Trojan.Win32.Agentb.aanb (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Swrort.3.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 90a914dd9913e7158f5c079030668d5d
SHA1: 0be834a9e2d3badbb543321e56e10290b2831596
SHA256: 2ab4b5f6b1d98c7dfd68581e4057ca2d2a9b83336c88d68589d9054bd70ba29d
SSDeep: 12288:VTyjXW 48qWywrU4kGFezOAVuJ5PINww7F5DO3HYffh2vTH:ZIXW/8yw1ez54lItF5SXYHh0H
Size: 758427 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-01-18 16:44:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:704
The Trojan injects its code into the following process(es):
rundll32.exe:1056
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (5441 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar (0 bytes)
The process rundll32.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB85_Rar\rundll32.exe (5441 bytes)
Registry activity
The process %original file name%.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Aas]
"a4_116" = "831618036"
"a3_149" = "1051199068"
"a3_148" = "1044210237"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
"a3_78" = "542637991"
"a3_79" = "549622726"
"a3_72" = "533156193"
"a3_73" = "506656128"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Aas]
"a3_71" = "525712590"
"a3_76" = "561686245"
"a3_77" = "568613636"
"a3_74" = "513568291"
"a3_75" = "554631746"
"a3_152" = "1106310065"
"a3_153" = "1080268752"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a3_154" = "1087178867"
"a3_155" = "1127787666"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a2_59" = "422982872"
"a2_58" = "415799606"
"a2_53" = "379969460"
"a2_52" = "372801337"
"a2_51" = "365618531"
"a2_50" = "358453144"
"a2_57" = "408633617"
"a2_56" = "401468839"
"a2_55" = "394299472"
"a2_54" = "387134097"
"a4_55" = "394301655"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"
"a4_52" = "372794292"
[HKCU\Software\Aas\695404737]
"50183847" = "7374DA7B4CB6B8BEA6353FFA4E6A0EBD13A1BBA13D882624F171304B4452F2B6D354D7AF2253C465A533BE00222BFE3FF7E8F1F2A055267764C0820B45B0D6343781D54D569FBFF3F20A9EC53F3B06F20E30DA8DE1B970E96E0A2E102FDF1BBB4F8917852ECD77AE573144FB4CA9F7D9E600166CD9DF1E1AF69E566E24112410"
[HKCU\Software\Aas]
"a4_59" = "422978139"
"a4_58" = "415809018"
"a3_135" = "950830350"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKCU\Software\Aas]
"a3_94" = "690598327"
"a3_95" = "698045910"
"a3_96" = "671534665"
"a3_97" = "678453992"
"a3_90" = "662052915"
"a3_91" = "669107282"
"a3_92" = "643004661"
"a3_93" = "649993492"
"a3_98" = "685967115"
"a3_99" = "726580138"
"a1_138" = "3767915578"
"a1_139" = "4098051861"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas]
"a1_130" = "4248472063"
"a2_155" = "1111220172"
"a1_131" = "3414221539"
"a2_153" = "1096868927"
"a2_152" = "1089701710"
"a2_99" = "709739566"
"a2_98" = "702575871"
"a2_97" = "695408273"
"a2_96" = "688242367"
"a2_95" = "681060116"
"a2_94" = "673906260"
"a2_93" = "666722820"
"a2_92" = "659557127"
"a2_91" = "652392892"
"a2_90" = "645223498"
"a4_151" = "1082537271"
"a4_150" = "1075368150"
"a4_153" = "1096875513"
"a4_152" = "1089706392"
"a4_155" = "1111213755"
"a4_154" = "1104044634"
"a1_58" = "2978767031"
"a1_59" = "1948942902"
"a1_56" = "2342288737"
"a1_57" = "2858909479"
"a1_54" = "2042258888"
"a1_55" = "1495675559"
"a1_52" = "4048879594"
"a1_53" = "1473469772"
"a1_50" = "2111704480"
"a1_51" = "3695325421"
"a3_136" = "991836577"
"a1_155" = "1945735382"
"a3_43" = "324843106"
"a3_42" = "284237251"
"a3_41" = "277248416"
"a3_40" = "269796609"
"a3_47" = "353765350"
"a3_46" = "313221959"
