Trojan-Dropper.Win32.Agent.zuz (Kaspersky), Generic.Palevo.4.B16E9B30 (B) (Emsisoft), Generic.Palevo.4.B16E9B30 (AdAware), GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: baded12134e3e146644f0b7ba7ef7bbe
SHA1: 74d57a3aa20db240a5f75a7e605a98bbf5931ebd
SHA256: 12f31cdfb88ab5483a0c4b2f0dfa30f0b1a06ffe3e9e0c7c5c7a0849d09e616a
SSDeep: 6144:DlrtwKs6FpaPyP8 YC3GPQhm7gQa9UQty:RyJPyNz2xp
Size: 232448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPX (Compresor Gratuito, www.upx.sourceforge.net), UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system. The dropped files and the string dumps below show what this sample installs: a Visual Basic 6 "X-R Host Booter" flooding tool (Xr HoSt BooTer.exe, "PORTFLOOD-"/"HTTP-" strings) that is itself infected with the Win32.HLLP.Kuku v3.09 file infector (it writes %System%\vcmgcd32.dll, and the HTTP requests in the traffic section carry the "KUKU v3.09 exp" user-agent); a Delphi-built bot persisted as %AppData%\Microsoft\svchost.exe (UDP-flood commands, autorun.inf spreading, Firefox signons.sqlite password theft); and the Cerberus RAT (c:\WINDOWS\system32\Cerberus\server.exe, Portuguese-language command set for keylogging, webcam capture and IE/Firefox/RAS password grabbing, AV and firewall enumeration through WMI root\SecurityCenter), whose code is found injected into iexplore.exe.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Generic creates the following process(es):
Host Booter bot.exe:1676
bot.exe:576
%original file name%.exe:196
The Generic injects its code into the following process(es):
Xr HoSt BooTer.exe:1704
iexplore.exe:1052
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Xr HoSt BooTer.exe:1704 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%System%\vcmgcd32.dll (1568 bytes)
%System%\vcmgcd32.dl_ (17 bytes)
%WinDir%\system.ini (78 bytes)
The Generic deletes the following file(s):
C:\KUKU300a (0 bytes)
The process bot.exe:576 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (601 bytes)
The process %original file name%.exe:196 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Host Booter bot.exe (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Xr HoSt BooTer.exe (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bot.exe (125 bytes)
Registry activity
Most of the registry writes recorded below (the CryptoAPI RNG "Seed", the Explorer "Shell Folders" and "MountPoints2" entries, the WinINet "Cache\Paths", proxy and ZoneMap defaults) are side effects of ordinary API use on a fresh sandbox profile and are not indicators for this family; the entries worth keying on are the HKCU\...\Run value, the custom "VeGaS iZ SiK Youtube1" key and the MUICache records of the dropped executables.
The process Host Booter bot.exe:1676 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 B8 39 97 C8 37 EC 8B 28 8D D7 EF 3D D0 FD 2D"
[HKCU\Software\VeGaS iZ SiK Youtube1]
"FileNameAtual" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Host Booter bot.exe"
The process Xr HoSt BooTer.exe:1704 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC A0 0D F3 9A E7 F2 5F 99 5B 08 F6 A8 D7 19 38"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Generic sets the IE security-zone mapping; the three ZoneMap values below are the stock IE defaults that WinINet writes when a process first initialises Internet Settings, so they do not indicate deliberate zone tampering. "UNCAsIntranet" = 1 includes all network (UNC) paths in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = 1 includes all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
"IntranetName" = 1 includes all local (intranet) sites not listed in other zones in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Generic deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process bot.exe:576 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B E8 D6 84 6B DD AD 93 4E 57 65 95 CE D1 F9 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"svchost.exe" = "svchost"
The Generic sets "IntranetName" = 1, which includes all local (intranet) sites not listed in other zones in the Intranet Zone (IE default):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key (a copy of the bot named after the Windows service host but placed under the user's Application Data; the genuine svchost.exe lives in %System%):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"
The Generic sets "UNCAsIntranet" = 1, which includes all network (UNC) paths in the Intranet Zone (IE default):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Generic sets "ProxyBypass" = 1, which includes all sites that bypass the proxy server in the Intranet Zone (IE default):
"ProxyBypass" = "1"
The process %original file name%.exe:196 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E CB 02 A4 CC 9A 82 ED 8B 92 96 81 F5 B4 90 96"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Xr HoSt BooTer.exe" = "Xr HoSt BooTer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Host Booter bot.exe" = "Host Booter bot"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"bot.exe" = "bot"
The Generic sets "IntranetName" = 1, which includes all local (intranet) sites not listed in other zones in the Intranet Zone (IE default):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Generic sets "UNCAsIntranet" = 1, which includes all network (UNC) paths in the Intranet Zone (IE default):
"UNCAsIntranet" = "1"
The Generic sets "ProxyBypass" = 1, which includes all sites that bypass the proxy server in the Intranet Zone (IE default):
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
49e17a08fde2dc17462f97194220a0d8 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\svchost.exe |
6ebf6e3875db3dfad9a85ebe2c2f98da | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Host Booter bot.exe |
558d0867bf4c786e1a0142188ab52773 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Xr HoSt BooTer.exe |
49e17a08fde2dc17462f97194220a0d8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bot.exe |
5facec93ec966a2577075d44e2ba63c7 | c:\WINDOWS\system32\Cerberus\server.exe |
ae22ca9f11ade8e362254b452cc07f78 | c:\WINDOWS\system32\vcmgcd32.dll |
3d0f7adfc75103a1902392c9fd39ed4f | c:\%original file name%.exe |
The persistence copy %AppData%\Microsoft\svchost.exe and Temp\bot.exe share MD5 49e17a08fde2dc17462f97194220a0d8, so they are the same bot binary. c:\WINDOWS\system32\Cerberus\server.exe (the Cerberus RAT; see the strings in the injected iexplore.exe region below) appears only in this table: it is listed neither under File activity nor in the removal steps, so hunt for it explicitly.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Generic's file once a user opens a drive's folder in Windows Explorer. This relies on AutoRun being honoured for removable media, as it was on the Windows XP SP3 analysis host; Microsoft disabled AutoRun for non-optical removable drives with KB971029 (February 2011), so on patched systems the dropped autorun.inf is a spreading artifact rather than a working infection vector.
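Added example (not part of the Lavasoft report): a small Python check for the autorun.inf directives this propagation relies on. The directive names come from the string dump of the dropped svchost.exe (the autorun.inf name and the icon=SHELL32.dll,4 folder disguise); the two autorun.inf samples inside the block are constructed, and the parser and function names are mine. It is generic enough to run over the root of any mounted removable drive.

```python
"""Check an autorun.inf for the directives a removable-drive worm relies on.

Added example, not code from the Lavasoft report. The worm analysed above
writes an autorun.inf whose icon directive points at SHELL32.dll icon index 4
(the stock folder icon, so the drive root looks like a folder). The two
autorun.inf texts below are constructed for illustration.
"""
import re

# Directives that run a program when the drive is opened or double-clicked.
EXEC_KEYS = {"open", "shellexecute"}
EXE_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|pif|vbs|js)\b", re.IGNORECASE)
# SHELL32.dll icon index 4 is the ordinary closed-folder icon.
FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4\s*$", re.IGNORECASE)

WORM_AUTORUN = (            # constructed sample, mirrors the strings in the dump
    "\ufeff[autorun]\r\n"
    "open=RECYCLER\\svchost.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "shell\\open\\command=RECYCLER\\svchost.exe\r\n"
    "useautoplay=1\r\n"
)
BENIGN_AUTORUN = "[autorun]\nlabel=Backup\nicon=backup.ico\n"   # constructed sample


def parse_autorun(text):
    """Return {key: value} from the [autorun] section (keys lower-cased).

    Worm-written files pad lines and mix case to evade naive parsers, so the
    parser tolerates a BOM, whitespace, blank lines, ';' comments and
    'shell\\x\\command' style keys; later duplicates win, as in Windows.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for key, value in parse_autorun(text).items():
        base = key.split("\\")[0]               # 'shell\open\command' -> 'shell'
        runs_program = base in EXEC_KEYS or (base == "shell" and key.endswith("\\command"))
        if runs_program and EXE_EXT.search(value):
            findings.append(f"executes {value!r} via '{key}'")
        if key == "icon" and FOLDER_ICON.search(value):
            findings.append("drive icon forced to the folder icon (SHELL32.dll,4)")
        if key == "useautoplay" and value == "1":
            findings.append("UseAutoPlay=1 asks for autoplay on insertion")
    return findings


if __name__ == "__main__":
    for finding in autorun_findings(WORM_AUTORUN):
        print(finding)
```

Run it against the text of each removable drive's autorun.inf; a non-empty result means the drive carries a launcher and the referenced file (here RECYCLER\svchost.exe) should be pulled for analysis before the drive is cleaned.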
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Host Booter bot.exe:1676
bot.exe:576
%original file name%.exe:196
- Delete the original Generic file.
- Delete or disinfect the following files created/modified by the Generic:
%System%\vcmgcd32.dll (1568 bytes)
%System%\vcmgcd32.dl_ (17 bytes)
%WinDir%\system.ini (78 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Host Booter bot.exe (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Xr HoSt BooTer.exe (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bot.exe (125 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
The automatically generated list above is incomplete: also terminate Xr HoSt BooTer.exe:1704 and the injected iexplore.exe:1052, remove %System%\Cerberus\server.exe (listed under Dropped PE files but not here), restore %WinDir%\system.ini from a known-good copy rather than deleting it, and treat credentials saved in Firefox, Internet Explorer and RAS phonebooks on the host as exposed, since both the bot and the Cerberus component carry code to read them (see the string dumps below).
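Added example (not part of the Lavasoft report): a Python check that finds Run-key persistence of the kind recorded above, where a binary named like a Windows system process (svchost.exe) is launched from a user-writable directory. It parses a "reg export" style text dump rather than the live registry so it runs anywhere. The .reg text inside the block is constructed; its first entry mirrors the report's "svchost.exe" value, the second key is the Policies\Explorer\Run key named in the Cerberus strings, and the name lists and function names are mine.

```python
"""Flag autorun (Run-key) entries that masquerade as Windows binaries.

Added example, not code from the Lavasoft report. It parses a 'reg export'
text dump and flags values that point at an executable named like a system
process (svchost.exe, lsass.exe, ...) but located outside the Windows
directory, or at anything under a user-writable path. The .reg text below is
constructed; its first entry mirrors the report's "svchost.exe" Run value.
"""
import ntpath
import re

# Names of core Windows processes that malware likes to borrow.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "wininit.exe", "explorer.exe"}
# Where those names legitimately live (directory, with trailing backslash).
SYSTEM_DIRS = re.compile(
    r"^(%systemroot%|%windir%|c:\\windows)\\(system32|syswow64)?\\?$", re.IGNORECASE)
# Locations a non-admin user can write to; persistence from here is a red flag.
USER_WRITABLE = re.compile(
    r"\\(application data|appdata|local settings\\temp|temp|users\\[^\\]+)\\", re.IGNORECASE)
AUTORUN_KEYS = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|Policies\\Explorer\\Run)$",
    re.IGNORECASE)

# Constructed sample in 'reg export' format (not a capture from the report).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\bot.exe"
'''


def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg string data escapes '\' and '"' with a backslash
                yield key, name.strip('"'), re.sub(r"\\(.)", r"\1", data[1:-1])


def executable_path(command):
    """Return the program part of a Run value (quoted path, or path up to .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|scr|com|bat|cmd|vbs))(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def flag_autoruns(text):
    """Return a list of suspicious autorun entries with the reasons for each."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not AUTORUN_KEYS.search(key):
            continue
        exe = executable_path(data)
        directory, filename = ntpath.split(exe)
        reasons = []
        if filename.lower() in SYSTEM_NAMES and not SYSTEM_DIRS.match(directory + "\\"):
            reasons.append(f"{filename} outside the Windows directory")
        if USER_WRITABLE.search(exe + "\\"):
            reasons.append("runs from a user-writable location")
        if reasons:
            findings.append({"key": key, "value": name, "path": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in flag_autoruns(SAMPLE_REG):
        print(f'{hit["key"]}\\{hit["value"]} -> {hit["path"]}: {"; ".join(hit["reasons"])}')
```

On a live host the input is the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM and Policies\Explorer\Run keys); the masquerading check matters more than the path check, because a legitimate updater can live under Application Data but nothing legitimate is called svchost.exe there.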
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 270336 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 274432 | 221184 | 217600 | 5.43823 | aa4e34921c6d21139b95027c2595f82d |
.rsrc | 495616 | 24576 | 13824 | 3.25579 | 5a3e9955070a8ff7f774b88ddcb0c1a1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.he3ns1k.info/mrow_pin/?id1398046enwbl8378&rnd=1410734 | 166.78.144.80 |
hxxp://www.he3ns1k.info/mrow_pin/?id1398046enwbl8378&rnd=1415500 | 166.78.144.80 |
hxxp://www.informat1onupd.info/mrow_pin/?id1398046enwbl8378&rnd=1420140 | 192.155.89.148 |
hxxp://www.g1ikdcvns3sdsal.info/mrow_pin/?id1398046enwbl8378&rnd=1415500 | 166.78.144.80 |
www.microsoft.com | 23.64.223.148 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic (URLs are defanged by the report: hxxp:// stands for http:// and VVV. for www.; the X-Sinkhole: malware-sinkhole header and the empty 200 responses show that the C2 domains were already sinkholed when the sample was run on 15 Apr 2015, so no genuine C2 exchange was observed)
GET /mrow_pin/?id1398046enwbl8378&rnd=1415500 HTTP/1.1
User-Agent: KUKU v3.09 exp
Host: VVV.g1ikdcvns3sdsal.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 22:22:15 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
GET /mrow_pin/?id1398046enwbl8378&rnd=1410734 HTTP/1.1
User-Agent: KUKU v3.09 exp
Host: VVV.he3ns1k.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 22:22:10 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
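Added example (not part of the Lavasoft report): the report's IDS section records no verdict, so this Python triage function implements the check one would write from the traffic above: a request is flagged as a beacon when its User-Agent starts with "KUKU v" or its path starts with "/mrow_pin/", the per-request "rnd=" value is extracted, and any response carrying an X-Sinkhole header marks the domain as already sinkholed. The capture text inside the block is constructed to mirror the traffic shown (with the defanged VVV. written as www.); the function names are mine.

```python
"""Triage captured HTTP text for the beacon pattern recorded in the report.

Added example, not code from the Lavasoft report. The indicators come from the
captured traffic above: User-Agent 'KUKU v3.09 exp' and the '/mrow_pin/' path
with a per-request 'rnd=' value; responses carrying 'X-Sinkhole' show the
domain was already sinkholed. The capture text below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
BEACON_UA = re.compile(r"^KUKU v\d+\.\d+")      # 'KUKU v3.09 exp' in the capture
BEACON_PATH = "/mrow_pin/"

CAPTURE = (                                     # constructed sample
    "GET /mrow_pin/?id1398046enwbl8378&rnd=1415500 HTTP/1.1\r\n"
    "User-Agent: KUKU v3.09 exp\r\n"
    "Host: www.g1ikdcvns3sdsal.info\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 15 Apr 2015 22:22:15 GMT\r\n"
    "Server: Apache/2.2.20 (Ubuntu)\r\n"
    "X-Sinkhole: malware-sinkhole\r\n"
    "Content-Length: 0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "GET /en-us/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: www.microsoft.com\r\n"
    "\r\n"
)


def split_messages(raw):
    """Split an HTTP text dump into (start_line, headers) tuples.

    Bodies are not expected (every response here is Content-Length: 0), so a
    blank line simply ends one message and the next line starts another.
    """
    messages = []
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append((lines[0].strip(), headers))
    return messages


def triage_http(raw):
    """Return the beacon requests found and whether a sinkhole answered."""
    beacons, sinkholed = [], False
    for start, headers in split_messages(raw):
        m = REQUEST_LINE.match(start)
        if m:
            target = urlsplit(m.group("target"))
            ua = headers.get("user-agent", "")
            if target.path.startswith(BEACON_PATH) or BEACON_UA.match(ua):
                rnd = parse_qs(target.query).get("rnd", [None])[0]
                beacons.append({"host": headers.get("host", ""), "path": target.path,
                                "user_agent": ua, "rnd": rnd})
        elif start.startswith("HTTP/") and "x-sinkhole" in headers:
            sinkholed = True
    return {"beacons": beacons, "sinkholed": sinkholed}


if __name__ == "__main__":
    print(triage_http(CAPTURE))
```

The two request conditions translate directly into an IDS rule on the HTTP user-agent and URI buffers; the sinkhole check is there so that an analyst does not mistake the empty 200 replies for a live C2 that accepted the beacon.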
Map
The Generic connects to the servers at the following location(s):
Strings from Dumps
Xr HoSt BooTer.exe_1704:
.text
.data
.rsrc
@.rdata
MSVBVM60.DLL
!"3"2"2''(
Gh.AJ
MSComctlLib.StatusBar
MSComctlLib.ProgressBar
Port!
MSComctlLib.ListView
(7),01444
'9=82<.342>
MSWinsockLib.Winsock
PoRT
MSWINSCK.OCX
mscomctl.ocx
%WinDir%\System32\MSWINSCK.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
%Program Files%\SpliT Productions\FPD By SpliT\mscomctl.oca
VBA6.DLL
%System%\vcmgcd32.dll
\vcmgcd32.dl_
Win32.HLLP.Kuku v3.09 stub=->KERNEL32
.reloc
NEL32.dl
;@") '/(
D2.KB99
LL5Ad%s%d
.%c%s
0
5&6_ 647
@,000408
(2,20242
*\A%Documents and Settings%\Ash.ASH-46SWIJD8EAP\Desktop\projects\Visual Basic\X-R Host Boot\Project1.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
9368265E-85FE-11d1-8BE3-0000F8754DA1
Port
HTTP-
PORTFLOOD-
A*\A%Documents and Settings%\Ash.ASH-46SWIJD8EAP\Desktop\projects\Visual Basic\X-R Host Boot\Project1.vbp
Host Booter 2.exe
Xr HoSt BooTer.exe_1704_rwx_00401000_00001000:
!"3"2"2''(
Xr HoSt BooTer.exe_1704_rwx_00430000_00005000:
%System%\vcmgcd32.dll
\vcmgcd32.dl_
Win32.HLLP.Kuku v3.09 stub=->KERNEL32
.reloc
NEL32.dl
;@") '/(
D2.KB99
LL5Ad%s%d
.%c%s
0
5&6_ 647
@,000408
(2,20242
iexplore.exe_1052:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.fg>
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
iexplore.exe_1052_rwx_00150000_00001000:
KERNEL32.DLL
iexplore.exe_1052_rwx_00290000_00001000:
KERNEL32.DLL
iexplore.exe_1052_rwx_002D0000_00001000:
KERNEL32.DLL
svchost.exe_664:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
ESQLiteException
TSQLiteDatabaselHA
TSQLiteTable
sqlite3_open
sqlite3_errmsg
sqlite3_free
sqlite3_close
sqlite3_last_insert_rowid
sqlite3_total_changes
sqlite3_errcode
sqlite3_bind_text
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_double
sqlite3_bind_null
sqlite3_bind_blob
sqlite3_prepare_v2
sqlite3_step
sqlite3_reset
sqlite3_finalize
sqlite3_prepare
sqlite3_busy_timeout
sqlite3_libversion
sqlite3_create_collation
sqlite3_bind_parameter_index
sqlite3_changes
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_type
sqlite3_column_int64
sqlite3_column_double
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_column_text
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
udprec
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
nss3.dll
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
PK11_GetInternalKeySlot
userenv.dll
\Mozilla\Firefox\
profiles.ini
\signons3.txt
\Mozilla\Firefox\profiles.ini
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
Urlmon.dll
Shell32.dll
URLDownloadToFileA
ShellExecuteA
Future Windows version (unknown)
Windows
MSGBOX
UDPStart|
SOFTWARE\Mozilla\Mozilla Firefox\
WEBDL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
GetCPInfo
wsock32.dll
shell32.dll
SQLite3
KWindows
UrlMon
SQLiteTable3
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Failed to get data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation
iexplore.exe_1052_rwx_00310000_00001000:
KERNEL32.DLL
iexplore.exe_1052_rwx_00350000_00001000:
KERNEL32.DLL
iexplore.exe_1052_rwx_00390000_00001000:
KERNEL32.DLL
iexplore.exe_1052_rwx_00C40000_00001000:
advapi32.dll
iexplore.exe_1052_rwx_00D80000_00001000:
advapi32.dll
iexplore.exe_1052_rwx_00DB0000_00001000:
crypt32.dll
iexplore.exe_1052_rwx_00EF0000_00001000:
crypt32.dll
iexplore.exe_1052_rwx_00F20000_00001000:
gdi32.dll
iexplore.exe_1052_rwx_01060000_00001000:
gdi32.dll
iexplore.exe_1052_rwx_01090000_00001000:
ntdll.dll
iexplore.exe_1052_rwx_011D0000_00001000:
ntdll.dll
iexplore.exe_1052_rwx_01200000_00001000:
ole32.dll
iexplore.exe_1052_rwx_01340000_00001000:
ole32.dll
iexplore.exe_1052_rwx_01370000_00001000:
oleaut32.dll
iexplore.exe_1052_rwx_014B0000_00001000:
oleaut32.dll
iexplore.exe_1052_rwx_014E0000_00001000:
pstorec.dll
iexplore.exe_1052_rwx_01620000_00001000:
pstorec.dll
iexplore.exe_1052_rwx_01650000_00001000:
rasapi32.dll
iexplore.exe_1052_rwx_01790000_00001000:
rasapi32.dll
iexplore.exe_1052_rwx_017C0000_00001000:
shell32.dll
iexplore.exe_1052_rwx_01910000_00001000:
shell32.dll
iexplore.exe_1052_rwx_01940000_00001000:
user32.dll
iexplore.exe_1052_rwx_01980000_00001000:
user32.dll
iexplore.exe_1052_rwx_019B0000_00001000:
wsock32.dll
iexplore.exe_1052_rwx_019F0000_00001000:
wsock32.dll
iexplore.exe_1052_rwx_10410000_00036000:
`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
%s -- %s
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
AVICAP32.dll
ntdll.dll
http\shell\open\command
\Internet Explorer\iexplore.exe
kernel32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
####@####
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
ReadTCPTable
ReadUdpTable
CloseTcpConnect
dllpass
StartTransferWebcam
StopTransferWebcam
CarregarVariaveisWebCam
WindowsExit
LowLevelKeybdHookProc
CarregarVariaveisWindows
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)
Set objFileSystem = CreateObject("Scripting.fileSystemObject")
Set objFile = objFileSystem.CreateTextFile("
Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
Cerberus_LOG.txt
Cerberus Keylogger
] ---> [
Password
UnitPasswords
advapi32.dll
WindowsLive:name=*
xxxyyyzzz.dat
\Mozilla Firefox\
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
userenv.dll
\Mozilla\Firefox\
profiles.ini
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
(unnamed password)
uURLHistory
Password:
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
RAS Passwords |
1.1.1.1
0.0.0.0
LogErros_server.txt
windowslistar
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
FirstExecution
getpassword|getmsn|
getpassword|getfirefox|
getpassword|getras|
getpassword|getie|
getpassword|getnoip|
openweb
getpassword
windowsmanager|mensagens|
windowsmanager|windowslistar|
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
xxyyzz.dat
xyzxyz.dat
keyloggersituacao
keylogger|keyloggersituacao|keyloggerativar|
keylogger|keyloggersituacao|keyloggerdesativar|
keyloggerativar
keyloggerdesativar
keyloggerdeletar
keyloggerenviar
keylogger|mensagens|zero|
keylogger
keyloggerenviar|
remotewebcamenviar
remotewebcamparar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportasdns
portasativas|mensagens|
portasativas|listarportas|
listarportas
(##()@@ (##()@@ (##()@@
Config.Cerberus
%SYS%
%DESKTOP%
plugin.dat
logs.dat
?456789:;
!"#$%&'()* ,-./0123
####@####
####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@####
####@#### ####@#### ####@####
####@#### ####@####
KWindows
UnitExecuteCommand
IEpasswords
KuURLHistory
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
GetKeyboardState
GetKeyState
GetAsyncKeyState
5&&&-&
.idata
.reloc
P.rsrc
.melRBy
]~c.gD
.id\I7v
KERNEL32.DLL
crypt32.dll
gdi32.dll
ole32.dll
oleaut32.dll
pstorec.dll
user32.dll
wsock32.dll