Trojan.Generic.15484775_2546bbb5b6

by malwarelabrobot on June 22nd, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.15484775 (B) (Emsisoft), Trojan.Generic.15484775 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 2546bbb5b6e5cb0d8dc274abd3ba7459
SHA1: d9ff1394ae014e3bab1c05f9888568cd1706d63b
SHA256: ffd48bd9ca39feddab8ca114958bed4d40fc07e0324f1602ef3eaffce1f87dd9
SSDeep: 24576:ZRmJkcoQricOIQxiZY1iaxzcj0oa4CdcstlneOVrPXh7fgyr6NpdpiFs4lvU/Jq4:2JZoQrbTFZY1iaxzcjHa4 zfvJPXhg8I
Size: 1553895 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

attrib.exe:968
attrib.exe:1640
%original file name%.exe:1820
%original file name%.exe:228
ntvdm.exe:1384
ntvdm.exe:308
notepad.exe:1112
schtasks.exe:1832
schtasks.exe:1968
schtasks.exe:1312
schtasks.exe:772
schtasks.exe:1336
schtasks.exe:1920
schtasks.exe:1112
schtasks.exe:644
schtasks.exe:1928
schtasks.exe:1912

The Trojan injects its code into the following process(es):
No injected processes were found.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe (9605 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (16853 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (2 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\06ZW593K\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (16853 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7CVM4VS6\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (16853 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (16853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.exe (3635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4L1GRUKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z27OFNPK\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (0 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (0 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (0 bytes)
%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (0 bytes)
%Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (0 bytes)

The process ntvdm.exe:1384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\DOCUMENTS AND SETTINGS (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (576 bytes)
C:\$Directory (792 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%System% (1920 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)

The process ntvdm.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%WinDir% (96 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%System%\config (4 bytes)
C:\$Directory (968 bytes)
%System% (3952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%WinDir%\Temp\scs3.tmp (33880 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\scs4.tmp (0 bytes)
%WinDir%\Temp\scs3.tmp (0 bytes)

The process notepad.exe:1112 makes changes in the file system.
The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

Registry activity

The process attrib.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 88 78 E2 83 9E C6 7D 9F 11 44 4E 10 25 5A 74"

The process attrib.exe:1640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 C8 73 5E EA 9F 95 0C 6A AE C5 69 28 A2 8B 1B"

The process %original file name%.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 B9 58 F0 C7 9C E3 FA 71 EE 13 56 70 DD 38 DF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update]
"jusched.exe" = "jusched"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java Update" = "%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26]
"adobearm.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"schtasks.exe" = "Schedule Tasks"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15]
"ati2s9ag.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Spotify]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files%\VMware\VMware Tools\Drivers]
"sttray64.exe" = "RUNASADMIN"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 EB BC 3E 18 41 6F 38 42 03 CB ED AE 31 AA 1D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Spotify]
"Version" = "12,1,7601,9171"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386]
"CLPSLA.exe" = "RUNASADMIN"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Adobe Reader and Acrobat Manager" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ATISmart" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDT PC Audio" = "%Program Files%\VMware\VMware Tools\Drivers\sttray64.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Comodo" = "%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process notepad.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 39 C2 D0 BD 55 11 64 94 25 50 AB 5C F6 02 B8"

The process schtasks.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 15 A0 18 A7 C5 BE B5 1B 88 38 21 6A 4E 7E C1"

The process schtasks.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 B6 7D 04 79 11 07 A7 5F 8D CD 6E 52 EA CE DB"

The process schtasks.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 A5 DD 7D 78 B8 8F 88 79 09 7A 79 9E 2C 57 22"

The process schtasks.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 25 29 E2 57 55 C0 3B 1C 73 71 82 33 AE BE 68"

The process schtasks.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 A1 E7 FF 6E CA D8 72 2A A2 3B 62 46 39 B4 D6"

The process schtasks.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 3D 40 59 39 5B 4E 0F 56 8F 05 9E B2 D6 84 02"

The process schtasks.exe:1112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 F2 AE 11 3F 34 E9 32 DB 9A ED 6B 6C E5 69 39"

The process schtasks.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 BD D9 8F 96 2A E0 C6 54 61 CC 08 E4 85 D8 6A"

The process schtasks.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 E1 86 56 20 59 83 8F 30 A4 3E FC 5F C0 CD F7"

The process schtasks.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 47 D1 06 86 86 20 90 CF 41 A1 EF 8E BF 3E E7"

Dropped PE files

MD5 File path
0a88c93ab506bc3e01257eb438605ef8 c:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe
e89729be4966e092c517222058f3e261 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe
a512ad1ddc93341b617ead15c78d4a4f c:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe
b23fd3dbfa6cdd11c8f907d33d62146e c:\Documents and Settings\"%CurrentUserName%"\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe
95b7ea06c89ffdc243d3c5defbcf2818 c:\Program Files\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe
15dc472347ed815ff9f3a52aa4e370ff c:\Program Files\Common Files\VMware\Drivers\memctl\CLPSLA.exe
d6254397f0c3f2735319cbd56329d6e5 c:\Program Files\VMware\VMware Tools\Drivers\sttray64.exe
ae5acac04c7ad758014ecdacab211621 c:\Program Files\VMware\VMware Tools\help\wwhdata\js\search\pairs\HPWuSchd2.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 525852 526336 4.63347 61ffce4768976fa0dd2a8f6a97b1417a
.rdata 532480 57280 57344 3.32693 0354bc5f2376b5e9a4a3ba38b682dff1
.data 589824 108376 26624 1.49032 8033f5a38941b4685bc2299e78f31221
.rsrc 700416 10200 10240 2.48753 640bc742b83032975c9f113c57f618b1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 20

