Susp_Dropper (Kaspersky), Win32.Virlock.Gen.8 (B) (Emsisoft), BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d23e8846dc99071f3b61403cea0e9294
SHA1: 6d244ff9c0738af18299b790d09207c7d44f41e7
SHA256: ac966b21b9fdf43665936d7b40d45d7b6e3d788b284cdeab641cdb4d76dc5554
SSDeep: 49152:4k5utn98Q8/7htj+cqrO9TNLcPbks9WTcu0F7nz5L0ns69YZEAo:4k5ut98Q8/7htqrKwPbfu05nz5L0n
Size: 3715072 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-11-25 23:31:10
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1092
%original file name%.exe:860
%original file name%.exe:1940
%original file name%.exe:1756
%original file name%.exe:1488
%original file name%.exe:820
The Trojan injects its code into the following process(es):
UOYUAYsk.exe:488
uyoUsggM.exe:1312
lWEUMcgA.exe:1492
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\KIoEcxMs.bat (4 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KIoEcxMs.bat (0 bytes)
The process %original file name%.exe:860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmAoIUMY.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nmAoIUMY.bat (0 bytes)
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
%Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14187 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bCAEQIkM.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bCAEQIkM.bat (0 bytes)
The process %original file name%.exe:1488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pGAwYUoU.bat (4 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pGAwYUoU.bat (0 bytes)
The process %original file name%.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oqoAIoQU.bat (4 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqoAIoQU.bat (0 bytes)
The process UOYUAYsk.exe:488 makes changes in the file system.
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process uyoUsggM.exe:1312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\QkUe.exe (16317 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gYYE.exe (15962 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aYUC.exe (20128 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22336 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QkMM.exe (17147 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uccU.exe (16771 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Mcso.exe (18325 bytes)
%Documents and Settings%\%current user%\YuogIoUc\asca.exe (16880 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xkkg.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsQc.exe (15385 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XYAs.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQI.exe (16411 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQgo.exe (16321 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Lsce.exe (15068 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aMww.exe (14501 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (15799 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (45846 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gUIe.exe (16407 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hEwC.exe (16701 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AgwE.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yski.exe (16375 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YMwi.exe (16346 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VgAY.exe (16383 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wggI.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OMMo.exe (14803 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZEYu.exe (16015 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bIYu.exe (16125 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\egMk.exe (15962 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (16582 bytes)
C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zgkK.exe (15745 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xQkw.exe (16375 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsEW.exe (18379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OsEK.exe (16787 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mUEk.exe (15941 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OgEs.exe (16321 bytes)
C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Bgog.exe (16346 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BIIQ.exe (15435 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgkO.exe (16411 bytes)
%Documents and Settings%\%current user%\YuogIoUc\lYIo.exe (16366 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ykEu.exe (23361 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MQAu.exe (16410 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIwU.exe (14775 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kgMq.exe (45140 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ukso.exe (15999 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qQcm.exe (16791 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cwsk.exe (16722 bytes)
%Documents and Settings%\%current user%\YuogIoUc\tQgY.exe (16338 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KQEE.exe (16407 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Ikoq.exe (15962 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JkkU.exe (16317 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iokC.exe (34572 bytes)
%Documents and Settings%\%current user%\YuogIoUc\DQQq.exe (16375 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uggG.exe (15987 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\fcMw.exe (15547 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eAoe.exe (16362 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aUIG.exe (16057 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIIC.exe (16342 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KgYI.exe (15950 bytes)
C:\totalcmd\TcUsbRun.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\GwAK.exe (16334 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQM.exe (16325 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (17072 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (20504 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LYAC.exe (16019 bytes)
%Documents and Settings%\All Users\KAYc.txt (55978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\twkK.exe (17116 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cgIg.exe (16387 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sYwQ.exe (15365 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nYkG.exe (18346 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YwUq.exe (16338 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LgMq.exe (16375 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\YuogIoUc\QkUe.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gYYE.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aYUC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QkMM.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uccU.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OgEs.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\asca.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xkkg.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsQc.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XYAs.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQI.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Lsce.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aMww.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gUIe.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hEwC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AgwE.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yski.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YMwi.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VgAY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wggI.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OMMo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZEYu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bIYu.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\egMk.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zgkK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xQkw.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsEW.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OsEK.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\DQQq.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQgo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Bgog.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uggG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BIIQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\fcMw.exe (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgkO.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\lYIo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ykEu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MQAu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIwU.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kgMq.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ukso.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mUEk.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qQcm.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cwsk.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\tQgY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KQEE.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Ikoq.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JkkU.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iokC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Mcso.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eAoe.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aUIG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIIC.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KgYI.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\GwAK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQM.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LYAC.exe (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\twkK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cgIg.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sYwQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nYkG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YwUq.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LgMq.exe (0 bytes)
Registry activity
The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 7D B4 CA 13 85 71 97 FA 09 4E 82 27 B0 42 54"
The process %original file name%.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 9D 3C A8 40 CA 3E AF 0A 9D 76 7F 24 74 28 6A"
The process %original file name%.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 2F 7E F7 25 CF 56 45 E9 FB 0D 5B 65 15 7D 8B"
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F B2 42 B1 D7 F0 CE A3 35 3E 4A C1 AA 59 37 93"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
The process %original file name%.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 CF 5C A8 6D 5B C7 FF 02 BE 61 A3 5C F4 FD 8B"
The process %original file name%.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 66 A1 13 03 69 B7 E2 CA 8F B1 0F F7 B5 C6 50"
The process UOYUAYsk.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 CE 60 C1 0D 7D 13 CF 8E 75 56 A3 11 65 EE 43"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
The process uyoUsggM.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 83 B0 F2 EF CB F2 3C F4 88 4C 52 8C 27 47 CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"
The process lWEUMcgA.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 20 FD FC 07 B7 38 78 F7 4D 11 C2 C6 C7 73 59"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
Dropped PE files
MD5 | File path |
---|---|
54d3bd5918333be2142e54e8a6c974af | c:\Documents and Settings\All Users\AUUoUgAI\UOYUAYsk.exe |
f374e574b9703fd6f6b32e07070c94b4 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
49320fa4aa6b6d34bdeb91cb559217b2 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
f802886b75f5372a605212baf369322e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
71079a63f751d27f53572c0edf167548 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
f9fbefbd757f9cdc1fb2e8fe058110ee | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
e06bf905023abbec4948f158dee969c6 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
eff0f589102d1ebc83f5f2c5e4361249 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
6e87b03c712af7bf26af604ee947b5a3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
26c17fb49223419c500a9e835285020f | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
bd1fa55de8e99f14611c4821a741b148 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
1683f0a34140f605c8236ac963364abf | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
b61626fb724c186d1716223f5080440e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
e3258918f6ded145c4b91cc619e0ea2e | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
8155f5ee7b2c541d08964f2acaa01fec | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
639a512d650e7fa3370cb30bb041ee02 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
94733968204b10e2aec4d44483f52d5a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
e8542f173bcd87685da43c365ac50599 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
c158e83b96f306af314914b51cb54086 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
915ec4dd85a2e27ebe23003818ee3404 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
e7fbc641ef67cea60a5f6d7fc08daa79 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
29014193d8035ffeddb7d4f4eecfe627 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
2f2eba2c97b2a67350fe3f9a46080121 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
66e79fb026bcc85a5483401f3855deec | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
16506c391918d6853af95f16e2ff62c7 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
e7387ea62f0c7ea0afb10bec0cf528cc | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
92bc6dbcf561ad0d8572e95ba7a563d0 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
138950411fe1990607fc3cb368381d2b | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
c5b614a9581985c841b5b715fe2e870a | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
0112c54c0043dcd4f5c8daa905c6e8fd | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
203c9388fd65ec6bdf3732256fb4bdaf | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
88b4bb372df4cad9fc6993a228dd0d8b | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
6d9092eaa6e6cca2e280e3857bedb96d | c:\Documents and Settings\All Users\NSIsgYEw\lWEUMcgA.exe |
11eb719cd876f79563752ea7b20d8d45 | c:\Documents and Settings\"%CurrentUserName%"\YuogIoUc\uyoUsggM.exe |
cc9939b9b584295a8080e735af859c29 | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