"a3_45" = "305778468"
"a3_44" = "332278405"
"a1_132" = "1117229897"
"a1_133" = "3874582488"
"a3_49" = "368270520"
"a3_48" = "360822809"
"a1_136" = "463649362"
"a2_119" = "853130768"
"a1_134" = "4278971016"
"a1_135" = "2772783844"
"a4_99" = "709742979"
"a4_98" = "702573858"
"a2_118" = "845959889"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a3_109" = "798021476"
"a3_108" = "790966981"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Aas]
"a3_101" = "707522668"
"a3_100" = "733503437"
"a3_103" = "754977070"
"a3_102" = "714511503"
"a3_105" = "769475040"
"a3_104" = "762555713"
"a3_107" = "750493346"
"a3_106" = "742980099"
"a2_113" = "810118713"
"a2_112" = "802933559"
"a3_70" = "485103791"
"a2_110" = "788610250"
"a2_117" = "838794664"
"a2_116" = "831612363"
"a2_115" = "824446666"
"a2_114" = "817277599"
"a2_144" = "1032350139"
"a1_104" = "607441841"
"a2_145" = "1039517531"
"a2_146" = "1046685741"
"a2_147" = "1053866261"
"a2_140" = "1003679905"
"a2_141" = "1010854322"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a2_142" = "1018016234"
"a2_143" = "1025181667"
"a3_150" = "1092336383"
"a3_151" = "1099259678"
"a3_133" = "970345548"
[HKCU\Software\Aas\695404737]
"35845605" = "367"
[HKCU\Software\Aas]
"a3_116" = "814879197"
"a3_117" = "821922428"
"a3_114" = "834001179"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a3_115" = "807894458"
"a1_89" = "288499719"
"a1_88" = "3725461814"
"a1_85" = "858988136"
"a1_84" = "2359230873"
"a1_87" = "3000977484"
"a1_86" = "406110915"
"a1_81" = "2863634940"
"a1_80" = "1372199662"
"a1_83" = "1124493734"
"a3_110" = "771902343"
"a2_128" = "917646045"
"a2_129" = "924824056"
"a2_126" = "903315333"
"a2_127" = "910487346"
"a2_124" = "888965297"
"a3_111" = "778955814"
"a2_122" = "874630552"
"a2_123" = "881794635"
"a2_120" = "860297772"
"a2_121" = "867461936"
"a1_67" = "461340971"
"a1_66" = "4106376505"
"a1_65" = "3170945634"
"a1_64" = "2950582829"
"a1_63" = "2219207046"
"a1_62" = "3487412795"
"a1_61" = "211409830"
"a1_60" = "873425128"
"a3_138" = "1006335587"
"a3_139" = "979823234"
"a1_69" = "1899251483"
"a1_68" = "2682665734"
"a1_12" = "1327564497"
"a1_13" = "3304576595"
"a1_10" = "2829770515"
"a1_11" = "2198744957"
"a1_16" = "83704404"
"a1_17" = "669489697"
"a1_14" = "718236021"
"a1_15" = "1199964620"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a1_18" = "2018944401"
"a1_19" = "4255909989"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a2_48" = "344116878"
"a2_49" = "351281456"
"a4_140" = "1003676940"
"a2_40" = "286765770"
"a2_41" = "293930310"
"a2_42" = "301099450"
"a2_43" = "308266732"
"a2_44" = "315449595"
"a2_45" = "322616222"
"a2_46" = "329785186"
"a2_47" = "336951016"
"a4_148" = "1061029908"
"a4_146" = "1046691666"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_48" = "344117808"
"a4_49" = "351286929"
"a4_137" = "982169577"
"a4_136" = "975000456"
"a4_147" = "1053860787"
"a3_140" = "986812197"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a1_103" = "2165118280"
"a4_145" = "1039522545"
"a4_139" = "996507819"
"a1_102" = "3973547763"
"a4_138" = "989338698"
[HKCU\Software\Aas\695404737]
"28676484" = "35"
[HKCU\Software\Aas]
"a4_131" = "939154851"
"a1_101" = "1590031870"
"a4_149" = "1068199029"
"a3_141" = "1027810116"
"a2_88" = "630887589"
"a2_89" = "638058068"
"a2_84" = "602209011"
"a2_85" = "609373463"
"a2_86" = "616541761"
"a2_87" = "623720765"
"a2_80" = "573537141"
"a3_34" = "260325067"
"a2_82" = "587859737"
"a2_83" = "595045156"
"a4_124" = "888971004"
"a4_125" = "896140125"
"a1_29" = "3519163567"
