MemScan.Trojan.Generic.1808384_272e86665f

by malwarelabrobot on June 7th, 2016 in Malware Descriptions.

HEUR:Backdoor.Win32.Generic (Kaspersky), MemScan:Trojan.Generic.1808384 (B) (Emsisoft), MemScan:Trojan.Generic.1808384 (AdAware), GenericMSNWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, IRCBot, MSNWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 272e86665f358391e9154ee4214b041e
SHA1: 639a67db461685b5007157f177fe7cd1eccc6e3a
SHA256: dd871b97337ea50ac2fe54f18c020f2c63dd91081ea46da52c651e153f75676c
SSDeep: 1536:A/5GJEhlcbW5sk1BlfLvveIbXWm nwN6JMas5g7PhkJV6PJzGSYyVKcXIEoenW:AGu9BlfzWIbXWm w0JW5iNJzrXIEoKW
Size: 113664 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2008-04-13 21:32:45
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
IRCBot A bot can communicate with command and control servers via IRC channel.
MSNWorm A worm can spread its copies through the MSN Messanger.


Process activity

The MemScan creates the following process(es):

msn.exe:1992
%original file name%.exe:660

The MemScan injects its code into the following process(es):

msn.exe:164

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process msn.exe:164 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\msnmsgrs.exe (36 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

The process %original file name%.exe:660 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\msn.exe (1568 bytes)

The MemScan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\msn.exe (0 bytes)

Registry activity

The process msn.exe:164 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 5E 80 B5 E2 09 0B 3C 76 C8 12 AB 89 7C 64 E5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

To automatically run itself each time Windows is booted, the MemScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDP Control Center" = "msnmsgrs.exe"

The process %original file name%.exe:660 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 76 8E C6 21 ED 84 FE D5 07 13 B3 E4 07 63 4F"

To automatically run itself each time Windows is booted, the MemScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The MemScan deletes the following value(s) in system registry:
The MemScan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

Dropped PE files

MD5 File path
621ae49aaf1107ee62d6664ae8d25500 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\msn.exe
621ae49aaf1107ee62d6664ae8d25500 c:\WINDOWS\msnmsgrs.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.5512
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.5512 (xpsp.080413-2105)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 39368 39424 4.54066 d7ec4e821055e2e5c09f4ea981460a21
.data 45056 7140 7168 0.633989 400007384245a392360f4d3963c86e82
.rsrc 53248 57344 57344 4.72383 87201710e59918031a9e26a4f838b7c9
.idata 110592 3072 3072 3.29984 99f5c7e8dc473e54793b0f0fbc2d6c99

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The MemScan connects to the servers at the folowing location(s):

msn.exe_164:

.text
`.rdata
@.data
t1SSSSh
SSShp
r.getfile
r.new
r.update
r.upd4te
login
msn.msg
msn.stop
aim.msg
aim.stop
triton.msg
triton.stop
GetWindowsDirectoryA
KERNEL32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
%s Welcome.
%s Fail.
%s Spy: %s!%s@%s (PM: "%s")
%s Fail by: %s!%s@%s (Pass Tried: %s)
%s %s out.
%s <%i> out.
%s No user at: <%i>
%s Invalid slot: <%i>
%s Kill: <%d> threads
%s No threads
%s Killed thread: <%s>
%s Failed kt: <%s>
%s %s already running: <%d>.
%s Fail start %s, err: <%d>.
%s Status: %s. Box Uptime: %s, Bot Uptime: %s, Connected for: %s.
%s Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
MSN// Message sent to: %d Contacts.
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
%s logged in.
Removed by: %s!%s@%s
%s Advapi.dll Failed
%s PStore.dll Failed.
%s Naim thd.
%s RuC.
%s mis param.
%s Failed to parse command.
%s Downloading URL: %s to: %s.
%s Downloading update from: %s to: %s.
%seraseme_%d%d%d%d%d.exe
%s Thread Disabled.
%s Thread Activated: Sending Message.
%s Bad URL or DNS Error, error: <%d>
%s Update failed: Error executing file: %s.
%s Process Finished: "%s", Total Running Time: %s.
%s Created process: "%s", PID: <%d>
%s Failed to create process: "%s", error: <%d>
%s Couldn't parse path, error: <%d>
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't open file for writing: %s.
Ping Timeout? (%d-%d)%d/%d
USER %s * 0 :%s
NICK %s
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
MODE %s %s %s
MODE %s %s
__oxFrame.class__
shlwapi.dll
psapi.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
msnmsgrs.exe
*!*@fbi.gov
Windows UDP Control Center
next.hi5photos.mobi
Windows Microsoft Viewer
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s No %s thread found.
%s %s thread stopped. (%d thread(s) stopped.)
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat

msn.exe_164_rwx_00400000_0004C000:

.text
`.rdata
@.data
t1SSSSh
SSShp
r.getfile
r.new
r.update
r.upd4te
login
msn.msg
msn.stop
aim.msg
aim.stop
triton.msg
triton.stop
GetWindowsDirectoryA
KERNEL32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
%s Welcome.
%s Fail.
%s Spy: %s!%s@%s (PM: "%s")
%s Fail by: %s!%s@%s (Pass Tried: %s)
%s %s out.
%s <%i> out.
%s No user at: <%i>
%s Invalid slot: <%i>
%s Kill: <%d> threads
%s No threads
%s Killed thread: <%s>
%s Failed kt: <%s>
%s %s already running: <%d>.
%s Fail start %s, err: <%d>.
%s Status: %s. Box Uptime: %s, Bot Uptime: %s, Connected for: %s.
%s Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
MSN// Message sent to: %d Contacts.
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
%s logged in.
Removed by: %s!%s@%s
%s Advapi.dll Failed
%s PStore.dll Failed.
%s Naim thd.
%s RuC.
%s mis param.
%s Failed to parse command.
%s Downloading URL: %s to: %s.
%s Downloading update from: %s to: %s.
%seraseme_%d%d%d%d%d.exe
%s Thread Disabled.
%s Thread Activated: Sending Message.
%s Bad URL or DNS Error, error: <%d>
%s Update failed: Error executing file: %s.
%s Process Finished: "%s", Total Running Time: %s.
%s Created process: "%s", PID: <%d>
%s Failed to create process: "%s", error: <%d>
%s Couldn't parse path, error: <%d>
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't open file for writing: %s.
Ping Timeout? (%d-%d)%d/%d
USER %s * 0 :%s
NICK %s
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
MODE %s %s %s
MODE %s %s
__oxFrame.class__
shlwapi.dll
psapi.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
msnmsgrs.exe
*!*@fbi.gov
Windows UDP Control Center
next.hi5photos.mobi
Windows Microsoft Viewer
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s No %s thread found.
%s %s thread stopped. (%d thread(s) stopped.)
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    msn.exe:1992
    %original file name%.exe:660

  2. Delete the original MemScan file.
  3. Delete or disinfect the following files created/modified by the MemScan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %WinDir%\msnmsgrs.exe (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\msn.exe (1568 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows UDP Control Center" = "msnmsgrs.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now