Worm.Generic.236153_9c635e7f73

September 13, 2021 14:21

Trojan.Win32.Agent2.kzo (Kaspersky), Worm.Generic.236153 (B) (Emsisoft), Worm.Generic.236153 (AdAware), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 9c635e7f73019be2d88b085a3e1834b8

SHA1: bff9af8042e6648dc39342b2c36e99e42ccff808

SHA256: bd4f996d409445fabbe29ec276d33664d862277cc6233b9a4b4eaa246b07586d

SSDeep: 12288:cDJcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:WJfty/wAvN7lrvbkf8w0VnH1/g/J/k

Size: 1033728 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6

Company: no certificate found

Created at: 2009-08-01 14:07:36

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Worm creates the following process(es):

taskkill.exe:868
taskkill.exe:556
sc.exe:1848
rundll32.exe:312
cacls.exe:1352

The Worm injects its code into the following process(es):

%original file name%.exe:1700

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process rundll32.exe:312 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

The process %original file name%.exe:1700 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

C:\ (4 bytes)
C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Perflib_Perfdata_2a4.dat (100 bytes)
%System%\m1846741.dll (11993590 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\Temp\Perflib_Perfdata_124.dat (100 bytes)
%WinDir% (384 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config (100 bytes)
%System%\drivers (96 bytes)
%WinDir%\s265006334.dll (22141543 bytes)
C:\1.exe (7385 bytes)

Registry activity

The process taskkill.exe:868 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 A6 BC 8C 92 BE D4 35 31 D4 F6 B9 97 05 2B BC"

The process taskkill.exe:556 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B FA 08 70 CB F0 8F BD E4 66 6B 88 AE A3 F2 BE"

The process sc.exe:1848 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 75 84 87 9D C1 9E 4E AD 22 6C 59 05 67 AD EA"

The process rundll32.exe:312 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 79 D1 D1 CE 7B 14 F5 C3 F4 37 E4 49 6C 32 61"

The process cacls.exe:1352 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 F2 64 E8 18 3D A5 FC 3C 30 48 A9 7F 51 3C 0B"

Dropped PE files

MD5	File path
87f9c7296489e829f375f37d3f4b2fe9	c:\WINDOWS\LastGood\system32\drivers\acpiec.sys
1fb22ba33d66c9159ebf0791af8a62e2	c:\WINDOWS\s265006334.dll
9859c0f6936e723e4892d7141b1327d5	c:\WINDOWS\system32\dllcache\acpiec.sys
87f9c7296489e829f375f37d3f4b2fe9	c:\WINDOWS\system32\drivers\OLDB4.tmp
601b3f2466bfa6989b9c7586b5ba54aa	c:\WINDOWS\system32\drivers\pcidump.sys
02e89dc27f4fffd23e1abc5e97d9fdfd	c:\WINDOWS\system32\m1846741.dll