"a1_28" = "2874283239"
"a4_120" = "860294520"
"a4_121" = "867463641"
"a4_122" = "874632762"
"a4_123" = "881801883"
"a1_23" = "334921463"
"a1_22" = "3523662351"
"a1_21" = "3268050597"
"a1_20" = "287967198"
"a1_27" = "919025986"
"a1_26" = "1083642280"
"a1_25" = "437289997"
"a1_24" = "1427379021"
"a4_141" = "1010846061"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Msversion" = "2007"
[HKCU\Software\Aas]
"a3_50" = "341766363"
"a3_51" = "348755322"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a3_58" = "432789459"
"a3_59" = "406145138"
"a1_127" = "554158038"
"a1_126" = "1543010176"
"a1_121" = "3161097861"
"a1_120" = "1179115185"
"a1_123" = "2259162590"
"a1_122" = "652688995"
"a2_111" = "795778256"
"a2_31" = "222248128"
"a2_30" = "215079437"
"a2_33" = "236580234"
"a2_32" = "229420462"
"a2_35" = "250913388"
"a2_34" = "243748455"
"a2_37" = "265264233"
"a2_36" = "258082523"
"a2_39" = "279612292"
"a2_38" = "272431906"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_71" = "509007591"
"a4_70" = "501838470"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a1_137" = "3758288211"
"a4_86" = "616544406"
"a4_87" = "623713527"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_80" = "573529680"
"a4_81" = "580698801"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Aas]
"a4_88" = "630882648"
"a4_89" = "638051769"
"a2_100" = "716906516"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
[HKCU\Software\Aas]
"a1_150" = "2389226232"
"a1_151" = "3878438399"
[HKCU\Software\Aas\695404737]
"7169121" = "123"
[HKCU\Software\Aas]
"a1_153" = "2635771470"
"a1_154" = "2304537359"
"a2_102" = "731242634"
"a2_103" = "738423864"
"a2_104" = "745594442"
"a2_105" = "752760363"
"a2_106" = "759924717"
"a2_107" = "767093650"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Aas]
"a1_96" = "2706232892"
"a2_131" = "939148475"
"a2_130" = "931977839"
"a2_133" = "953497608"
"a2_132" = "946330345"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas]
"a2_135" = "967833655"
"a2_134" = "960667564"
"a1_107" = "782952190"
"a2_137" = "982166078"
"a1_106" = "1330558835"
"a2_136" = "974996571"
"a1_105" = "374304375"
"a1_98" = "4140502380"
"a1_99" = "576557497"
"a1_92" = "3342425486"
"a1_93" = "1586062086"
"a1_90" = "3772481185"
"a1_91" = "2605829941"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_97" = "243029257"
"a1_94" = "2923823450"
"a1_95" = "1751234470"
"a2_75" = "537686819"
"a2_74" = "530520955"
"a2_77" = "552021916"
"a2_76" = "544855771"
"a2_71" = "509001822"
"a2_70" = "501830171"
"a2_73" = "523338838"
"a2_72" = "516168479"
"a2_139" = "996515073"
"a2_138" = "989333167"
"a1_100" = "666273977"
"a2_79" = "566355000"
"a2_78" = "559188494"
"a1_74" = "1130615635"
"a1_75" = "690686929"
"a1_76" = "1473609080"
"a1_77" = "1415501028"
"a1_70" = "3708589279"
"a1_71" = "406658711"
"a1_72" = "2609427981"
"a1_73" = "1914291475"
"a3_129" = "907869896"
"a3_128" = "934369961"
"a1_78" = "2047195226"
"a1_79" = "3775692182"
"a3_123" = "898388146"
"a3_122" = "891468819"
"a3_121" = "850861040"
"a3_120" = "843343697"
"a1_109" = "4039422960"
"a3_127" = "927442486"
"a1_108" = "3707482032"
"a3_126" = "886312343"
"a1_0" = "3299283285"
"a3_125" = "879323508"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Aas]
"a3_124" = "905966805"
"a1_2" = "919573244"
"a1_3" = "828583069"
"a1_4" = "1716250833"
"a1_5" = "3190497201"
"a1_6" = "4262868475"
"a1_7" = "3989152233"
"a3_29" = "224867540"
"a3_28" = "183865525"
"a1_116" = "3400036303"
"a1_117" = "2274793752"
"a1_110" = "3972584301"
