Sample_ec5d603371
HEUR:Trojan.Win32.Generic (Kaspersky), BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: ec5d603371457079d23234aa9198bb5f
SHA1: bc73f239f8dcdafc7f03cb2ed9d11ff2e97a8794
SHA256: cce986dabaee115d3f610017593ea73ace711c41e627e117cd1f45536099c129
SSDeep: 49152:2bwuPEMdfFuW8gf856LebJGpzo2Zrmj0xg0d55oCBo1RY7uxqjWbRtsTJ1HDo:PuPEGuWRf2YmJKqo2vxqi
Size: 4014080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-11-25 23:31:06
Analyzed on: WindowsXP SP3 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1948
%original file name%.exe:448
%original file name%.exe:668
%original file name%.exe:552
%original file name%.exe:1100
%original file name%.exe:1376
%original file name%.exe:2016
%original file name%.exe:516
The Trojan injects its code into the following process(es):
lWEUMcgA.exe:936
UOYUAYsk.exe:1488
uyoUsggM.exe:2000
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process UOYUAYsk.exe:1488 makes changes in the file system.
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process uyoUsggM.exe:2000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\OQQK.exe (16391 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hYEg.exe (14615 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cYEW.exe (16457 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jgwC.exe (15978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Lgcc.exe (16403 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TwkK.exe (14734 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cUIO.exe (15492 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YgsY.exe (16371 bytes)
%Documents and Settings%\%current user%\YuogIoUc\swgS.exe (16411 bytes)
%Documents and Settings%\%current user%\YuogIoUc\tsEy.exe (18411 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ukoe.exe (16457 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eAca.exe (16746 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jYcc.exe (16399 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HgsC.exe (16746 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bYse.exe (15946 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZIYo.exe (15328 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ygcY.exe (15974 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SAMo.exe (22414 bytes)
%Documents and Settings%\%current user%\YuogIoUc\skIw.exe (16065 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TQke.exe (16371 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15278 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (45846 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ksko.exe (14929 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JokY.exe (16362 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Kcss.exe (16358 bytes)
%Documents and Settings%\%current user%\YuogIoUc\rQEK.exe (15365 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15506 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (15506 bytes)
C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VQQy.exe (16395 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gIss.exe (45145 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cgoS.exe (16391 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SEga.exe (16330 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VwEu.exe (16379 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hgAS.exe (18350 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ycIG.exe (16321 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QoUk.exe (14783 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QksO.exe (16346 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XkYU.exe (16366 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WIUa.exe (16407 bytes)
%Documents and Settings%\%current user%\YuogIoUc\FUkC.exe (14771 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JwgQ.exe (16391 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wsYU.exe (17102 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dsYm.exe (16309 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kcIS.exe (16391 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vIom.exe (16800 bytes)
%Documents and Settings%\%current user%\YuogIoUc\owgK.exe (34576 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HkIG.exe (17184 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ekEc.exe (17116 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nYgC.exe (15978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RQEa.exe (18427 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YsIY.exe (23140 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vEwW.exe (16771 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wYsi.exe (16391 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VwUi.exe (16383 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dkIy.exe (15999 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iMgq.exe (16076 bytes)
C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sswE.exe (16493 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZgAo.exe (15970 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MYQC.exe (16391 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zkkK.exe (16128 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KoMq.exe (16863 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
C:\totalcmd\TcUsbRun.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Mswi.exe (16015 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (16582 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (22336 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RQci.exe (16325 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZQcO.exe (16362 bytes)
%Documents and Settings%\All Users\KAYc.txt (55978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZAQa.exe (15999 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\GAos.exe (16007 bytes)
%Documents and Settings%\%current user%\YuogIoUc\lwsM.exe (16325 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\OQQK.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hYEg.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cYEW.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jgwC.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Lgcc.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TwkK.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cUIO.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YgsY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\swgS.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ukoe.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eAca.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KoMq.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\tsEy.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HgsC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jYcc.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bYse.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ygcY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SAMo.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\skIw.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TQke.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ksko.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JokY.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Kcss.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\rQEK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nYgC.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VQQy.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XkYU.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cgoS.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VwEu.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZIYo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hgAS.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QoUk.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ycIG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QksO.exe (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WIUa.