Trojan.Win32.Swrort.3_0873d74bd1
Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0873d74bd1b3a1f90b3f9a19d5075aed
SHA1: 9cdc2d4dd95cb2eb942edfd660625ac27c7b7a6c
SHA256: 852388e129a1d02a2eb45948d6f2f2c1c318d68efe849395d67d7366b4f54e26
SSDeep: 24576:zEfCvka3NO 3OXi6kgaINVRX/diX2n0e435qkLeI t2r48WVsVGOjbvD/ XbdeXF:QfCL9iXiTcNjPdiGnT65qkYt2r48WADv
Size: 1294688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: PDFConverter
Created at: 2014-09-10 17:13:39
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
2.tmp:324
tmppack.exe:1628
The Trojan injects its code into the following process(es):
%original file name%.exe:320
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 2.tmp:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UIPXEJJX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\87MZ2BED\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4T9MWJR8\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\postback.xml (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\broker_check.log (180856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\config.xml (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S72DWPY3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\ping.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\timing.dat (121 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\broker\config.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\postback.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\ping.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\timing.dat (0 bytes)
The process tmppack.exe:1628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UJKQATVUGLNBYK\installer.pak (9606 bytes)
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4174.html (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\logo.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\jdloixvlju (2019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\portal_more.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4167.html (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4171.html (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\FindamoA.html (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UJKQATVUGLNBYK\tmppack.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\smart.js (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4172.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\mask.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\main_old.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (6403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4176.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\events\cav.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\main.css (8 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\utils.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\events\events.js (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4166.html (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\lbg-top.gif (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4395.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\lbg-bottom.gif (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\wizard.xml (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\3631.html (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4173.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\lbg.gif (5 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UJKQATVUGLNBYK (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
Registry activity
The process 2.tmp:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\usyndication.com]
"UID" = "{6DABBB53-56C5-4498-9CED-CB0D7A38E82D}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 15 30 C8 B8 67 54 74 CA F5 7A BA 36 AF 6C FB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone map to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy map to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs map to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tmppack.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 A5 6A 0B 7C F4 B1 52 6A FF AA 63 B2 FB 92 AD"
The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014102520141026]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014102520141026]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 76 96 8F 1F 98 9D 3E A6 4E B6 EA E6 5D 41 36"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014102520141026]
"CachePrefix" = ":2014102520141026:"
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014102520141026]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014102520141026\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone map to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy map to the Intranet Zone:
"ProxyBypass" = "1"
Adds a rule to Windows Firewall which allows any network activity for the file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"
The Trojan modifies IE security zone settings so that all URLs map to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
Dropped PE files
| MD5 | File path |
|---|---|
| 07132df56fcc549cdb764a5030221f70 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\UJKQATVUGLNBYK\tmppack.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: PDFConverter
Product Name: PDFConverter
Product Version: 14.9.18.5
Legal Copyright: Copyright 2014
Legal Trademarks:
Original Filename: PDFConverterSetup.exe
Internal Name: PDFConverter
File Version: 14.9.18.5
File Description: PDFConverter
Comments:
Language: English (United Kingdom)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 104901 | 104960 | 4.6091 | fa1e9933a9f7b5467ce5392ce58125f3 |
| .rdata | 110592 | 24648 | 25088 | 3.33822 | e893f9adcea2ed668fdd513880efa5eb |
| .data | 139264 | 15584 | 7168 | 2.97885 | 13f19281c5b35facf84ff2d1f445e846 |
| .reloc | 155648 | 10996 | 11264 | 3.05129 | 303874dac7f98d6b62f8cd5d69059496 |
| .rsrc | 167936 | 1138176 | 1138176 | 5.33543 | e80a98db566f79b8a49a32e43c23fe7b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 4
6383c14f0197d5bcefb36d15cd04872b
646e9a3a5222fab5a638f29d527e3b41
535ede4984d113006077f88c8d1d3dda
0a6747d022d02233c8e31d04e03562e1
URLs
| URL | IP |
|---|---|
| hxxp://ibbalance.ib.netdna-cdn.com/files/components/Yahoo_w3i.exe | |
| hxxp://usyndication.com/api/productsession | |
| hxxp://usyndication.com/api/trackofferinstalldetails | |
| hxxp://cdn.softiappspeed.com/files/components/Yahoo_w3i.exe | |
| api.ibario.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /files/components/Yahoo_w3i.exe HTTP/1.1
