Trojan-PSW.Win32.Zbot_3d9c37bc7d

by malwarelabrobot on June 30th, 2014 in Malware Descriptions.

Trojan.Win32.Inject.nptt (Kaspersky), Trojan.GenericKD.1707841 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, GenericAutorunWorm.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 3d9c37bc7dda48469b0cbc9b2ef761ba
SHA1: ce8615e5f30c037edc86e018032f810fb371bbcb
SHA256: 3d922578a8f014bc20e9b52d1e4a0ec076a6add423c6a358a70b66c7faf4d96d
SSDeep: 12288:DFszBhqS5mGcSj9ki9JIc0eOOQvgasvM 3wkrI6GUWi4z/VrQaTa1NTJ9G:DFszWS5RSi930JbgassAIlUWi4zh7TUw
Size: 648674 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-03-02 09:40:24
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Trojan-PSW's file once a user opens the drive's folder in Windows Explorer.


Process activity

The Trojan-PSW creates the following process(es):

%original file name%.exe:284
miku.exe:1464
miku.exe:1004
miku.exe:1572
dialected.exe:1920
dialected.exe:608

The Trojan-PSW injects its code into the following process(es):

dialected.exe:1156
cmd.exe:1836
Explorer.EXE:1852

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:284 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\file.bin (2405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dialected.exe (6261 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\Nueva imagen de mapa de bits.bmp (21153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\Nueva imagen de mapa de bits.bmp (632092 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dialected.exe (0 bytes)

The process dialected.exe:1156 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%WinDir%\file.bin (665 bytes)
C:\test\test.exe (521 bytes)
C:\test\file.bin (1330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LHUMDMwjAHR.gif (660 bytes)

The process dialected.exe:608 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpf005af95.bat (201 bytes)
%Documents and Settings%\%current user%\Application Data\Gimera\miku.exe (1651 bytes)

Registry activity

The process %original file name%.exe:284 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"dialected.exe" = "dialected"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan-PSW modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process miku.exe:1464 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC B8 5A 55 06 D6 EE 77 71 28 8B AF B1 85 47 20"

The process miku.exe:1004 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE B7 E9 81 76 F0 64 03 72 D0 87 8D A6 AE DA 6A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process miku.exe:1572 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 4C EE 47 BF 2F 44 A7 01 17 73 24 45 80 B0 A4"

The process dialected.exe:1920 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 25 BB 6D AD E8 F9 06 F7 DA 32 9B 2E 59 F8 12"

The process dialected.exe:1156 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 01 C9 5D 68 38 85 69 13 D1 24 4E B9 8F D1 BF"

[HKCU\Software\Microsoft\Ybox]
"Ozacewmo" = "2D 10 7C 91 08 76 B4 C9 6E 47 08 AC 58 61 F0 F6"

The Trojan-PSW modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE security zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan-PSW modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process dialected.exe:608 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 07 2D 39 50 0D 88 B1 E5 46 02 25 FE 13 BD E7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

MD5 File path
0469be88df0c847b69474e4fd85d138c c:\Documents and Settings\"%CurrentUserName%"\Application Data\Gimera\miku.exe
3f06e949970454b76fa6e9166ca3f754 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RarSFX0\dialected.exe
3f06e949970454b76fa6e9166ca3f754 c:\test\test.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Trojan-PSW installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Trojan-PSW's file once a user opens the drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 71904 72192 4.54088 ead411693117dae8deb088f5bb4a85fa
.rdata 77824 7189 7680 3.37233 e70f56667b8e99a1ec239fd12b1640b4
.data 86016 65324 512 2.43883 11ffdfc240c81dfe9d957f6bf1761f00
.CRT 151552 16 512 0.147711 acdfc3df6b189cbcd09b1c888f95fe9a
.rsrc 155648 16504 16896 3.22639 07900c12e5057f1fe09434dd1b743c9f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 64

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan-PSW connects to the servers at the following location(s):

dialected.exe_1156:


dialected.exe_1156_rwx_00400000_00067000:


dialected.exe_1156_rwx_00E30000_00001000:

.reloc

dialected.exe_1156_rwx_00E80000_0002C000:


cmd.exe_1836:

