MD5: 4690a58e7e8dceb74522fd0c68c02c03
SHA1: a74efe8a476cf642c2bd94963de24c6c0d3eaafc
SHA256: de868bd0ee0f322b9505678621c52fc5c40ba05ecf46562e5af3d620be4c45c4
SSDeep: 49152:Xslv2uaVPSleFkAGa2PFVbcTWBAlUq2hQlgjV4zq:Xslk6eFkAwrcTWylUVVB
Size: 2162688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: AppsInstaller
Created at: 2014-06-03 23:35:27
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1708

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\4690a58e7e8dceb74522fd0c68c02c03.lnk (527 bytes)

Registry activity

The process %original file name%.exe:1708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"Version" = "1.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 20 62 C5 E3 27 1E 63 E7 5B 82 06 29 98 13 28"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"(Default)" = "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: 175???
Product Name: DN Launcher
Product Version: 1.0.0.0
Legal Copyright: ???????,?????24?????
??????????????,??????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??????
Comments: ??????
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://www.175dn.com/gg.htm	199.168.102.138
game.175dn.com	58.221.59.153

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /gg.htm HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.175dn.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Type: text/html

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sun, 19 Oct 2014 17:45:45 GMT

Content-Length: 1163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=gb2312"/>..<title>404 - ..
................</title>..<style type="text/css">..<!--
..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, 
sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} .
.h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0
;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;
} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family
:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#55
5555;}..#content{margin:0 0 0 2%;position:relative;}...content-contain
er{background:#FFF;width:96%;margin-top:8px;padding:10px;position:rela
tive;}..-->..</style>..</head>..<body>..<div i
d="header"><h1>..........</h1></div>..<div id=
"content">.. <div class="content-container"><fieldset>.
.  <h2>404 - ..................</h2>..  <h3>........
..............................................</h3>.. </field
set></div>..</div>..</body>..</html>....

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

.bkack

.adata

t%SVh

t$(SSh

~%UVW

u$SShe

@(=%c

ntdll.dll

NTDLL.DLL

user32.dll

kernel32.dll

advapi32.dll

gdiplus.dll

GdiPlus.dll

Kernel32.dll

Ole32.dll

User32.dll

Wininet.dll

OLEACC.DLL

gdi32.dll

Gdi32.dll

dwmapi.dll

Gdiplus.dll

ExitWindowsEx

GetWindowsDirectoryA

InternetOpenUrlA

HttpQueryInfoA

EnumChildWindows

ShellExecuteA

GdipGetStringFormatHotkeyPrefix

GdipSetStringFormatHotkeyPrefix

{B6F7542F-B8FE-46a8-9605-98856A687097}

{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}

hXXp://(.*?)

/up.exe

hXXp://

Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

Getcpuid

10/05/12

\.YVV

Ï[H

L <

.jUHD

_Pr%fw6

Q}kl.IFV

Q".ET

$%S#1

\DragonNest\Config\Config.ini

game.175dn.com

Ex_DirectUI_MsgBox

07/08/13

09/27/12

User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)

document.body.style.border='none';document.body.style.overflow='hidden';

/port:

VVV.175dn.com

jP.Vp

DragonNest.exe

[email protected]

.exe|.rar|.zip|.gif|.jpg|.mp3|.rm

hXXp://VVV.175dn.com/gg.htm

b6.oD

keye

v]%S6.

.VN6Q

\.czz

J%u3 

#G*Psú

4;P2\?%s

.FD*F

1.KzL

\T.WD

zZkY.UZ

Z .YK

,.wi-^e

ZRchwC<%x

?].UQ

[email protected]

.TF(7!u

r%duy

0.EUh]

OnsSH

.wc}F)

Si%d:'

<H.rLO@

.z.lyX

9}.FA

@%s:`

%S[jIY

K"yO%9xe

.Add*

eUs%xv

L.iF7,

q.jAj!h

3,.VO

o.IiyRJ

],.Rw]

H.hO}

.YO&b

.NOY]

G-%Fk

uC].pQ

/2JP.uH

|;KK%Sp

0e.Hx/,!

