Worm.Win32.Ainslot_VariantOfZeus_66468df02a

by malwarelabrobot on December 26th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Alureon.FD, Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 66468df02a0b30400259109943a0682d
SHA1: 204419456becad0fc20cc228ef92a3e6a99e283f
SHA256: 0ac488a2d3c855b9e3985b788430d033376603c94733535d84ffcf41742170de
SSDeep: 98304:fa6BcJlh57t67 Ecd/M8xOFn1MusXtxA7tqzoMtE8TIkSza5akxa:faqEtj3d98MTXDApqdG8TSe5aG
Size: 5368832 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm: a program that primarily replicates across networks or removable drives.

Payload

Behaviour: Description
WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Worm's file once a user opens the drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

MAGICZ~1.EXE:912
wscript.exe:2044
file.exe:464
%original file name%.exe:468

The Worm injects its code into the following process(es):

cvtres.exe:140

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process MAGICZ~1.EXE:912 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DV1.tmp (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C13C2459-F547-4158-9A74-6F46C4C5B098}\setup.msi (82162 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DV1.tmp (0 bytes)

The process wscript.exe:2044 makes changes in the file system.
The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\MyFolder\9345.txt (0 bytes)

The process cvtres.exe:140 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Khichiii.exe (35 bytes)
%Documents and Settings%\%current user%\Application Data\setup (34 bytes)

The process file.exe:464 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\MyFolder\ixpress.aan (1852 bytes)
%Documents and Settings%\%current user%\Application Data\MyFolder\9345.txt (1 bytes)

The process %original file name%.exe:468 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\file.exe (10504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MAGICZ~1.EXE (91182 bytes)

Registry activity

The process MAGICZ~1.EXE:912 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 0B E2 5C 4B 99 0A FB A7 DB 81 CB 9E BB 76 EE"

The process wscript.exe:2044 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 DA DB 72 16 6F F7 E7 EE F2 C2 2E 68 AA EE DA"

To run itself automatically each time Windows boots, the Worm adds a link to its file under the following registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ixpress" = "%Documents and Settings%\%current user%\Application Data\MyFolder\ixpress.exe"

The process cvtres.exe:140 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 32 C3 6D 41 97 59 FB F7 8B 8C 85 30 FC F4 A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"BLV9AIUA7T" = "Black"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"BLV9AIUA7T" = "December 25, 2015"

The process file.exe:464 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 B3 01 46 05 86 78 C7 AB C8 73 33 80 70 DF 3D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

The Worm modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Worm modifies IE security-zone settings so that all local web nodes without dots that are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The process %original file name%.exe:468 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 6E C0 66 B3 13 FB 91 09 ED 46 AD 00 C0 44 D6"

To run itself automatically each time Windows boots, the Worm adds a link to its file under the following registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

Dropped PE files

MD5 File path
e0d21bee6dae44a7c6e1896d7a8c7463 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Khichiii.exe
342c3700830edc86d51059d0ecf26306 c:\Documents and Settings\"%CurrentUserName%"\Application Data\MyFolder\ixpress.exe
74d0cf0c36c435f01b33dd4a53d66010 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\MAGICZ~1.EXE
342c3700830edc86d51059d0ecf26306 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\file.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 43748 44032 4.53606 3aeb6fb8fe8ab95f2462e3afb8b8acd3
.data 49152 8796 1536 4.57321 f3764284f4d25ed35f75b9c16e1ab608
.rsrc 61440 5318271 5318656 5.54275 dc5b32476a3f6fee97fb2bc0fc615319
.reloc 5382144 3480 3584 3.33168 bc74eb2a181cf1029262828db6ac5b5d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Worm connects to the servers at the following location(s):

%original file name%.exe_468:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
GDI32.dll
USER32.dll
msvcrt.dll
COMCTL32.dll
VERSION.dll
advapi32.dll
wininit.ini
advpack.dll
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
RegCloseKey
RegOpenKeyExA
RegQueryInfoKeyA
RegCreateKeyExA
GetWindowsDirectoryA
ExitWindowsEx
MsgWaitForMultipleObjects
_acmdln
_amsg_exit
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
file.exe
MAGICZ~1.EXE
setup.msi
wextract.manifest
Manifest to support IExpress WExtract.exe.
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
Kernel32.dll
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
Failed to get disk space information from: %s.
System Message: %s.
A required resource cannot be located.
Are you sure you want to cancel?
Unable to retrieve operating system version information.
Memory allocation request failed.
Filetable full.
Cannot change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.
That folder is invalid. Please make sure the folder exists and is writable.
You must specify a folder with fully qualified pathname or choose Cancel.
Could not update folder edit box.
Could not load functions required for browser dialog.
Could not load Shell32.dll required for browser dialog.
Error creating process <%s>. Reason: %s
The cluster size in this system is not supported.
A required resource appears to be corrupted.
Windows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %s
GetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used.
Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
NT Shutdown: OpenProcessToken error.
NT Shutdown: AdjustTokenPrivileges error.
NT Shutdown: ExitWindowsEx error.
Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.
The setup program could not retrieve the volume information for drive (%s) .
System message: %s.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.
The installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C:<Cmd> -- Override Install Command defined by author.
Another copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
The folder '%s' does not exist. Do you want to create it?
Another copy of the '%s' package is already running on your system. You can only run one copy at a time.
The '%s' package is not compatible with the version of Windows you are running.
The '%s' package is not compatible with the version of the file: %s on your system.
8.00.7600.16385 (win7_rtm.090713-1255)
WEXTRACT.EXE .MUI
Windows
8.00.7600.16385

cvtres.exe_140:

.text
`.data
.rsrc
MSVBVM60.DLL
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\msvbvm60.dll\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
6tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
FtpDownload
InternetOpenUrlA
FtpUpload
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpGetDirectory
Http_DownloadFile
cmdShowfiles
msvbvm60.dll
tmrTCP
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
khichikhalid.no-ip.org
Khichiii.exe
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
WScript.Shell
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
127.0.0.1
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
hXXps://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
\system32\userinit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
steam.exe
hl.exe
\rspad.dat

MAGICZ~1.EXE_912:

.text
`.rdata
@.data
.rsrc
gdi32.dll
user32.dll
kernel32.dll
shell32.dll
setupapi.dll
msvfw32.dll
sensapi.dll
oledlg.dll
oleacc.dll
secur32.dll
avicap32.dll
winspool.drv
winmm.dll
rasapi32.dll
mpr.dll
version.dll
comdlg32.dll
advapi32.dll
unicows.dll
security.dll
ntdll.dll
GetCPInfo
</%s>
<!--%s-->
&#xX;
<![CDATA[%s]]>
%s='%s'
%s="%s"
standalone="%s"
encoding="%s"
version="%s"
GDI32.DLL
hhctrl.ocx
CCmdTarget
CNotSupportedException
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
portuguese-brazilian
SetWindowsHookExW
GetWindowsDirectoryW
GetSystemWindowsDirectoryW
ShellExecuteW
ShellExecuteExW
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
CreateDialogIndirectParamW
RegEnumKeyW
RegOpenKeyW
GetKeyNameTextW
MapVirtualKeyW
RegCreateKeyW
OLEACC.dll
Unsupported dialog_default_button:
failed_exec_command_continue
supports_install
supports_uninstall
reboot_cmd
%Y-%m-%d %H:%M:%S
Configuration supports neither install nor uninstall.
Configuration doesn't support uninstall.
Configuration doesn't support install.
and rebooting Windows.
Skipping complete command, not all components reported installed.
installedcheckoperator
Invalid check operator "
cmdparameters
cmdparameters_silent
cmdparameters_basic
uninstall_cmdparameters
uninstall_cmdparameters_silent
uninstall_cmdparameters_basic
uninstall_executable
uninstall_executable_silent
uninstall_executable_basic
uninstall_exeparameters
uninstall_exeparameters_silent
uninstall_exeparameters_basic
sourceurl
sourceurl64
DeleteUrlCacheEntryW
rootkey
Unsupported registry type:
Unknown HKEY:
f:\Workspace\Deployment\dotnetinstaller\dotNetInstaller\Release\dotNetInstaller.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileW
urlmon.dll
GetConsoleOutputCP
GetProcessHeap
RegCloseKey
ADVAPI32.dll
UnhookWindowsHookEx
ExitWindowsEx
GetKeyState
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
WINSPOOL.DRV
msi.dll
.PAVCResourceException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCOleException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.?AVCCmdTarget@@
.PAVCException@@
.?AVIExecuteCallback@@
.?AVInstalledCheckOperator@@
.?AVCmdComponent@@
.?AVExeComponent@@
<configurations description="support 2.0 or 4.0" lcid_type="UserExe" show_language_selector="False" language_selector_title="" language_selector_ok="OK" language_selector_cancel="Cancel" configuration_no_match_message="" ui_level="full" fileversion="2.0.0.0" productversion="2.0.0.0" log_enabled="False" log_file="#TEMPPATH\dotNetInstallerLog.txt">
<schema version="2.0.5970.0" generator="dotNetInstaller InstallerEditor" />
<fileattribute name="FileDescription" value="Magic Zip Password Recovery Installer" />
<fileattribute name="ProductName" value="Magic Zip Password Recovery" />
<configuration dialog_caption="Magic Zip Password Recovery Installer" dialog_message="In order to install Magic Zip Password Recovery you must first install these components:" dialog_message_uninstall="" dialog_bitmap="#CABPATH\banner.bmp" skip_caption="Skip" install_caption="Install" uninstall_caption="Uninstall" cancel_caption="Close" status_installed=" (Installed)" status_notinstalled="" failed_exec_command_continue="Failed to install %s. Continue with other components?" installation_completed="" uninstallation_completed="Magic Zip Password Recovery uninstalled successfully!" installation_none="" uninstallation_none="Magic Zip Password Recovery is not installed!" installing_component_wait="Installing %s. Wait, this operation could take some time ..." uninstalling_component_wait="Uninstalling %s. Wait, this operation could take some time ..." reboot_required="To continue the installation you must restart your computer. Restart now?" must_reboot_required="False" dialog_otherinfo_caption="iWesoft Website" dialog_otherinfo_link="hXXp://VVV.iwesoft.com" complete_command="msiexec.exe /i
"#CABPATH\setup.msi"" nonadmin_complete_command_args="INSTALLDIR="#LOCALAPPDATA\Magic Zip Password Recovery"" complete_command_silent="" complete_command_basic="" wait_for_complete_command="True" hide_when_complete_command="True" auto_close_if_installed="True" auto_close_on_error="False" reload_on_error="True" dialog_show_installed="False" dialog_show_uninstalled="True" dialog_show_required="True" cab_dialog_message="%s" cab_cancelled_message="" cab_dialog_caption="" cab_path="#TEMPPATH\#GUID" cab_path_autodelete="True" dialog_default_button="install" dialog_position="" dialog_components_list_position="" dialog_message_position="" dialog_bitmap_position="" dialog_otherinfo_link_position="" dialog_osinfo_position="" dialog_install_button_position="" dialog_cancel_button_position="" dialog_skip_button_position="" auto_start="True" auto_continue_on_reboot="False" reboot_cmd="" show_progress_dialog="False" show_cab_dialog="True" disable_wow64_fs_redirection="False" administrator_required="False" administrator_required_message="Magic Zip Password Recovery installation requires administration rights." type="install" lcid_filter="" language_id="" language="" os_filter="" os_filter_min="" os_filter_max="" processor_architecture_filter="" supports_install="True" supports_uninstall="False">
