Gen.Variant.Zusy.64822_76c1fe70cc

by malwarelabrobot on October 13th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.64822 (B) (Emsisoft), Gen:Variant.Zusy.64822 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 76c1fe70cc482ff5ed46283c98ac7874
SHA1: 9bb95bb9b142956a33d62358d64a921acce90e8c
SHA256: d3315b126a83c90a52fbf6e4fbdf1b3fefedcb0540d72dd31b774311f0b129c3
SSDeep: 3072:DkRPx2PIqW9UAsI22pGkEJT6BdqnaIDZC1OTrvsGPmyIpOT4ov9kJz9sGv4 uU:Ds9dOA72NZJlnam7T7sGPmyIpmeJzSj
Size: 265728 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Tigibura
Created at: 2013-09-18 13:05:02
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WinMail.exe:2448
%original file name%.exe:1484

The Trojan injects its code into the following process(es):

conhost.exe:768
taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WinMail.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (38544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab733D.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar733E.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2448_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23848 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\568B4721-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\568B4721-00000001.eml (1924 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2448_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2448_2.ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar733E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab733D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)

The process %original file name%.exe:1484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp6c64e9c0.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Icri\tuoc.exe (531 bytes)

Registry activity

The process WinMail.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "2"
"Settings Upgraded" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "E1 07 0A 00 04 00 0C 00 0C 00 05 00 00 00 55 03"
"Running" = "1"
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerDlgPos" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
"Default_CodePage" = "28591"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"

[HKCU\Software\Microsoft\IAM\Accounts]
"ConnectionSettingsMigrated" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerTack" = "0"

[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{CE54EE8F-8454-4E11-A69C-0E6F9BED6C0A}.oeaccount"

[HKCU\Software\Microsoft\Windows Mail]
"lastrun" = "4F 89 1D 58 52 43 D3 01"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Identities]
"Changing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Identities]
"IncomingID"
"OutgoingID"

[HKCU\Software\Microsoft\WAB]
"NamedProps"

The process %original file name%.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Lefu]
"Piivmi" = "BD 30 4E 0A B4 E5 9C D2 D2 D2 6A 48 E6 0A 9B FF"

Dropped PE files

MD5	File path
9852ceb4caa41ea9788677305660a7ca	c:\Users\"%CurrentUserName%"\AppData\Roaming\Icri\tuoc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WINMM.dll:

PlaySoundW

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpSendRequestExA
HttpSendRequestA
InternetSetFilePointer
HttpSendRequestW
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestA
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
ReleaseCapture
SetCapture
GetMessagePos
DefDlgProcW
CallWindowProcA
DefMDIChildProcA
DefFrameProcA
GetUpdateRgn
DefFrameProcW
DefMDIChildProcW
DefDlgProcA
GetClipboardData
GetMessageW
TranslateMessage
PeekMessageW
EndPaint
BeginPaint
GetDC
ReleaseDC
DefWindowProcW
GetWindowDC
GetDCEx
CallWindowProcW
PeekMessageA
GetMessageA
RegisterClassExW
RegisterClassW
RegisterClassA
DefWindowProcA
GetUpdateRect
GetCursorPos
GetCapture
RegisterClassExA
OpenInputDesktop
SwitchDesktop

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in WS2_32.dll:

gethostbyname
send
WSASend
getaddrinfo
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwCreateUserProcess

Propagation

VersionInfo

Company Name: DefineSoft Lab.
Product Name: WPF DataGrid Controller
Product Version: 3.5.1.2
Legal Copyright: Copyright (C) 2009-2013 - DefineSoft Lab.
Legal Trademarks:
Original Filename: wpfdatagridctrl
Internal Name: WPF DataGrid CTRL
File Version: 3.5.1.2
File Description: WPF DataGrid Controller
Comments:
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	235065	235520	5.32723	b2cb86e9c718fd5b9073a4d0cb7144fc
.rdata	241664	20622	20992	3.71711	289ffd6a3f8c88eeab4441721ffd01cd
.data	266240	17324	6656	3.07057	d4e716bde361bb00fee3c8e73c61e7f1
.rsrc	286720	1438	1536	2.69575	fb1172d8a21af3ea3b56696607c41356

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://a1363.dscg.akamai.net/pki/crl/products/CodeSignPCA.crl
hxxp://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl	62.140.236.169