"a1_111" = "4274369659"
"a1_112" = "2328916030"
"a1_9" = "2841996467"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
"a3_26" = "169827315"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a2_81" = "580705275"
"a4_126" = "903309246"
"a4_127" = "910478367"
"a3_112" = "785940569"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKCU\Software\Aas]
"a4_128" = "917647488"
"a4_129" = "924816609"
"a3_113" = "826942712"
"a2_101" = "724078348"
"a1_38" = "1132573485"
"a1_39" = "1539644586"
"a4_135" = "967831335"
"a4_134" = "960662214"
"a4_133" = "953493093"
"a4_132" = "946323972"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_130" = "931985730"
"a1_30" = "529336622"
"a1_31" = "2422352769"
"a1_32" = "4085025691"
"a1_33" = "1907857644"
"a1_34" = "3810007350"
"a1_35" = "2438776411"
"a1_36" = "1432891901"
"a1_37" = "2377724742"
"a2_108" = "774273145"
"a2_109" = "781428138"
"a3_69" = "478110732"
"a3_68" = "470664173"
"a3_65" = "449123976"
"a3_64" = "442135145"
"a3_67" = "497168202"
"a3_66" = "489720619"
"a3_61" = "454263092"
"a3_60" = "413199509"
"a3_63" = "468244982"
"a3_62" = "461186391"
"a1_1" = "1129195820"
"a2_28" = "200730131"
"a2_29" = "207912552"
"a2_26" = "186389520"
"a2_27" = "193560706"
"a2_24" = "172051666"
"a2_25" = "179236332"
"a2_22" = "157725604"
"a2_23" = "164897149"
"a2_20" = "143379590"
"a2_21" = "150546381"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a2_7" = "50176139"
"a2_6" = "43022529"
"a2_5" = "35843210"
"a2_4" = "28675097"
"a2_3" = "21510054"
"a2_2" = "14341597"
"a2_1" = "7175664"
"a2_0" = "9832"
"a2_9" = "64524712"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a1_143" = "2964332635"
"a1_142" = "146780567"
"a1_141" = "3395938350"
"a1_140" = "3014508375"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a1_145" = "2303971897"
"a1_144" = "2222538468"
"a3_52" = "389745053"
"a1_129" = "995106232"
"a2_8" = "57360237"
"a1_128" = "652215625"
"a3_87" = "607024862"
"a3_86" = "633131711"
"a3_85" = "626081308"
"a3_84" = "585598461"
"a3_83" = "578085210"
"a3_82" = "571034939"
"a3_81" = "597665944"
"a3_80" = "590099577"
"a2_154" = "1104036235"
"a1_149" = "778815788"
"a3_89" = "654610320"
"a3_88" = "614067057"
"a1_125" = "2391700498"
"a1_148" = "3272558557"
"a1_124" = "1282967730"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 4F AF 14 B9 B4 62 24 30 7A BF 83 80 16 7D B2"
[HKCU\Software\Aas]
"a2_125" = "896147114"
"a1_147" = "2152383229"
"a1_146" = "1203558022"
"a1_8" = "4063377757"
"a1_82" = "3641669083"
"a2_62" = "444487128"
"a2_63" = "451646997"
"a2_60" = "430152535"
"a2_61" = "437319392"
"a2_66" = "473169273"
"a2_67" = "480339762"
"a2_64" = "458833036"
"a2_65" = "465987462"
"a2_68" = "487492329"
"a2_69" = "494671494"
"a2_148" = "1061035752"
"a2_149" = "1068200424"
"a1_41" = "2467347674"
"a1_40" = "1971514006"
"a1_43" = "1653158786"
"a1_42" = "83234739"
"a1_45" = "404128563"
"a1_44" = "3231434740"
"a1_47" = "3068893843"
"a1_46" = "1480344229"
"a1_49" = "2276740806"
"a1_48" = "2207619950"
"a4_144" = "1032353424"
[HKCU\Software\Aas\695404737]
"43014726" = "0900687474703A2F2F70656C63706177656C2E666D2E696E74657269612E706C2F6C6F676F732E67696600687474703A2F2F636869636F73746172612E636F6D2F6C6F676F662E67696600687474703A2F2F73756577796C6C69652E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F646577706F696E742D65672E636F6D2F696D616765732F6C6F676F73612E67696600687474703A2F2F7777772E6365796C616E6F67756C6C6172692E636F6D2F6C6F676F662E67696600687474703A2F2F7777772E626C7565637562656372656174697665732E636F6D2F6C6F676F732E67696600687474703A2F2F37323468697A6D6574677275702E636F6D2F696D616765732F6C6F676F73612E67696600687474703A2F2F796176757A74756E63696C2E79612E66756E7069632E64652F696D616765732F6C6F676F732E67696600687474703A2F2F6365766174706173612E636F6D2F696D616765732F6C6F676F732E676966"
