HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.180241 (AdAware), Backdoor.Win32.Farfli.FD, Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: da5411b25b4df1554b38595c8d9c6bba
SHA1: 4f29269d10541e29a4291b67b8bec4bac062bfa3
SHA256: bf9ee98f5f9737bf8ea51a5ee5d02b416098e43fd466b02e8b1edc84b9696304
SSDeep: 6144:VZXBsWqsE/Ao mv8Qv0LVmwq4FU0nN876c3/BZBVWM1m8:TXmwRo mv8QD4 0N46c35ZBV5c8
Size: 237211 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1564
Protect.exe:1192
Protect.exe:2020
The Trojan injects its code into the following process(es):
svchost.exe:812
iexplore.exe:1908
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (104 bytes)
%Program Files%\Company\NewProduct\Protect.exe (2104 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)
The process Protect.exe:2020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg (2 bytes)
%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe (601 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
Registry activity
The process %original file name%.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"HelpLink" = "mailto:support@company.com"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Company\NewProduct]
"protect.exe" = "kek"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"InstallSource" = "c:\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"InstallLocation" = "%Program Files%\Company\NewProduct\"
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"UninstallString" = "%Program Files%\Company\NewProduct\Uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"InstallDate" = "20160722"
"EstimatedSize" = "91"
"DisplayName" = "NewProduct 1.00"
"URLInfoAbout" = "http://www.company.com/"
"VersionMinor" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE E9 05 0D CD 1F 15 5C AA 76 AA 02 D2 CB 19 08"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"Publisher" = "Company"
"VersionMajor" = "1"
"DisplayVersion" = "1.00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"DisplayIcon" = "%Program Files%\Company\NewProduct\Uninstall.exe"
"Language" = "1049"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process Protect.exe:1192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 4B F9 F0 73 FA 98 79 83 DA 1B 40 6F 70 47 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process Protect.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 5D 7D 5D DD 48 D6 F2 75 32 CC E4 71 71 14 A1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\((Mutex))]
"InstalledServer" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\((Mutex))]
"ServerStarted" = "7/22/2016 21:45:20 PM"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{I7N2485J-HB53-U45G-J1Y0-335P5T2BY6YJ}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe restart"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
Dropped PE files
MD5 | File path |
---|---|
0cbd55d5184fd87a488d4551c10b4674 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\NetHood\Host.exe |
0cbd55d5184fd87a488d4551c10b4674 | c:\Program Files\Company\NewProduct\Protect.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1564
Protect.exe:1192
Protect.exe:2020
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (104 bytes)
%Program Files%\Company\NewProduct\Protect.exe (2104 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg (2 bytes)
%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Company
Product Name:
Product Version:
Legal Copyright: Company
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.00
File Description: NewProduct 1.00 Installation
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 148684 | 148992 | 4.57087 | bac8bae7a5e5326cf49943b90d1c062a |
DATA | 155648 | 10388 | 10752 | 2.62963 | abafcbfbd7f8ac0226ca496a92a0cf06 |
BSS | 167936 | 4341 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 176128 | 6040 | 6144 | 3.38637 | 7a4934595db0efc364c3982c4e335d8c |
.tls | 184320 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 188416 | 24 | 512 | 0.14174 | c4fdd0c5c9efb616fcc85d66056ca490 |
.reloc | 192512 | 6276 | 6656 | 4.56552 | 867a1120317d51734587a74f6ee70016 |
.rsrc | 200704 | 7388 | 7680 | 3.29739 | 5b088a613c5b2805c28352211bf683a9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 23
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_812:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_812_rwx_00C80000_00017000:
`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
Kernel32.dll
ntdll.dll
kernel32.dll
user32.dll
urlmon.dll
wininet.dll
advapi32.dll
Shell32.dll
shell32.dll
shlwapi.dll
KWindows
UnitKeylogger
GetWindowsDirectoryW
GetProcessHeap
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
DeleteUrlCacheEntryW
.idata
.rdata
P.reloc
P.rsrc
Keylogg
DURLD
KERNEL32.DLL
oleaut32.dll
PSAPI.dll
x.html
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
[Execute]
KeyDelBackspace
XtremeKeylogger
hXXp://
.functions
ÞFAULTBROWSER%
\Microsoft\Windows\
svchost.exe
kingbosman12.no-ip.biz
C:\User
)EXEmpire
Host.exe
kbd{I7N2485J-HB53-U45G-J1Y0-335P5T2BY6YJ}
PTF.ftpserver.com
C:\Users\
ftpuser
nel32.dll
kftppass
keyiso.dll
%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe
%Documents and Settings%\%current user%\Application Data\NetHood\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg
Software\Microsoft\Active Setup\Installed Components\{I7N2485J-HB53-U45G-J1Y0-335P5T2BY6YJ}
iexplore.exe_1908:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
iexplore.exe_1908_rwx_00C80000_00017000:
`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
Kernel32.dll
ntdll.dll
kernel32.dll
user32.dll
urlmon.dll
wininet.dll
advapi32.dll
Shell32.dll
shell32.dll
shlwapi.dll
KWindows
UnitKeylogger
GetWindowsDirectoryW
GetProcessHeap
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
DeleteUrlCacheEntryW
.idata
.rdata
P.reloc
P.rsrc
Keylogg
DURLD
KERNEL32.DLL
oleaut32.dll
PSAPI.dll
x.html
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
[Execute]
KeyDelBackspace
XtremeKeylogger
hXXp://
.functions
ÞFAULTBROWSER%
\Microsoft\Windows\
svchost.exe
kingbosman12.no-ip.biz
C:\User
)EXEmpire
Host.exe
kbd{I7N2485J-HB53-U45G-J1Y0-335P5T2BY6YJ}
PTF.ftpserver.com
C:\Users\
ftpuser
nel32.dll
kftppass
keyiso.dll
%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe
%Documents and Settings%\%current user%\Application Data\NetHood\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg
Software\Microsoft\Active Setup\Installed Components\{I7N2485J-HB53-U45G-J1Y0-335P5T2BY6YJ}