HOSTS file anomalies

The Worm modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	v.onondown.com.cn
127.0.0.2	ymsdasdw1.cn
127.0.0.3	h96b.info
127.0.0.0	fuck.zttwp.cn
127.0.0.0	www.hackerbf.cn
127.0.0.0	geekbyfeng.cn
127.0.0.0	121.14.101.68
127.0.0.0	ppp.etimes888.com
127.0.0.0	www.bypk.com
127.0.0.0	CSC3-2004-crl.verisign.com
127.0.0.1	va9sdhun23.cn
127.0.0.0	udp.hjob123.com
127.0.0.2	bnasnd83nd.cn
127.0.0.0	www.gamehacker.com.cn
127.0.0.0	gamehacker.com.cn
127.0.0.3	adlaji.cn
127.0.0.1	858656.com
127.1.1.1	bnasnd83nd.cn
127.0.0.1	my123.com
127.0.0.0	user1.12-27.net
127.0.0.1	8749.com
127.0.0.0	fengent.cn
127.0.0.1	4199.com
127.0.0.1	user1.16-22.net
127.0.0.1	7379.com
127.0.0.1	2be37c5f.3f6e2cc5f0b.com
127.0.0.1	7255.com
127.0.0.1	user1.23-12.net
127.0.0.1	3448.com
127.0.0.1	www.guccia.net
127.0.0.1	7939.com
127.0.0.1	a.o1o1o1.nEt
127.0.0.1	8009.com
127.0.0.1	user1.12-73.cn
127.0.0.1	piaoxue.com
127.0.0.1	3n8nlasd.cn
127.0.0.1	kzdh.com
127.0.0.0	www.sony888.cn
127.0.0.1	about.blank.la
127.0.0.0	user1.asp-33.cn
127.0.0.1	6781.com
127.0.0.0	www.netkwek.cn
127.0.0.1	7322.com
127.0.0.0	ymsdkad6.cn
127.0.0.0	www.lkwueir.cn
127.0.0.1	06.jacai.com
127.0.1.1	user1.23-17.net
127.0.0.1	1.jopenkk.com
127.0.0.0	upa.luzhiai.net
127.0.0.1	1.jopenqc.com
127.0.0.0	www.guccia.net
127.0.0.1	1.joppnqq.com
127.0.0.0	4m9mnlmi.cn
127.0.0.1	1.xqhgm.com
127.0.0.0	mm119mkssd.cn
127.0.0.1	100.332233.com
127.0.0.0	61.128.171.115:8080
127.0.0.1	121.11.90.79
127.0.0.0	www.1119111.com
127.0.0.1	121565.net
127.0.0.0	win.nihao69.cn
127.0.0.1	125.90.88.38
127.0.0.1	16888.6to23.com
127.0.0.1	2.joppnqq.com
127.0.0.0	puc.lianxiac.net
127.0.0.1	204.177.92.68
127.0.0.0	pud.lianxiac.net
127.0.0.1	210.74.145.236
127.0.0.0	210.76.0.133
127.0.0.1	219.129.239.220
127.0.0.0	61.166.32.2
127.0.0.1	219.153.40.221
127.0.0.0	218.92.186.27
127.0.0.1	219.153.46.27
127.0.0.0	www.fsfsfag.cn
127.0.0.1	219.153.52.123
127.0.0.0	ovo.ovovov.cn
127.0.0.1	221.195.42.71
127.0.0.0	dw.com.com
127.0.0.1	222.73.218.115
127.0.0.1	203.110.168.233:80
127.0.0.1	3.joppnqq.com
127.0.0.1	203.110.168.221:80
127.0.0.1	363xx.com
127.0.0.1	www1.ip10086.com.cm
127.0.0.1	4199.com
127.0.0.1	blog.ip10086.com.cn
127.0.0.1	43242.com
127.0.0.1	www.ccji68.cn
127.0.0.1	5.xqhgm.com
127.0.0.0	t.myblank.cn
127.0.0.1	520.mm5208.com
127.0.0.0	x.myblank.cn
127.0.0.1	59.34.131.54
127.0.0.1	210.51.45.5
127.0.0.1	59.34.198.228
127.0.0.1	www.ew1q.cn
127.0.0.1	59.34.198.88
127.0.0.1	59.34.198.97
127.0.0.1	60.190.114.101
127.0.0.1	60.190.218.34
127.0.0.0	qq-xing.com.cn
127.0.0.1	60.191.124.252
127.0.0.1	61.145.117.212
127.0.0.1	61.157.109.222
127.0.0.1	75.126.3.216
127.0.0.1	75.126.3.217
127.0.0.1	75.126.3.218
127.0.0.0	59.125.231.177:17777
127.0.0.1	75.126.3.220
127.0.0.1	75.126.3.221
127.0.0.1	75.126.3.222
127.0.0.1	772630.com
127.0.0.1	832823.cn
127.0.0.1	8749.com
127.0.0.1	888.jopenqc.com
127.0.0.1	89382.cn
127.0.0.1	8v8.biz
127.0.0.1	97725.com
127.0.0.1	9gg.biz
127.0.0.1	www.9000music.com
127.0.0.1	test.591jx.com
127.0.0.1	a.topxxxx.cn
127.0.0.1	picon.chinaren.com
127.0.0.1	www.5566.net
127.0.0.1	p.qqkx.com
127.0.0.1	news.netandtv.com
127.0.0.1	z.neter888.cn
127.0.0.1	b.myblank.cn
127.0.0.1	wvw.wokutu.com
127.0.0.1	unionch.qyule.com
127.0.0.1	www.qyule.com
127.0.0.1	it.itjc.cn
127.0.0.1	www.linkwww.com
127.0.0.1	vod.kaicn.com
127.0.0.1	www.tx8688.com
127.0.0.1	b.neter888.cn
127.0.0.1	promote.huanqiu.com
127.0.0.1	www.huanqiu.com
127.0.0.1	www.haokanla.com
127.0.0.1	play.unionsky.cn
127.0.0.1	www.52v.com
127.0.0.1	www.gghka.cn
127.0.0.1	icon.ajiang.net
127.0.0.1	new.ete.cn
127.0.0.1	www.stiae.cn
127.0.0.1	o.neter888.cn
127.0.0.1	comm.jinti.com
127.0.0.1	www.google-analytics.com
127.0.0.1	hz.mmstat.com
127.0.0.1	www.game175.cn
127.0.0.1	x.neter888.cn
127.0.0.1	z.neter888.cn
127.0.0.1	p.etimes888.com
127.0.0.1	hx.etimes888.com
127.0.0.1	abc.qqkx.com
127.0.0.1	dm.popdm.cn
127.0.0.1	www.yl9999.com
127.0.0.1	www.dajiadoushe.cn
127.0.0.1	v.onondown.com.cn
127.0.0.1	www.interoo.net
127.0.0.1	bally1.bally-bally.net
127.0.0.1	www.bao5605509.cn
127.0.0.1	www.rty456.cn
127.0.0.1	www.werqwer.cn
127.0.0.1	1.360-1.cn
127.0.0.1	user1.23-16.net
127.0.0.1	www.guccia.net
127.0.0.1	www.interoo.net
127.0.0.1	upa.netsool.net
127.0.0.1	js.users.51.la
127.0.0.1	vip2.51.la
127.0.0.1	web.51.la
127.0.0.1	qq.gong2008.com
127.0.0.1	2008tl.copyip.com
127.0.0.1	tla.laozihuolaile.cn
127.0.0.1	www.tx6868.cn
127.0.0.1	p001.tiloaiai.com
127.0.0.1	s1.tl8tl.com
127.0.0.1	s1.gong2008.com
127.0.0.1	4b3ce56f9g.3f6e2cc5f0b.com