.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
USER32.dll
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
RegDeleteKeyW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegOpenKeyExW
ShellExecuteExW
CmdBatNotification
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
_pipe
GetProcessWindowStation
cmd.pdb
del "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\dialected.exe"
f exist "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\dialected.exe" goto d
del /F "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmpf005af95.bat"
af95.bat"
CMD Internal Error %s
)(&&())))(&))
)&((&)&))&())
)&((&)&)&()))
)(&&()))&))))
CMD.EXE
()|&=,;"
COPYCMD
\XCOPY.EXE
CMDCMDLINE
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
0123456789
cmd.exe
DIRCMD
%d.%d.d
Ungetting: '%s'
DisableCMD
GeToken: (%x) '%s'
%s\Shell\Open\Command
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\dialected.exe"
1\Temp\tmpf005af95.bat"
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
if exist "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\dialected.exe" goto d
CMDEXTVERSION
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\dialected.exe
LS~1\Temp\RarSFX0\dialected.exe
%s %s
(%s) %s
%s %s%s
&()[]{}^=;!%' ,`~
d%sd%s
-%sd%sd%sd
d%sd%sd
%s=%s
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
\CMD.EXE
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Windows
Operating System
5.1.2600.5512
Press any key to continue . . . %0
operable program or batch file.
The system cannot execute the specified program.
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
a pipe operation.
KEYS is on.
KEYS is off.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
$B | (pipe)
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
under Windows XP.
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
this version of the operating system.
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
* / %% - arithmetic operators
  - - arithmetic operators
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
%%CD%% - expands to the current directory string.
%%DATE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
be passed to the for body for each iteration.
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
Missing operand.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

cmd.exe_1836_rwx_00910000_0002C000:

.text
`.data
.reloc
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
HTTP/1.1
http://hollywood.heartjohn.com/modules/holl.bin
Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)
pufjwdx.jvh
" !=%(>";;
=225;6%%7!=
3:6 1*7=$;-
*4*-0*1?7!
MK[(bocmdgs
15#77??68.
&'/( <99
$!*4,#)<:
mfh{g~amzgs.dgg
:; 1299;2
>.Rdd
<-?).$: (26
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
urlmon.dll
cabinet.dll
http://
https://
HTTP/1.
http://www.google.com/webhp
t7SSSh
t"SSSh
GetProcessHeap
KERNEL32.dll
MapVirtualKeyW
ExitWindowsEx
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
SetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
=?>#?.?;?
9%9)9/939
SysShadow
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
cGlobal\XXX
Global\{A4046B38-BFBA-AD62-880A-CFE035797B74}
%Documents and Settings%\%current user%\Application Data
{9C299170-5427-1343-B5A2-D98D6C76A4CD}
:\Documents and Settings\"%CurrentUserName%"\Application Data\Zoym\irwac.seq
%Documents and Settings%\%current user%\Application Data\Zoym
irwac.seq

Explorer.EXE_1852_rwx_00E30000_0002C000:

.text
`.data
.reloc
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
HTTP/1.1
http://hollywood.heartjohn.com/modules/holl.bin
Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2)
pufjwdx.jvh
" !=%(>";;
=225;6%%7!=
3:6 1*7=$;-
*4*-0*1?7!
MK[(bocmdgs
15#77??68.
&'/( <99
$!*4,#)<:
mfh{g~amzgs.dgg
:; 1299;2
>.Rdd
<-?).$: (26
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
urlmon.dll
cabinet.dll
http://
https://
HTTP/1.
http://www.google.com/webhp
t7SSSh
t"SSSh
GetProcessHeap
KERNEL32.dll
MapVirtualKeyW
ExitWindowsEx
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
SetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
=?>#?.?;?
9%9)9/939
SysShadow
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
cGlobal\XXX
Global\{A4046B38-BFBA-AD62-880A-CFE035797B74}
%Documents and Settings%\%current user%\Application Data
{9C299170-5427-1343-B5A2-D98D6C76A4CD}
%Documents and Settings%\%current user%\Application Data\Zoym\irwac.seq
%Documents and Settings%\%current user%\Application Data\Zoym
irwac.seq


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:284
    miku.exe:1464
    miku.exe:1004
    miku.exe:1572
    dialected.exe:1920
    dialected.exe:608

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\file.bin (2405 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dialected.exe (6261 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\Nueva imagen de mapa de bits.bmp (21153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\Nueva imagen de mapa de bits.bmp (632092 bytes)
    %WinDir%\file.bin (665 bytes)
    C:\test\test.exe (521 bytes)
    C:\test\file.bin (1330 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LHUMDMwjAHR.gif (660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpf005af95.bat (201 bytes)
    %Documents and Settings%\%current user%\Application Data\Gimera\miku.exe (1651 bytes)

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
