Trojan.GenericKD.2529035_2339fa747a

by malwarelabrobot on August 26th, 2015 in Malware Descriptions.

Trojan.MSIL.Agent.aawng (Kaspersky), Trojan.GenericKD.2529035 (B) (Emsisoft), Trojan.GenericKD.2529035 (AdAware), Backdoor.Win32.PcClient.FD, Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 2339fa747a93adb320ccb83832fe6ed8
SHA1: 4efd2224df57ed619d2c9b039c905396359f52bd
SHA256: c8f5732e7766aea14d5b3ac83fd702c71fe54f1dcf579288e325fd7cfe4ecb2b
SSDeep: 12288:u/vsSddcnWLFzOhkQFQxZ Ej3hYcryd9nw9kquld2P6zR9lNYY:ubunW5F as9wxze9lNYY
Size: 606936 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-30 17:50:55
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

schtasks.exe:1160
schtasks.exe:1092
rundll32.exe:612
dumprep.exe:1240
dumprep.exe:464

The Trojan injects its code into the following process(es):

sql_support.exe:564
%original file name%.exe:1756
svchost.exe:1180

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process sql_support.exe:564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aQQQQQ.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\msdcsc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (50 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aQQQQQ.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)

The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sql_support.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\msdcsc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aRRRRR.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aRRRRR.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process dumprep.exe:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WER3805.dir00\svchost.exe.mdmp (99485 bytes)

The process dumprep.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WER3805.dir00\svchost.exe.hdmp (217030 bytes)

Registry activity

The process schtasks.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 93 45 70 B5 36 AF 09 3F 3F 12 23 D9 36 18 C5"

The process schtasks.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 2F B9 D6 6D 66 B9 F8 5A 53 06 5F 12 9A 1C 66"

The process rundll32.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 D5 22 DA C4 D6 AC DB FE AF BC 08 7E 62 C8 BE"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"svchost.exe" = "Generic Host Process for Win32 Services"

[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%System%]
"svchost.exe" = "EnableNXShowUI"

The process sql_support.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 98 E8 94 AC 52 13 4B 5A A4 D4 4C 0B A1 DD E7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 59 F3 D0 73 3A 8A B0 7D A1 E1 51 B9 CD 8B 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"schtasks.exe" = "Schedule Tasks"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"sql_support.exe" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process dumprep.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 C4 0F 4A 16 75 D9 42 9B A6 A8 9F 3A 76 1E 6D"

The process dumprep.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 B1 75 37 DA 0F 82 6E 0A 3D B1 0E 14 11 CA 54"

Dropped PE files

MD5 File path
27c6d03bcdb8cfeb96b716f3d8be3e18 c:\Documents and Settings\"%CurrentUserName%"\Application Data\file.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: RewardsMedia.exe
Internal Name: RewardsMedia.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 496884 497152 4.51023 f98894818632b919f9ee319784046293
.rsrc 507904 100704 100864 3.96692 7a028bcf56d72e01e2c3070a64f7a736
.reloc 614400 12 512 0.070639 d5869dde28e05c811482a071bf989278

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://c-0001.c-msedge.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://c-0001.c-msedge.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 191.234.4.50
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl 23.43.133.163
hxxp://crl.verisign.com/pca3-g5.crl 23.43.133.163
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 191.234.4.50


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Length: 18
Content-Type: text/plain
Last-Modified: Thu, 23 Jul 2015 23:16:35 GMT
Accept-Ranges: bytes
ETag: "80b4b9e9dc5d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: NL
X-MSEdge-Ref: Ref A: B057B75A216A4410B8F0941C13293727 Ref B: 452B515E929CFE9963FE7EF8E4968B49 Ref C: Tue Aug 25 04:27:25 2015 PST
Date: Tue, 25 Aug 2015 11:27:25 GMT
1401D0C59D9E95282D....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Length: 50013
Content-Type: application/octet-stream
Last-Modified: Fri, 24 Jul 2015 19:32:35 GMT
Accept-Ranges: bytes
ETag: "808bd77d47c6d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-CID: 7
X-CCC: NL
X-MSEdge-Ref: Ref A: EB703D9171544231A8E5ABD6F72B3944 Ref B: 88590B7681A022E2921E0757FDB5DC4C Ref C: Tue Aug 25 04:27:26 2015 PST
Date: Tue, 25 Aug 2015 11:27:25 GMT
MSCF....].......,...................I..................F.a .authroot.s
tl....".8..CK...<T.....c.5(..=..Q..DvI.N.%.2......,.JR!..i..!i...E.
%)...f....uo...~/.3..s..y>...=..l..... %.%.p.X...s ..!..C9.v.fe.&..
3.:O.gaWf....-....$.....b......g'..o.?...*...B..5.5P.....?v.......w..=
.....UnV..G.....(.."..G9.Q>.g.m.1...i..P..o..?.gU|..\.N...1Dv...T.&
..&..9.gw...P....\...A.]..J..I.= 5yt..8.......x,_r.O..X..i>U.hd..op
. asK......P(...!.$...V(.e...s$p.z.u.......H...W..~.D. ......#7'*..L..
%j.". .j....g..i.eGy`......03.2.ayX..;6N&.:..b....O,...E....#T...v.f..
.|. ..sL...U.....Q..m7...F...q..M.#^.l...."..HS........Z.@ ....(...0..
..R...S^..,.k....Q...../.E........B;. .......?...a......1.^...I......#
.bX....t....q.....x....v..W....tj}.....i...g...s.....K.'...).Y.......a
.|.&4.....-.,..w`.iP0-.X.{.....c....u.~.u2..[.r.Va.w88.. 0.#.].pw"Mg.Z
.aNp...J...eB..7.vG.....IH.B ..T.........-m....E...u....Jy..>:.R}..
.[...<Q...F....}..@c0*.p.H0N....B...I.<...Os..: X.Xv..K(t*.%t...
7.uMt......:..l.....c".w!.t. .K....X...;-|...da..e@#.....]z.......h...
...4b......O.%.S.l.g..P...Q......ZM...[<.4.S.NU.....q.[..[,XF!GL...
......y..>v ." .7..x"u_ EJ.!N..=../@d.i..Z.Y...1........pLx........
G a{..d.v.P..'c....c.P..B...j-6x.~..J4.o...B.W._v/~...|.mV......[c.l.W
..T@~-..<..z ..y....I~.#.ZN.ef...7L.V.v#o....S...9........a.h..s...
l.N.}.X..#_....,Z...E.yr..p.G..~..m.f`.x,...Dl. ......-....;[email protected].
.7..{[email protected].....#.......>-.."  L..TR.Q...p&.........Q.
[,.....T.m..j>.mJ.X.....I.p=@.=...e..^...dd......B`.....&#YK...
<<< skipped >>>


GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "269ae3260b634b54cff1f67ca0a240bc:1440493544"
Last-Modified: Tue, 25 Aug 2015 09:05:44 GMT
Date: Tue, 25 Aug 2015 11:27:26 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0..?.0..>....0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code S
igning 2010 [email protected].
.140730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.
&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q..
.s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...
g9..130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.
H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM....
...0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.
....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%
...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.
[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!
.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n.....
...'u..140521222808Z0!......0..........I..130912181631Z0!.....1.;C,.. 
L..0...141111073655Z0!....6e...~..T.......130131012247Z0!.....|.....t.
l.o....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.
).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....n[..P..a.
y...p..141121045513Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[...
..!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z..
[email protected]!...........].{7.....120730000000Z0!...".......Z.
V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH
<<< skipped >>>


GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "e4ea60d914f34d3f3d341907f72da002:1435263916"
Last-Modified: Thu, 25 Jun 2015 20:25:16 GMT
Date: Tue, 25 Aug 2015 11:27:26 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U
....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For aut
horized use only1E0C..U...<VeriSign Class 3 Public Primary Certific
ation Authority - G5..150617000000Z..150930235959Z0...*.H.............
\j......H.......;...s....>U.:.-..A....\;/._>s ..T.....LY...w1..}
........}<.........T........6.a..n..._.,m.=.Xu9.1.|1...&.)_6...wo..
...w..9.........)...7...A....W..f..R.}[email protected]....&.v.....x.r.._......
5..n....g..2..:-...b...#"......2]........A.5.b.)NMX.6..HTTP/1.1 200 OK
..Server: Apache..ETag: "e4ea60d914f34d3f3d341907f72da002:1435263916".
.Last-Modified: Thu, 25 Jun 2015 20:25:16 GMT..Date: Tue, 25 Aug 2015 
11:27:26 GMT..Content-Length: 533..Connection: keep-alive..Content-Typ
e: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U
....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006
 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 
3 Public Primary Certification Authority - G5..150617000000Z..15093023
5959Z0...*.H.............\j......H.......;...s....>U.:.-..A....\;/.
_>s ..T.....LY...w1..}........}<.........T........6.a..n..._.,m.
=.Xu9.1.|1...&.)_6...wo.....w..9.........)...7...A....W..f..R.}[email protected]..
4....&.v.....x.r.._......5..n....g..2..:-...b...#"......2]........A.5.
b.)NMX.6....
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1756_rwx_00A0A000_00002000:

.iJyP

svchost.exe_1180:

.text
`.data
.rsrc
MSVBVM60.DLL
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\msvbvm60.dll\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
6tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
FtpDownload
InternetOpenUrlA
FtpUpload
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpGetDirectory
Http_DownloadFile
cmdShowfiles
msvbvm60.dll
tmrTCP
?8??8??8??8??8?
2>e%Xdq
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
killuasan.chickenkiller.com
file.exe
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
WScript.Shell
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
127.0.0.1
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
hXXps://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
\system32\userinit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
steam.exe
hl.exe
\rspad.dat

svchost.exe_1180_rwx_00400000_00078000:

.text
`.data
.rsrc
MSVBVM60.DLL
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\msvbvm60.dll\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
6tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
FtpDownload
InternetOpenUrlA
FtpUpload
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpGetDirectory
Http_DownloadFile
cmdShowfiles
msvbvm60.dll
tmrTCP
?8??8??8??8??8?
2>e%Xdq
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
killuasan.chickenkiller.com
file.exe
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
WScript.Shell
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
127.0.0.1
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
hXXps://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
\system32\userinit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
steam.exe
hl.exe
\rspad.dat

rundll32.exe_612:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    schtasks.exe:1160
    schtasks.exe:1092
    rundll32.exe:612
    dumprep.exe:1240
    dumprep.exe:464

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\aQQQQQ.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\msdcsc.exe (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sql_support.exe (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (50 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (147 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aRRRRR.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WER3805.dir00\svchost.exe.mdmp (99485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WER3805.dir00\svchost.exe.hdmp (217030 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now