URLs

URL IP
hxxp://update.gpr0xy.com/version.txt 91.195.241.121
hxxp://update.gpr0xy.com/8a8bc5f3a301eff8e06be4e000db87c7 91.195.241.121


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

Traffic

GET /version.txt HTTP/1.1
User-Agent: AutoIt
Host: update.gpr0xy.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 21:52:09 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0 deb7u3
Vary: Accept-Encoding
Content-Length: 737
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="robots" content="index,follow"/>
<meta name="revisit-after" content="7 days" />
<meta name="expires" content="now" />
<meta http-equiv="pragma" content="no-cache" />
<title>Domain Expires</title>
</head>
<body>
<div style="width: 100%; text-align: center; ">
<img src="/img/warning.jpg">
<h3 style="font-size: 30px;">This domain name has expired.</h3>
<h4 style="font-size: 16px;">In order to restore the domain and continue the service you will have to contact your registrar immediately.</h4>
</div>
</body>
</html>



GET /8a8bc5f3a301eff8e06be4e000db87c7 HTTP/1.1

User-Agent: AutoIt
Host: update.gpr0xy.com


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 21:52:09 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0 deb7u3
Vary: Accept-Encoding
Content-Length: 737
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="robots" content="index,follow"/>
<meta name="revisit-after" content="7 days" />
<meta name="expires" content="now" />
<meta http-equiv="pragma" content="no-cache" />
<title>Domain Expires</title>
</head>
<body>
<div style="width: 100%; text-align: center; ">
<img src="/img/warning.jpg">
<h3 style="font-size: 30px;">This domain name has expired.</h3>
<h4 style="font-size: 16px;">In order to restore the domain and continue the service you will have to contact your r..


GET /version.txt HTTP/1.1
User-Agent: AutoIt
Host: update.gpr0xy.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 21:51:30 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0 deb7u3
Vary: Accept-Encoding
Content-Length: 737
Content-Type: text/html
[response body: the same "Domain Expires" page returned for the 21:52:09 request above]



GET /8a8bc5f3a301eff8e06be4e000db87c7 HTTP/1.1

User-Agent: AutoIt
Host: update.gpr0xy.com


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 21:51:30 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0 deb7u3
Vary: Accept-Encoding
Content-Length: 737
Content-Type: text/html
[response body: the same "Domain Expires" page as above, followed by a truncated repeat of this response in the capture]

<<< skipped >>>

The Trojan connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    attrib.exe:968
    attrib.exe:1640
    %original file name%.exe:1820
    %original file name%.exe:228
    ntvdm.exe:1384
    ntvdm.exe:308
    notepad.exe:1112
    schtasks.exe:1832
    schtasks.exe:1968
    schtasks.exe:1312
    schtasks.exe:772
    schtasks.exe:1336
    schtasks.exe:1920
    schtasks.exe:1112
    schtasks.exe:644
    schtasks.exe:1928
    schtasks.exe:1912

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe (9605 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\Spotify.exe (16853 bytes)
    %Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\~hjpdthq.tmp (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\~zstzfte.tmp (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\~rridkjb.tmp (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\~htccpbn.tmp (2 bytes)
    %Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe (16853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\06ZW593K\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe (16853 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe (16853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Program Files%\Common Files\VMware\Drivers\memctl\~cbguruu.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7CVM4VS6\desktop.ini (67 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\HPWuSchd2.exe (16853 bytes)
    %Program Files%\Common Files\VMware\Drivers\memctl\CLPSLA.exe (16853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.exe (3635 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4L1GRUKJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z27OFNPK\desktop.ini (67 bytes)
    C:\DOCUMENTS AND SETTINGS (4 bytes)
    %Program Files%\WIRESHARK (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    C:\$Directory (792 bytes)
    %WinDir%\Temp\scs2.tmp (10145 bytes)
    %System% (1920 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    C:\PROGRAM FILES (8 bytes)
    %Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
    %System%\wbem (1064 bytes)
    %System%\drivers (32 bytes)
    %WinDir%\Temp\scs1.tmp (33880 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
    %WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
    %WinDir%\Temp\scs4.tmp (10145 bytes)
    %Documents and Settings%\All Users\DOCUMENTS (4 bytes)
    %System%\config (4 bytes)
    %WinDir%\Temp\scs3.tmp (33880 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Java Update" = "%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Adobe Reader and Acrobat Manager" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\AdobeARM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "ATISmart" = "%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\ati2s9ag.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IDT PC Audio" = "%Program Files%\VMware\VMware Tools\Drivers\sttray64.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Comodo" = "%Program Files%\Common Files\VMware\Drivers\Virtual Printer\TPOGPS\i386\CLPSLA.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\Programs\Java\Java Update\jusched.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
