Trojan.Generic.15579685_0839bb441b

by malwarelabrobot on May 4th, 2016 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Generic.15579685 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0839bb441bb88dbd39e3d9bb4f389420
SHA1: 515e2833934588ccc33b1df65bb1116559674ed0
SHA256: ea50cc5b877c8113fad1a74f17b8f73e2ea47c89c6ca45165aefd5b8eb556e2b
SSDeep: 24576:YH6gW6hgIua0/qBSK7osfdkEoMVwYOyIvPDPK0TGnhe:C6g97SqQMMEoQwYOfPDP2nhe
Size: 1551164 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-05-03 17:08:38
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

sudden hack 10-29ÀÏÀÚ¾÷µ« ¿ìȸ.exe:224
hack.exe:956
15978.exe:1432
¹«·á¸ÅÅ©·Î.exe:660
Server.exe:1252
netsh.exe:992
%original file name%.exe:1868
À̹ÌÁö¸ÅÅ©·Î.exe:344
userinit.exe:308
injyqkarh.exe:1360

The Trojan injects its code into the following process(es):

server.exe:444

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process sudden hack 10-29ÀÏÀÚ¾÷µ« ¿ìȸ.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Server.exe (980 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hack.exe (8897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (5201 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)

The process hack.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (62 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (0 bytes)

The process 15978.exe:1432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\¹«·á¸ÅÅ©·Î.exe (21636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\À̹ÌÁö¸ÅÅ©·Î.exe (5334 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (0 bytes)

The process Server.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\server.exe (24 bytes)

The process server.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\f5c2b15139259d819b408608bf80fc99.exe (24 bytes)

The process %original file name%.exe:1868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)

The process À̹ÌÁö¸ÅÅ©·Î.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\injyqkarh.exe (432 bytes)
%System%\injyqkarh.exe_lang.ini (55 bytes)

The process injyqkarh.exe:1360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\522250_res.tmp (2145 bytes)

Registry activity

The process sudden hack 10-29ÀÏÀÚ¾÷µ« ¿ìȸ.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 64 0A AE 10 3F 98 F0 77 A6 0D F7 DF BB 37 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process hack.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 AE 97 27 B0 C8 55 4D 8F 78 E0 D1 EE FE 5E 90"

The process 15978.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 55 02 8D CB F7 3E 26 9A 20 22 40 0B C9 85 A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"À̹ÌÁö¸ÅÅ©·Î.exe" = "install"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"¹«·á¸ÅÅ©·Î.exe" = "¹«·á¸ÅÅ©·Î"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process ¹«·á¸ÅÅ©·Î.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 2F F9 EC ED FB 0C 6A F4 05 A3 0E 3C 4B DA 45"

The process Server.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F C3 1C A9 EA 93 8E F4 20 4F DA 58 C7 29 B5 3F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU]
"di" = "!"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"server.exe" = "server"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process server.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 60 FE 34 DA 6A 2F E6 F5 C9 63 D7 67 6E 61 5D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\f5c2b15139259d819b408608bf80fc99]
"[kl]" = ""

[HKCU]
"di" = "!"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"

The process netsh.exe:992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA D1 51 40 BB 6A D4 0D 97 34 03 C1 5C 4E 85 97"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"server.exe" = "%Documents and Settings%\%current user%\Application Data\server.exe:*:Enabled:server.exe"

The process %original file name%.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF B6 38 D7 18 AB 74 5B 21 69 93 77 93 2E D6 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"15978.exe" = "15978"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sudden hack 10-29ÀÏÀÚ¾÷µ« ¿ìȸ.exe" = "sudden hack 10-29ÀÏÀÚ¾÷µ« ¿ìȸ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process À̹ÌÁö¸ÅÅ©·Î.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 70 45 B2 ED F8 71 67 42 46 0E C3 9B DF 72 B5"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FA388937-B278-4f64-B549-9C76B5D98155}]
"StubPath" = "%System%\injyqkarh.exe"

The process userinit.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 EB 33 8A 07 82 89 BA 4B 62 37 DD 35 C1 2B 23"

[HKLM\System\CurrentControlSet\Services\PCRatStact]
"Type" = "288"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\PCRatStact]
"InstallModule"

The process injyqkarh.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 FE A5 02 EA 3D 79 33 71 61 F4 55 71 E9 EF 21"

