Trojan.GenericKD.2306985_32729f403f
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.2306985 (B) (Emsisoft), Trojan.GenericKD.2306985 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 32729f403fec598fd447cc1459d6fc77
SHA1: b106b04bfd20549af2f6f37c153ebe12be73396a
SHA256: 225ec10e4f7527cf6fb447e0e0fc2206de732c932e0a09b92dd54287eb2cb632
SSDeep: 49152:53ratU0lWmeeXl2r f8A2c8Xo jPDxvjBCNlhEgrq mGiXB/xBaN1KVkezFLc:57h0lWg8Cj2c03iGD YTBajKVk2L
Size: 3203072 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, Armadillov183, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2000-08-05 19:19:37
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1648
schtasks.exe:260
The Trojan injects its code into the following process(es):
32729f403fec598fd447cc1459d6fc77.TMP0:1804
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ArmD.tmp (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D8A4DF39.TMP (16 bytes)
C:\32729f403fec598fd447cc1459d6fc77.TMP0 (177115 bytes)
The process schtasks.exe:260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\startt.job (188 bytes)
The process 32729f403fec598fd447cc1459d6fc77.TMP0:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Wapp.exe (154878 bytes)
C:\autoexec.bat (1144 bytes)
The Trojan deletes the following file(s):
C:\AUTOEXEC.BAT (0 bytes)
Registry activity
The process %original file name%.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 46 6C C8 34 35 94 49 22 9D A4 98 4D B9 46 9A"
[HKCR\CLSID\{756DBD7B-C816-11D1-B2E4-0060975B8649}\TypeLib]
"(Default)" = "{D14EBB90-D27E-600C-1B5A-3A4AFBE2663A}"
[HKLM\SOFTWARE\The Silicon Realms Toolworks\Armadillo]
"{D8A4DF3904936BDC}" = "04 3C 2B 09 0A 5B 21 2F 21 EE E2 B0 03 CE 66 5C"
The process schtasks.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 7E 04 2D E4 42 3E CB F0 19 78 03 DE 80 25 ED"
The process 32729f403fec598fd447cc1459d6fc77.TMP0:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 98 1E D0 F8 E0 17 01 4E A8 65 8C 2F B8 B8 95"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wapp" = "C:\Arquivos de programas\Wapp.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 292af900df60851749ca9c1b290792ad | c:\32729f403fec598fd447cc1459d6fc77.TMP0 |
| 292af900df60851749ca9c1b290792ad | c:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wapp.exe |
| cdf9f21934221a77a7d3903378101f9b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ArmD.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 43261 | 45056 | 4.33925 | 060397ee034ea327ff6c25d43423f78e |
| .rdata | 49152 | 3912 | 4096 | 3.66297 | a7d7f7911596dad0699619423d1be3b3 |
| .data | 53248 | 10044 | 4096 | 2.15136 | 32213c65e4d97a5d6b8a8d192094336b |
| .rsrc | 65536 | 10932 | 12288 | 2.81421 | d97038a7ba35d42836a24c3fc9687752 |
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1648
schtasks.exe:260
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\ArmD.tmp (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D8A4DF39.TMP (16 bytes)
C:\32729f403fec598fd447cc1459d6fc77.TMP0 (177115 bytes)
%WinDir%\Tasks\startt.job (188 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Wapp.exe (154878 bytes)
C:\autoexec.bat (1144 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wapp" = "C:\Arquivos de programas\Wapp.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.