Rootkit activity

The Worm installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the Worm substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:868
taskkill.exe:556
sc.exe:1848
rundll32.exe:312
cacls.exe:1352
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:
%System%\drivers\acpiec.sys (14 bytes)
C:\autorun.inf (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Perflib_Perfdata_2a4.dat (100 bytes)
%System%\m1846741.dll (11993590 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir%\Temp\Perflib_Perfdata_124.dat (100 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config (100 bytes)
%WinDir%\s265006334.dll (22141543 bytes)
C:\1.exe (7385 bytes)
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 5.1.2600.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: CALC.EXE
Internal Name: CALC
File Version: 5.1.2600.0 (xpclient.010817-1148)
File Description: Windows Calculator application file
Comments:
Language: English (United Kingdom)

Company Name: Microsoft CorporationProduct Name: Microsoft(R) Windows(R) Operating SystemProduct Version: 5.1.2600.0Legal Copyright: (C) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: CALC.EXEInternal Name: CALCFile Version: 5.1.2600.0 (xpclient.010817-1148)File Description: Windows Calculator application fileComments: Language: English (United Kingdom)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	65536	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	69632	28672	28672	5.46451	51a5a7d9fc901bb9f305f0c864ffec2c
.rsrc	98304	4096	2048	1.91628	f14c5bb69cc1cc95b5f1cf5b0c1cd532

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
e59e813e8662d81d7bcc84869fa63890

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1700:

`.rsrc

`.rsrc

%s\s%d

%s\s%d

32.exe

32.exe

:%dm^`[

:%dm^`[

%s\s%d%d.dll

%s\s%d%d.dll

rundll32.exe %s, droqp

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

%s\system32\m%d%d.dll

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\temp\explorer.exe

\drivers\gm.dls

\drivers\gm.dls

explorer.exe

explorer.exe

[ffi][nil:>:,::mn^::K

[ffi][nil:>:,::mn^::K

,1(*(*(

,1(*(*(

,1(*(*(,

,1(*(*(,

,1(*(*(-

,1(*(*(-

,1(*(*(*

,1(*(*(*

, ( .( * (02

, ( .( * (02

,1( ( (

,1( ( (

,1(*( (

,1(*( (

0 ( ,2( 1 ( /42*2*

0 ( ,2( 1 ( /42*2*

, ( (3*(13

, ( (3*(13

,/(3*(22(-2

,/(3*(22(-2

,*.( 11(3,(02

,*.( 11(3,(02

, *(1.( ./(,-0

, *(1.( ./(,-0

, *(10(*( --

, *(10(*( --

, 3( ,3(,-3(,,*

, 3( ,3(,-3(,,*

0 ( 00(-,(,

0 ( 00(-,(,

, 3( /-(.*(,,

, 3( /-(.*(,,

, 2(3,( 20(,1

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

, 3( /-(/,( ,-

,, ( 3/(.,(1

,, ( 3/(.,(1

,,,(1-(, 2( /

,,,(1-(, 2( /

,*-( *( 02(,--42*

,*-( *( 02(,--42*

,*-( *( 02(,, 42*

,*-( *( 02(,, 42*

/3(-.( - (/.

/3(-.( - (/.

, *(/ (./(/

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(22

/3(-.( 32(31

/3(-.( 32(31

0*( 3*( .( *

0*( 3*( .( *

0*( 3*(, 2(-.