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Length: 558

Content-Type: application/pkix-crl

Content-MD5: PMABL5b49EFkwY194FAj2Q==

Last-Modified: Wed, 23 Aug 2017 20:44:38 GMT

ETag: 0x8D4EA67C5E6D892

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

x-ms-request-id: 6db382f6-0001-0060-805f-1c0252000000

x-ms-version: 2009-09-19

x-ms-lease-status: unlocked

x-ms-blob-type: BlockBlob

Date: Thu, 12 Oct 2017 12:05:00 GMT

Connection: keep-alive

0..*0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Copyright (c) 20
00 Microsoft Corp.1#0!..U....Microsoft Code Signing PCA..111110211944Z
..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0... .....7.......
..0...*.H...............&..%PIu@.....\0KF....0..^.h9=.1jT,5.L....Ed ..
6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud);.?....J_...Fu...
.<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..Tr..Ch.[.z:....#.
..T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . ....G..#....T..G;.....
.HTTP/1.1 200 OK..Content-Length: 558..Content-Type: application/pkix-
crl..Content-MD5: PMABL5b49EFkwY194FAj2Q==..Last-Modified: Wed, 23 Aug
 2017 20:44:38 GMT..ETag: 0x8D4EA67C5E6D892..Server: Windows-Azure-Blo
b/1.0 Microsoft-HTTPAPI/2.0..x-ms-request-id: 6db382f6-0001-0060-805f-
1c0252000000..x-ms-version: 2009-09-19..x-ms-lease-status: unlocked..x
-ms-blob-type: BlockBlob..Date: Thu, 12 Oct 2017 12:05:00 GMT..Connect
ion: keep-alive..0..*0......0...*.H........0..1.0...U....US1.0...U....
Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U...
"Copyright (c) 2000 Microsoft Corp.1#0!..U....Microsoft Code Signing P
CA..111110211944Z..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0
... .....7.........0...*.H...............&..%PIu@.....\0KF....0..^.h9=
.1jT,5.L....Ed ..6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud)
;.?....J_...Fu....<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..
Tr..Ch.[.z:....#...T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . .

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

conhost.exe_768_rwx_002D0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD/

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond\uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond

uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

taskhost.exe_872_rwx_00580000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwDZ

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond\uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond

uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uzkare\nevo.okz

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uzkare

nevo.okz

Dwm.exe_1376_rwx_00110000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond\uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond

uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

:\Users\"%CurrentUserName%"\AppData\Roaming\Uzkare\nevo.okz

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uzkare

nevo.okz

Explorer.EXE_1440_rwx_03A90000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond\uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond

uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

TPAutoConnect.exe_2160_rwx_00390000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD;

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond\uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond

uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

conhost.exe_2168_rwx_002D0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

%s%s%s

%?$-5'1!

;=9?&<s?23297>{ )/'ci8`

->:0059>&

1,/*<:=32$

3.#70!2)

 6;/(9*1

ROEVREUCUejxyea.abzygm{Jnqui~l?,}SFQVMHHZ

R,.qVOYFHCJ

92$8':,?

38.2-0&5

  6*5(>-

Gjhseov.Xt~j2)/x

.{YITPût`

CWEB@T]GGO

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

_getFirefoxCookie

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

update.exe

config.bin

SSShL

SSShwD/

CreatePipe

GetProcessHeap

KERNEL32.dll

GetKeyboardLayoutList

ExitWindowsEx

GetKeyboardState

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

MapVirtualKeyW

SetKeyboardState

MsgWaitForMultipleObjects

USER32.dll

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegCreateKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHDeleteKeyW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

42>204:4

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Process: %s

Input: %s

nspr4.dll

chrome.dll

kernel32.dll

Global\XXX

Chrome

Firefox

SysShadow

\StringFileInfo\xx\%s

ntdll.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Global\{C8441B0D-72D1-54D9-2588-09E57000E208}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond\uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymond

uruwe.ile

C:\Users\"%CurrentUserName%"\AppData\Roaming

{5E3FA928-C0F4-C2A2-2588-09E57000E208}

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

WinMail.exe:2448
%original file name%.exe:1484
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (38544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab733D.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar733E.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2448_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23848 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\568B4721-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp6c64e9c0.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Icri\tuoc.exe (531 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Zusy.64822_76c1fe70cc

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet