Trojan.Win32.IEDummy_a1b4ea28a0
UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.Win32.IEDummy.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a1b4ea28a0341393f08da060cd016483
SHA1: d4fd42eeb197790a549c18d22bd56c4210c5b98e
SHA256: bb93faf1703c350e143206ac469e6a138fa1338dc29d7d7b15b7e16de12c633f
SSDeep: 98304:t3AAiq7cZh5jpnfFAoe5sQ5U4z8riF9yew8f4d:t3AAc3FfiU 8riLyew8f
Size: 3383296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2015-09-23 13:47:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:668
The Trojan injects its code into the following process(es):
Injection.exe:1940
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Vista 13\Injection.exe (3730 bytes)
C:\Vista 13\Injection.ini (100 bytes)
%System%\drivers\etc\hosts (2 bytes)
%System%\D3DX9_43.dll (12288 bytes)
C:\Vista 13\Vista 13.dll (260 bytes)
Registry activity
The process Injection.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 7D 2E D9 CC 0B 71 27 F9 F6 51 0B 3A 3C 72 5B"
The process %original file name%.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 C1 5F D0 FF 93 FA 5E 9B 9A 8C 1A F6 71 67 BE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and which are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| faaedb168307c97a77d00771d1d45a3b | c:\Vista 13\Injection.exe |
| 17b2fe8b5d4979b8d07d32bc830265ed | c:\Vista 13\Vista 13.dll |
| 86e39e9161c3d930d93822f1563c280d | c:\WINDOWS\system32\D3DX9_43.dll |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS.
The modified file is 2072 bytes in size. The following entries are added to the hosts file:
| IP address | Host name |
|---|---|
| 127.0.0.1 | www.virustotal.com |
| 127.0.0.1 | virustotal.com |
| 127.0.0.1 | www.pekalongan-kommuniti.com |
| 127.0.0.1 | pekalongan-kommuniti.com |
| 127.0.0.1 | http://www.pekalongan-kommuniti.com/ |
| 127.0.0.1 | http://www.pury-cyber.blogspot.co.id/ |
| 127.0.0.1 | https://www.pury-cyber.blogspot.co.id/ |
| 127.0.0.1 | pury-cyber.blogspot.co.id |
| 127.0.0.1 | pury-cyber.blogspot.com |
| 127.0.0.1 | www.pury-cyber.blogspot.co.id |
| 127.0.0.1 | www.pury-cyber.blogspot.com |
| 127.0.0.1 | gudang-citer.blogspot.com |
| 127.0.0.1 | gudang-citer.blogspot.co.id |
| 127.0.0.1 | http://www.gudang-citer.blogspot.co.id/ |
| 127.0.0.1 | www.gudang-citer.blogspot.co.id |
| 127.0.0.1 | http://gembelcit.blogspot.co.id/ |
| 127.0.0.1 | http://www.gembelcit.blogspot.co.id/ |
| 127.0.0.1 | www.gembelcit.blogspot.co.id |
| 127.0.0.1 | gembelcit.blogspot.co.id |
| 127.0.0.1 | http://www.dukun-cit.com/ |
| 127.0.0.1 | www.dukun-cit.com |
| 127.0.0.1 | dukun-cit.com |
| 127.0.0.1 | http://pesantren-citer.blogspot.co.id/ |
| 127.0.0.1 | http://pesantren-citer.blogspot.com/ |
| 127.0.0.1 | http://www.pesantren-citer.blogspot.co.id/ |
| 127.0.0.1 | http://www.pesantren-citer.blogspot.com/ |
| 127.0.0.1 | www.pesantren-citer.blogspot.com |
| 127.0.0.1 | pesantren-citer.blogspot.com |
| 127.0.0.1 | www.pesantren-citer.blogspot.co.id |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Vista 13
Product Name: Vista 13
Product Version: 1.00
Legal Copyright: Vista 13
Legal Trademarks: Vista 13
Original Filename: Vista 13 - Point Blank Garena Indonesia.exe
Internal Name: Vista 13 - Point Blank Garena Indonesia
File Version: 1.00
File Description: Vista 13
Comments: Vista 13
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 16520 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 24576 | 3048 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp0 | 28672 | 3457652 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp1 | 3489792 | 3372923 | 3375104 | 5.37483 | 136463ff084dab51e7a9730a82b63f97 |
| .rsrc | 6864896 | 2596 | 4096 | 1.54274 | e127eeafd98887bc0e1d5c50a4f3d040 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://blogspot.l.googleusercontent.com/ | |
| hxxp://v2.zopim.com/?3IFwmxUXebISVHvic5bMQKSIRSRHo688 | |
| hxxp://googlecode.l.googleusercontent.com/svn/trunk/html5.js | |
| hxxp://v2.zopim.com/bin/v/widget_v2.106.js | |
| hxxp://blogspot.l.googleusercontent.com/favicon.ico | |
| hxxp://googleapis.l.google.com/ajax/libs/jquery/1.7.1/jquery.min.js | |
| hxxp://e3821.dspe1.akamaiedge.net/en_US/all.js | |
| hxxp://scontent.xx.fbcdn.net/rsrc.php/v2/ya/r/3rhSv5V8j3o.gif | |
| hxxp://static.xx.fbcdn.net/rsrc.php/v2/ya/r/3rhSv5V8j3o.gif | |
| hxxp://connect.facebook.net/en_US/all.js | |
| hxxp://vista-tigabelas.blogspot.com/favicon.ico | |
| hxxp://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js | |
| hxxp://html5shiv.googlecode.com/svn/trunk/html5.js | |
| hxxp://vista-tigabelas.blogspot.com/ | |
| jp06.zopim.com | |
| apis.google.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ajax/libs/jquery/1.7.1/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://vista-tigabelas.blogspot.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Date: Mon, 07 Sep 2015 18:08:50 GMT
Expires: Tue, 06 Sep 2016 18:08:50 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 33186
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 1855993
<<< skipped >>>
GET /rsrc.php/v2/ya/r/3rhSv5V8j3o.gif HTTP/1.1
Accept: */*
Referer: hXXp://vista-tigabelas.blogspot.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.xx.fbcdn.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Last-Modified: Mon, 01 Jan 2001 08:00:00 GMT
Content-MD5: mB0qbhI5nsDyc9mlRioodg==
Expires: Thu, 15 Sep 2016 23:12:38 GMT
Cache-Control: public, max-age=31536000
Timing-Allow-Origin: *
Content-Type: image/gif
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
X-FB-Debug: N50KYmTcOOIcTLiz0DXqzC6ftJEBlIui6dYGz34FjuccN6 J2X24dZ8knPTKlFvRPZEm/fqC9UjLDtXL4 Qu9A==
Date: Tue, 29 Sep 2015 05:42:04 GMT
Connection: keep-alive
Content-Length: 3140
<<< skipped >>>
GET /svn/trunk/html5.js HTTP/1.1
Accept: */*
Referer: hXXp://vista-tigabelas.blogspot.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: html5shiv.googlecode.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 29 Sep 2015 05:40:26 GMT
Server: Apache
Last-Modified: Thu, 26 Sep 2013 10:05:28 GMT
ETag: "32//trunk/html5.js"
Accept-Ranges: bytes
Expires: Tue, 29 Sep 2015 05:43:26 GMT
Content-Length: 2429
Content-Type: text/javascript
Cache-Control: public, max-age=180
Age: 96
<<< skipped >>>
GET /?3IFwmxUXebISVHvic5bMQKSIRSRHo688 HTTP/1.1
Accept: */*
Referer: hXXp://vista-tigabelas.blogspot.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: v2.zopim.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Tue, 29 Sep 2015 05:42:02 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
Set-Cookie: __cfduid=db23f0a1417fce7283265dbff48e70ba61443505322; expires=Wed, 28-Sep-16 05:42:02 GMT; path=/; domain=.zopim.com; HttpOnly
Location: hXXp://v2.zopim.com/bin/v/widget_v2.106.js
ETag: "5604b8c6-0"
Expires: Tue, 29 Sep 2015 08:58:22 GMT
Cache-Control: max-age=14400
Cache-Control: max-age=14400, public, must-revalidate, proxy-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 22d55cc919a92bac-AMS
GET /bin/v/widget_v2.106.js HTTP/1.1
Accept: */*
Referer: hXXp://vista-tigabelas.blogspot.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: v2.zopim.com
Connection: Keep-Alive
Cookie: __cfduid=db23f0a1417fce7283265dbff48e70ba61443505322
HTTP/1.1 200 OK
Date: Tue, 29 Sep 2015 05:42:02 GMT
Content-Type: application/javascript; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Fri, 26 Sep 2025 05:42:02 GMT
Cache-Control: public, max-age=315360000
Content-Encoding: gzip
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 22d55cc979b42bac-AMS
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vista-tigabelas.blogspot.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Tue, 29 Sep 2015 05:42:02 GMT
Date: Tue, 29 Sep 2015 05:42:02 GMT
Cache-Control: private, max-age=0
Last-Modified: Sun, 27 Sep 2015 20:51:19 GMT
ETag: "a7ea887d-e7e3-4c48-9685-2cb7d0432ac1"
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 14349
Server: GSE
<<< skipped >>>
GET /favicon.ico HTTP/1.1
Accept: */*
Referer: hXXp://vista-tigabelas.blogspot.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vista-tigabelas.blogspot.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/x-icon
Expires: Tue, 29 Sep 2015 05:42:03 GMT
Date: Tue, 29 Sep 2015 05:42:03 GMT
Cache-Control: private, max-age=86400
Last-Modified: Sun, 27 Sep 2015 20:51:19 GMT
ETag: "a7ea887d-e7e3-4c48-9685-2cb7d0432ac1"
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 795
Server: GSE
<<< skipped >>>
GET /en_US/all.js HTTP/1.1
Accept: */*
Referer: hXXp://vista-tigabelas.blogspot.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: connect.facebook.net
Connection: Keep-Alive
HTTP/1.1 200 OK
ETag: "35d3ec4731a74aa8d2b7bebb6c8a4c89"
Content-Type: application/x-javascript; charset=utf-8
Timing-Allow-Origin: *
Vary: Accept-Encoding
Content-Encoding: gzip
Content-MD5: M4gGc94dKEVZWRLgf6Y7ag==
X-FB-Debug: Eg8Nn05ISHdWP5ELAMyuJE2HFGKK6yIA5O85QwGn2Ozbdhv2hf w/QUgI/jNl opHCZBD92 XetbfO0/6X7mg==
Content-Length: 54473
Cache-Control: public, max-age=1200
Expires: Tue, 29 Sep 2015 06:02:03 GMT
Date: Tue, 29 Sep 2015 05:42:03 GMT
Connection: keep-alive
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
Injection.exe_1940:
.packed
.RLPack
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
Proportional
MAPI32.DLL
!"#$%d
PasswordChar
OnKeyDown
OnKeyPress
OnKeyUp
OnKeyUp|
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword|
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
pbSA.exe
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Picture.Data
PointBlank.exe
Dynamic Link Library (DLL)|*.dll
%SEoM
94T%x
sMtp
o:.Lk>d
.Kl,P]
%XYbY}
Keyw;
hV%u'
njX%S
@%F?-
USER32.DqL
t.BP(
$%CY^B
9CMDX@
_vo%ug
"#$%d
9@gKey
%u#mV
.EO=l(xH'
%xiED!ºx<
x(t7.aFz
%s g(
W"%dH
.EWY(
0DÍ
<.An.&
JCh;go.ry
tR>'\%cT
%Cl_RA
T$%Ci~?
@keys
4567890
tÖ!G
uDPj#D
6tÏ_
0R;B0%uGU
x.LG
12345678
.cPl3Qh
%s <Ax
I%x*~@D'
o%xRW
UdPK
.HKrT
_%ug8'3
u_ q\.lX
h 4c%X-
,* 71.02-(^
dÃTHqd
.QHIb
IDm%D
DK.AN
%xBTPt
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Unable to insert a line Clipboard does not support Icons/Menu '%s' is already being used by another form
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Ancestor for '%s' not found
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
1.0.0.0
Injection.exe_1940_rwx_00401000_00063000:
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
Proportional
MAPI32.DLL
!"#$%d
PasswordChar
OnKeyDown
OnKeyPress
OnKeyUp
OnKeyUp|
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword|
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
pbSA.exe
Injection.exe_1940_rwx_00465000_00052000:
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Picture.Data
PointBlank.exe
Dynamic Link Library (DLL)|*.dll
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Unable to insert a line Clipboard does not support Icons/Menu '%s' is already being used by another form
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Ancestor for '%s' not found
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
1.0.0.0
Injection.exe_1940_rwx_00542000_00001000:
kernel32.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:668
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Vista 13\Injection.exe (3730 bytes)
C:\Vista 13\Injection.ini (100 bytes)
%System%\drivers\etc\hosts (2 bytes)
%System%\D3DX9_43.dll (12288 bytes)
C:\Vista 13\Vista 13.dll (260 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.