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\FUkC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JwgQ.exe (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wsYU.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dsYm.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kcIS.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vIom.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\owgK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HkIG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ekEc.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RQEa.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YsIY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vEwW.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wYsi.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VwUi.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gIss.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SEga.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dkIy.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iMgq.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sswE.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZgAo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MYQC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zkkK.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Mswi.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RQci.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZQcO.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZAQa.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\GAos.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\lwsM.exe (0 bytes)
The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rWUwEQEU.bat (4 bytes)
C:\ec5d603371457079d23234aa9198bb5f (9606 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rWUwEQEU.bat (0 bytes)
The process %original file name%.exe:448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ec5d603371457079d23234aa9198bb5f (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OOsUwEkM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OOsUwEkM.bat (0 bytes)
The process %original file name%.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ec5d603371457079d23234aa9198bb5f (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yIcsowEs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yIcsowEs.bat (0 bytes)
The process %original file name%.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ec5d603371457079d23234aa9198bb5f (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xykoYIcY.bat (4 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xykoYIcY.bat (0 bytes)
The process %original file name%.exe:1100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bGkoEsck.bat (4 bytes)
C:\ec5d603371457079d23234aa9198bb5f (9606 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bGkoEsck.bat (0 bytes)
The process %original file name%.exe:1376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ec5d603371457079d23234aa9198bb5f (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\paMoAQEs.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\paMoAQEs.bat (0 bytes)
C:\%original file name%.exe (0 bytes)
The process %original file name%.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
%Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14803 bytes)
C:\ec5d603371457079d23234aa9198bb5f (9606 bytes)
%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EcUwQcoc.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EcUwQcoc.bat (0 bytes)
Registry activity
The process lWEUMcgA.exe:936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 57 A7 64 49 E5 65 BA 98 F8 F6 84 22 43 94 CA"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
The process UOYUAYsk.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 B1 FF 06 9D F5 2B F6 8F 19 B8 A2 B7 EA AD 11"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
The process uyoUsggM.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 12 63 D3 1E 9B 0E 2E 4C 93 01 15 71 42 1C C8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"
The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A EC 92 8D 55 4A F4 9A 92 01 1B CC C0 2C D8 86"
The process %original file name%.exe:448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 63 E7 2B 73 8B 04 86 C7 2D E0 D1 6D 3B 9F 4C"
The process %original file name%.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 A4 85 00 C5 1D FF F8 AD 87 65 06 18 C3 DB 1F"
The process %original file name%.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 87 F1 0F E8 7B 43 13 42 3B B9 12 BC DF C2 AD"
The process %original file name%.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A E3 3F 0A 23 84 50 90 F0 EF 7A B7 91 A9 7F 42"
The process %original file name%.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 81 8E 7B 29 60 F5 F0 93 62 77 1C 79 1A EE D4"
The process %original file name%.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 7D 8D 55 29 93 41 C7 2B C5 E6 45 7E DB 8A 15"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
The process %original file name%.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 3C A2 83 9B AA DB 9C 6C 89 76 02 91 A1 6B F0"
Dropped PE files
| MD5 | File path |
|---|---|
| c5904a0a7e53bbb0659797a30a6858cc | c:\Documents and Settings\All Users\AUUoUgAI\UOYUAYsk.exe |
| e6f97fff7859ee07778d24799f5044e2 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
| 59d767b125c1923f7932c3ccfd122a7a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
| d4fb0738b7fd458cd4a350c04332fc9a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
| 8bb73e07096a630a924d53d5dc57c88c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
| 7a5565079cb1bd02924dc4ceaa363b99 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
| 8a50c9f1f22a0034637486f216068f08 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
| a7b15c7ecf22d91986d92fb7b962b8b7 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
| d975d331e27b6b043d1a520b7157a552 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
| bf38bfe433953c267be54e421d47c42c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
| 94a3fb578dfe2965b182b5b87b50ad8b | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
| c5054c57c4615b8840172b632f77df56 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
| 620d46aeaa303063150f29541021757c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
| 1e8d4930bf8002a0cdf584dcec2005a5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
| c73ae5687d19adc1bb80a141de925908 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
| 8884b68e8e6f1542d1dfed9ec2918a71 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
| 587cbb2f9faf213ad42de306ba06bbec | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
| fa34e6a3303af0fc0e9a49dc8469f642 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
| 44328f9921f372e15ff4b70067eade14 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
| 72cbbabac56590b33ff2441446b89abf | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
| dbed692f7396720bf0d6bf804e66e212 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
| 8ecb3911e4d711542481f1f1675aad91 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
| 7331607eda045a1f4413085abe02738c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
| 293b3bb5a611a7f6497edd670ad2ac71 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
| 07d55e0089f634bf22e979a46201bf8b | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
| 9dcccfd067fd4aefe72f5b6d3761eeda | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
| 571a69d26c8482ce8e12268f1bd68de8 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
| acd696ecbdc22d3798ee77cf8e5c55a0 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
| f0fb46183cdeccd7902d3a2c80dfe93c | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
| a2b46773637a4ea19775f27d871052f8 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
| 85bb5dc334a11ac2b550a175de0cf773 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
| 8924eae63e3d05b51827cf470f19c61c | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
| a55ad0445acc7242761b41174223d015 | c:\Documents and Settings\All Users\NSIsgYEw\lWEUMcgA.exe |