[HKCU\Software\Aas]
"a4_142" = "1018015182"
"a4_143" = "1025184303"
"a3_118" = "862924447"
"a3_119" = "869974846"
"a1_114" = "4010823525"
"a1_115" = "1713967243"
"a3_36" = "241268621"
"a3_37" = "248309804"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a3_35" = "267899754"
"a3_32" = "212854281"
"a3_33" = "253401768"
"a3_30" = "231909751"
"a3_31" = "205278614"
"a1_113" = "630860932"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a3_130" = "915379051"
"a3_131" = "922302346"
"a1_118" = "1153902031"
"a3_132" = "962897965"
"a1_119" = "3599727070"
"a2_17" = "121878223"
"a2_16" = "114711323"
"a2_15" = "107528834"
"a2_14" = "100363147"
"a2_13" = "93192567"
"a2_12" = "86026347"
"a2_11" = "78858924"
"a2_10" = "71683025"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
"a3_134" = "943841519"
"a2_19" = "136212468"
"a2_18" = "129044565"
"a4_11" = "78860331"
"a4_10" = "71691210"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a3_137" = "998890944"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Aas]
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a2_151" = "1082532560"
"a2_150" = "1075365891"
"a3_145" = "1022800088"
"a3_144" = "1015749817"
"a3_147" = "1070844314"
"a3_146" = "1063277947"
"a4_119" = "853125399"
"a4_118" = "845956278"
"a3_143" = "1008236550"
"a3_142" = "1034864615"
"a1_152" = "3769055733"
"a4_117" = "838787157"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The process rundll32.exe:1056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 6C 4D AB 83 CA 5A 1F 86 73 98 FE 70 ED 9F DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
Dropped PE files
MD5 | File path |
---|---|
82005fbde52b06c6744ad8176be2033b | c:\jogxxk.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:704
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB85_Rar\rundll32.exe (5441 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 569841 | 569856 | 4.61292 | 0fd9e616a22ca25c8dd4ffc4fe8d4bb7 |
.rdata | 577536 | 58474 | 58880 | 3.75497 | e40dfac2aa919c953afc3e5f529b3350 |
.data | 638976 | 36632 | 10752 | 2.54749 | e27b8dce8893e88554c3004d7188b557 |
.rsrc | 675840 | 114688 | 113664 | 5.13211 | 082e6788da8a78037318b9731b0f74f2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
0765c49460a50e4d83dd490686641e45
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_1056:
.text
.rdata
.data
.rsrc
!"#$%%&'())* ,-./0123456789:;
T$%UR
RSSh
RSSh@SI
xSSSh
FTPjKS
FtPj;S
C.PjRV
portuguese-brazilian
GetProcessWindowStation
operator
AutoHotkey
AppsKey
ListHotkeys
KeyHistory
DetectHiddenWindows
SetKeyDelay
KeyWait
GetKeyState
URLDownloadToFile
MsgBox
IfMsgBox
Hotkey
AHK Keybd
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
Modifiers (Hook's Logical) = %s
Modifiers (Hook's Physical) = %s
Prefix key is down: %s
NOTE: Only the script's own keyboard events are shown
(not the user's), because the keyboard hook isn't installed.
NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)
The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist, U=Unicode character (SendInput).
E7 X
X X
%u hotkeys have been received in the last %ums.
(see #MaxHotkeysPerInterval in the help file)
Nonexistent hotkey. The current thread will exit.
Nonexistent hotkey variant (IfWin). The current thread will exit.
Max hotkeys.
