Trojan.Win32.Swrort.3_bc83b3dd2f

by malwarelabrobot on October 1st, 2014 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: bc83b3dd2f5ba625f22909c0e5e583f6
SHA1: e1fcd90cbc74db98871e59da867c4e221cefdbd7
SHA256: 41c825dae9664ef09a867b7edd95912cbe17f1806272543f59604daa30e50b37
SSDeep: 6144:Meu06aGygCzvDQL OTDLmC3RCAeL7xR8ZhDRPB:fDjGyA3LTRCRL769B
Size: 282760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-27 08:18:53
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:348
vknasetup.exe:1632

Mutexes

The following mutexes were created/opened:

_VKNOTE_WEBINSTALLER_

File activity

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\extra.dll (6147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vknasetup.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\sign.dll (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\nsJSON.dll (7 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vknasetup.exe.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (0 bytes)

The process vknasetup.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\extra.dll (6106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\header.bmp (4232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp (0 bytes)

Registry activity

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 74 8B 58 B5 AB 57 FF 56 75 D6 AD 32 9D A1 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process vknasetup.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 0B AD 60 4B 42 0F 98 CC 55 B9 B8 AE C2 46 BA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
bf712f32249029466fa86756f5546950 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\System.dll
ddc0cd4c52586a7d90e498a660f4c771 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\extra.dll
4ccc4a742d4423f2f0ed744fd9c81f63 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa4.tmp\nsDialogs.dll
41896ee5c4cddce1356d6c4e12727cd6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso2.tmp\extra.dll
78b913fcd04259634a5e901c616e6074 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso2.tmp\nsJSON.dll
d30b6c8d2f38e6abbb2f39bac0808bc0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso2.tmp\sign.dll
7eac61ec623a582d899ff4a84bd7e830 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\vknasetup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 1609728 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 1613824 24576 23552 5.45617 f93d4e5387750890f531b88cdd16b1bf
.rsrc 1638400 36864 34816 3.91336 dc192cebce156bc2336d110fe6d0c197

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
2dbfcaa93c9bb4ef62335e602d4ddf7e

URLs

URL IP
hxxp://api.vknote.com/installer/get/?language=us&os=XP.SP3&admin=1&v=040214&ref=tc266.cwer1.0.001.271036e719&source=s1&av=b64-uTm90IEZvdW5k 78.140.170.120
hxxp://update.vknote.com/installers/vknotesetup.exe 78.140.176.132


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /installers/vknotesetup.exe HTTP/1.1
Host: update.vknote.com
Accept: */*


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 30 Sep 2014 01:24:27 GMT
Content-Type: application/octet-stream
Content-Length: 1562536
Connection: keep-alive
Last-Modified: Fri, 21 Feb 2014 13:02:27 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes

<<< skipped >>>

GET /installer/get/?language=us&os=XP.SP3&admin=1&v=040214&ref=tc266.cwer1.0.001.271036e719&source=s1&av=b64-uTm90IEZvdW5k HTTP/1.1
Host: api.vknote.com
Accept: */*


HTTP/1.1 200 OK
Date: Tue, 30 Sep 2014 01:24:27 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Length: 94
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://update.vknote.com/installers/vknotesetup.exe,1562536,7eac61ec623a582d899ff4a84bd7e830,1..


GET /installers/vknotesetup.exe HTTP/1.1
Host: update.vknote.com
Accept: */*
Range: bytes=0-


HTTP/1.1 206 Partial Content
Server: nginx
Date: Tue, 30 Sep 2014 01:24:28 GMT
Content-Type: application/octet-stream
Content-Length: 1562536
Connection: keep-alive
Last-Modified: Fri, 21 Feb 2014 13:02:27 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Content-Range: bytes 0-1562535/1562536

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_348:

`.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
r&%u<:
*jÚ
D?-k}
.rsrc
} .rdR
KERNEL32.DLL
USER32.dll
nsJSON.dll
23456789:;
C:\W?
.pdb_
zcÁ
ole32.dll
OLEAUT32.dll
sign.dll
Pdl6*.iCZ
E*q.AY
.oK!,
K.DHLD
K.PTX
GetWindowsDirectoryW
RegEnumKeyW
RegOpenKeyExW
RegCloseKey
RegDeleteKeyW
RegCreateKeyExW
ShellExecuteW
SHFileOperationW
GetAsyncKeyState
ExitWindowsEx
.text
`.rdata
@.data
.ndata
fr.sLo$upV
KeyExJADV
Na<%FullbX
%fmaLLT
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
SHELL32.dll
VERSION.dll
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
m\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
1.0.1.0
nso2.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll" (overwriteflag=1)
2.tmp\extra.dll"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
-x vknotesetup -r "tc266.cwer1.0.001.271036e719"
hXXp://update.vknote.com/installers/vknotesetup.exe
1562536
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
tc266.cwer1.0.001.271036e719
XP.SP3
hXXp://vknote.com
hXXp://api.vknote.com
hXXp://update.vknote.com
_VKNOTE_WEBINSTALLER_
vknote.bin
vknote.exe
vknasetup.exe
default.exe

%original file name%.exe_348_rwx_00401000_0018E000:

RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
r&%u<:
*jÚ
D?-k}
.rsrc
} .rdR
KERNEL32.DLL
USER32.dll
nsJSON.dll
23456789:;
C:\W?
.pdb_
zcÁ
ole32.dll
OLEAUT32.dll
sign.dll
Pdl6*.iCZ
E*q.AY
.oK!,
K.DHLD
K.PTX
GetWindowsDirectoryW
RegEnumKeyW
RegOpenKeyExW
RegCloseKey
RegDeleteKeyW
RegCreateKeyExW
ShellExecuteW
SHFileOperationW
GetAsyncKeyState
ExitWindowsEx
.text
`.rdata
@.data
.ndata
fr.sLo$upV
KeyExJADV
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
m\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
1.0.1.0
nso2.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp\extra.dll" (overwriteflag=1)
2.tmp\extra.dll"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso2.tmp
-x vknotesetup -r "tc266.cwer1.0.001.271036e719"
hXXp://update.vknote.com/installers/vknotesetup.exe
1562536
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
tc266.cwer1.0.001.271036e719
XP.SP3
hXXp://vknote.com
hXXp://api.vknote.com
hXXp://update.vknote.com
_VKNOTE_WEBINSTALLER_
vknote.bin
vknote.exe
vknasetup.exe
default.exe

%original file name%.exe_348_rwx_01151000_00067000:

TT T!"TT#$TTTT%&'TTT(T)*T TTT,-.TT/0123TTTTTT4TTTTTTT5TTTTTT6789:;TTTTTTTT<TTT=>?@ABCDTTTTETTTTFTTTTTTGTTHITTTTTJKTTTLLTTMTTTTTTTTTNTTOTPQRS
!"FFF#F$Fÿ&F'()FFFFFFFFFFFFF*FFFFFFFFFFFF FF,-FFFFFFFFFFF.F/FFFFFFFFFFFFFF01FF234FF56789FFFFFFFF:;FF<=>FF?FFFFF@ABFFFFFCFDFFFFFE
%u$Vj%
t.Gj:W
xSSSh
FTPjKS
FtPj;S
C.PjRV
Could not resolve %s: %s; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
%s:%d
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
<url> malformed
:]://%[^
[^:]:%[^
Re-using existing connection! (#%ld) with host %s
%s://%s
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
No URL set!
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
WARNING: failed to save cookies in %s
[%s %s %s]
Send failure: %s
Recv failure: %s
Failed to set SO_KEEPALIVE on fd %d
bind failed with errno %d: %s
Local port: %hu
Couldn't bind to '%s'
Local Interface %s is ip %s using address family %i
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Name '%s' family %i resolved to '%s' family %i
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
Failed connect to %s:%ld; %s
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: Accepting server connect has timed out
FTP: The server failed to connect to data port
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
Internal error removing splay node = %d
Internal error clearing splay node = %d
%d.%d.%d.%d
%s%s%s%s%s%s
Session: %s
%s %s RTSP/1.0
Range: %s
Referer: %s
Accept-Encoding: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Transport: %s
Transport:
Refusing to issue an RTSP request [%s] without a session ID.
Got RTSP Session ID Line [%s], but wanted ID [%s]
Unable to read the CSeq header: [%s]
SMTP
EHLO %s
HELO %s
No known authentication mechanisms supported!
AUTH %s %s
LOGIN
AUTH %s
Got unexpected smtp-server response: %d
Remote access denied: %d
Access denied: %d
smtp
Authentication failed: %d
MAIL FROM:%s SIZE=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s
RCPT TO:<%s>
RCPT TO:%s
MAIL failed: %d
RCPT failed: %d
SMTPS not supported!
STARTTLS denied. %c
USER %s
APOP %s %s
No known SASL authentication mechanisms supported!
No known authentication types supported!
Access denied. %c
PASS %s
%s %s
POP3S not supported!
%s LOGIN %s %s
%s STARTTLS
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s LOGOUT
IMAPS not supported!
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
invalid tsize -:%s:- value in OACK packet
%s (%ld)
blksize is smaller than min supported
%s (%d)
blksize is larger than max supported
%s (%d) %s (%d)
got option=(%s) value=(%s)
tftp_rx: internal error
Timeout waiting for block %d ACK. Retries = %d
Received unexpected DATA packet block %d, expecting block %d
tftp_tx: internal error, event: %i
tftp_tx: giving up waiting for block %d ack
Received ACK for block %d, expecting %d
bind() failed; %s
tftp_send_first: internal error
%s%c%s%c
TFTP finished
TFTP response timeout
Can't get the size of %s
Can't open %s for writing
Last-Modified: %s, d %s M d:d:d GMT
Couldn't open file %s
There are more than %d entries
LDAP remote: %s
LDAP local: ldap_simple_bind_s %s
LDAP local: Cannot connect to %s:%hu
LDAP local: trying to establish %s connection
LDAP local: %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
CLIENT libcurl 7.27.0
MATCH %s %s %s
DEFINE %s %s
insufficient winsock version to support telnet
WSAStartup failed (%d)
%s %d %d
%s %s %d
%s %s %s
%s IAC %d
%s IAC %s
Sending data failed (%d)
%d (unknown)
%s (unsupported)
%s IAC SB
Unknown telnet option %s
Syntax error in telnet option: %s
7[^= ]%*[ =]%5s
USER,%s
%c%c%c%c%s%c%c
%c%s%c%s
7[^,],7s
%c%c%c%c
FreeLibrary(wsock2) failed (%d)
WSACloseEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACreateEvent failed (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to load WS2_32.DLL (%d)
WS2_32.DLL
PORT
FTP response aborted due to select/poll error: %d
FTP response timeout
Failure sending PORT command: %s
,%d,%d
Failure sending EPRT command: %s
%s |%d|%s|%hu|
bind() failed, we ran out of ports!
bind(port=%hu) failed: %s
bind(port=%hu) on non-local address failed: %s
socket failure: %s
failed to resolve the address provided to PORT: %s
getsockname() failed: %s
Connect data stream passively
PRET RETR %s
PRET STOR %s
PRET %s
REST %d
SIZE %s
STOR %s
APPE %s
Failed to do PORT
Got a d response code instead of the assumed 200
RETR %s
ftp server doesn't support SIZE
PBSZ %d
Access denied: d
ACCT %s
ACCT rejected by server: d
TYPE %c
Connecting to %s (%s) port %d
Failure sending QUIT command: %s
Uploading to a URL without a file name!
FTPS not supported!
Preparing for accepting server on data port
MDTM %s
Bad PASV/EPSV response: d
Can't resolve new host %s:%hu
Can't resolve proxy host %s:%hu
Skips %d.%d.%d.%d for data connection, uses %s instead
%d,%d,%d,%d,%d,%d
%c%c%c%u%c
ddd d:d:d GMT
dddddd
unsupported MDTM reply format
Failed FTP upload: 
RETR response: d
QUOT string not accepted: %s
Wildcard - "%s" skipped by user
Wildcard - START of "%s"
CWD %s
PRET command not accepted: d
Failed to MKD dir: d
MKD %s
QUOT command failed with d
Entry path is '%s'
PROT %c
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
Got a d ftp-server response when 220 was expected
server did not report OK, got %d
Failure sending ABOR command: %s
Remembering we are in dir "%s"
%sAuthorization: Basic %s
%s:%s
%s auth using %s with user '%s'
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
The requested URL returned error: %s
If-Unmodified-Since: %s
Last-Modified: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Failed sending HTTP request
%s%s=%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
PTF://
Host: %s%s%s:%hu
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
HTTP error before end of send, stop sending
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
RTSP/%d.%d =
HTTP =
HTTP/%d.%d =
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
SOCKS4%s request granted.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Received HTTP code %d from proxy after CONNECT
TUNNEL_STATE switched to: %d
HTTP/1.%d %d
CONNECT %s HTTP/%s
%s%s%s%s
Host: %s
%s%s%s:%hu
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
password
login
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%s, algorithm="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%s:%s:x:%s:%s:%s
%s:%.*s
%s:%s:%s
d:d
d:d:d
%s xxxxxxxxxxxxxxxx
12345678
00000001
%c%c==
%c%c%c=
0123456789-
.jpeg
.html
--%s--
couldn't open file "%s"
Content-Type: %s
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
?456789:;<=
C:\Work\cpp\nsis_plugins\Extra\ReleaseUnicode\extra.pdb
zcÁ
.?AVHttpGetFileStream@@
.?AVHttpGetFile@@
.?AVHttpRequestResult@@
c:\%original file name%.exe
PeekNamedPipe
GetCPInfo
GetProcessHeap
ShellExecuteW
.LBM'<F'3F'.
]<%Xa6
.text
`.rdata
@.data
.reloc
yKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

%original file name%.exe_348_rwx_10001000_00007000:

.text
`.rdata
@.data
.rsrc
@.reloc
0x%c%c%c%c

vknasetup.exe_1632:

.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
g.Qjz_
7P)
sssH&
%x't_
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll
1.0.001.271036e719"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp
nsa4.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa4.tmp\nsDialogs.dll" (overwriteflag=1)
p\nsDialogs.dll"
1048834
1.0.001.271036e719
knasetup.exe" -x vknotesetup -r "tc266.cwer1.0.001.271036e719"
66.cwer1.0.001.271036e719"
2070664
1-1801674531
Windows
113995698
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vknasetup.exe" -x vknotesetup -r "tc266.cwer1.0.001.271036e719"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
vknasetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vknasetup.exe
470418122
1048858
1179940
XP.SP3
tc266.cwer1.0.001.271036e719
990184127
537526983
604635844


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): the sandbox recorded no new processes created by the original file, but a dump was taken from vknasetup.exe (PID 1632), the dropped installer launched from the user's Temp directory with the arguments -x vknotesetup -r "tc266.cwer1.0.001.271036e719". End that process if it is still running, otherwise its file cannot be deleted.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan (nso2.tmp and nsa4.tmp are NSIS scratch directories under Temp whose names are randomized on every run, so look for any ns*.tmp directory rather than these exact names):

    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\extra.dll (6147 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vknasetup.exe (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\sign.dll (261 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp\nsJSON.dll (7 bytes)
    %System%\wbem\Logs\wbemprox.log (75 bytes) (this is Windows' own WMI proxy log, written during the run; it is not a dropped file and can be left in place)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\extra.dll (6106 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\header.bmp (4232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa4.tmp\System.dll (11 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
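
The manual steps above amount to an IOC sweep of the user's Temp directory. The script below is an added example for this page, not Lavasoft's code: it hashes each matching file before optionally deleting it, so the evidence survives the clean-up, matches the NSIS scratch directories as ns*.tmp because the digits in nso2.tmp and nsa4.tmp change on every run, and deliberately leaves out %System%\wbem\Logs\wbemprox.log, which is Windows' own WMI proxy log rather than a dropped file. The demo() function builds a constructed Temp layout in a scratch directory so the example runs offline; on a live host call sweep() on the real Temp path instead.

```python
"""Sweep a Temp directory for the artefacts named in the removal steps (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Artefacts from the removal list, relative to %Temp%. The ns*.tmp DLLs are
# NSIS plug-ins that any NSIS installer extracts, so on their own they only
# prove an NSIS installer ran; vknasetup.exe is the sample-specific dropped file.
TEMP_ARTEFACTS = [
    "ns*.tmp/extra.dll",
    "ns*.tmp/sign.dll",
    "ns*.tmp/nsJSON.dll",
    "ns*.tmp/nsDialogs.dll",
    "ns*.tmp/System.dll",
    "vknasetup.exe",
    "header.bmp",
]


def sweep(temp_dir, delete=False):
    """Return one record per matching file: relative path, SHA-256 and whether it was removed."""
    temp_dir = Path(temp_dir)
    hits = []
    for pattern in TEMP_ARTEFACTS:
        for path in sorted(temp_dir.glob(pattern)):
            if not path.is_file():
                continue
            # Hash first: the digest is the evidence that ties this host to the sample.
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            removed = False
            if delete:
                try:
                    path.unlink()
                    removed = True
                except OSError:
                    # Still mapped by a running process (e.g. vknasetup.exe):
                    # end that process first, or remove the file after reboot.
                    removed = False
            hits.append({"path": path.relative_to(temp_dir).as_posix(),
                         "sha256": digest, "removed": removed})
    return hits


def demo(delete=True):
    """Build a constructed Temp layout mirroring the listing above and sweep it."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        for rel in ("nso2.tmp/extra.dll", "nso2.tmp/sign.dll", "nso2.tmp/nsJSON.dll",
                    "nsa4.tmp/extra.dll", "nsa4.tmp/nsDialogs.dll", "nsa4.tmp/System.dll",
                    "vknasetup.exe", "header.bmp", "unrelated.txt"):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            # Constructed placeholder content; real files would carry the sample's bytes.
            target.write_bytes(b"constructed placeholder content for " + rel.encode())
        hits = sweep(root, delete=delete)
        remaining = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
    return hits, remaining


if __name__ == "__main__":
    for hit in demo(delete=False)[0]:
        print(hit["sha256"], hit["path"])
```

Run sweep() with delete=False first and keep the printed hashes with the incident record; only then run it again with delete=True, after ending vknasetup.exe so that no unlink fails on an open file.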