<component command=""#TEMPPATH\dotNetRuntime_Download_#PID\dotnetfx20setup.exe" "/q"" command_silent="" command_basic="" uninstall_command="" uninstall_command_silent="" uninstall_command_basic="" returncodes_success="" returncodes_reboot="3010" disable_wow64_fs_redirection="False" id="Microsoft .NET Framework 2.0 SP2" display_name="Microsoft .NET Framework 2.0 SP2" uninstall_display_name="" os_filter="" os_filter_min="winXPsp2" os_filter_max="" os_filter_lcid="" type="cmd" installcompletemessage="" uninstallcompletemessage="" mustreboot="False" reboot_required="" must_reboot_required="False" failed_exec_command_continue="" allow_continue_on_error="False" default_continue_on_error="False" required_install="True" required_uninstall="False" selected_install="True" selected_uninstall="False" note="English - WebSetup - .NET Framework 3.5 SP1 for all operating system since Windows XP SP2 (Install check)" processor_architecture_filter="" status_installed="" status_notinstalled="" supports_install="True" supports_uninstall="False" show_progress_dialog="False" show_cab_dialog="False">
<installedcheckoperator type="Or" description="Installed Check Operator">
<installedcheck path="SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client" fieldname="Install" fieldvalue="1" defaultvalue="False" fieldtype="REG_DWORD" comparison="match" rootkey="HKEY_LOCAL_MACHINE" wowoption="NONE" type="check_registry_value" description="Installed Check" />
<installedcheck path="Software\Microsoft\NET Framework Setup\NDP\v2.0.50727" fieldname="Install" fieldvalue="1" defaultvalue="False" fieldtype="REG_DWORD" comparison="match" rootkey="HKEY_LOCAL_MACHINE" wowoption="NONE" type="check_registry_value" description="Installed Check" />
</installedcheckoperator>
<downloaddialog dialog_caption="Microsoft .NET Framework 2.0 - Download Components" dialog_message="Press 'Start' to download the required components for installing Microsoft .NET Framework 2.0." dialog_message_downloading="Download in progress. Please wait..." dialog_message_copying="Files are downloaded. Please wait ..." dialog_message_connecting="Connecting ..." dialog_message_sendingrequest="Sending request ..." autostartdownload="True" buttonstart_caption="Start" buttoncancel_caption="Cancel">
<download componentname="Microsoft .NET Framework 2.0 SP2" sourceurl="hXXp://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe" sourceurl64="hXXp://download.microsoft.com/download/a/3/f/a3f1bf98-18f3-4036-9b68-8e6de530ce0a/NetFx64.exe" sourcepath="" destinationpath="#TEMPPATH\dotNetRuntime_Download_#PID" destinationfilename="dotnetfx20setup.exe" alwaysdownload="True" clear_cache="False" />
<embedfile sourcefilepath="F:\Workspace\OpenSource\Products\Passware\ZipPasswordRecovery\installer\bin\Release\2.0.0.0.msi" targetfilepath="setup.msi" />
<!--<component package="#CABPATH\setup.msi" cmdparameters="" cmdparameters_silent="" cmdparameters_basic="" uninstall_package="" uninstall_cmdparameters="/qb-" uninstall_cmdparameters_silent="/qn" uninstall_cmdparameters_basic="/qb-" id="Magic Zip Password Recovery" display_name="Magic Zip Password Recovery" uninstall_display_name="" os_filter="" os_filter_min="" os_filter_max="" os_filter_lcid="" type="msi" installcompletemessage="" uninstallcompletemessage="" mustreboot="False" reboot_required="" must_reboot_required="False" failed_exec_command_continue="" allow_continue_on_error="True" default_continue_on_error="True" required_install="True" required_uninstall="True" selected_install="True" selected_uninstall="True" note="" processor_architecture_filter="" status_installed="" status_notinstalled="" supports_install="True" supports_uninstall="True" show_progress_dialog="True" show_cab_dialog="True">
<installedcheck id="1A6B9728-02D3-4DD2-BD77-5C009CF8B1F9" id_type="upgradecode" propertyname="VersionString" propertyvalue="2.0.0.0" comparison="version" defaultvalue="False" type="check_product" description="Installed Check" />
<embedfile sourcefilepath="F:\Workspace\OpenSource\Products\Passware\ZipPasswordRecovery\installer\bin\Release\2.0.0.0.msi" targetfilepath="setup.msi" />
setup.msi
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="dotNetInstaller" type="win32"></assemblyIdentity><description>dotNetInstaller</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
accKeyboardShortcut
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
eShell32.dll
comctl32.dll
Ecomdlg32.dll
Eshell32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
UxTheme.dll
H.INI
mscoree.dll
KERNEL32.DLL
All Files (*.*)|*.*||
F:\Development Softwares\Environment\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
H): EXECUTING
@2.0.5970.0
Configuration %s version %s does not match bootstrapper version.
Open and re-save configuration.xml with editor version %s.
Operating system:
(0x%x)
\SupportFiles
EHKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
Unsupported install sequence:
Unsupported component type:
Unsupported control type:
AdotNetInstallerLog.txt
AError in UnhookWindowsHookEx
configuration.xml
Operating system language id:
No configuration matching locale and operating system found within
-- Loading supported configurations (lcid=
Writing RunOnReboot registry key, /noRunOnReboot was not specified.
.Exiting with
Unsupported UI level:
WINDOWSPATH
SYSTEMWINDOWSPATH
STARTEXE
' is of unsupported type
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Writing HKEY_LOCAL_MACHINE\
Error initializing cabinet.dll:
%.f%%
The server returned HTTP status error %d: %s
Could not retrieve the server error message for the failed operation.
HTTP/1.1: keep same verb
Unsupported media type
Required not supported
HTTP version not supported
Unknown HTTP Status Code
Error %d: %s
Could not load Cabinet.dll
Could not load Wininet.dll
Invalid parameters passed to extraction function. Read the documentation!
The CAB archive is not encrypted but a decryption key was set.
The CAB archive is encrypted but no decryption key was set.
Cabinet.dll does not support calling the same CAB context from two different threads.
Invalid parameters passed to compression function. Read the documentation!
Cabinet.dll does not support compressing files bigger than 2 GB.
Cabinet.dll
-- Loading supported components (lcid=
supported component(s)
' installed check operator
Bmsiexec
(Error executing '
Awusa.exe
Error executing component '
B-- Executable:
Unsupported response file format:
Ckernel32.dll
', missing source url or path
%s (%s)
wininet.dll
%s (%s of %s)
*** No registry key found:
Registry key '
Checking whether registry key '
Opening 64-bit registry view (KEY_WOW64_64KEY)
Opening 32-bit registry view (KEY_WOW64_32KEY)
key_exists
Windows Latest
Windows 8 Server 
Windows 8 Server
Windows 8 
Windows 8
Windows 7 
Windows 7 SP1
Windows 7
Windows Vista 
Windows Vista SP2
Windows Vista SP1
Windows Vista
Windows Server 2008 
Windows Server 2008 R2
Windows Server 2008 SP2
Windows Server 2008
Windows Server 2003 
Windows Server 2003 R2 SP2
Windows Server 2003 R2 SP1
Windows Server 2003 R2
Windows Server 2003 SP2
Windows Server 2003 SP1
Windows Server 2003
Windows XP 
Windows XP SP3
Windows XP SP2
Windows XP SP1
Windows XP
Windows 2000 
Windows 2000 SP4
Windows 2000 SP3
Windows 2000 SP2
Windows 2000 SP1
Windows 2000
Windows NT 4 
Windows NT 4 SP6a
Windows NT 4 SP6
Windows NT 4
Windows ME 
Windows ME
Windows 98 
Windows 98 Second Edition
Windows 98
Windows 95 
Windows 95 OSR2
Windows 95
UserExe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Unsupported operating system, major=
user.exe
Unsupported OS filter:
Unsupported operating system code:
Unsupported operating system, os=
ShellElevated: not running Windows Vista or later
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\MAGICZ~1.EXE
SETUP_1.CAB
setup.msi - 4.9MB
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Magic Zip Password Recovery Installer
2.0.0.0
iWesoft.com
Magic Zip Password Recovery


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    MAGICZ~1.EXE:912
    wscript.exe:2044
    file.exe:464
    %original file name%.exe:468

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\DV1.tmp (98 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{C13C2459-F547-4158-9A74-6F46C4C5B098}\setup.msi (82162 bytes)
    %Documents and Settings%\%current user%\Application Data\Khichiii.exe (35 bytes)
    %Documents and Settings%\%current user%\Application Data\setup (34 bytes)
    %Documents and Settings%\%current user%\Application Data\MyFolder\ixpress.aan (1852 bytes)
    %Documents and Settings%\%current user%\Application Data\MyFolder\9345.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\file.exe (10504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MAGICZ~1.EXE (91182 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "ixpress" = "%Documents and Settings%\%current user%\Application Data\MyFolder\ixpress.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