de8cc379ae093af056fa71ab673c6915 | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
aefab310117f73dd1475c25748e2a8bf | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
258950248fe417bfd93d955833f7f79f | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
4265755f6e37e3c88290ddb1ef481a72 | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
d763749a5300eed0f7ba7cc8544eb7e9 | c:\Perl\html\images\AS_logo.gif.exe |
3983b2d417fd2aef38920f44d8e38978 | c:\Perl\html\images\PerlCritic_run.png.exe |
1fa5ad2cd6598f10887692a25892fe29 | c:\Perl\html\images\aslogo.gif.exe |
df0a095a96000de54a18ba3793fbe778 | c:\Perl\html\images\ppm_gui.png.exe |
6defb268f8bf60a8cf3a45cf7f12e91f | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
67cdc3105280f30e7e38bf19c372088c | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
86ea1f32968b775961ff07ae846da9a5 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
eb91b3be0b1a3c38e36cfb873fbc5380 | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
beb562487a2a2541cc44caef05401a61 | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
5adce1166f0bd5dad6ae5046ab3c193a | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
c01f9b50f3c808da2ae2fafbd4ffc427 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
035a5d7e6f5bdd41d0c1c5377550a670 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
4d1ca8d96754e550df43d2ab168d366d | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
f43de3530f0cde62ba977344c0c160be | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1092
%original file name%.exe:860
%original file name%.exe:1940
%original file name%.exe:1756
%original file name%.exe:1488
%original file name%.exe:820
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\KIoEcxMs.bat (4 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmAoIUMY.bat (4 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
%Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14187 bytes)
%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bCAEQIkM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pGAwYUoU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqoAIoQU.bat (4 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QkUe.exe (16317 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gYYE.exe (15962 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aYUC.exe (20128 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22336 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QkMM.exe (17147 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uccU.exe (16771 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Mcso.exe (18325 bytes)
%Documents and Settings%\%current user%\YuogIoUc\asca.exe (16880 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xkkg.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsQc.exe (15385 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XYAs.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQI.exe (16411 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQgo.exe (16321 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Lsce.exe (15068 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aMww.exe (14501 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (15799 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (45846 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gUIe.exe (16407 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hEwC.exe (16701 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AgwE.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yski.exe (16375 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YMwi.exe (16346 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VgAY.exe (16383 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wggI.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OMMo.exe (14803 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZEYu.exe (16015 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bIYu.exe (16125 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\egMk.exe (15962 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (16582 bytes)
C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zgkK.exe (15745 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xQkw.exe (16375 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsEW.exe (18379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OsEK.exe (16787 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mUEk.exe (15941 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OgEs.exe (16321 bytes)
C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Bgog.exe (16346 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BIIQ.exe (15435 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgkO.exe (16411 bytes)
%Documents and Settings%\%current user%\YuogIoUc\lYIo.exe (16366 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ykEu.exe (23361 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MQAu.exe (16410 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIwU.exe (14775 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kgMq.exe (45140 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ukso.exe (15999 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qQcm.exe (16791 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cwsk.exe (16722 bytes)
%Documents and Settings%\%current user%\YuogIoUc\tQgY.exe (16338 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KQEE.exe (16407 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Ikoq.exe (15962 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JkkU.exe (16317 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iokC.exe (34572 bytes)
%Documents and Settings%\%current user%\YuogIoUc\DQQq.exe (16375 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uggG.exe (15987 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\fcMw.exe (15547 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eAoe.exe (16362 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aUIG.exe (16057 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIIC.exe (16342 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KgYI.exe (15950 bytes)
C:\totalcmd\TcUsbRun.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\GwAK.exe (16334 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQM.exe (16325 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (17072 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (20504 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LYAC.exe (16019 bytes)
%Documents and Settings%\All Users\KAYc.txt (55978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\twkK.exe (17116 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cgIg.exe (16387 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sYwQ.exe (15365 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nYkG.exe (18346 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YwUq.exe (16338 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LgMq.exe (16375 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2199552 | 2199552 | 5.42129 | aa35a221e10962a5c59782f84a8b651f |
.rdata | 2203648 | 8192 | 10240 | 0.158459 | 2dd1661ede7e6f9277c24c1ca1efad30 |
.data | 2211840 | 1499136 | 1499136 | 4.06382 | 69557aac6e0675416e37c0ac04db057e |
.rsrc | 3710976 | 4608 | 4608 | 3.07545 | 59465b1d9824ce562746fca68ad3a437 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):