Trojan.Win32.Delphi_eb247a94fa
Trojan.Win32.Staser.brkk (Kaspersky), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: eb247a94fa17831f454427efb83260cd
SHA1: 41ec2d78d412cea5c2e6f202b01e5e59fb3bb660
SHA256: 732afd0c2e8037bf801cf73e3c088c07c2193269307c444f0d345fd2eec87546
SSDeep: 12288:lL0 NZy/GsAFp2o52 llgj6Y4SntADGQHUxYqaV2xS /ykCWnYxpo9hYbUKshN:lBwGdFp55Rk6YshUxYqaQBtnMpo9hY2/
Size: 741958 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1504
The Trojan injects its code into the following process(es):
iyAw.exe:3312
vbc.exe:1664
vbc.exe:2788
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iyAw.exe (6186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\sUHEUcst\iyAwnSoR.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0.exe (210 bytes)
The process iyAw.exe:3312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\sUHEUcst\iyAwnSoR.exe (5441 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\sUHEUcst\iyAwnSoR.exe (0 bytes)
The process vbc.exe:2788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\rundll.exe (15 bytes)
Registry activity
The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sUHEUcst" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\sUHEUcst\iyAwnSoR.exeC."
Dropped PE files
MD5 | File path |
---|---|
8c6a627febfc47c048fedd97934deb6d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\0.exe |
f91a5c11b4dde67b2fc940848038403f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\rundll.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: dotPDN LLC
Product Name: Paint.NET
Product Version: 3.58.4081.24586
Legal Copyright: Copyright (c) 2011 dotPDN LLC, Rick Brewster, and past contributors. All Rights Reserved.
Legal Trademarks:
Original Filename: PaintDotNet.exe
Internal Name: PaintDotNet.exe
File Version: 3.58.4081.24586
File Description: Paint.NET
Comments: Image and photo editing software.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 622592 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 626688 | 249856 | 249856 | 5.49794 | 354aaea822600763f75c96f7931cee39 |
.rsrc | 876544 | 172032 | 168960 | 3.9734 | d7b1d3265130ef1bedc08658aab53710 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
data.dbf
\rundll.exe
Ya.rLpe
y^.RE
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
GetProcessHeap
GetCPInfo
wsock32.dll
7 7$7(7,7
svwhsos.exe
217.150.93.11#PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
vbc.exe_2788_rwx_00160000_0001B000:
.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
data.dbf
\rundll.exe
Ya.rLpe
y^.RE
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
GetProcessHeap
GetCPInfo
wsock32.dll
7 7$7(7,7
svwhsos.exe
217.150.93.11#PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
rundll.exe_3980:
.text
`.rdata
@.data
@.reloc
ntdll.dll
KERNEL32.dll
ADVAPI32.dll
C:\Users\root\Desktop\hide\Release\hide.pdb
kernel32.dll
taskmgr.exe
iyAw.exe_3312:
`.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
USER32.DLL
windows
comctl32.dll
uxtheme.dll
PasswordChar
OnKeyDown
OnKeyPress
OnKeyUp
ssHorizontal
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
Uh.VD
imm32.dll
OnExecuteP
AutoHotkeys
AutoHotkeys$
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
MAPI32.DLL
RICHED32.DLL
ole32.dll
supports
importNode
TSQLTimeStampVariantType
TSQLTimeStampData
SqlTimSt
SQLTimeStamp
olepro32.dll
AllowJoinedWordsT
TEgUcuRlB
cmmsGaXLYzSza$
zVOKtcPP
1iu2.iu
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
33333333330
3333338
3333333330
3333833330
3333330
333333330
3333333333
338333?330
33383?3330
3833830
KWindows
UrlMon
rSqlTimSt
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Lines.Strings
american.vtd
vspeller.hlp
wSqLb
cmmsGaXLYzSza
yAduuPRURl
GetCPInfo
RegOpenKeyExA
RegCloseKey
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
S.xZjhYG
!!!@}}};
...CtwwC
.RTTA
.txx7
:;;.djj%
.sww8
455 9:: <==
g7&:;;(ABB GHH-MOO.SUU-WXX1ilmD
-CDD.GHH1OQQ3VXX5]__6dff5fgg;
%FHH>~
011 455!899"<==">@@$BDD$EGG"DEE.lqrU
$566$677'<==(ABB*FGG,KLL-OQQ.SUU.WYY.XZZ0ostQ
(:;;';<<*ABB,FGG.KMM0QSS0UWW1Z\\2_aa0]__8
.DEE-DEE0KLL2PRR4VXX5[]]6acc6fhh6jmm5gii>
advapi32.dll
gdi32.dll
KERNEL32.DLL
user32.dll
version.dll
winspool.drv
;Property or Method "%s" is not supported by DOM Vendor "%s"
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
%s is not a valid BCD value$Could not parse SQL TimeStamp string
Invalid SQL date/time values
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design mode
No help keyword specified.