Dropped PE files

MD5 File path
fe50aebdb9db1fe8039cfb212bfc7d1e c:\Documents and Settings\"%CurrentUserName%"\Application Data\server.exe
95acc3b3505b6adac2faeb71cc16d22d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\522312_lang.dll
fe50aebdb9db1fe8039cfb212bfc7d1e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Server.exe
39b2a1150ec282a30e4c4de14c25c870 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\hack.exe
deaff831684c609702418e88aa6eb307 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\¹«·á¸ÅÅ©·Î.exe
8b1adbcb9d4cf27bd6be1dfd65b4f32a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\À̹ÌÁö¸ÅÅ©·Î.exe
5bb798380818acf9bf42885bcb8fedc7 c:\WINDOWS\system32\injyqkarh.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 22442 22528 4.47873 f67e97a816d8398d216c91c01800fb17
.rdata 28672 4496 4608 3.58804 0f7b157b78f399340e80aa07581634eb
.data 36864 110424 1024 3.18325 99140708b36c93b713dac5ad4a21f093
.ndata 147456 266240 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 413696 356352 354304 2.33767 f64871ad1038caf6fcfdd81b5604df2f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a402.b.akamai.net/PostView.nhn?blogId=cjddms52&logNo=130104953765&parentCategoryNo=1&viewDate=&currentPage=1&listtype=0&userTopListOpen=false&userTopListCount=5&userTopListManageOpen=false&userTopListCurrentPage=undefined
hxxp://hiblog.co.kr/link.txt 112.175.184.4
hxxp://dothome.co.kr/expiration/404.html 112.175.184.100
hxxp://blog.naver.com/PostView.nhn?blogId=cjddms52&logNo=130104953765&parentCategoryNo=1&viewDate=&currentPage=1&listtype=0&userTopListOpen=false&userTopListCount=5&userTopListManageOpen=false&userTopListCurrentPage=undefined 212.30.134.207
hxxp://www.dothome.co.kr/expiration/404.html 112.175.184.100
rmaapekf.iptime.org 211.215.147.41


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC

Traffic

GET /expiration/404.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: dothome.co.kr
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Tue, 03 May 2016 01:35:44 GMT
Server: Microsoft-IIS/5.0
Location: hXXp://VVV.dothome.co.kr/expiration/404.html
Content-Length: 228
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://VVV.dothome.co.kr/expiration/404.html">here</a>.
</p>.</body></html>.HTTP/1.1 302 Found..Date: Tue, 0
3 May 2016 01:35:44 GMT..Server: Microsoft-IIS/5.0..Location: hXXp://w
ww.dothome.co.kr/expiration/404.html..Content-Length: 228..Keep-Alive:
 timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; 
charset=iso-8859-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//E
N">.<html><head>.<title>302 Found</title>.&
lt;/head><body>.<h1>Found</h1>.<p>The docum
ent has moved <a href="hXXp://VVV.dothome.co.kr/expiration/404.html
">here</a>.</p>.</body></html>...



GET /expiration/404.html HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: VVV.dothome.co.kr
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 03 May 2016 01:35:45 GMT
Server: Microsoft-IIS/5.0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
1f65..<!DOCTYPE html>..<html lang="ko">..<head>..<
;meta http-equiv="Content-Type" content="text/html; charset=utf-8" /&g
t;..<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<
;meta name="viewport" content="width=device-width, initial-scale=1.0"&
gt;..<!--<meta name="viewport" content="width=device-width, heig
ht=device-height,  initial-scale=1.0, user-scalable=no;user-scalable=0
;"/>-->..<meta http-equiv="cache-control" content="max-age=0"
 />..<meta http-equiv="cache-control" content="no-cache" />..
<meta http-equiv="expires" content="0" />..<meta http-equiv="
expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />..<meta http-e
quiv="pragma" content="no-cache" />..<meta name="format-detectio
n" content="telephone=no" />..<meta name="author" content="anyse
cure">..<meta name="robots" content="index, follow">..<met
a name="googlebot" content="index, follow">..<meta name="descrip
tion" content="......... ......... .........,...... ............, ....
..... ........., ......... ............ ...... ............ ..........
......">..<meta name="keywords" content="......, .........,.....
.... ........., ............, ...... ........., ......... ........., .
........... ......, ...... ............, ...... ........., ......... .
....., ............... SSL...............">..<title>.........
 | ............... | .................. | ............ ...... | dothom
e</title>..    <!-- Bootstrap core CSS -->..    <li
<<< skipped >>>


GET /link.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: hiblog.co.kr
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Tue, 03 May 2016 01:25:01 GMT
Server: Microsoft-IIS/5.0
Location: hXXp://dothome.co.kr/expiration/404.html
Content-Length: 297
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>302 Found</title>.</head><body
>.<h1>Found</h1>.<p>The document has moved <a 
href="hXXp://dothome.co.kr/expiration/404.html">here</a>.<
/p>.<hr>.<address>Microsoft-IIS/5.0 Server at hiblog.co
.kr Port 80</address>.</body></html>...



GET /PostView.nhn?blogId=cjddms52&logNo=130104953765&parentCategoryNo=1&viewDate=¤tPage=1&listtype=0&userTopListOpen=false&userTopListCount=5&userTopListManageOpen=false&userTopListCurrentPage=undefined HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: blog.naver.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
P3P: CP="ALL CURa ADMa DEVa TAIa OUR BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC OTC"
Content-Type: text/html; charset=ks_c_5601-1987
Date: Tue, 03 May 2016 01:25:02 GMT
Content-Length: 4943
Connection: keep-alive
Set-Cookie: JSESSIONID=0C1847B7D24656EF0FB9961B29173821.jvm1; Path=/; HttpOnly
........<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//
EN" "hXXp://VVV.w3.org/TR/html4/loose.dtd">..<html>..<head
>..<meta http-equiv="Content-Type" content="text/html; charset=e
uc-kr">..<title>...... :: ......</title>..<style typ
e="text/css">..body {margin:0; padding:0; font-size:12px; font-fami
ly:"....", Gulim, Helvetica, Sans-serif; text-align:center; line-heigh
t:14px;}..img, fieldset {border:none;}..legend {display:none;}..form {
margin:0;}..fieldset {padding:0;}..img {vertical-align:top;}..ul, ol, 
p, h1, h2, h3, h4, h5, h6  {margin:0; padding:0; font-size:12px;}..li 
{margin:0; list-style:none; line-height:14px;}..em { font-style:normal
;}..a {color:#666; text-decoration:none;}..a:hover, a:active, a:focus 
{text-decoration:underline;}../*090522 ....*/..#wrap {width:476px; mar
gin:150px auto 0 auto; text-align:left;}..#header {width:476px; paddin
g-bottom:2px; overflow:hidden;}..#header h1 {float:left; font-size:0;}
..#header h1 a {display:block; padding:7px 5px 5px 0;}..#header h2 {fl
oat:left; font-size:0;}..#header h2 a {display:block; padding:0 3px 3p
x 1px;}..#header .list_type {float:right; margin-top:6px;}..#header .l
ist_type li {float:left; margin-left:6px; padding-left:8px; font-size:
11px; background:url(hXXp://static.naver.com/common/error/090316/bu_ar
r.gif) left 2px no-repeat; line-height:15px; *line-height:14px; _line-
height:16px;}..#header .list_type li a {color:#444; font-family:"...."
, dotum, "....", Gulim, Helvetica, Sans-serif; letter-spacing:-1px
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

¹«·á¸ÅÅ©·Î.exe_660:

.text
`.data
.rsrc
MSVBVM60.DLL
MSWINSCK.OCX
MSWinsockLib.Winsock
ModKeyLog
TCPViewB
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
udpsocket
%System%\MSWINSCK.oca
Urldowns
shell32.dll
ShellExecuteA
udpflood
udpstop
advapi32.dll
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
RegOpenKeyA
winmm.dll
keybd_event
SetWindowsHookExA
UnhookWindowsHookEx
EnumWindows
user32.dll
GetAsyncKeyState
kernel32.dll
VBA6.DLL
ntdll.dll
RegOpenKeyExA
GetKeyState
msvbvm60.dll
zlib.dll
imm32.dll
E 0.oH
/`.gf
.dD#F
Adobe Photoshop CS3 Windows
2010:02:28 13:48:08
.hhs\
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:40:08 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" dc:format="image/jpeg" xap:CreatorTool="Adobe Photoshop CS3 Windows" xap:CreateDate="2010-02-28T13:48:08 09:00" xap:ModifyDate="2010-02-28T13:48:08 09:00" xap:MetadataDate="2010-02-28T13:48:08 09:00" xapMM:DocumentID="uuid:31B852522424DF11BFCDDEE13E9B1F7B" xapMM:InstanceID="uuid:32B852522424DF11BFCDDEE13E9B1F7B" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" photoshop:History="" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;6A393A925945A96EF61FCAD0F0764C4D" exif:PixelXDimension="640" exif:PixelYDimension="480" exif:ColorSpace="1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;5F16774B6DAC1BD6435F8A113F749540"> <xapMM:DerivedFrom stRef:instanceID="uuid:E57BDC182424DF11BFCDDEE13E9B1F7B" stRef:documentID="uuid:E57BDC182424DF11BFCDDEE13E9B1F7B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
%#$456'7
C2A2'7.pD
K.KvD%
%FLEl;
t.klJN^Qi{
cg:;.Lm
.aeQ#Ga
ZT";%X
sy9d.Gt
:d%XQ
9.Cm%MI"QX=!I
version="1.0.0.0"
name="Windows Visual Style Manifest"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
C:\Documents and
isual Studio\VB98\LINK.EXE.M
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
\Project1.vbp
PortA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Run
\system32\zlib.dll
\system32\netstat.exe
\regedit.exe
InternetExplorer.Application
WScript.Shell
" > C:\Result.txt
C:\Result.txt
Windows NT 3
1.4.0
Windows 95
1.4.10
Windows 98
1.4.98
Windows ME
2.3.51
2.4.0
Windows NT 4
2.5.0
Windows 2000
2.5.1
Windows XP
2.6.0
Windows Vista
2.6.1
Windows 7
WinHttp.WinHttpRequest.5.1
FileUrl': '
hXXp://hiblog.co.kr/link.txt
hXXp://map.naver.com/
mtp.address)">
hXXp://blog.naver.com/PostView.nhn?blogId=cjddms52&logNo=130104953765&parentCategoryNo=1&viewDate=¤tPage=1&listtype=0&userTopListOpen=false&userTopListCount=5&userTopListManageOpen=false&userTopListCurrentPage=undefined
wscript.shell
\system32\MSWINSCK.ocx
TCPViewClass
%Documents and Settings%\Local User\
Install.exe

userinit.exe_308:

.text
`.data
.rsrc
USER32.dll
ADVAPI32.dll
CRYPT32.dll
WINSPOOL.DRV
ntdll.dll
NETAPI32.dll
WLDAP32.dll
msvcrt.dll
KERNEL32.dll
ShellExecuteExW
CMP_Report_LogOn
USERINIT: Failed to set working directory %ws for SessionId %u
PAUTOENR.dll
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
userinit.pdb
CertAutoEnrollment
ExitWindowsEx
GetKeyboardLayout
RegCloseKey
RegQueryInfoKeyW
RegOpenKeyExW
RegCreateKeyExW
ReportEventW
NtOpenKey
_acmdln
RegOpenKeyExA
shell32.dll
W%SystemRoot%\Explorer.EXE
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
setupapi.dll
Hotkey
Keyboard Layout\Toggle
Software\Microsoft\Windows\CurrentVersion\Runonce
ctfmon.exe /n
ctfmon.exe
Software\Microsoft\Windows NT\CurrentVersion\ProfileList
MS-ITS:rdesktop.chm::/rdesktop_troubleshoot.htm
Wwinsta.dll
\repl\import\scripts
SOFTWARE\Policies\Microsoft\Windows\System
userenv.dll
proquota.exe
stsappcmp.dll
imm32.dll
netapi32.dll
Software\Policies\Microsoft\Windows\System\Scripts\
Software\Microsoft\Windows\CurrentVersion\Group Policy\State\
grpconv.exe -p
Could not execute the following script %1. %2.
5.1.2600.5512 (xpsp.080413-2113)
USERINIT.EXE
Windows
Operating System
5.1.2600.5512
control main.cpl system Rundll32 shell32,Control_RunDLL desk.cpl,,3Q%s
This working directory is invalid: %s
Please consult help for more informationV%s
This initial program cannot be started: %s
An error (%u) occurred while creating user logon.

hack.exe_956:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÁ
n..GGHHH
n...GGHHH
n ....HGHHHH
n  ....G.HHH
~~~~{~{{{{
n!! ....HGHHHH
n!!  .....HHHHHH
!!!  ....GGHHH
!!"".....HHHHnv
"""...-.nv
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
3!3 353@3
: :$:(:,:0:4:8:
= =$=(=,=0=4=8=
7 7$7(7,7074787
5 5$5(5,5
88
?#?'? ?/?3?
9!9%9)9-9195999
4 4/494@4
<$=4=8=<=
3 3(30383@3
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
>>>AUTOIT NO CMDEXECUTE<<<
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 1
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\hack.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    sudden hack 10-29ÀÏÀÚ¾÷µ« ¿ìȸ.exe:224
    hack.exe:956
    15978.exe:1432
    ¹«·á¸ÅÅ©·Î.exe:660
    Server.exe:1252
    netsh.exe:992
    %original file name%.exe:1868
    À̹ÌÁö¸ÅÅ©·Î.exe:344
    userinit.exe:308
    injyqkarh.exe:1360

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\Server.exe (980 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hack.exe (8897 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (5201 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (62 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (62 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\¹«·á¸ÅÅ©·Î.exe (21636 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\À̹ÌÁö¸ÅÅ©·Î.exe (5334 bytes)
    %Documents and Settings%\%current user%\Application Data\server.exe (24 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\f5c2b15139259d819b408608bf80fc99.exe (24 bytes)
    %System%\injyqkarh.exe (432 bytes)
    %System%\injyqkarh.exe_lang.ini (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\522250_res.tmp (2145 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now