Trojan.GenericKD.2256290_288f8641da
Trojan.Win32.Llac.juiy (Kaspersky), Trojan.GenericKD.2256290 (B) (Emsisoft), Trojan.GenericKD.2256290 (AdAware), WormRebhip.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 288f8641da01e885041cd7f05d2298cc
SHA1: ec44c3f91666004273b0ebae04da60dc64bba9c4
SHA256: 03db1a9be2154fb255076eb48d444e4d6aca3f5d4c287d000518c46f07258bd4
SSDeep: 6144:HKwLo7uzRLvm2YmENNY6F mwKTCalMjXUWG7bs4MK9Te24O:TLoQI66LwKTCdELs3MSTO
Size: 471040 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: PCUtilities Software Limited
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:196
rundll64.exe:576
rundll64.exe:228
adobe.exe:576
adobe.exe:816
The Trojan injects its code into the following process(es):
svchost.exe:424
Explorer.EXE:1912
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\adobe.exe (6040 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\adobe.exe (0 bytes)
The process adobe.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\rundll64.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (235 bytes)
Registry activity
The process %original file name%.exe:196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 BC 87 20 1C C0 29 71 7D 70 F8 6A CE 50 B7 09"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process rundll64.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 B1 B3 24 32 EE 67 2B C0 68 49 D8 CF CE 36 76"
The process rundll64.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 19 23 89 01 F3 7E 15 3A FB 51 47 DD 05 5B CF"
The process adobe.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 8E 04 7E D4 10 81 8C CC BB A1 FA 80 F3 CF DF"
The process adobe.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 91 35 A7 79 15 EA FD 72 2F EB E0 DD 01 3D AD"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{M861KIAB-0B6Q-FLRD-G5X1-5IX057WXS61A}]
"StubPath" = "%WinDir%\System32\rundll64.exe Restart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"{RBCISAAX-32TI-O5A0-57Y5-D8B1OY6F5704}" = "%WinDir%\System32\rundll64.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"{RBCISAAX-32TI-O5A0-57Y5-D8B1OY6F5704}" = "%WinDir%\System32\rundll64.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader" = "%WinDir%\System32\rundll64.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader" = "%WinDir%\System32\rundll64.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| feff04079332c802657287327ef8bbc6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\adobe.exe |
| feff04079332c802657287327ef8bbc6 | c:\WINDOWS\system32\rundll64.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 43748 | 44032 | 4.53606 | 3aeb6fb8fe8ab95f2462e3afb8b8acd3 |
| .data | 49152 | 8796 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
| .rsrc | 61440 | 420636 | 420864 | 5.07106 | 318b13841ff3af728c7f2c1d03cb9c33 |
| .reloc | 483328 | 3480 | 3584 | 3.33168 | bc74eb2a181cf1029262828db6ac5b5d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_424_rwx_00090000_00001000:
KERNEL32.DLL
svchost.exe_424_rwx_001D0000_00001000:
KERNEL32.DLL
svchost.exe_424_rwx_00210000_00001000:
KERNEL32.DLL
svchost.exe_424_rwx_00250000_00001000:
KERNEL32.DLL
svchost.exe_424_rwx_00290000_00001000:
KERNEL32.DLL
svchost.exe_424_rwx_002D0000_00001000:
KERNEL32.DLL
svchost.exe_424_rwx_00AA0000_00001000:
advapi32.dll
svchost.exe_424_rwx_00AD0000_00001000:
RegOpenKeyA
svchost.exe_424_rwx_00AE0000_00001000:
advapi32.dll
svchost.exe_424_rwx_00B10000_00001000:
AVICAP32.DLL
svchost.exe_424_rwx_00D60000_00001000:
AVICAP32.DLL
svchost.exe_424_rwx_00D90000_00001000:
gdi32.dll
svchost.exe_424_rwx_00ED0000_00001000:
gdi32.dll
svchost.exe_424_rwx_00F00000_00001000:
gdiplus.dll
svchost.exe_424_rwx_00F40000_00001000:
gdiplus.dll
svchost.exe_424_rwx_00F80000_00001000:
mpr.dll
svchost.exe_424_rwx_00FC0000_00001000:
mpr.dll
svchost.exe_424_rwx_00FF0000_00001000:
msacm32.dll
svchost.exe_424_rwx_01340000_00001000:
msacm32.dll
svchost.exe_424_rwx_01370000_00001000:
ntdll.dll
svchost.exe_424_rwx_014B0000_00001000:
ntdll.dll
svchost.exe_424_rwx_014E0000_00001000:
ole32.dll
svchost.exe_424_rwx_01620000_00001000:
ole32.dll
svchost.exe_424_rwx_01650000_00001000:
oleaut32.dll
svchost.exe_424_rwx_01790000_00001000:
oleaut32.dll
svchost.exe_424_rwx_017C0000_00001000:
powrprof.dll
svchost.exe_424_rwx_01900000_00001000:
powrprof.dll
svchost.exe_424_rwx_01930000_00001000:
shell32.dll
svchost.exe_424_rwx_01A70000_00001000:
shell32.dll
svchost.exe_424_rwx_01AA0000_00001000:
user32.dll
svchost.exe_424_rwx_01BE0000_00001000:
user32.dll
svchost.exe_424_rwx_01C10000_00001000:
wininet.dll
svchost.exe_424_rwx_01D40000_00001000:
FtpOpenFileA
svchost.exe_424_rwx_01D50000_00001000:
wininet.dll
svchost.exe_424_rwx_01D80000_00001000:
winmm.dll
svchost.exe_424_rwx_01EC0000_00001000:
winmm.dll
svchost.exe_424_rwx_01EF0000_00001000:
wsock32.dll
svchost.exe_424_rwx_02040000_00001000:
wsock32.dll
svchost.exe_424_rwx_24080000_00062000:
`.rsrc
/w)f%u/
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)Set objFileSystem = CreateObject("Scripting.fileSystemObject")Set objFile = objFileSystem.CreateTextFile("Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
XxX.xXx
UuU.uUu
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
%SYS%
ÞSKTOP%
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearch
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
getpassword
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
updateservidorweb
##@@## ##@@## ##@@##
Windows\CurrentVersion\Uninstall\eDonkey2000
UNWISE.EXE
ntdll.dll
icon=shell32.dll,4
shellexecute=
autorun.inf
XX--XX--XX.txt
logs.dat
SQLite3.dll
$1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll
Explorer.EXE_1912_rwx_00FF0000_00001000:
KERNEL32.DLL
Explorer.EXE_1912_rwx_01F20000_00001000:
KERNEL32.DLL
Explorer.EXE_1912_rwx_02070000_00001000:
KERNEL32.DLL
Explorer.EXE_1912_rwx_020B0000_00001000:
KERNEL32.DLL
Explorer.EXE_1912_rwx_020F0000_00001000:
KERNEL32.DLL
Explorer.EXE_1912_rwx_02130000_00001000:
KERNEL32.DLL
Explorer.EXE_1912_rwx_02160000_00001000:
advapi32.dll
Explorer.EXE_1912_rwx_02290000_00001000:
RegOpenKeyA
Explorer.EXE_1912_rwx_022A0000_00001000:
advapi32.dll
Explorer.EXE_1912_rwx_022D0000_00001000:
AVICAP32.DLL
Explorer.EXE_1912_rwx_02410000_00001000:
AVICAP32.DLL
Explorer.EXE_1912_rwx_02440000_00001000:
gdi32.dll
Explorer.EXE_1912_rwx_02580000_00001000:
gdi32.dll
Explorer.EXE_1912_rwx_025B0000_00001000:
gdiplus.dll
Explorer.EXE_1912_rwx_026F0000_00001000:
gdiplus.dll
Explorer.EXE_1912_rwx_02720000_00001000:
mpr.dll
Explorer.EXE_1912_rwx_02760000_00001000:
mpr.dll
Explorer.EXE_1912_rwx_02790000_00001000:
msacm32.dll
Explorer.EXE_1912_rwx_027D0000_00001000:
msacm32.dll
Explorer.EXE_1912_rwx_02800000_00001000:
ntdll.dll
Explorer.EXE_1912_rwx_02B50000_00001000:
ntdll.dll
Explorer.EXE_1912_rwx_02B80000_00001000:
ole32.dll
Explorer.EXE_1912_rwx_02CC0000_00001000:
ole32.dll
Explorer.EXE_1912_rwx_02CF0000_00001000:
oleaut32.dll
Explorer.EXE_1912_rwx_02E30000_00001000:
oleaut32.dll
Explorer.EXE_1912_rwx_02E60000_00001000:
powrprof.dll
Explorer.EXE_1912_rwx_02FA0000_00001000:
powrprof.dll
Explorer.EXE_1912_rwx_02FD0000_00001000:
shell32.dll
Explorer.EXE_1912_rwx_03110000_00001000:
shell32.dll
Explorer.EXE_1912_rwx_03140000_00001000:
user32.dll
Explorer.EXE_1912_rwx_03280000_00001000:
user32.dll
Explorer.EXE_1912_rwx_032B0000_00001000:
wininet.dll
Explorer.EXE_1912_rwx_033E0000_00001000:
FtpOpenFileA
Explorer.EXE_1912_rwx_033F0000_00001000:
wininet.dll
Explorer.EXE_1912_rwx_03420000_00001000:
winmm.dll
Explorer.EXE_1912_rwx_03560000_00001000:
winmm.dll
Explorer.EXE_1912_rwx_03590000_00001000:
wsock32.dll
Explorer.EXE_1912_rwx_036D0000_00001000:
wsock32.dll
Explorer.EXE_1912_rwx_24010000_00062000:
`.rsrc
/w)f%u/
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)Set objFileSystem = CreateObject("Scripting.fileSystemObject")Set objFile = objFileSystem.CreateTextFile("Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
XxX.xXx
UuU.uUu
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
%SYS%
ÞSKTOP%
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearch
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
getpassword
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
updateservidorweb
##@@## ##@@## ##@@##
Windows\CurrentVersion\Uninstall\eDonkey2000
UNWISE.EXE
ntdll.dll
icon=shell32.dll,4
shellexecute=
autorun.inf
XX--XX--XX.txt
logs.dat
SQLite3.dll
$1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:196
rundll64.exe:576
rundll64.exe:228
adobe.exe:576
adobe.exe:816 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\adobe.exe (6040 bytes)
%System%\rundll64.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (235 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader" = "%WinDir%\System32\rundll64.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader" = "%WinDir%\System32\rundll64.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
