file that was on the machine as stolen and have it revoked or reissued; the sample exports them from the Windows certificate store and Firefox as well as from disk.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