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0*( 3 ( ,.(,/,

0 ( ./( 1(, ,

0 ( ./( 1(, ,

0 ( /1( *3(,,,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 1

1/( ,0(-(, 2

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,,*

1/( ,0(-(,,

1/( ,0(-(,,

1/( ,0(-(,,,

1/( ,0(-(,,,

Ci>_f_n_Msg\ifc]Fche

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

windows

webtrap

webtrap

WEBSCANX

WEBSCANX

WEBSCAN

WEBSCAN

smtpsvc

smtpsvc

safeweb

safeweb

Kabackreport

Kabackreport

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

o.lxQSxQJ3b

o.lxQSxQJ3b

7%D%m

7%D%m

B`.rdha

B`.rdha

KERNEL32.DLL

KERNEL32.DLL

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

Windows Calculator application file

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

CALC.EXE

Microsoft(R) Windows(R) Operating System

Microsoft(R) Windows(R) Operating System

5.1.2600.0

5.1.2600.0

%original file name%.exe_1700_rwx_00401000_00016000:

%s\s%d%d.dll

%s\s%d%d.dll

rundll32.exe %s, droqp

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

%s\system32\m%d%d.dll

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\temp\explorer.exe

\drivers\gm.dls

\drivers\gm.dls

explorer.exe

explorer.exe

[ffi][nil:>:,::mn^::K

[ffi][nil:>:,::mn^::K

,1(*(*(

,1(*(*(

,1(*(*(,

,1(*(*(,

,1(*(*(-

,1(*(*(-

,1(*(*(*

,1(*(*(*

, ( .( * (02

, ( .( * (02

,1( ( (

,1( ( (

,1(*( (

,1(*( (

0 ( ,2( 1 ( /42*2*

0 ( ,2( 1 ( /42*2*

, ( (3*(13

, ( (3*(13

,/(3*(22(-2

,/(3*(22(-2

,*.( 11(3,(02

,*.( 11(3,(02

, *(1.( ./(,-0

, *(1.( ./(,-0

, *(10(*( --

, *(10(*( --

, 3( ,3(,-3(,,*

, 3( ,3(,-3(,,*

0 ( 00(-,(,

0 ( 00(-,(,

, 3( /-(.*(,,

, 3( /-(.*(,,

, 2(3,( 20(,1

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

, 3( /-(/,( ,-

,, ( 3/(.,(1

,, ( 3/(.,(1

,,,(1-(, 2( /

,,,(1-(, 2( /

,*-( *( 02(,--42*

,*-( *( 02(,--42*

,*-( *( 02(,, 42*

,*-( *( 02(,, 42*

/3(-.( - (/.

/3(-.( - (/.

, *(/ (./(/

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(22

/3(-.( 32(31

/3(-.( 32(31

0*( 3*( .( *

0*( 3*( .( *

0*( 3*(, 2(-.

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0*( 3 ( ,.(,/,

0 ( ./( 1(, ,

0 ( ./( 1(, ,

0 ( /1( *3(,,,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 1

1/( ,0(-(, 2

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,,*

1/( ,0(-(,,

1/( ,0(-(,,

1/( ,0(-(,,,

1/( ,0(-(,,,

Ci>_f_n_Msg\ifc]Fche

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

windows

webtrap

webtrap

WEBSCANX

WEBSCANX

WEBSCAN

WEBSCAN

smtpsvc

smtpsvc

safeweb

safeweb

Kabackreport

Kabackreport

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

o.lxQSxQJ3b

o.lxQSxQJ3b

7%D%m

7%D%m

%original file name%.exe_1700_rwx_10000000_00001000:

.data

.data

.rsrc

.rsrc

@.reloc

@.reloc

psapi.dll

psapi.dll

\patch.exe

\patch.exe

\dstdisk.exe

\dstdisk.exe

\defence.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\\.\pcidump

\drivers\gm.dls

\drivers\gm.dls

Windows

Windows

1.exe

1.exe

autorun.inf

autorun.inf

Open=1.exe

Open=1.exe

urlmon

urlmon

\setup.exe

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

?mac=%s&ver=%s&key=%d&os=windows

.html

.html

.hhqg

.hhqg

qq.exe

qq.exe

360safe.exe

360safe.exe

\explorer.exe

\explorer.exe

\temp\explorer.exe

\temp\explorer.exe

nfect_exe

nfect_exe

rundll32.exe_312:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s

%original file name%.exe_1700_rwx_10005000_00001000:

\??\c:\%original file name%.exe

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

ers\gm.dls

WinExec

WinExec

CreatePipe

CreatePipe

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

InternetOpenUrlA

InternetOpenUrlA

WININET.dll

WININET.dll