| 95e13e7a1857bf90cdf91fb560cbf28c | c:\Documents and Settings\"%CurrentUserName%"\YuogIoUc\uyoUsggM.exe |
| e50c9a2b060cb9795c9559380799f50a | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
| 83ed63d19d4975498af67d8f2b16d4c9 | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
| 3fd6dc47b8411e7f2a54edbf593902ce | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
| 9e64efe009117603a4bcd651e61596d5 | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
| ba654c2d4e514b28f28bb3bbe80b2365 | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
| 049a8b3a5c8acb0447d0bdc6f8a55bdd | c:\Perl\html\images\AS_logo.gif.exe |
| ea9bb4b136d7bffa21037c4b536268bf | c:\Perl\html\images\PerlCritic_run.png.exe |
| a97f0549716014bed544b3d7614c068e | c:\Perl\html\images\aslogo.gif.exe |
| bd656f6ca3412a66a29dc9c55a81e782 | c:\Perl\html\images\ppm_gui.png.exe |
| b0a29dcc87f453de92617f465998ce8d | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
| cc6887785c9c564ed093bee91c7c4cf7 | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
| 29e712088ddc5d2c16ffce63df5bda14 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
| b90e1dbcfbf5e81ecda180bc3a7e5af1 | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
| 1889b74378e9d195ee791042d945265b | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
| 6ba21d353a083a0c3c6c9a0613fdd49b | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
| 55e36faeca9ed59dea9c3c3f41b3cffc | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
| e147d89212bc256560244c6efe0dd14c | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
| e9517dab87cc9e918753a3455dfb26b9 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
| 77bfcf4c2006be5b4c4b212532b28357 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 2531328 | 2531328 | 5.44415 | 679248594afc30c7512bb708d9dac7ef |
| .rdata | 2535424 | 8192 | 10240 | 0.159399 | 62404807add496a2737ec8ddeeb34616 |
| .data | 2543616 | 1466368 | 1466368 | 4.03274 | 1f78f02118ad5a5c69fbd854e1769d18 |
| .rsrc | 4009984 | 4608 | 4608 | 3.07464 | 7d12b5d669d0d92a7cc75ca5502fe4e2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1948
%original file name%.exe:448
%original file name%.exe:668
%original file name%.exe:552
%original file name%.exe:1100
%original file name%.exe:1376
%original file name%.exe:2016
%original file name%.exe:516 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\YuogIoUc\OQQK.exe (16391 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hYEg.exe (14615 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cYEW.exe (16457 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jgwC.exe (15978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Lgcc.exe (16403 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TwkK.exe (14734 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cUIO.exe (15492 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YgsY.exe (16371 bytes)
%Documents and Settings%\%current user%\YuogIoUc\swgS.exe (16411 bytes)
%Documents and Settings%\%current user%\YuogIoUc\tsEy.exe (18411 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ukoe.exe (16457 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eAca.exe (16746 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jYcc.exe (16399 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HgsC.exe (16746 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bYse.exe (15946 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZIYo.exe (15328 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ygcY.exe (15974 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SAMo.exe (22414 bytes)
%Documents and Settings%\%current user%\YuogIoUc\skIw.exe (16065 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TQke.exe (16371 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15278 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (45846 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ksko.exe (14929 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JokY.exe (16362 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Kcss.exe (16358 bytes)
%Documents and Settings%\%current user%\YuogIoUc\rQEK.exe (15365 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15506 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (15506 bytes)
C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VQQy.exe (16395 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gIss.exe (45145 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cgoS.exe (16391 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SEga.exe (16330 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VwEu.exe (16379 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hgAS.exe (18350 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ycIG.exe (16321 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QoUk.exe (14783 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QksO.exe (16346 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XkYU.exe (16366 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WIUa.exe (16407 bytes)
%Documents and Settings%\%current user%\YuogIoUc\FUkC.exe (14771 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JwgQ.exe (16391 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wsYU.exe (17102 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dsYm.exe (16309 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kcIS.exe (16391 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vIom.exe (16800 bytes)
%Documents and Settings%\%current user%\YuogIoUc\owgK.exe (34576 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HkIG.exe (17184 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ekEc.exe (17116 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nYgC.exe (15978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RQEa.exe (18427 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YsIY.exe (23140 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vEwW.exe (16771 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wYsi.exe (16391 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VwUi.exe (16383 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dkIy.exe (15999 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iMgq.exe (16076 bytes)
C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sswE.exe (16493 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZgAo.exe (15970 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MYQC.exe (16391 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zkkK.exe (16128 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KoMq.exe (16863 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
C:\totalcmd\TcUsbRun.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Mswi.exe (16015 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (16582 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (22336 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RQci.exe (16325 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZQcO.exe (16362 bytes)
%Documents and Settings%\All Users\KAYc.txt (55978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZAQa.exe (15999 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\GAos.exe (16007 bytes)
%Documents and Settings%\%current user%\YuogIoUc\lwsM.exe (16325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rWUwEQEU.bat (4 bytes)
C:\ec5d603371457079d23234aa9198bb5f (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OOsUwEkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yIcsowEs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xykoYIcY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bGkoEsck.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\paMoAQEs.bat (4 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
%Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14803 bytes)
%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EcUwQcoc.bat (4 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe" - Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe," - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
