Gen.Variant.Zusy.101801_88cd75b82d
Trojan.Win32.Nimnul.fcu (Kaspersky), Gen:Variant.Zusy.101801 (AdAware), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 88cd75b82d0f222ee1a69a4d5a6b3a6a
SHA1: dcfa4da6a40c930ad302b754db8c2c3cf8b52b85
SHA256: 376fd92524e149ae384974ad9d2ebf4573c7a34840c2d92032bd9fb8098edf91
SSDeep: 3072:iVjHe0mRAfUsJZyu7IlFWWduwk8ekaC8ZNQrnESqoZv:iNHe/AMMkQIlFW4HPp8ETJp
Size: 182784 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-05 17:06:50
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
csslisog.exe:812
%original file name%.exe:1728
The Trojan injects its code into the following process(es):
mscorsvw.exe:1924
svchost.exe:1344
svchost.exe:1832
services.exe:764
lsass.exe:776
wmiprvse.exe:916
svchost.exe:932
svchost.exe:1012
svchost.exe:1100
svchost.exe:1148
svchost.exe:1212
spoolsv.exe:1436
Explorer.EXE:1852
jqs.exe:1964
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process csslisog.exe:812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (673 bytes)
The process %original file name%.exe:1728 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXA3W9QN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SR47AVCJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KXYJCT6V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\07EI1JZP\desktop.ini (67 bytes)
Registry activity
The process csslisog.exe:812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"UAC_bypassed" = "TRUE"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 90 53 3B 08 90 AA 02 34 DD A9 60 EF 91 C8 8F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wuauserv]
"Start" = "4"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"
The process %original file name%.exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 65 D4 B1 6B AF C9 9E F8 28 35 C9 30 FC C4 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process mscorsvw.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
Propagation
VersionInfo
Company Name: Adobe Systems Incorporated
Product Name: Adobe Flash Player Control Panel Applet
Product Version: 1.1.3.9
Legal Copyright: Copyright (C) 2013 Adobe Systems Incorporated
Legal Trademarks:
Original Filename: FlashPlayerCPLApp.cpl
Internal Name: FlashPlayerCPLApp.cpl
File Version: 1.1.3.9
File Description: Adobe Flash Player Control Panel Applet
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 84959 | 84992 | 4.91486 | 3c77101703e2b612459fb5465e0cfee5 |
| .rdata | 90112 | 81724 | 81920 | 5.20054 | 11b60711ff311b0e386af1067ce2840c |
| .data | 172032 | 13552 | 6144 | 2.09461 | b8c2249a17a840d8dcd1b5d7c2e1142c |
| .rsrc | 188416 | 1436 | 1536 | 2.98589 | 1f6c9093f6975efdb6922e59467fb09b |
| .reloc | 192512 | 6828 | 7168 | 2.87267 | 2cf7ac0f83260617560e07e3c1fddf27 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_1344_rwx_000C0000_00001000:
|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
svchost.exe_1344_rwx_15110000_00071000:
`.rsrc
.text
`.rdata
@.data
.reloc
Gh.logWj
h.logPj
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
kernel32.dll
ExitWindowsEx
user32.dll
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
advapi32.dll
modules.dll
{X-X-X-X-XX}ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
%CommonProgramFiles%
\/*.*
\\.\pipe\
VWRQRh.exe
h.exe
ws2_32.dll
RegCreateKeyA
RegCreateKeyExA
ShellExecuteA
gdi32.dll
ole32.dll
rmnsoft.dll
google.com:80
bing.com:80
yahoo.com:80
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\policies\system
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
gdiplus.dll
GdiplusShutdown
\\.\631D2408D44C4f47AC647AB96987D4D5
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
Profile%d
\cookies.txt
\cookies.sqlite
%APPDATA%\Opera\
\profile\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
getexec
complete.dat
1 1&1,12181>1
SRQVWh.exe
h.exeVj
PSSSSSSh
More information: hXXp://VVV.ibsensoftware.com/
.TNIRPTN.
com.%s.sdb
%s\cmd.%s.bat
start "" "%s"
"%%windir%%\%s\ntprint.exe"
"%%windir%%\system32\sdbinst.exe" "%s"
"%%windir%%\system32\sdbinst.exe" /q /u "%s"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
UAC_bypassed
cmd.exe
%TEMP%\p.exe
" %TEMP%\p.exe
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
wmic.exe QFE where "HotFixID='KB2778930'" get HotFixID, Description
\cache.dat
CheckBypassed ok
di32.dll
loader.exe
_CheckBypassed@0
\/{X-X-X-X-XX}|ZwDelayExecution
%ProgramFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http\shell\open\command
chrome.exe
opera.exe
/C ""%s"" %s
/C ""%s""
svchost.exe
p.exe
Rapport
:Zone.Identifier
consent.exe
%Program Files%\Internet Explorer\iexplore.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
RegOpenKeyA
RegEnumKeyA
ShellExecuteExA
keybd_event
.rdata
.rsrc
.TNIRP
>.%s.[
s\cmd
PF8-.XU
O3$dS7"%U9
KERNEL32.DLL
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://2.1.0.3
ntprint.exe
RedirectEXE
%temp%\..\..\LocalLow\cmd.%username%.bat
svchost.exe_1344_rwx_20010000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1832:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_1832_rwx_000C0000_00001000:
|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
svchost.exe_1832_rwx_15110000_00071000:
`.rsrc
.text
`.rdata
@.data
.reloc
Gh.logWj
h.logPj
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
kernel32.dll
ExitWindowsEx
user32.dll
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
advapi32.dll
modules.dll
{X-X-X-X-XX}ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
%CommonProgramFiles%
\/*.*
\\.\pipe\
VWRQRh.exe
h.exe
ws2_32.dll
RegCreateKeyA
RegCreateKeyExA
ShellExecuteA
gdi32.dll
ole32.dll
rmnsoft.dll
google.com:80
bing.com:80
yahoo.com:80
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\policies\system
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
gdiplus.dll
GdiplusShutdown
\\.\631D2408D44C4f47AC647AB96987D4D5
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
Profile%d
\cookies.txt
\cookies.sqlite
%APPDATA%\Opera\
\profile\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
getexec
complete.dat
1 1&1,12181>1
SRQVWh.exe
h.exeVj
PSSSSSSh
More information: hXXp://VVV.ibsensoftware.com/
.TNIRPTN.
com.%s.sdb
%s\cmd.%s.bat
start "" "%s"
"%%windir%%\%s\ntprint.exe"
"%%windir%%\system32\sdbinst.exe" "%s"
"%%windir%%\system32\sdbinst.exe" /q /u "%s"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
UAC_bypassed
cmd.exe
%TEMP%\p.exe
" %TEMP%\p.exe
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
wmic.exe QFE where "HotFixID='KB2778930'" get HotFixID, Description
\cache.dat
CheckBypassed ok
di32.dll
loader.exe
_CheckBypassed@0
\/{X-X-X-X-XX}|ZwDelayExecution
%ProgramFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http\shell\open\command
chrome.exe
opera.exe
/C ""%s"" %s
/C ""%s""
svchost.exe
p.exe
Rapport
:Zone.Identifier
consent.exe
%Program Files%\Internet Explorer\iexplore.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\csslisog.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
RegOpenKeyA
RegEnumKeyA
ShellExecuteExA
keybd_event
.rdata
.rsrc
.TNIRP
>.%s.[
s\cmd
PF8-.XU
O3$dS7"%U9
KERNEL32.DLL
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://2.1.0.3
ntprint.exe
RedirectEXE
%temp%\..\..\LocalLow\cmd.%username%.bat
svchost.exe_1832_rwx_20010000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1832_rwx_20021000_00011000:
Gh.logWj
h.logPj
{X-X-X-X-XX}ntdll.dll
kernel32.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
%CommonProgramFiles%
\/*.*
advapi32.dll
wshell32.dll
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
Profile%d
\cookies.txt
\cookies.sqlite
%APPDATA%\Opera\
\profile\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
GetWindowsDirectoryA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegCloseKey
ExitWindowsEx
.text
`.rdata
@.data
.reloc
{X-eKeyA
s^.exe
svchost.exe_1832_rwx_20041000_00011000:
0WSSh
h.log
%USERPROFILE%
Kernel32.dll
%s %s %s: %s:%d
GetWindowsDirectoryA
GetProcessHeap
PeekNamedPipe
.text
`.rdata
@.data
.idata
.reloc
ernel32.dllS.
ls.EnW
m.div
svchost.exe_1832_rwx_20061000_000A0000:
i<%u-
.iniu>
.exeuZH
=.datuLh
Q=.bpsuLh
.xmluIh
t%SVP
.iniu
.prfu1
h.log
Q.Rjv
H.Qjv
#$%&'()* ,--
-4-4--567
s%j.Zf
j%Xf;
>%u[f
FtpControl
32bit FTP
LeapFtp
SoftFx FTP
ClassicFTP
WebSitePublisher
FtpExplorer
Core ftp
Coffee cup ftp
FFFtp
TurboFtp
SmartFtp
BulletproofFTP
FtpCommander
Cute FTP
WS FTP
Windows/Total commander
PTF://
Password
password
FtpIniName
\Ipswitch\WS_FTP Home\Sites
\Ipswitch\WS_FTP\Sites
\%.d.0
Quick.dat
port
sitemanager.xml
Port
Software\Microsoft\Windows\CurrentVersion\Uninstall
History.dat
Favorites.dat
\Frigate3\FtpSite.XML
\sites.xml
\FTPRush\RushSite.xml
SET PASS
NODE: TYPE = FTP
\BitKinex\bitkinex.ds
_Password
FtpUserName
FtpServer
FtpDirectory
FtpDescription
_FtpPassword
SELECT ServerName, Url, ServerUser, ServerPass, RemoteDir FROM "TServers"
SharedSettings.ccs
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
sites.dat
LeapFTP
HostPassword
\32BitFtp.ini
PassWord
%USERPROFILE%
Kernel32.dll
sql_trace
sqlite_version
sqlite_rename_trigger
sqlite_rename_table
RowKey
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
ABORTABLEFTEMPORARYADDATABASELECTHENDEFAULTRANSACTIONATURALTERAISEACHECKEYAFTEREFERENCESCAPELSEXCEPTRIGGEREGEXPLAINITIALLYANALYZEXCLUSIVEXISTSTATEMENTANDEFERRABLEATTACHAVINGLOBEFOREIGNOREINDEXAUTOINCREMENTBEGINNERENAMEBETWEENOTNULLIKEBYCASCADEFERREDELETECASECASTCOLLATECOLUMNCOMMITCONFLICTCONSTRAINTERSECTCREATECROSSCURRENT_DATECURRENT_TIMESTAMPLANDESCDETACHDISTINCTDROPRAGMATCHFAILIMITFROMFULLGROUPDATEIFIMMEDIATEINSERTINSTEADINTOFFSETISNULLJOINORDEREPLACEOUTERESTRICTPRIMARYQUERYRIGHTROLLBACKROWHENUNIONUNIQUEUSINGVACUUMVALUESVIEWHEREVIRTUAL
f){-.gBsu1Z2^3.3.14
Ad-d-d d:d:d
d:d:d
d-d-d
M@d
2147483647
%s\etilqs_
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
Unable to malloc %d bytes
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
freelist leaf count too big on page %d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
2nd reference to page %d
invalid page number %d
Fragmented space is %d byte reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
initPage() returns error code %d
unable to get the page. error code=%d
Page %d:
%s(%d)
keyinfo(%d
%s-mjX
Aunable to use function %s in the requested context
Unsupported module operation: xNext
Unsupported module operation: xColumn
Unsupported module operation: xRowid
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
sqlite_master
sqlite_temp_master
transaction - SQL statements in progress
variable number must be between ?1 and ?%d
not authorized to use function: %s
ambiguous column name: %s
no such column: %s
%.*s%Q%s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE %Q.sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name, %d 18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
table %s may not be altered
sqlite_
there is already another table or index with this name: %s
%s OR name=%Q
UPDATE %Q.%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d,length(sql)) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
sqlite_stat1
SELECT idx, stat FROM %Q.sqlite_stat1
sqlite_detach
sqlite_attach
unable to open database: %s
database %s is already in use
too many attached databases - max %d
database %s is locked
cannot detach database %s
no such database: %s
%s %T cannot reference objects in database %s
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
illegal return value (%d) from the authorization function - should be SQLITE_OK, SQLITE_IGNORE, or SQLITE_DENY
no such table: %s
no such table: %s.%s
object name reserved for internal use: %s
there is already an index named %s
duplicate column name: %s
default value of column [%s] is not constant
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#0, sql=%Q WHERE rowid=#1
CREATE %s %.*s
view %s is circularly defined
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %s.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
UPDATE %Q.%s SET rootpage=%d WHERE #0 AND rootpage=#0
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
indexed columns are not unique
DELETE FROM %Q.%s WHERE name=%Q
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such collation sequence: %s
cannot modify %s because it is a view
table %s may not be modified
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
PRIMARY KEY must be unique
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
automatic extension loading failed: %s
unsupported encoding: %s
*** in database %s ***
foreign_key_list
SELECT name, rootpage, sql FROM '%q'.%s
unsupported file format
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T%s%T%s%T
%z:%d
column%d
%s.%s
sqlite_subquery_%p_
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s BY column number %d out of range - should be between 1 and %d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
ORDER BY term number %d does not match any result column
ORDER BY position %d should be between 1 and %d
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
no such trigger: %S
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#1
no such module: %s
vtable constructor did not declare schema: %s
vtable constructor failed: %s
%z VIRTUAL TABLE INDEX %d:%s
%z USING PRIMARY KEY
%z WITH INDEX %s
%z AS %s
TABLE %s
B}Tat most %d tables in a join
incomplete SQL statement
kernel lacks large file support
SQL logic error or missing database
Invalid parameter passed to C runtime function.
SOFTWARE\Far2\SavedDialogHistory\FTPHost
SOFTWARE\Far2\Plugins\FTP\Hosts
\wcx_PTF.ini
Software\Ghisler\Windows Commander
CSMFTPItem
\sm.dat
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Home
\GlobalSCAPE\CuteFTP Lite
\Quick.dat
\Sites.dat
<schema> <document name="FileZilla3"> <collection name="Servers"> <collection name="Server" type="mixed"> <text name="Host"/> <text name="Port"/> <text name="Protocol"/> <text name="Type"/> <text name="User"/> <text name="Pass"/> <text name="Logontype"/> <text name="TimezoneOffset"/> <text name="PasvMode"/> <text name="MaximumMultipleConnections"/> <text name="EncodingType"/> <text name="BypassProxy"/> <text name="Name"/> <text name="Comments"/> <text name="LocalDir"/> <text name="RemoteDir"/> <text name="SyncBrowsing"/> </collection> </collection> </document></schema>
<schema> <document name="FileZilla3"> <collection name="RecentServers"> <collection name="Server" type="mixed"> <text name="Host"/> <text name="Port"/> <text name="Protocol"/> <text name="Type"/> <text name="User"/> <text name="Pass"/> <text name="Logontype"/> <text name="TimezoneOffset"/> <text name="PasvMode"/> <text name="MaximumMultipleConnections"/> <text name="EncodingType"/> <text name="BypassProxy"/> </collection> </collection> </document></schema>
\FileZilla\sitemanager.xml
\FileZilla\recentservers.xml
\ftplist.txt
FTP Commander Pro
FTP Navigator
FTP Commander
FTP Commander Deluxe
Software\BFTP
\BulletProof Software\BulletProof FTP Client 2009
\BulletProof Software\BulletProof FTP Client
<schema> <document name="FavoriteItem"> <text name="Version"/> <text name="Name"/> <text name="Id"/> <text name="Protocol"/> <text name="Host"/> <text name="Port"/> <text name="User"/> <text name="Password"/> <text name="Path"/> <text name="Description"/> <collection name="Settings"> </collection> <collection name="Statistics"> </collection> </document></schema>
\SmartFTP\Client 2.0\Favorites
\SmartFTP
\TurboFTP
\addrbk.dat
Software\TurboFTP
Software\Sota\FFFTP
DefaultPassword
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
<schema> <document name="FTPx10"> <text name="Name"/> <text name="Host"/> <text name="Login"/> <text name="Password"/> <text name="LocalPath"/> <text name="RemotePath"/> <text name="Description"/> <text name="Anonymous"/> <text name="Cache"/> <text name="Default"/> <text name="PasvMode"/> <text name="Retries"/> <text name="RetryDelay"/> <text name="Port"/> </document></schema>
</FTPx10>
<FTPx10>
\FTP Explorer\profiles.xml
<schema> <document name="Ftp"> <collection name="Item"> <attribute name="Name"/> <attribute name="Host"/> <attribute name="Home"/> <attribute name="User"/> <attribute name="Pass"/> <attribute name="Port"/> <attribute name="UserProxy"/> <attribute name="Passive"/> <attribute name="SecureType"/> <attribute name="UploadType"/> <attribute name="CodePage"/> <attribute name="SingleConnect"/> <attribute name="RequestPassword"/> </collection> </document></schema>
<schema> <document name="SITES"> <collection name="GROUP"> <attribute name="NAME"/> <collection name="SITE"> <attribute name="NAME"/> <collection name="CONNECT"> <attribute name="RETRYCOUNT"/> <attribute name="DELAY"/> <attribute name="FTPTIMEOUT"/> </collection> <text name="HOST"/> <text name="USER"/> <text name="PASS"/> <text name="RPATH"/> </collection> </collection> </document></schema>
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UltraFXP
<schema> <document name="SITES"> <collection name="GROUP"> <collection name="GROUP"> <attribute name="NAME"/> <collection name="SITE"> <attribute name="NAME"/> <attribute name="UID"/> <text name="HOST"/> <text name="SHORT"/> <text name="USER"/> <text name="PASS"/> <text name="RPATH"/> </collection> </collection> </collection> </document></schema>
Software\Cryer\WebSitePublisher
Software\NCH Software\ClassicFTP\FTPAccounts
Software\SoftX.org\FTPClient\Sites
Software\FTPClient\Sites
<schema><document name="ftpsites"> <collection name="site"> <attribute name="cfgflags"/> <attribute name="flags"/> <attribute name="flags2"/> <attribute name="indexmax"/> <attribute name="name"/> <attribute name="siteflags"/> <attribute name="type"/> <collection name="host"> <attribute name="comment"/> <attribute name="host"/> <attribute name="pass"/> <attribute name="port"/> <attribute name="user"/> </collection> <text name="dir"/> </collection></document></schema>
\GPSoftware\Directory Opus\ConfigFiles\PTF.oxc
Software\Dev Zero G\FTP Uploader\FTP Uploader
Software\South River Technologies\WebDrive\Connections
<schema> <document name="FTP"> <collection name="Site"> <attribute name="Type"/> <attribute name="Name"/> <attribute name="UID"/> <text name="Address"/> <text name="User"/> <text name="Pass"/> <text name="Drive"/> <text name="Port"/> <text name="ConnectAtRun"/> <text name="Anonymous"/> <text name="Passive"/> <text name="ConnectAtBoot"/> <text name="Encoding"/> <text name="SSL"/> <text name="WriteFtpLogs"/> <text name="FtpLogsPath"/> <text name="SessionsLimit"/> <text name="SessionsLimitNumber"/> <text name="FTPListA"/> <text name="ProxyType"/> <text name="ProxyAddress"/> <text name="ProxyPort"/> <text name="ProxyUser"/> <text name="ProxyPass"/> </collection> </document></schema>
klfhuw%$#%fgjlvf
</FTP>
<FTP>
\NetDrive\NDSites.ini
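The registry keys, file names and config-file schemas above are the lookup list of an FTP-client credential stealer: each path is where one client keeps its saved sessions, and the schemas name the fields (Password, Pass, DefaultPassword, ProxyPass) the code reads out. The following Python is an added example, not code from the report or from the sample, that triages a strings dump by grouping those indicators per client family; the family labels, the constructed sample dump and the three-family threshold are this example's own assumptions.

```python
"""Triage a strings dump for FTP-client credential-store references.

Added example, not part of the report. The indicator table is built from
the strings the report lists for this sample; the family labels, the
sample dump and the three-family threshold are constructed here.
"""
import re
from collections import defaultdict

# Client family -> substrings the stealer uses to locate that client's saved
# sessions (registry paths and file names taken from the report's strings).
FTP_CLIENT_INDICATORS = {
    "FTP Commander / FTP Navigator": [r"\ftplist.txt", "FTP Commander", "FTP Navigator"],
    "BulletProof FTP": [r"Software\BFTP", r"\BulletProof Software\BulletProof FTP Client"],
    "SmartFTP": [r"\SmartFTP\Client 2.0\Favorites", r"\SmartFTP"],
    "TurboFTP": [r"\TurboFTP", r"\addrbk.dat", r"Software\TurboFTP"],
    "FFFTP": [r"Software\Sota\FFFTP"],
    "Core FTP": [r"Software\FTPWare\COREFTP\Sites"],
    "FTP Explorer": [r"\FTP Explorer\profiles.xml"],
    "UltraFXP": [r"CurrentVersion\Uninstall\UltraFXP"],
    "WebSitePublisher": [r"Software\Cryer\WebSitePublisher"],
    "ClassicFTP": [r"Software\NCH Software\ClassicFTP\FTPAccounts"],
    "SoftX FTP Client": [r"Software\SoftX.org\FTPClient\Sites"],
    "Directory Opus": [r"\GPSoftware\Directory Opus\ConfigFiles\PTF.oxc"],
    "FTP Uploader": [r"Software\Dev Zero G\FTP Uploader"],
    "WebDrive": [r"Software\South River Technologies\WebDrive\Connections"],
    "NetDrive": [r"\NetDrive\NDSites.ini"],
}

# Field names that hold secrets in the config-file schemas the report shows.
CREDENTIAL_FIELDS = {"Password", "Pass", "pass", "PASS", "DefaultPassword", "ProxyPass"}
SCHEMA_NAME = re.compile(r'name="([^"]+)"')


def scan_strings(lines):
    """Map each client family to the indicators found in the dump."""
    hits = defaultdict(list)
    for line in lines:
        low = line.lower()
        for family, needles in FTP_CLIENT_INDICATORS.items():
            for needle in needles:
                if needle.lower() in low and needle not in hits[family]:
                    hits[family].append(needle)
    return {family: found for family, found in hits.items() if found}


def credential_field_refs(lines):
    """Count schema fields that name a stored password (e.g. <text name="Password"/>)."""
    return sum(1 for line in lines
               for name in SCHEMA_NAME.findall(line) if name in CREDENTIAL_FIELDS)


def classify(lines, min_families=3):
    """Call it a stealer when the dump targets several unrelated clients' stores."""
    families = scan_strings(lines)
    verdict = "ftp-credential-stealer" if len(families) >= min_families else "inconclusive"
    return {
        "verdict": verdict,
        "families": sorted(families),
        "password_fields": credential_field_refs(lines),
    }


# Constructed excerpt in the shape of the report's strings dump.
SAMPLE_DUMP = [
    r"\ftplist.txt",
    "FTP Commander",
    r"Software\BFTP",
    '<schema> <document name="FavoriteItem"> <text name="User"/> <text name="Password"/> </document></schema>',
    r"\SmartFTP\Client 2.0\Favorites",
    r"Software\Sota\FFFTP",
    "DefaultPassword",
    '<attribute name="User"/> <attribute name="Pass"/>',
    r"\NetDrive\NDSites.ini",
    "GetWindowsDirectoryA",
]

if __name__ == "__main__":
    result = classify(SAMPLE_DUMP)
    print(result["verdict"], result["password_fields"], "password fields")
    for family in result["families"]:
        print("  targets", family)
```

Feed it the output of `strings` on the unpacked sample or on a dumped region. On an infected host, any credentials saved in the matched clients should be treated as compromised and rotated, since the stealer reads them straight from the registry and config files.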
GetWindowsDirectoryA
GetProcessHeap
PeekNamedPipe
RegEnumKeyExA
RegOpenKeyA
RegCloseKey
.flat
.text
`.rdata
@.data
.idata
.asmdata
@.reloc
svchost.exe_1832_rwx_20111000_00007000:
USERPASSCWD CDUPQUITPORTPASVTYPEMODERETRSTORAPPERESTRNFRRNTOABORDELERMD MKD LISTNLSTSYSTSTATHELPNOOPSIZEEXECPWD (a fixed-width table of 4-byte verbs: USER PASS CWD CDUP QUIT PORT PASV TYPE MODE RETR STOR APPE REST RNFR RNTO ABOR DELE RMD MKD LIST NLST SYST STAT HELP NOOP SIZE EXEC PWD; EXEC is not an RFC 959 command)
220 220 RMNetwork FTP
227 Entering Passive Mode (%i,%i,%i,%i,%i,%i).
331 Password required for %s.
350 REST supported. Ready to resume at byte offset %lu.
530 Login or Password incorrect.
200 Type set to %c.
257 "%s" is current directory.
200 Port command successful.
550 No port specified.
250 File executed successfully.
drwxrwxrwx 1 ftp ftp 0 Jan 01 1980 C:
-rw-rw-rw- 1 ftp ftp lu %s %2.2i %s %s
.exe.bat.com.scr.cmd.pif
ShellExecuteA
.text
`.rdata
@.data
.reloc
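The strings in the svchost.exe region above are a small FTP server: a banner (220 RMNetwork FTP), the usual reply strings, a fixed listing that presents C: as the root directory, and a verb table that includes EXEC next to the RFC 959 commands, with the .exe/.bat/.com/.scr/.cmd/.pif list and the ShellExecuteA import suggesting that EXEC launches a file already uploaded with STOR. The following Python is an added example, not code from the report, that scans a captured FTP transcript for those indicators; the transcript, the 230 reply text, the severity labels and the set of standard verbs are this example's own constructions.

```python
"""Flag the RMNetwork FTP backdoor in a captured FTP transcript.

Added example, not part of the report. Indicator strings come from the
report's svchost.exe memory region; the transcript below, the 230 reply
text, the severity labels and the standard verb set are constructed here.
"""
import re

BACKDOOR_BANNER = "RMNetwork FTP"
EXEC_REPLY = "250 File executed successfully."
# Extensions the dump lists next to ShellExecuteA.
EXECUTABLE_EXTS = (".exe", ".bat", ".com", ".scr", ".cmd", ".pif")
# The fixed listing line the server returns for its root.
DRIVE_ROOT_LISTING = re.compile(r"^drwxrwxrwx 1 ftp ftp 0 Jan 01 1980 [A-Za-z]:$")
# RFC 959 verbs plus common extensions; EXEC is deliberately absent.
STANDARD_VERBS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT", "PASV",
    "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR",
    "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST",
    "STAT", "HELP", "NOOP", "SIZE", "MDTM", "FEAT", "OPTS", "EPSV", "EPRT", "MLSD",
    "MLST", "AUTH", "PBSZ", "PROT",
}


def analyze_session(session):
    """Return (severity, rule, line) findings for a list of (direction, line).

    direction is "C" for client->server and "S" for server->client on the
    control channel, and "D" for data-channel payload such as a listing.
    """
    findings = []
    uploaded = set()  # executable names STORed so far, paired with a later EXEC
    for direction, raw in session:
        line = raw.rstrip("\r\n")
        if direction == "S":
            if line.startswith("220") and BACKDOOR_BANNER in line:
                findings.append(("high", "backdoor banner", line))
            elif line == EXEC_REPLY:
                findings.append(("high", "server confirms file execution", line))
        elif direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb not in STANDARD_VERBS:
                findings.append(("medium", "non-standard verb " + verb, line))
            if verb == "STOR" and arg.lower().endswith(EXECUTABLE_EXTS):
                uploaded.add(arg.lower())
            if verb == "EXEC" and arg.lower() in uploaded:
                findings.append(("critical", "upload-then-execute of " + arg, line))
        elif direction == "D" and DRIVE_ROOT_LISTING.match(line):
            findings.append(("medium", "fake drive-root listing", line))
    return findings


def is_rmnetwork_backdoor(session):
    """True when either the banner or the EXEC verb is seen."""
    rules = {rule for _, rule, _ in analyze_session(session)}
    return "backdoor banner" in rules or "non-standard verb EXEC" in rules


# Constructed transcript of an operator dropping and running a file.
SESSION = [
    ("S", "220 220 RMNetwork FTP"),
    ("C", "USER ftp"),
    ("S", "331 Password required for ftp."),
    ("C", "PASS ftp"),
    ("S", "230 Logged in."),  # reply text not in the report; constructed
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,19,137)."),
    ("C", "LIST"),
    ("D", "drwxrwxrwx 1 ftp ftp 0 Jan 01 1980 C:"),
    ("C", "STOR update.exe"),
    ("C", "EXEC update.exe"),
    ("S", "250 File executed successfully."),
]

if __name__ == "__main__":
    for severity, rule, line in analyze_session(SESSION):
        print(f"[{severity}] {rule}: {line}")
```

The banner string is the cheapest signature for a network sensor, but the EXEC verb and the 250 reply are what matter for response: together they show the injected service process accepted a file and ran it, so a host that answered this way needs the same handling as one with a confirmed remote shell.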
services.exe_764_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
lsass.exe_776_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
wmiprvse.exe_916_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_932_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1012_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1100_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1148_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1212_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
spoolsv.exe_1436_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
Explorer.EXE_1852_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
mscorsvw.exe_1924_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
jqs.exe_1964_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
csslisog.exe:812
%original file name%.exe:1728
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXA3W9QN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SR47AVCJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KXYJCT6V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\07EI1JZP\desktop.ini (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
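To check a host for this sample's persistence instead of walking the list above by hand, the following Python is an added example, not code from the report, that matches the Run value and the dropped-file names listed there. The matcher is kept separate from the collector so it can also be run against an exported Run key and a file listing taken from a disk image; the modern-Windows path templates (%LOCALAPPDATA%, the %APPDATA% Startup folder, %TEMP%) are this example's translation of the XP-era Documents and Settings paths and are assumptions. The Content.IE5\...\desktop.ini entries in the list are ordinary Temporary Internet Files cache markers; removing them is harmless, but on their own they do not indicate this sample, so the matcher does not look for them.

```python
"""Check a host, or an exported snapshot of one, for this sample's persistence.

Added example, not part of the report. The Run value name and dropped-file
names are the ones the report lists; the modern-Windows path templates are
this example's translation of the XP-era paths and are assumptions.
"""
import ntpath
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SweGbgid"
RUN_VALUE_TARGET = r"\kqmtqgym\swegbgid.exe"   # tail of the Run value data
DROPPED_NAMES = {"swegbgid.exe", "jyabgndb.exe", "csslisog.exe"}

# Assumed modern equivalents of the report's Documents and Settings paths.
FILE_IOC_TEMPLATES = [
    r"%LOCALAPPDATA%\kqmtqgym\swegbgid.exe",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\swegbgid.exe",
    r"%TEMP%\jyabgndb.exe",
    r"%TEMP%\csslisog.exe",
]


def match_iocs(run_values, file_paths):
    """Pure matcher: run_values is {value name: data} from the HKCU Run key,
    file_paths are paths known to exist. Works on a live host or on an
    exported .reg file and directory listing from an image."""
    findings = []
    for name, data in run_values.items():
        data_path = str(data).strip('"').lower()
        if name.lower() == RUN_VALUE_NAME.lower() or data_path.endswith(RUN_VALUE_TARGET.lower()):
            findings.append(("autorun", f"{name} = {data}"))
    for path in file_paths:
        # ntpath handles backslash paths even when this runs off-Windows.
        if ntpath.basename(path).lower() in DROPPED_NAMES:
            findings.append(("dropped-file", path))
    return findings


def collect_live():
    """Read the current user's Run key and probe the IOC paths (Windows only)."""
    run_values, present = {}, []
    if sys.platform != "win32":
        return run_values, present
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # raised when no more values remain
                    break
                run_values[name] = str(data)
                index += 1
    except OSError:
        pass  # key absent: nothing to report from the registry
    for template in FILE_IOC_TEMPLATES:
        path = os.path.expandvars(template)
        if os.path.isfile(path):
            present.append(path)
    return run_values, present


if __name__ == "__main__":
    hits = match_iocs(*collect_live())
    for kind, detail in hits:
        print(kind, detail)
    sys.exit(1 if hits else 0)
```

Run it as the affected user, since the Run value lives under HKCU; a non-zero exit means at least one indicator was found and the manual steps above still apply. Because the dropped names are random-looking strings from one analysis run, a related build may use different names, so treat a clean result as "this build is absent", not as "the host is clean".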