Host: cdn.softiappspeed.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 25 Oct 2014 01:48:00 GMT
Content-Type: application/octet-stream
Content-Length: 962216
Connection: keep-alive
Last-Modified: Mon, 25 Mar 2013 10:24:34 GMT
Server: NetDNA-cache/2.2
Expires: Sun, 26 Oct 2014 01:48:00 GMT
Cache-Control: max-age=86400
X-Cache: HIT
Accept-Ranges: bytes
<<< skipped >>>
POST /api/productsession HTTP/1.1
Content-Type: application/json; charset=utf-8
Accept: application/xml
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: usyndication.com
Content-Length: 115
Cache-Control: no-cache
{"CampaignName":"4448","AccountId":"14115","Detection":true,"Offers":true,"PartnerCode":"7663","ShortName":"yahoo"}
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 25 Oct 2014 01:48:02 GMT
Content-Length: 1247

<response>
  <productsessionid>0a9324d8-cb5c-46bc-83b6-b2dc7a084dda</productsessionid>
  <config>
    <host>host</host>
    <month>10</month>
    <year>2014</year>
    <week>43</week>
    <campaignid>8888433</campaignid>
    <campaignname>4448</campaignname>
    <vendorid>7663</vendorid>
    <accountid>14115</accountid>
    <country>UA</country>
    <countryid>804</countryid>
    <ipaddress>193.138.244.231</ipaddress>
    <pingurl>hXXp://usyndication.com/api/productsession</pingurl>
    <postbackurl>http://usyndication.com/api/trackofferinstalldetails</postbackurl>
    <errorurl>hXXp://usyndication.com/api/installerror</errorurl>
    <detectiontype>internal</detectiontype>
    <processtype>dynamic</processtype>
  </config>
  <offers />
  <restrictedoffers>
    <restrictedoffer>
      <offerid>19668</offerid>
      <offername>yahoo.brokerage.toolbar</offername>
      <restriction>CountryRestriction</restriction>
    </restrictedoffer>
    <restrictedoffer>
      <offerid>19669</offerid>
      <offername>yahoo.brokerage.defaultsearch</offername>
      <restriction>CountryRestriction</restriction>
    </restrictedoffer>
  </restrictedoffers>
  <dete<<< skipped >>>
POST /api/trackofferinstalldetails HTTP/1.1
Content-Type: application/json; charset=utf-8
Accept: application/xml
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: usyndication.com
Content-Length: 778
Cache-Control: no-cache
{"ProductSession":{"Session":{"AccountId":14115,"IPAddress":"193.138.244.231","CampaignId":8888433,"CampaignName":"4448","Country":"UA","CountryId":804},"ProductSessionId":"0a9324d8-cb5c-46bc-83b6-b2dc7a084dda"},"Offers":[],"InstallTechProfile":{"OSId":5,"DefaultBrowserId":4,"LangId":1033},"InstallDetail":{"ParentProcess":"%original file name%.exe","ReturnCodeId":460,"InstallUnique":true,"InstallerVersion":"2.0.8.0","WindowsErrorCode":13},"ParentsDetected":[],"instfields":[{"Key":"pproc4","Value":"rc=460,os=5,ver=2.0.8.0,v=7663,a=14115,pp=%original file name%.exe"},{"Key":"BrokerResult2","Value":"460,13,WINXP,ie,default,ie,2.0.8.0,7663,14115"},{"Key":"BrokerTiming1","Value":"460,13,WINXP,ie,2.0.8.0,7663,0.15,0.16,0.719,0.0,-1,-1,-1,-1,-1,-1"}]}
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 25 Oct 2014 01:48:03 GMT
Content-Length: 50

<response>
  <success>true</success>
</response>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.reloc
B.rsrc
operator
portuguese-brazilian
GetProcessWindowStation
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
SHLWAPI.dll
GetCPInfo
.sxdata
.rsrc
OLEAUT32.dll
MSVCRT.dll
-p{Password}: set PasswordData Error in encrypted file. Wrong password?
CRC Failed in encrypted file. Wrong password?
Unsupported Method
Can not open encrypted archive. Wrong password?
Enter password (will not be echoed):
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>ler.pak
\tmppack.exe
Ael32.dll
akernel32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
c:\%original file name%.exe
7z.sfx
7z.sfx.exe
installer.pak
14.9.18.5
PDFConverterSetup.exe
%original file name%.exe_320_rwx_00F30000_00001000:
.text
`.rdata
@.data
.rsrc
@.reloc
%original file name%.exe_320_rwx_010B0000_00005000:
c:\%original file name%.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
2.tmp:324
tmppack.exe:1628
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UIPXEJJX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\87MZ2BED\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4T9MWJR8\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\postback.xml (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\broker_check.log (180856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\config.xml (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S72DWPY3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\ping.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\timing.dat (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UJKQATVUGLNBYK\installer.pak (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4174.html (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\logo.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\jdloixvlju (2019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\portal_more.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4167.html (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4171.html (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\FindamoA.html (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UJKQATVUGLNBYK\tmppack.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\smart.js (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4172.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\mask.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\main_old.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (6403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4176.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\events\cav.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\main.css (8 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\utils.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\events\events.js (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4166.html (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\lbg-top.gif (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4395.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\lbg-bottom.gif (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\wizard.xml (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\3631.html (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\4173.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\q637gv5afs\gui\ib\lbg.gif (5 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.