Susp_Dropper (Kaspersky), ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0412d082bf67dcce374758bfd571fd4b
SHA1: d2ee614a21d08579e29c46bdffbb8b28e7c6cc2a
SHA256: 66ea8a2f64296054579939c22bf82ae2dd31e7b18c172401d23f8b464c7f57f0
SSDeep: 49152:Ji0bIMuJRKsBFzl44J1uC0dTO1Psqe/VIgU:kFJosBFzRJ5
Size: 2555904 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-01 00:27:07
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
AdobeARMHelper.exe:1612
AdobeARM.exe:396
%original file name%.exe:1328
The Trojan injects its code into the following process(es):
lWEUMcgA.exe:2016
UOYUAYsk.exe:600
uyoUsggM.exe:700
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process AdobeARMHelper.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.log (503 bytes)
The process AdobeARM.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ArmUI.ini (185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.log (1065 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ArmUI.ini (0 bytes)
The process uyoUsggM.exe:700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\xssa.exe (16191 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (16582 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Zcgy.exe (16395 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22336 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\IYMa.exe (16407 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vEIK.exe (16371 bytes)
%Documents and Settings%\%current user%\YuogIoUc\FoUM.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooom.exe (16448 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LkkC.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WMUM.exe (14755 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SgAU.exe (16730 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XMkq.exe (15954 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mAso.exe (46067 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooYS.exe (17396 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZUgu.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SoUQ.exe (16379 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (45817 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TckQ.exe (16436 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dwMs.exe (16330 bytes)
%Documents and Settings%\%current user%\YuogIoUc\PAgu.exe (17145 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQIu.exe (15332 bytes)
%Documents and Settings%\%current user%\YuogIoUc\loou.exe (16383 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15278 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XwEy.exe (16428 bytes)
C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
C:\totalcmd\TcUsbRun.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WQQC.exe (23365 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQgA.exe (16399 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MYsw.exe (15344 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kYAS.exe (16424 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sAwS.exe (14726 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VkEQ.exe (16366 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yIQI.exe (15938 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15278 bytes)
C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sMQw.exe (16746 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iAEs.exe (15035 bytes)
%Documents and Settings%\%current user%\YuogIoUc\CYMo.exe (18411 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Qgoe.exe (16763 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kIwY.exe (16061 bytes)
%Documents and Settings%\%current user%\YuogIoUc\NMcG.exe (16048 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qswo.exe (16430 bytes)
%Documents and Settings%\%current user%\YuogIoUc\pkAi.exe (16387 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BcMG.exe (16420 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (16582 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BEAw.exe (16330 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQQC.exe (18379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zAAY.exe (16383 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HsYG.exe (15982 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (15799 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgMy.exe (16407 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcwa.exe (18354 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcgI.exe (16444 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wYUC.exe (16730 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MwEM.exe (16015 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dkoy.exe (15828 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Jgwg.exe (16403 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JsoQ.exe (20152 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dsIw.exe (16391 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SQwk.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eUgg.exe (17196 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JYIQ.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qwIk.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UwEc.exe (17359 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dgco.exe (16925 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RIsI.exe (36846 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nsMS.exe (14554 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sEkA.exe (16081 bytes)
%Documents and Settings%\%current user%\YuogIoUc\foYI.exe (14742 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HoEu.exe (17130 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BMAO.exe (15974 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (17627 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (20504 bytes)
%Documents and Settings%\All Users\KAYc.txt (55978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kwwY.exe (15950 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vsYS.exe (15496 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\xssa.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Zcgy.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\IYMa.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vEIK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\FoUM.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooom.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LkkC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WMUM.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SgAU.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wYUC.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mAso.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooYS.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZUgu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SoUQ.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\NMcG.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dwMs.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\PAgu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQIu.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XwEy.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WQQC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQgA.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MYsw.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kYAS.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sAwS.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VkEQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yIQI.