The AltTab hotkey "%s" must specify which key (L or R).
The AltTab hotkey "%s" must have exactly one modifier/prefix.
"%s" is not allowed as a prefix key.
"%s" is not a valid key name. The current thread will exit.
SCx
%s[%Iu of %Iu]: %-1.60s%s
%s[Object]: 0x%p
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%s\%s
AutoHotkey2
Critical Error: %s
=/|^,:*&~!()[] -?."'\;`{}
>AUTOHOTKEY SCRIPT
Could not extract script from EXE.
=/|^,:
=/|^,:. -*&!?~
Join
Hotkeys/hotstrings are not allowed inside functions.
Duplicate hotkey.
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.
*%s::
if not GetKeyState("%s")
{Blind}%s%s{%s DownTemp}
*%s up::
{Blind}{%s Up}
#InstallKeybdHook
#HotkeyModifierTimeout
#HotkeyInterval
#MaxHotkeysPerInterval
#MaxThreadsPerHotkey
#KeyHistory
#MenuMaskKey
: -*/|&^.
=/|^,:*&~!()[] -?."
Invalid hotkey.
"%s" requires at least %d parameter%s.
"%s" requires that parameter #%u be non-blank.
=/|^,:*&~!()[]"
=/|^,:*&~!()[] -?
Unsupported use of "."
=/|^,:*&~!()[] -?.
Unsupported parameter default.
HasKey
detecthiddenwindows
keydelay
subkey
thishotkey
priorhotkey
timesincethishotkey
timesincepriorhotkey
Unsupported use of "["
Too many parameters passed to function.
Too few parameters passed to function.
%s%s%s
%%%s%s%s
Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.
u:
if %s %s %s and %s
%s%s %s %s
For %s,%s in %s
%s (%d) : ==> %s
Specifically: %s
in #include file "%s"
%s%s:%s %-1.500s
Specifically: %-1.100s%s
Error at line %u
Line Text: %-1.100s%s
Local Variables for %s()%s
%sGlobal Variables (alphabetical)%s
Window: %s
Keybd hook: %s
Mouse hook: %s
Enabled Timers: %u of %u (%s)
Interrupted threads: %d%s
Paused threads: %d of %d (%d layers)
Modifiers (GetKeyState() now) = %s
Key History has been disabled via #KeyHistory 0.
System verbs unsupported with RunAs. The current thread will exit.
%s %s
.exe.bat.com.cmd.hta
Verb:
Action: %s
Params:
EndKey:
0xX
0xX
%sLeft
%sTop
%sRight
%sBottom
\AU3_Spy.exe"
%sAU3_Spy.exe"
\AutoHotkey.chm"
%sAutoHotkey.chm"
hh.exe
hXXp://VVV.autohotkey.com
Could not open URL hXXp://VVV.autohotkey.com in default browser.
SOFTWARE\AutoHotkey
AutoHotkey v1.0.92.02
set cdaudio door %s wait
open %s type cdaudio alias cd wait shareable
set cd door %s wait
\\.\%c:
Mixer Doesn't Support This Component Type
Component Doesn't Support This Control Type
open "%s" alias AHK_PlayMe
Select File - %s
%s%c%sÊll Files (*.*)%c*.*%c
All Files (*.*)
Text Documents (*.txt)
*.txt
1.0.92.02
\AutoHotkey.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Pos%s
Len%s
Pos%d
Len%d
Compile error %d at offset %d: %s
RunAs: Missing advapi32.dll. The current thread will exit.
0.0.0.0
InternetOpenUrlA
Select Folder - %s
%u.%u.%u.%u
0xX -
%s%ws
AutoHotkeyGUI
%dGui
Button%s
msctls_hotkey32
Report
Password
vkX
Supported only for the tray menu The current thread will exit.
&Suspend Hotkeys
dd
dddddd
GdiplusShutdown
The following %s name contains an illegal character:
"%-1.300s"%s
The maximum number of MsgBoxes has been reached.
