Trojan-Downloader.Win32.Agent.btlp (Kaspersky), Trojan.Generic.1748385 (B) (Emsisoft), Trojan.Generic.1748385 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 208d08554ff924a9ecfc0797d726d523
SHA1: c762491fd65f1500a087e1b481df06c6a286bb53
SHA256: 7fd33a60b5c90a374c80f0f22c815db41fff30f753ad7a1f64164c9ffe8e65df
SSDeep: 3072:08LcrhCS142TdbjkO5M8hpTPKzCJajPgpg4:DcrhCl8fXpTi92
Size: 114688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2007-12-19 15:13:47
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
Regsvr32.exe:3172
%original file name%.exe:3676
The Trojan injects its code into the following process(es):
userinit.exe:1524
system.exe:2764
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Regsvr32.exe:3172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\MSWINSCK.OCX (110 bytes)
The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\userinit.exe (227 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF19E6FF282D3255D3.TMP (0 bytes)
The process userinit.exe:1524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\kdcoms.dll (199 bytes)
C:\Windows\System32\system.exe (227 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)
Registry activity
The process Regsvr32.exe:3172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\MSWinsock.Winsock]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX, 1"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "IMSWinsockControl"
[HKCR\MSWinsock.Winsock\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Winsock General Property Page Object"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "DMSWinsockControlEvents"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID]
"(Default)" = "MSWinsock.Winsock"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
"(Default)" = "Microsoft Winsock Control 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\MSWinsock.Winsock\CurVer]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus]
"(Default)" = "0"
[HKCR\MSWinsock.Winsock.1\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\MSWinsock.Winsock.1]
"(Default)" = "Microsoft WinSock Control, version 6.0"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
The Trojan deletes the following value(s) in system registry:
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"ThreadingModel"
The process userinit.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "C:\Windows\userinit.exe"
Dropped PE files
MD5 | File path |
---|---|
9484c04258830aa3c2f2a70eb041414c | c:\Windows\System32\MSWINSCK.OCX |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Static Analysis
VersionInfo
Company Name:
Product Name: Hav_online
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: task.exe
Internal Name: task
File Version: 1.00
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 241664 | 69120 | 5.54305 | fc36098e84c49c98bbea5c66d3091adb |
.rsrc | 245760 | 45056 | 42496 | 3.22524 | 64cbd44ed7e9127d6194bcb49260ab46 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
scsd.ath.cx | 184.169.145.165 |
dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
system.exe_2764_rwx_00445000_00002000:
kernel32.dll
task.exe
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Regsvr32.exe:3172
%original file name%.exe:3676
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\MSWINSCK.OCX (110 bytes)
C:\Windows\userinit.exe (227 bytes)
C:\Windows\kdcoms.dll (199 bytes)
C:\Windows\System32\system.exe (227 bytes)
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "C:\Windows\userinit.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.