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MwEM.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TckQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sMQw.exe (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iAEs.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\CYMo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Qgoe.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qswo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\pkAi.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BcMG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BEAw.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQQC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zAAY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sEkA.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dkoy.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgMy.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcwa.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\loou.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vsYS.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XMkq.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HsYG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Jgwg.exe (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JsoQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dsIw.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SQwk.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eUgg.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JYIQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qwIk.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UwEc.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RIsI.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nsMS.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HoEu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BMAO.exe (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kwwY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcgI.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dgco.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kIwY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\foYI.exe (0 bytes)
The process %original file name%.exe:1328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
%Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14803 bytes)
%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARMHelper.exe (1634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dWscgEwY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\dWscgEwY.bat (0 bytes)
Registry activity
The process AdobeARMHelper.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B F7 25 BB 2A D8 2A ED B4 55 E7 27 21 04 BF FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
"iCanExit" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
"iCanExit"
The process AdobeARM.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 E4 54 1C 0C 30 C2 B2 A1 F8 7B 2E E7 C0 C0 59"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
"iLastSvcSuccess"
[HKCU\Software\Adobe\Adobe ARM\1.0\ARM]
"iNotify"
The process lWEUMcgA.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 BC 61 80 4E 31 F4 E0 30 DA 93 90 63 61 E2 01"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
The process UOYUAYsk.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 03 CE 55 94 EE 54 0C 54 8B D2 7B 0F ED 0A 0F"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
The process uyoUsggM.exe:700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 84 10 4A CB 43 3F 95 3B 9B 40 A0 7A B9 09 C6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"
The process %original file name%.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 82 BB 80 50 8D E4 DA 16 18 F5 3C A2 21 B6 22"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| a3b6be5e3fcbc030e49ebb501f3b5258 | c:\Documents and Settings\All Users\AUUoUgAI\UOYUAYsk.exe |
| 5aaff46755273301096219d56f74430a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
| 9f5e05cc601bdd66b9c7cd3d1dca6c28 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
| 551a04109ef2637cc1957670e986201c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
| ca645dcde349db2b3b4219ed69d70bef | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
| 21aded81738c449ffc0e62d0efdd9a4c | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
| 8e59e8e8b6f1a197f664a52a52752bb5 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
| 13026542aa880884ff9fc3470c2bcacd | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
| 00c5991b3d66ebe5c7a6e9b75a025f8d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
| b6e76b386e58bf22710698bd007c116f | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
| eff266eae0a1aa996bdb4a5adac5dbd6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
| 0a664bc1200d677b9c082de06ec01e08 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
| cda2f6a17bf73d8c22f6c5f38a8250eb | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
| 1e3fb37482589cf77897dbfb9d2bed76 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
| e6f511aedfd6af9a07395cc36bf5b683 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
| 63bad564da735b1ce06959531d66ea82 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
| 76034a3f80a2169b99a65034486c1e12 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
| ee07ffd7d1d9f8f9b01dc4d88164f422 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
| 8bd30c0d1b2d666c0a31c72d37c9d5ad | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
| 21b756962cf88f374dbc20a3d4d5babe | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
| 26d16490c1fcd8fb219fa0b34bb52385 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
| cf61287b9338e7a7656c0e617b281403 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
| c4e524fdd677b386ed23282837446149 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
| e706e0b7020df309c626b37bc269b72d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
| 493ea372b890d04d55af7d33e96049f0 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
| 2e47b37b934b882874c959588249f75b | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
| fbbe87dfb825ed1be767304f01daab36 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
| d3878d78c8b24ccc9fe74605fbc11233 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
| 3af0323e21c8fc46cecbc6386850cd80 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
| 33fb3d18a61d412dd2622f8be4ebbf01 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
| f041fd1c376bae6f8c5e5efd6c3ffbaa | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
| 4a5f2fc00097176516047f45f4f5b142 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
| 7d9d4b8991ab32f2b8dbe80a9eb55bab | c:\Documents and Settings\All Users\NSIsgYEw\lWEUMcgA.exe |
| 88f161f0976b37f3ff0edf9fffc93837 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AdobeARMHelper.exe |
| d31a08baf3d00ba5ff327b7104d61a47 | c:\Documents and Settings\"%CurrentUserName%"\YuogIoUc\uyoUsggM.exe |
| b7adf6998a934e7ecad20851511c9571 | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
| 982bd6812d3917598913acfd861b8d64 | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
| dd767f25805a7cf89788956c5d875032 | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
| 66e74e332b610b9446904159eb9e00ef | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
| e95633a2fa4525bb29c92a409fc92d8b | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
| 31a5c865f8e6d0e905b2a97bb39de37a | c:\Perl\html\images\AS_logo.gif.exe |
| 74f18e12347d1a81427b800de42927a7 | c:\Perl\html\images\PerlCritic_run.png.exe |
