Trojan.GenericKD.3278367_c2cd0766ea
Trojan.Win32.Patched.ir (Kaspersky), Trojan.GenericKD.3278367 (B) (Emsisoft), Trojan.GenericKD.3278367 (AdAware), Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: c2cd0766ea4cb8f0ac17538d735a7585
SHA1: 658565c9fadd65ec5fa2931ce13d8ee37ffa71d6
SHA256: 53b70b67e13583bf819bfb01fb3c76264083a388d310e1ad9e640f7af2090929
SSDeep: 12288:5l8GskSBnHw6GDytmxuVcBQPKGO/Yt/783hPdIpG6TcYK2fDxnv923G3AxHx:H1skyHw6GDXxueQSGMYZ7WhPdKPTc4NY
Size: 740194 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: Open Software Installer
Created at: 2003-03-06 01:13:56
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
1_.ii:1180
1_.ii:1772
logogo.exe:1568
logogo.exe:468
The Trojan injects its code into the following process(es):
%original file name%.exe:188
logogo.exe:1316
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process 1_.ii:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system\logogo.exe (26 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_MSI5166._IS (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_is1.tmp (0 bytes)
The process logogo.exe:1568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system\SYSTEM64.tmp (0 bytes)
The Trojan deletes the following file(s):
%WinDir%\system\SYSTEM64.vxd (0 bytes)
%WinDir%\system\SYSTEM64.tmp (0 bytes)
The process logogo.exe:1316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\setup.exe (78 bytes)
C:\autorun.inf (255 bytes)
The Trojan deletes the following file(s):
%WinDir%\win.log (0 bytes)
C:\autorun.inf (0 bytes)
The process logogo.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system\SYSTEM64.tmp (0 bytes)
The Trojan deletes the following file(s):
%WinDir%\system\SYSTEM64.tmp (0 bytes)
Registry activity
The process 1_.ii:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 4B 3A 06 0E 6C CC 8D 2B 0E 55 BD D0 45 96 22"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process 1_.ii:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 F3 8A AC B0 6B 94 65 41 3F 1E 61 21 71 39 95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 5E AB BC 4C E0 A1 2E 60 52 D7 24 C7 C6 80 B2"
The process logogo.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 41 88 F1 FB C6 D0 35 7F D1 82 EB 26 53 9C 95"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all intranet URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process logogo.exe:1316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 6E 97 6A 06 04 50 08 B0 29 9F B7 3E 75 DF B3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"logogo" = "%WinDir%\system\logogo.exe"
The Trojan modifies IE security-zone settings so that all intranet URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The process logogo.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 26 6F 90 F8 94 7C FF 11 6A 5B E3 DA EF 7D AF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all intranet URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| cf90e50bbda8df2f248f3df37c4cd6a7 | c:\WINDOWS\system\logogo.exe |
| cf90e50bbda8df2f248f3df37c4cd6a7 | c:\setup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: InstallShield Software Corporation
Product Name: Multimedia Card Reader
Product Version: 1.06.5
Legal Copyright: Copyright (C) 2003 InstallShield Software Corp.
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 1.06.5
File Description: Setup Launcher
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 135710 | 139264 | 4.49413 | 4aff926f380b2391f3b9093a79a095e8 |
| .rdata | 143360 | 15848 | 16384 | 3.59906 | 1504b9b9e70646cdef104bc67d395171 |
| .data | 159744 | 37368 | 20480 | 2.16402 | c9c0d29eed2a639d4dec831e92767b12 |
| .rsrc | 200704 | 41696 | 45056 | 5.01856 | a85b12c24343bb8ed8750725bcf6df4d |
| .lea | 245760 | 27034 | 28672 | 4.23347 | e7a9a3de4b3ef85f5a263ac28e1616cc |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
515def999ffc28d780d2587245f4168f
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
1_.ii:1180
1_.ii:1772
logogo.exe:1568
logogo.exe:468
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\system\logogo.exe (26 bytes)
%WinDir%\system\SYSTEM64.tmp (0 bytes)
C:\setup.exe (78 bytes)
C:\autorun.inf (255 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"logogo" = "%WinDir%\system\logogo.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.