-N}d2

Ti{.DD

%S-yY

.LIh:

_pr.aO

}< %xt&i

[5.xP

.qdu{

%Ue1y

.TE~#k

&o%Dm

.ll,L

R(.vn]

".CGw

^.tLlZU

&f~%F

.KD<F

]Vc.Xn

ÎMT2in

0.HZEI

B3n1R%S

%D&a2

gzgES%U

,6bf %um

cJ.CD

!B1w0.lso

Fa9b,%X

..Sd $"":

gQ@%D

diTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:DDD122E7A584E2118FF1FE0FC3DAB2B7" xmpMM:DocumentID="xmp.did:A0B65855870011E2AFB69C04A7201614" xmpMM:InstanceID="xmp.iid:A0B65854870011E2AFB69C04A7201614" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:22F24EC22D86E211815A8FDDD6268239" stRef:documentID="xmp.did:DDD122E7A584E2118FF1FE0FC3DAB2B7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

T%uj)P

11/15/11

.tvm\M

'D5f]%cq8

]V%Dg

l.JJYD

"".Rh

x%UdN5

r-4} 

sqLb

.rQ^K|

g(.cn

.Ys_T

SIC%c

4m.vX

.pkA|

G-E %x

0I%5S@ :0

'.xG7

@.UFN

5CK.CnGS

<Go%c;d

c.Vm<

.FNDPR

URlz

L&r

Adobe Photoshop CS6 (Windows)

2014:04:30 08:01:16

IEC hXXp://VVV.iec.ch

.IEC 61966-2.1 Default RGB colour space - sRGB

CRT curv

urlTEXT

MsgeTEXT

}hXXp://ns.adobe.com/xap/1.0/

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="70C14BECAFF7B0A5D64C13038C7BC7F1" xmpMM:InstanceID="xmp.iid:5ACF398DFACFE31191D1FEFB2219DEF1" xmpMM:OriginalDocumentID="70C14BECAFF7B0A5D64C13038C7BC7F1" dc:format="image/jpeg" photoshop:ColorMode="3" xmp:CreateDate="2014-04-30T07:52:48 08:00" xmp:ModifyDate="2014-04-30T08:01:16 08:00" xmp:MetadataDate="2014-04-30T08:01:16 08:00"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:59CF398DFACFE31191D1FEFB2219DEF1" stEvt:when="2014-04-30T08:01:16 08:00" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)" stEvt:changed="/"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:5ACF398DFACFE31191D1FEFB2219DEF1" stEvt:when="2014-04-30T08:01:16 08:00" stEvt:softwareAgent="Adobe Photoshop CS6 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>

N.hu(

'.MQO

.vj;u

Y!%uv

3#J.Mz

^K.Zu

SO.hW

.Koyu}

Idgfi%sW

ORp%u

.cB:B

E0%uqWb

UDpM

pz?F%F

1.2.18

inflate 1.1.3 Copyright 1995-1998 Mark Adler

CCmdTarget

CNotSupportedException

commctrl_DragListMsg

COMCTL32.DLL

__MSVCRT_HEAP_SELECT

EnumWindows

USER32.dll

GetProcessHeap

KERNEL32.dll

ole32.dll

GDI32.dll

ADVAPI32.dll

IMM32.dll

SHELL32.dll

comdlg32.dll

WINSPOOL.DRV

COMCTL32.dll

WINMM.dll

SetWindowsHookExA

GetKeyState

UnhookWindowsHookEx

GetCPInfo

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

exui.dll

?456789:;<=

!"#$%&'()* ,-./0123

%*.*f

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

MSWHEEL_ROLLMSG

F%D,3

imm32.dll

shell32.dll

winspool.drv

comctl32.dll

winmm.dll

RASAPI32.dll

MSVFW32.dll

AVIFIL32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WS2_32.dll

VERSION.dll

WinExec

CreateDialogIndirectParamA

GetViewportOrgEx

GetViewportExtEx

MSIMG32.dll

OLEAUT32.dll

oledlg.dll

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

\\.\Scsi0:

\\.\PhysicalDrive0

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

(*.htm;*.html)|*.htm;*.html

[%s:%d]

Range: bytes=%s-

[%s:%d]

PASS %s

PASS ******

USER %s

E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp

SIZE %s

PORT

User-Agent: %s

Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)

Referer: %s

Host: %s

GET %s HTTP/1.1

HTTP/1.1

Cookie: %s

%d, %s

\\192.168.0.129\TCP\1037

NSPlayer/9.0.0.2980; {%s}; Host: %s

rmff_fix_header: assuming data.size=%i

rmff_fix_header: assuming data.num_packets=%i

rmff_fix_header: assuming prop.num_packets=%i

rmff_fix_header: setting prop.data_offset from %i to %i

rmff_fix_header: correcting prop.num_streams from %i to %i

rmff_fix_header: correcting prop.size from %i to %i

%s %s %s

Session: %s

Cseq: %u

%*s %s

%*s %u

CSeq: %u

rtsp://%s:%i

rtsp://%s:%i/%s

ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586

GUID: 00000000-0000-0000-0000-000000000000

[%s:%d]

User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)

Range: npt=%s-

%s/streamid=1

%s/streamid=0

Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play

If-Match: %s

RealChallenge2: %s, sd=%s

Title: %s

Copyright: %s

Author: %s

real: Content-length for description too big (> %uMB)!

Require: com.real.retain-entity-for-setup

SupportsMaximumASMBandwidth: 1

Bandwidth: %u

Challenge1: %s

hash output: %x %x %x %x

hash input: %x %x %x %x

stream=%u;rule=%u,

Illegal character '%c' in input.

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

.pi]\L}L

/.rE*L)k

eapi.fne

VVV.exui.cc ==================

[email protected]

2014. 3.10

ex_ui keye

%dpcE"h

@%Xi U1(

8DtCPS

_?.Ak9

.pK>NG`

P>f%S9e

.qn{\

.mkBT

.qc]b

{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}

{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

2!iTXtXML:com.adobe.xmp

<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">

xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/">

<xmp:CreatorTool>Adobe Fireworks CS5 11.0.0.484 Windows</xmp:CreatorTool>

xmlns:dc="hXXp://purl.org/dc/elements/1.1/">

N.trB&#

.cqn$

AttributeEditorexui.dll

GetAsyncKeyState

program internal error number is %d.

:"%s"

:"%s".

.?AVCCmdTarget@@

.?AVCCmdUI@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCTestCmdUI@@

zcÁ

c:\%original file name%.exe

<Msg%s>%ld</Msg%s>

0000%d

</Msg0000>

<Msg0000>

EMSG

Recv Sub Packet(%s)..

Recv Packet (%s)...

<Msg0001>4</Msg0001>%s

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCOleException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

right-curly-bracket

left-curly-bracket

0123456789

#include "l.chs\afxres.rc" // Standard components

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

rasapi32.dll

msvfw32.dll

avifil32.dll

ws2_32.dll

msimg32.dll

oleaut32.dll

wininet.dll

<assemblyIdentity version="1.0.0.0" name=".add"/>

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

12345678

(*.*)

1.0.0.0

%original file name%.exe_1708_rwx_009C3000_00002000:

kernel32.dll

user32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

ole32.dll

gdiplus.dll

gdi32.dll

advapi32.dll

imm32.dll

shell32.dll

winspool.drv

comctl32.dll

winmm.dll

rasapi32.dll

msvfw32.dll

avifil32.dll

ws2_32.dll

msimg32.dll

comdlg32.dll

oleaut32.dll

oledlg.dll

wininet.dll

GetKeyState

RegOpenKeyExA

RegCreateKeyExA

InternetCanonicalizeUrlA

<assemblyIdentity version="1.0.0.0" name=".add"/>

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

1.0.0.0

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Desktop\4690a58e7e8dceb74522fd0c68c02c03.lnk (527 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.