| 6f211a61982e9d77c8939d692367ab4f | c:\Perl\html\images\aslogo.gif.exe |
| 16b31f9bec6edb732d1d78964edc9d81 | c:\Perl\html\images\ppm_gui.png.exe |
| 73f5dd6501aab4e1f819eae0b85d7999 | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
| 808deab36854ac494cb24ca34e4b7bad | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
| 7c44205bf45acd94610dc7a2f043e952 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
| c0a19fa5bb6943ffb7cae6142239a192 | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
| 9d9ae6c1168f0cc32445417c59e65562 | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
| f6c46a594d15cbdbaa67e504454a1568 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
| 25d4bcb56cde6b8d22116480552728bb | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
| a93b96c44ebab73087528261e5162b70 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
| 44474b2a7401b84f5603d19d5c7e1f02 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
| 871faad61eed7c45b08a71ab24021bc1 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
| f98eda11062f41c74a7c4573947ed35b | c:\Perl\lib\Mozilla\CA\cacert.pem.exe |
| 716d842d4d6c251aa22fe86e115f93a3 | c:\totalcmd\TCMADMIN.EXE.exe |
| ea84f93599363aa6f78c379a04668a56 | c:\totalcmd\TCMDX32.EXE.exe |
| 4825eb7fc6c31c180e3195f2ec80422f | c:\totalcmd\TCUNINST.EXE.exe |
| eff7a5517bcaf9f1b31dbead37dfc5ea | c:\totalcmd\TOTALCMD.EXE.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
AdobeARMHelper.exe:1612
AdobeARM.exe:396
%original file name%.exe:1328 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.log (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ArmUI.ini (185 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xssa.exe (16191 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (16582 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Zcgy.exe (16395 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22336 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\IYMa.exe (16407 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vEIK.exe (16371 bytes)
%Documents and Settings%\%current user%\YuogIoUc\FoUM.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooom.exe (16448 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LkkC.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WMUM.exe (14755 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SgAU.exe (16730 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XMkq.exe (15954 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mAso.exe (46067 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooYS.exe (17396 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZUgu.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SoUQ.exe (16379 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (45817 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TckQ.exe (16436 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dwMs.exe (16330 bytes)
%Documents and Settings%\%current user%\YuogIoUc\PAgu.exe (17145 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQIu.exe (15332 bytes)
%Documents and Settings%\%current user%\YuogIoUc\loou.exe (16383 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15278 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XwEy.exe (16428 bytes)
C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
C:\totalcmd\TcUsbRun.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WQQC.exe (23365 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQgA.exe (16399 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MYsw.exe (15344 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kYAS.exe (16424 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sAwS.exe (14726 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VkEQ.exe (16366 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yIQI.exe (15938 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15278 bytes)
C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sMQw.exe (16746 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iAEs.exe (15035 bytes)
%Documents and Settings%\%current user%\YuogIoUc\CYMo.exe (18411 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Qgoe.exe (16763 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kIwY.exe (16061 bytes)
%Documents and Settings%\%current user%\YuogIoUc\NMcG.exe (16048 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qswo.exe (16430 bytes)
%Documents and Settings%\%current user%\YuogIoUc\pkAi.exe (16387 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BcMG.exe (16420 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (16582 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BEAw.exe (16330 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQQC.exe (18379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zAAY.exe (16383 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HsYG.exe (15982 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (15799 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgMy.exe (16407 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcwa.exe (18354 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcgI.exe (16444 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wYUC.exe (16730 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MwEM.exe (16015 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dkoy.exe (15828 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Jgwg.exe (16403 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JsoQ.exe (20152 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dsIw.exe (16391 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SQwk.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eUgg.exe (17196 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JYIQ.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qwIk.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UwEc.exe (17359 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dgco.exe (16925 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RIsI.exe (36846 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nsMS.exe (14554 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sEkA.exe (16081 bytes)
%Documents and Settings%\%current user%\YuogIoUc\foYI.exe (14742 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HoEu.exe (17130 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BMAO.exe (15974 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (17627 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (20504 bytes)
%Documents and Settings%\All Users\KAYc.txt (55978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kwwY.exe (15950 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vsYS.exe (15496 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
%Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14803 bytes)
%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARMHelper.exe (1634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dWscgEwY.bat (4 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe" - Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe," - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1114112 | 1114112 | 5.19191 | 6ce628eeb2d5e2f25764d12b6e2f6600 |
| .rdata | 1118208 | 8192 | 10240 | 0.143865 | 049a9ea5d87c84662715ac687aebb74a |
| .data | 1126400 | 1425408 | 1425408 | 4.08022 | 00329234eb7678fa576d9b0dbb1e464f |
| .rsrc | 2551808 | 4608 | 4608 | 3.32253 | 80dfbd00c9dcb8f55b3a54b44887762f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://google.com/ | 173.194.71.139 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):