Trojan.Win32.Sasfis_b38b846f02

by malwarelabrobot on July 6th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Kazy.18560 (B) (Emsisoft), Gen:Variant.Kazy.18560 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: b38b846f0295c18d82d82937f1cdb675
SHA1: 2a806048375d670a362249af42a7b23a12eaf180
SHA256: 71e9dc62d9341042fac17618637b862d592ab3150a3f20d076231cc6ea9faedf
SSDeep: 12288:FwiBBcJjPtR5tJv5YtZsvCO2z5OlfKLp5 vTimSiwiE:ZmJhR1v2tyaRcmme9iwi
Size: 624128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1500

The Trojan injects its code into the following process(es):

%original file name%.exe:1876
Explorer.EXE:880

Mutexes

The following mutexes were created/opened:

DBWinMutex
ShimCacheMutex
YCS0mRtQ316
KAENA_HOOK
RasPbFile

File activity

The process %original file name%.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\srtserv\set.dat (638 bytes)
%Documents and Settings%\All Users\Application Data\srtserv\sdata.dll (23 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\srtserv\set.dat (0 bytes)

The process %original file name%.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe (4185 bytes)

Registry activity

The process %original file name%.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1" = "%original file name%.exe"
"Value2" = "1876"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 0D 4C 61 5C 26 00 79 96 FD 66 4A 20 6F 47 58"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 32 8F C6 A0 CD 87 43 AF 8C 42 6D 52 08 9E 93"

Dropped PE files

MD5 File path
03728900440b890fab1e64c5764d20eb c:\Documents and Settings\All Users\Application Data\srtserv\sdata.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
CODE    4096             465004        465408    5.47981   b85f84b61bd2ae66e32c31434f14347f
DATA    471040           7768          8192      5.18327   48cad813c5fbb74711826ee7d2631e1e
BSS     479232           5625          0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  487424           9284          9728      5.31958   30bad7627271bfce2cda397bb6115688
.tls    499712           16            0         0         d41d8cd98f00b204e9800998ecf8427e
.rdata  503808           24            512       0.139033  ce816691f22b5c3afac0e8853257800d
.rsrc   507904           79368         79872     5.48097   3f445931b463642f12a52440d66f3e64
.idata  589824           4096          512       0.676778  391185fc7c811b7961a49211af83fac9
.text   593920           4096          4096      2.53276   82ebad904da2bbe4f3af98469295ffe2
.rsrc   598016           131072        54784     4.67426   8e6aa7c317997e1595aa6591f6f91282

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
b005f74876a73ff79858a348e864b65e

URLs

URL                                            IP
hxxp://24stat.ru/data/setx.txt                 148.251.36.54
hxxp://elefant.ru/data/setx.txt                213.189.197.6
hxxp://d3e7f6a9.110mb.com/setx.txt
hxxp://feddcdda.yourfreehosting.net/setx.txt   72.52.4.120
hxxp://afa8ae84.h18.ru/setx.txt                89.108.91.182


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: afa8ae84.h18.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 302 Found
Server: nginx/0.7.62
Date: Sat, 05 Jul 2014 20:14:21 GMT
Content-Type: text/html; charset=windows-1251
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Location: hXXp://err.h18.ru/error404.shtml
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Last-Modified: Sat, 05 Jul 2014 20:14:21 GMT
11c
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="hXXp://err.h18.ru/error404.shtml">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.41 Server at afa8ae84.h18.ru Port 80</ADDRESS>
</BODY></HTML>
0


GET /data/setx.txt HTTP/1.1
Content-Type: text/html
Host: elefant.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 404 Not Found
Server: nginx/Zenon
Date: Sat, 05 Jul 2014 20:14:16 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 211
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /data/setx.txt was not found on this server.</p>
</body></html>


GET /data/setx.txt HTTP/1.1
Content-Type: text/html
Host: 24stat.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 404 Not Found
Server: nginx/1.4.4
Date: Sat, 05 Jul 2014 20:14:13 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /data/setx.txt was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Debian) Server at 24stat.ru Port 80</address>
</body></html>


GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: feddcdda.yourfreehosting.net
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.0 200 OK
Date: Sat, 05 Jul 2014 20:14:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7 squeeze17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Jul 2014 20:14:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tu=056c8adc112525f36082746796cbcf86; expires=Tue, 31-Dec-2019 23:00:00 GMT; path=/; domain=yourfreehosting.net; httponly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_mTCK17ph7zU2t1Y5v68ZFWfLBqRYOcQLm85MbfRytREA3uXw5WIO2aKsyTf38MC0SV9ipD0RZvUgXZVJH563Iw==
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
X-Cache: MISS from 300819
Connection: close
<<< skipped >>>

GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: d3e7f6a9.110mb.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 302 Found
Date: Sat, 05 Jul 2014 20:14:18 GMT
Server: Apache
Location: hXXp://VVV.110mb.com/404.php
Content-Length: 212
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://VVV.110mb.com/404.php">here</a>.</p>
</body></html>


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1876:

.idata
.rdata
P.rsrc
P.idata
.text
.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
Uh.AB
USER32.DLL
comctl32.dll
uxtheme.dll
Uh%xB
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
Uh.MC
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownP
OnKeyPress
OnKeyUp(
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port@
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword<
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
Uh0%F
TIdTCPClient
TIdTCPClient 3F
IdTCPClient
BoundPort
PortU
CommentURL
Uh.SF
Content-Disposition: form-data; name="%s"
; filename="%s"
Content-Type: %s
Unsupported operation.
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPRequest
TIdHTTPProtocolPmF
TIdCustomHTTP
TIdCustomHTTPPmF
TIdHTTP8oF
TIdHTTP
HTTPOptions
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
http://defaf663.110mb.com
http://24stat.ru/data
http://student-card.ru/data
http://elefant.ru/data
http://psyherbal.com/data
.110mb.com
.yourfreehosting.net
ucoz.ru
.h18.ru
.eu.pn
.info
.org.ru
http://psynergi.dk/data
http://pushnik.freehostia.com
AXlove_install.exe
Booble-the-Game.exe
DaVinci_code.exe
PlayboyXXX.exe
pornolab_docs.exe
WinRar.exe
Winamp.exe
Snoopy_mult.exe
Tom-and-Jerry.exe
AUTO_BASE2011.exe
bank_transfers_2010.exe
Multi Password Recovery
/admin6.php
*.mpf
/mp.exe
\mpr.ini
Key=UksDAAAARkZGCAAAAAcgeBc6NCcxCAAAADzRFyaCP0paNwAAADA1AhkA8gN8smHcJdKj7yYv4 vBIhFf8npvMwTyAhhUDUF4wF7nGPv5Y89Vz JjuWEvGmAr7MUEt7Kg
LeftPane=0
/export
application/x-www-form-urlencoded
/stat.php
http://top-torrent.info/data/save_s.php
SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID
:\aUtoRuN.iNF
Icon=%system%\shell32.dll,4
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srtserv
wininet.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
explorer.exe
set.dat
/setx.txt
update.dat
http://
maratl.exe
task.dat
/taskx.txt
Software\Microsoft\Windows\CurrentVersion\MSrtn\value1
Software\Microsoft\Windows\CurrentVersion\MSrtn\value2
sdata.dll
?456789:;<=
!"#$%&'()* ,-./0123
%Documents and Settings%\All Users\Application Data\srtserv\set.dat
t type="text/javascript" src="http://img.sedoparking.com/js/jquery-1.4.2.min.js" >
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
32.dllWGetLongPa
.jJX8
c.eDoE,
.VyDR,_
KERNEL32.DLL
ntdll.dll
#%'''<[[^^\\]
"%
$-8GGhnsrr}
$-9GGggs}s
.oN4)
F%F@@
tCPl2
%Mgr.RhY4RfE5Qd:f
KWindows
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
UrlMon
S[[7a^ECBV[gEXCRTC75777o_
00000000

%original file name%.exe_1876_rwx_00400000_00092000:

(strings identical to the %original file name%.exe_1876 dump above)

%original file name%.exe_1876_rwx_00951000_00010000:

kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
mvkmisc.exe
ntdll.dll
Software\Microsoft\Windows\CurrentVersion\MSrtn\value1
Software\Microsoft\Windows\CurrentVersion\MSrtn\value2
KWindows
GetCPInfo
RegOpenKeyExA
RegCloseKey
GetKeyboardType
SetWindowsHookExA
.idata
.reloc
P.rsrc
calc.exe
aUtoRuN.iNF
Invalid variant operation
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

Explorer.EXE_880_rwx_02141000_00010000:

(strings identical to the %original file name%.exe_1876_rwx_00951000_00010000 dump above)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1500

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\srtserv\set.dat (638 bytes)
    %Documents and Settings%\All Users\Application Data\srtserv\sdata.dll (23 bytes)
    %Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe (4185 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "srtserv" = "%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