Failed to Save Stream)"%s" DOMImplementation already registered
Clipboard does not support Icons
Text exceeds memo capacity.There is no default printer currently selected/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Invalid property element: %s
Invalid property type: %s
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Paint.NET
3.58.4081.24586
PaintDotNet.exe
iyAw.exe_3312_rwx_00401000_000D4000:
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
USER32.DLL
windows
comctl32.dll
uxtheme.dll
PasswordChar
OnKeyDown
OnKeyPress
OnKeyUp
ssHorizontal
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
Uh.VD
imm32.dll
OnExecuteP
AutoHotkeys
AutoHotkeys$
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
MAPI32.DLL
RICHED32.DLL
ole32.dll
supports
importNode
TSQLTimeStampVariantType
TSQLTimeStampData
SqlTimSt
SQLTimeStamp
olepro32.dll
AllowJoinedWordsT
TEgUcuRlB
cmmsGaXLYzSza$
zVOKtcPP
1iu2.iu
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
33333333330
3333338
3333333330
3333833330
3333330
333333330
3333333333
338333?330
33383?3330
3833830
KWindows
UrlMon
rSqlTimSt
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Lines.Strings
american.vtd
vspeller.hlp
wSqLb
cmmsGaXLYzSza
yAduuPRURl
GetCPInfo
RegOpenKeyExA
RegCloseKey
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
S.xZjhYG
;Property or Method "%s" is not supported by DOM Vendor "%s"
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
%s is not a valid BCD value$Could not parse SQL TimeStamp string
Invalid SQL date/time values
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design mode
No help keyword specified.
Failed to Save Stream)"%s" DOMImplementation already registered
Clipboard does not support Icons
Text exceeds memo capacity.There is no default printer currently selected/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Invalid property element: %s
Invalid property type: %s
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
vbc.exe_1664:
.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
data.dbf
\rundll.exe
Ya.rLpe
y^.RE
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
GetProcessHeap
GetCPInfo
wsock32.dll
7 7$7(7,7
svwhsos.exe
217.150.93.11#PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
iyAw.exe_3312_rwx_015E0000_000F5000:
Portions Copyright (c) 1999,2003 Avenger by NhT
kernel32.dll
GetProcessHeap
oleaut32.dll
ntdll.dll
KWindows
iyAw.exe_3312_rwx_019C0000_000F5000:
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\
SysWOW64\notepad.exe
system32\notepad.exe
vbc.exe
%Program Files% (x86)\
Microsoft.NET\Framework\v2.0.50727\regasm.exe
Microsoft.NET\Framework\v4.0.30319\regasm.exe
SysWOW64\explorer.exe
explorer.exe
SysWOW64\WerFault.exe
System32\WerFault.exe
Microsoft.NET\Framework\v2.0.50727\vbc.exe
Microsoft.NET\Framework\v4.0.30319\vbc.exe
Mozilla Firefox\firefox.exe
\Google\Chrome\Application\chrome.exe
Internet Explorer\iexplore.exe
data.bin
bindedfiledropandexecute
S-%u-
oleaut32.dll
EVariantBadIndexError
%s, ClassID: %s
ole32.dll
NtSetValueKey
C:\Windows\System32\eventvwr.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion
data.exe
/c reg add hkcu\Environment /v windir /d "cmd /c start
C:\Windows\System32\cmd.exe
/c schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I && exit
notepad.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cmd.exe
.0.0\avpui.exe
%Program Files% (x86)\Kaspersky Lab\Kaspersky Anti-Virus
%Program Files% (x86)\Kaspersky Lab\Kaspersky Internet Security
.NET Framework 2.0
.NET Framework 4.0
FC:\Windows\System32\
C:\Windows\System32\Mycomput.dll
.lnk" "C:\Users\
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
.lnk"
:Zone.Identifier
iyAwnSoR.exe
%Program Files%\Bitdefender
avpui.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetProcessHeap
GetCPInfo
ADVAPI32.DLL
shell32.dll
ShellExecuteA
ntdll.dll
NtCreateKey
1%2x223v3{3
6"6&6-616{6
KWindows
UrlMon
hU_MemExecute
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
vbc.exe_1664_rwx_00160000_0001B000:
.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
data.dbf
\rundll.exe
Ya.rLpe
y^.RE
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
GetProcessHeap
GetCPInfo
wsock32.dll
7 7$7(7,7
svwhsos.exe
217.150.93.11#PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
rundll.exe_524:
.text
`.rdata
@.data
@.reloc
ntdll.dll
KERNEL32.dll
ADVAPI32.dll
C:\Users\root\Desktop\hide\Release\hide.pdb
kernel32.dll
taskmgr.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1504
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\iyAw.exe (6186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\sUHEUcst\iyAwnSoR.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0.exe (210 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\rundll.exe (15 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sUHEUcst" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\sUHEUcst\iyAwnSoR.exeC."
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.