Trojan.GenericKD.1798413_729977ff3d

by malwarelabrobot on December 10th, 2014 in Malware Descriptions.

Trojan.Win32.RBot.jo (Kaspersky), Trojan.GenericKD.1798413 (AdAware), Rbot.YR, BackdoorIRC.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, IRCBot


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 729977ff3d75e5c57337a99e7a2c7ebe
SHA1: 0448be1ec0a9fd36fd55bf9d3818fa4f3603fc4e
SHA256: 8c0014ee5ae9cff2aa4807fa52eb40de2fe592f5ce31697a2cd76ff18bfeba41
SSDeep: 12288:qK2mhAMJ/cPlhdRvox0B2Jhz oLW0162ZQRQwJlAQbZyE3K/DoikMRSN3rA:b2O/Glh6XgoLH1MJCQbtK/EiN43rA
Size: 519083 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: IRCBot. Description: a bot that communicates with command and control servers via an IRC channel.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:560
uibtrym.exe:484
erg45.exe:716
erg45.exe:1156

The Trojan injects its code into the following process(es):

uibtrym.exe:1388

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\O49A\erg45.exe (9665 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\O49A\__tmp_rar_sfx_access_check_831750 (0 bytes)

The process uibtrym.exe:484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\P31R87.QX5 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1249 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\P31R87.QX5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)

The process erg45.exe:716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\P31R87.QX5 (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1249 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\P31R87.QX5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)

The process erg45.exe:1156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\uibtrym.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 4A CA 53 24 D5 44 DA 64 B5 13 FF A1 E3 39 A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\O49A]
"erg45.exe" = "erg45"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies the IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process uibtrym.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 33 A6 CA 46 1E 42 99 0F 49 7D 64 C6 0A F0 55"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process uibtrym.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\yOLE]
"Supports RAS Connections" = "uibtrym.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "uibtrym.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\yOLE]
"Supports RAS Connections" = "uibtrym.exe"

[HKLM\System\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "uibtrym.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 99 AC 2D A1 AE E4 84 BF 17 39 32 66 DF FC 23"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To run itself automatically each time Windows boots, the Trojan adds the following references to its file under the system registry autorun keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "uibtrym.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "uibtrym.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "uibtrym.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Supports RAS Connections" = "uibtrym.exe"

The process erg45.exe:716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B C6 FF 96 FA C7 56 65 3F 21 12 7D 23 D2 47 A7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process erg45.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 3B 91 7B 71 E0 B5 71 3A AD 4F 2E 04 4E 4B 8B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Dropped PE files

MD5 File path
8ccbc3c304389b001b9a17423c7d4964 c:\Documents and Settings\"%CurrentUserName%"\O49A\erg45.exe
8ccbc3c304389b001b9a17423c7d4964 c:\WINDOWS\system32\uibtrym.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 74526 74752 4.54396 a8692f5ba740240ef0f9a827376f76f9
.rdata 81920 7445 7680 3.46159 d4f36accffde0bf520f52486679ccf0d
.data 90112 96036 512 2.46008 b6c7edb5b7fec47a37a622cc5d71f3f4
.CRT 188416 32 512 0.273198 439411041ee0b8261668525c5c132cd9
.rsrc 192512 16660 16896 3.47969 8f2199f3e22b10e4cf713c481e6f7e84

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

uibtrym.exe_1388:

.text
`.rdata
@.data
PeekNamedPipe
CreatePipe
KERNEL32.dll
WS2_32.dll
GetCPInfo
%d. %s = %s
[%.2d-%.2d-M %.2d:%.2d:%.2d] %s
[DDoS]: Send error: <%d>.
ddos.random
ddos.ack
ddos.syn
[DOWNLOAD]: Bad URL, or DNS Error: %s.
[UPDATE]: Update failed: Error executing file: %s.
[UPDATE]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
[DOWNLOAD]: Opened: %s.
[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.
[DOWNLOAD]: CRC Failed (%d != %d).
[DOWNLOAD]: Filesize is incorrect: (%d != %d).
[DOWNLOAD]: Update: %s (%dKB transferred).
[DOWNLOAD]: File download: %s (%dKB transferred).
[DOWNLOAD]: Couldn't open file: %s.
[IDENTD]: Error: server failed, returned: <%d>.
: USERID : UNIX : %s
[IDENTD]: Client connection from IP: %s:%d.
%s %s :%s
PRIVMSG
avicap32.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
iphlpapi.dll
dnsapi.dll
netapi32.dll
icmp.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
gdi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
advapi32.dll
ExitWindowsEx
user32.dll
kernel32.dll
Avicap32.dll failed. <%d>
Odbc32.dll failed. <%d>
Shell32.dll failed. <%d>
Mpr32.dll failed. <%d>
Iphlpapi.dll failed. <%d>
Dnsapi.dll failed. <%d>
Netapi32.dll failed. <%d>
Icmp.dll failed. <%d>
Wininet.dll failed. <%d>
Ws2_32.dll failed. <%d>
Gdi32.dll failed. <%d>
Advapi32.dll failed. <%d>
User32.dll failed. <%d>
Kernel32.dll failed. <%d>
videos.p0rn-lover.us
support.exe
Supports RAS Connections
g.dat
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
winpass
sqlpassoainstall
databasepassword
databasepass
dbpassword
dbpass
domainpassword
domainpass
loginpass
login
windows
1234567890
123456789
12345678
1234567
pass1234
passwd
password
password1
*@fbi.edu
Ý %dh %dm
[NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.
[IDENTD]: Failed to start server, error: <%d>.
[IDENTD]: Server running on Port: 113.
%s %d "%s"
%s\%s
[MAIN]: Connected to %s.
NICK %s
USER %s 0 0 :%s
PASS %s
MODE %s %s
USERHOST %s
[MAIN]: User: %s logged in.
[MAIN]: Password accepted.
[MAIN]: *Failed host auth by: (%s!%s).
NOTICE %s :Host Auth failed (%s!%s).
[MAIN]: *Failed pass auth by: (%s!%s).
NOTICE %s :Your attempt has been logged.
NOTICE %s :Pass auth failed (%s!%s).
[MAIN]: Random nick change: %s
[FTP]: Uploading file: %s to: %s failed.
[FTP]: Uploading file: %s to: %s
PTF.exe
-s:%s
open %s
put %s
%s\%i%i%i.dll
[FTP]: File not found: %s.
[MAIN]: Invalid login slot number: %d.
[MAIN]: No user logged in at slot: %d.
[MAIN]: %s
QUIT :%s
[MAIN]: Status: Ready. Bot Uptime: %s.
[MAIN]: Bot ID: %s.
[THREADS]: Failed to start list thread, error: <%d>.
[MAIN]: Uptime: %s.
[CMD]: Remote shell ready.
[CMD]: Couldn't open remote shell.
[CMD]: Remote shell already running.
[TFTP]: Failed to start server thread, error: <%d>.
[TFTP]: Server started on Port: %d, File: %s, Request: %s.
[TFTP]: Already running.
[MAIN]: Nick changed to: '%s'.
[MAIN]: Joined channel: '%s'.
[MAIN]: Parted channel: '%s'.
[MAIN]: IRC Raw: %s.
[THREADS]: Failed to kill thread: %s.
[THREADS]: Killed thread: %s.
[THREADS]: Stopped: %d thread(s).
[MAIN]: Prefix changed to: '%c'.
[SHELL]: Couldn't open file: %s
[SHELL]: File opened: %s
[MAIN]: Server changed to: '%s'.
[DNS]: Lookup: %s -> %s.
[FILE]: Deleted '%s'.
[VISIT]: Failed to start connection thread, error: <%d>.
[VISIT]: URL: %s.
[CMD]: Commands: %s
[CMD]: Error sending to remote shell.
[MAIN]: Read file failed: %s
[MAIN]: Read file complete: %s
[MAIN]: Gethost: %s.
[MAIN]: Gethost: %s, Command: %s
[MAIN]: Alias added: %s.
[MAIN]: Privmsg: %s: %s.
[MAIN]: Action: %s: %s.
PART %s
[MAIN]: Mode change: %s
MODE %s
[CLONE]: Raw (%s): %s
[CLONE]: Mode (%s): %s
[CLONE]: Nick (%s): %s
JOIN %s %s
[MAIN]: Repeat not allowed in command line: %s
[MAIN]: Repeat: %s
%s %s %s :%s
[UPDATE]: Failed to start download thread, error: <%d>.
[UPDATE]: Downloading update from: %s.
%s%s.exe
[EXEC]: Commands: %s
[EXEC]: Couldn't execute file.
[CLONES]: Failed to start clone thread, error: <%d>.
[CLONES]: Created on %s:%d, in channel %s.
[DDoS]: Failed to start flood thread, error: <%d>.
[DDoS]: Flooding: (%s:%s) for %s seconds.
[DOWNLOAD]: Failed to start transfer thread, error: <%d>.
[DOWNLOAD]: Downloading URL: %s to: %s.
[REDIRECT]: Failed to start redirection thread, error: <%d>.
[REDIRECT]: TCP redirect created from: %s:%d to: %s:%d.
[SCAN]: Failed to start scan thread, error: <%d>.
[SCAN]: Port scan started: %s:%d with delay: %d(ms).
[%s] <%s> %s
[%s] * %s %s
ACTION %s
[UDP]: Failed to start flood thread, error: <%d>.
[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).
ICMP.dll not available
[PING]: Failed to start flood thread, error: <%d>.
[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).
[EMAIL]: Message sent to %s.
helo $rndnick
mail from: <%s>
rcpt to: <%s>
subject: %s
from: %s
udpflood
c_privmsg
. Failed to start flood thread, error: <%d>.
. Flooding: (%s:%s) for %s seconds.
ddos.supersyn
c_join
c_nick
privmsg
[IDENT]: Server stopped. (%d thread(s) stopped.)
mirccmd
c_rndnick
join
nick
tftp
tftpserver
[MAIN]: Login list complete.
%d. %s
-[Login List]-
[CMD]
cmdstop
ocmd
opencmd
[TFTP]
tftpstop
supersyn.stop
TCP redirect
rndnick
$rndnick
NOTICE %s :
PING %s
VERSION %s
[MAIN]: Joined channel: %s.
[MAIN]: User: %s logged out.
:%s%s
NICK
NOTICE %s :%s
[MAIN]: User %s logged out.
PONG %s
%s Error: %s <%d>.
explorer.exe
%%comspec%% /c %s %s
del "%s"
%sdel.bat
%d.%d.%d.%d
[PING]: Finished sending pings to %s.
[PING]: Error sending pings to %s.
[UDP]: Finished sending packets to %s.
[UDP]: Error sending pings to %s.
[REDIRECT]: Failed to start client thread, error: <%d>.
[REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.
[REDIRECT]: Failed to start connection thread, error: <%d>.
[REDIRECT]: Client connection to IP: %s:%d, Server thread: %d.
PRIVMSG %s :%s
[CMD]: Could not read data from proccess.
[CMD]: Proccess has terminated.
[CMD]: Could not read data from proccess
[CMD]: Failed to start IO thread, error: <%d>.
[CMD]: Remote Command Prompt
cmd.exe
[%s]|
[%d]%s
[SCAN]: IP: %s Port: %d is open.
[SCAN]: Scanning IP: %s, Port: %d.
tPTF.exe -i get
IP: %s
[TFTP]: Failed to open file: %s.
[TFTP]: Error: socket() failed, returned: <%d>.
%s: No %s thread found.
%s: %s stopped. (%d thread(s) stopped.)
[VISIT]: Failed to connect to HTTP server.
[VISIT]: Invalid URL.
[VISIT]: Failed to get requested URL from HTTP server.
[VISIT]: URL visited.
[12-09-2014 15:36:21] [IDENTD]: Server running on Port: 113.
%System%\uibtrym.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:560
    uibtrym.exe:484
    erg45.exe:716
    erg45.exe:1156

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\O49A\erg45.exe (9665 bytes)
    %Documents and Settings%\%current user%\P31R87.QX5 (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1249 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1249 bytes)
    %System%\uibtrym.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Supports RAS Connections" = "uibtrym.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Supports RAS Connections" = "uibtrym.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Supports RAS Connections" = "uibtrym.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
    "Supports RAS Connections" = "uibtrym.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