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
Error text not found (please report)
Error text not found (please report)
WSOCK32.dll
WSOCK32.dll
WINMM.dll
WINMM.dll
VERSION.dll
VERSION.dll
COMCTL32.dll
COMCTL32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GetKeyboardLayout
GetKeyboardLayout
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
RegisterHotKey
RegisterHotKey
UnregisterHotKey
UnregisterHotKey
GetAsyncKeyState
GetAsyncKeyState
GetKeyboardState
GetKeyboardState
SetKeyboardState
SetKeyboardState
keybd_event
keybd_event
VkKeyScanExA
VkKeyScanExA
GetKeyNameTextA
GetKeyNameTextA
MapVirtualKeyA
MapVirtualKeyA
EnumChildWindows
EnumChildWindows
EnumWindows
EnumWindows
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
COMDLG32.dll
COMDLG32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegEnumKeyExA
RegEnumKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteExA
ShellExecuteExA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
zcÃ
zcÃ
-()[]{}:;'"/\,.?!
-()[]{}:;'"/\,.?!
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Office
%Documents and Settings%\%current user%\Application Data\Microsoft\Office
#%'''
#%'''
"%Â
"%Â
$-8GGhnsrr}
$-8GGhnsrr}
$-9GGggs}s
$-9GGggs}s
%Mgr.RhY4RfE5Qd:f
%Mgr.RhY4RfE5Qd:f
PAPADDINGXXPADDINGPADD
PAPADDINGXXPADDINGPADD
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\000CBB85_Rar\rundll32.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\000CBB85_Rar\rundll32.exe
rundll32.exe
rundll32.exe
%UzU_
%UzU_
hXXp://pelcpawel.fm.interia.pl/logos.gif
hXXp://pelcpawel.fm.interia.pl/logos.gif
hXXp://chicostara.com/logof.gif
hXXp://chicostara.com/logof.gif
hXXp://suewyllie.com/images/logos.gif
hXXp://suewyllie.com/images/logos.gif
hXXp://dewpoint-eg.com/images/logosa.gif
hXXp://dewpoint-eg.com/images/logosa.gif
hXXp://VVV.ceylanogullari.com/logof.gif
hXXp://VVV.ceylanogullari.com/logof.gif
hXXp://VVV.bluecubecreatives.com/logos.gif
hXXp://VVV.bluecubecreatives.com/logos.gif
hXXp://724hizmetgrup.com/images/logosa.gif
hXXp://724hizmetgrup.com/images/logosa.gif
hXXp://yavuztuncil.ya.funpic.de/images/logos.gif
hXXp://yavuztuncil.ya.funpic.de/images/logos.gif
hXXp://cevatpasa.com/images/logos.gif
hXXp://cevatpasa.com/images/logos.gif
4/images/logos.gif
4/images/logos.gif
uCo9%f
uCo9%f
%F`;O
%F`;O
hXXp://89.11
hXXp://89.11
.info/home.gifI
.info/home.gifI
W.text
W.text
L32.dll
L32.dll
^p.At%
^p.At%
rnl.exe?
rnl.exe?
= =$=(=,=0=4=8=
= =$=(=,=0=4=8=
rv:1.9.2.3)
rv:1.9.2.3)
.NEtCLR
.NEtCLR
.klkjw:9fqwiBu
.klkjw:9fqwiBu
f3a.sysB
f3a.sysB
D6c.pBTab
D6c.pBTab
drfig%s:*:
drfig%s:*:
0}.T&?%x=
0}.T&?%x=
~UrlA'W
~UrlA'W
\'Web%
\'Web%
HTTP)s'PJ
HTTP)s'PJ
o.ENHCD
o.ENHCD
KPCKwWEBWUPD
KPCKwWEBWUPD
>*?456789:;
>*?456789:;
!"#$%&'()* ,-./01230 0
!"#$%&'()* ,-./01230 0
MSVCRT.dll
MSVCRT.dll
WS2_32.dll
WS2_32.dll
[y$%f
[y$%f
0%s?\5
0%s?\5
mscoree.dll
mscoree.dll
nKERNEL32.DLL
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
&Lines most recently executed
&Lines most recently executed
&Hotkeys and their methods
&Hotkeys and their methods
&Key history and script info
&Key history and script info
&Web Site
&Web Site
rundll32.exe_1056_rwx_003C0000_00002000:
rundll32.exe_1056_rwx_003D0000_00001000:
rundll32.exe_1056_rwx_004AE000_00011000:
Explorer.EXE_532_rwx_00FF0000_00002000:
Explorer.EXE_532_rwx_01E00000_00001000:
Explorer.EXE_532_rwx_03CF0000_0108E000: