SearchProtectToolbar_pcap_bdc8aa4766
Trojan-Downloader.Win32.Genome.nupg (Kaspersky), Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: bdc8aa47665b3900566397a784db0d37
SHA1: 726722214384650ed4971b0e2495d7d50e1dfffd
SHA256: 056e27011150facd0598bed4df441b240681808bf98e1b828ae461c901873da3
SSDeep: 1536:oQpQ5EP0ijnRTXJH68gkW RoeGd8yNkM/Dk220ZCLU1ZomNxoNym8pJD 7g:oQIURTXJH7Ozd8yNkaTZCLGaVbK M
Size: 101072 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan-Downloader. A Trojan program which downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
YTDSetup.exe:504
%original file name%.exe:1276
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
File activity
The process YTDSetup.exe:504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\NSISHelper.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\getCountry (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (45379 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\modern-header.bmp (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\so[1].xml (15988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\NSISPluginW.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\UserInfo.dll (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\so[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\inst_start (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB5.tmp (0 bytes)
The process %original file name%.exe:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp\YTDSetup.exe (713178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YTDSetup[1].exe (713178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp\inetca.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB3.tmp (2175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB2.tmp (0 bytes)
Registry activity
The process YTDSetup.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\GreenTree Applications\YTD]
"ISN" = "641DC974FB054B60B171132D843C6E55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 4F 58 ED 99 E2 40 20 23 BC 8F EA B3 1C 80 DA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE A8 94 52 B2 FD 81 D0 42 DD 31 FE E8 F1 51 83"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsfB4.tmp\System.dll |
| 7579ade7ae1747a31960a228ce02e666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsfB4.tmp\UserInfo.dll |
| 1964b5f9431d479aefff13d2e262f66b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsfB4.tmp\YTDSetup.exe |
| 134b93f8bd1f82cd2f1b06c878580703 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsfB4.tmp\inetca.dll |
| 3974cb7e41ce51a0dc42f139861996bd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nswB7.tmp\NSISHelper.dll |
| febe475f63f9a44a185b1013451ed36d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nswB7.tmp\NSISPluginW.dll |
| 7caaf58a526da33c24cbe122e7839693 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nswB7.tmp\NSISdl.dll |
| bf712f32249029466fa86756f5546950 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nswB7.tmp\System.dll |
| c7ce0e47c83525983fd2c4c9566b4aad | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nswB7.tmp\UserInfo.dll |
| 4ccc4a742d4423f2f0ed744fd9c81f63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nswB7.tmp\nsDialogs.dll |
| 1964b5f9431d479aefff13d2e262f66b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YTDSetup[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: GreenTree Applications SRL
Product Name: YTD Video Downloader
Product Version: 4.8.6.3
Legal Copyright: (c) 2014 GreenTree Applications SRL. All rights reserved.
Legal Trademarks:
Original Filename: YTDStub.exe
Internal Name: YTDStubInstaller
File Version: 4.8.6.3
File Description: YTD Video Downloader stub installer
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
| .rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
| .data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
| .ndata | 147456 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 192512 | 48928 | 49152 | 4.76399 | 413abf5c03f5e204c0986cc12773ca55 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://ytd2.greentreeapps.ro/images/pixel.gif?action=install&point=start&cid=84746429e7b4ba1fd97c2ba2c71d8b78&isn=641DC974FB054B60B171132D843C6E55&kt=ytd | |
| hxxp://ytd2.greentreeapps.ro/getcountry.html | |
| hxxp://www.mybrowserbar.com/kits/EasyBundlingDLL/937811/so.xml?kt=ytd&rsv=3 | |
| hxxp://www.youtubedownloadersite.com/getcountry.html | |
| hxxp://www.youtubedownloadersite.com/images/pixel.gif?action=install&point=start&cid=84746429e7b4ba1fd97c2ba2c71d8b78&isn=641DC974FB054B60B171132D843C6E55&kt=ytd | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /getcountry.html HTTP/1.0
Host: VVV.youtubedownloadersite.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 10 Jan 2015 16:01:10 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2
Connection: closeCA..
GET /kits/EasyBundlingDLL/937811/so.xml?kt=ytd&rsv=3 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.mybrowserbar.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 10 Jan 2015 16:01:11 GMT
Server: Apache
Vary: Host
Keep-Alive: timeout=30, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-813697..<?xml version="1.0" encoding="UTF-8"?>.<so>..<rs
v>3</rsv>. ....<o>....<n>sgbe</n>....<
;nos>&tov=20&sbe=0&sds=0&shp=0</nos>....<r
k />....<c>....<![CDATA[..<!DOCTYPE html>..<html&
gt;...<head>....<meta http-equiv="MSThemeCompatible" content=
"yes" />....<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">....<script>.....window.onerror = function() {
return true; }.....function regularLinkClick() {......window.event.re
turnValue = false;......external.OpenLink(window.event.srcElement.href
);.....}.....var strTOV = '20';.....var setupURL = 'hXXp://download.my
browserbar.com/kits/sds/SearchProtectionStub.exe';.....var cmdBE = " /
runbe /iebf=15 /ffbf=15 /noeh";.....var cmdDS = " /dsie /dsff /dsgc /r
egister /seprotect";.....var cmdHP = " /hp /wait /ntp_ie";.....var ehU
RL = "hXXp://download.mybrowserbar.com/kits/hlp/exthelper.exe";.....va
r ehCmd = "";.....function UpdateCommandLine().....{......var cmdLineP
arams = "";......var statsParams = "";......if (document.getElementByI
d("express").checked) {.......statsParams = "&sbe=1&sds=1&shp=1";.....
..cmdLineParams = cmdLineParams cmdBE;.......cmdLineParams = cmdLine
Params cmdDS;.......cmdLineParams = cmdLineParams cmdHP;.......ehC
md = "/ot ytdsanth";......}......else {.......statsParams = (document.
getElementById("cbBE").checked ? "&sbe=1" : "&sbe=2");.......statsPara
ms = statsParams (document.getElementById("cbDS").checked ? "&sd<<< skipped >>>
GET /images/pixel.gif?action=install&point=start&cid=84746429e7b4ba1fd97c2ba2c71d8b78&isn=641DC974FB054B60B171132D843C6E55&kt=ytd HTTP/1.0
Host: VVV.youtubedownloadersite.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 10 Jan 2015 16:01:10 GMT
Content-Type: text/html; charset=utf-8
Connection: close
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp\YTDSetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp\inetca.dll
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp\inetca.dll
u.Wj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
/password
Uploading %s
.reloc
System.dll
callback%d
UserInfo.dll
@.reloc
net.dll
8>1Œ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp
nsfB4.tmp
~1\Temp\nsfB4.tmp
p://download.ytddownloader.com/kits/ytd/YTDSetup.exe
"""201412200411"
ttp://download.ytddownloader.com/kits/ytd/YTDSetup.exe
//download.ytddownloader.com/kits/ytd/YTDSetup.ex
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsuB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
-2147483648
-2063532032
-2147284440
hXXp://download.ytddownloader.com/kits/ytd/YTDSetup.exe
hXXp://VVV.ytddownloader.com/images/pixel.gif?src=stub&kt=ytd
YTDSetup.exe
133336633
0153668886663311
1536888
;886631 ~
113688;
86351 ($
>1367631%
< 5< 9
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>4.8.6.3
YTDStub.exe
%original file name%.exe_1276_rwx_10004000_00001000:
callback%d
YTDSetup.exe_504:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
%s~q=
CX%x^
8%u3P
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
133336633
0153668886663311
1536888
;886631 ~
113688;
86351 ($
>1367631%
< 5< 9
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")Exec: success ("%s")Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")ExecShell: warning: error ("%s": file:"%s" params:"%s")=%dExch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")RMDir: RemoveDirectory on Reboot("%s")RMDir: RemoveDirectory("%s")RMDir: RemoveDirectory invalid input("%s")Delete: DeleteFile failed("%s")Delete: DeleteFile on Reboot("%s")Delete: DeleteFile("%s")%s: failed opening file "%s"
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswB7.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswB7.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswB7.tmp
YTDSetup.exe
All Files|*.*
YTD Video Downloader 4.8.9 Setup
nswB7.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswB7.tmp\nsDialogs.dll" (overwriteflag=1)
p\nsDialogs.dll"
1763632
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp\YTDSetup.exe
1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp\YTDSetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp\YTDSetup.exe
%Program Files%\GreenTree Applications\YTD Video Downloader
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsbB5.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
1507664
420086342
83951616
-2063532032
-2147284440
1376476
1638678
1114346
973734625
1426719906
04090000
4.8.9
Uninstall.exe
4.8.9.0.5
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\NSISHelper.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\getCountry (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (45379 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\modern-header.bmp (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\so[1].xml (15988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\NSISPluginW.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswB7.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp\YTDSetup.exe (713178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YTDSetup[1].exe (713178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp\inetca.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB3.tmp (2175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB4.tmp\System.dll (11 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.