Skip to main content

DeepScan.Generic.Malware.PTk.DC788440_b716fb5b5e


Trojan-Dropper.Win32.Agent.axza (Kaspersky), Win32.Worm.Autorun.TD (B) (Emsisoft), DeepScan:Generic.Malware.P!Tk.DC788440 (AdAware), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, WormAutorun, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: b716fb5b5e0ecd14fb839d4d27875601

SHA1: 2862d3c66bdbfb75eac0773da77b56d5e12a93f1

SHA256: 15d5da5c700d8e17a02cf3cb1904215a7b406125219468af3b3b3c6d10b74a8d

SSDeep: 768:s4o oy/qdgQFXfxtaw8E4RYphsyN9AEVCteAe:kbyiiQB5r8E2 AjeAe

Size: 37888 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6

Company:

Created at: 2009-07-25 18:30:12

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The DeepScan creates the following process(es):

taskkill.exe:504
taskkill.exe:744
taskkill.exe:1764
sc.exe:1144
rundll32.exe:2008
cacls.exe:1336

The DeepScan injects its code into the following process(es):

%original file name%.exe:368

Mutexes

The following mutexes were created/opened:

RasPbFileWininetProxyRegistryMutexc:!documents and settings!adm!local settings!history!history.ie5!WininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexDBWinMutexShimCacheMutex135896

File activity

The process %original file name%.exe:368 makes changes in the file system.


The DeepScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10A8YH0M\desktop.ini (67 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0SRP20XU\desktop.ini (67 bytes)
C:\autorun.inf (21 bytes)
%System%\m1846741.dll (12169462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V7JJDNL4\desktop.ini (67 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir% (384 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\94S2IMRP\desktop.ini (67 bytes)
%System% (744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\config (100 bytes)
%System%\drivers (96 bytes)
%WinDir%\s265006334.dll (35485887 bytes)
C:\1.exe (37 bytes)

The process rundll32.exe:2008 makes changes in the file system.


The DeepScan creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (14 bytes)

Registry activity

The process taskkill.exe:504 makes changes in the system registry.


The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 11 BC C7 61 61 E7 2C 13 31 AC 36 38 11 24 E8"

The process taskkill.exe:744 makes changes in the system registry.


The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C E1 C4 B7 A3 52 FD F5 84 B1 79 5E 56 2E 50 44"

The process taskkill.exe:1764 makes changes in the system registry.


The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 49 62 01 9C 06 C0 5B CF B7 F5 33 E6 7F C1 39"

The process sc.exe:1144 makes changes in the system registry.


The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 35 4D 48 51 80 C1 C9 18 F6 BC E5 FC 88 CF 09"

The process rundll32.exe:2008 makes changes in the system registry.


The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 5A 2B 36 60 61 86 EA A3 42 48 57 EE 97 46 55"

The process cacls.exe:1336 makes changes in the system registry.


The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 EF E8 C7 13 09 BE 1D 37 7D 9F 18 E3 97 83 99"

Dropped PE files

MD5 File path
47ce67ae447dba7ca7349f53812e9f89c:\WINDOWS\LastGood\system32\drivers\acpiec.sys
e5c13e37ada96e76677362a5e870ee7dc:\WINDOWS\s265006334.dll
9859c0f6936e723e4892d7141b1327d5c:\WINDOWS\system32\dllcache\acpiec.sys
47ce67ae447dba7ca7349f53812e9f89c:\WINDOWS\system32\drivers\OLD7F.tmp
601b3f2466bfa6989b9c7586b5ba54aac:\WINDOWS\system32\drivers\pcidump.sys
3e3b8a35aefc6e462746d6689348fa7ec:\WINDOWS\system32\m1846741.dll

HOSTS file anomalies

The DeepScan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1v.onondown.com.cn
127.0.0.2ymsdasdw1.cn
127.0.0.3h96b.info
127.0.0.0fuck.zttwp.cn
127.0.0.0www.hackerbf.cn
127.0.0.0geekbyfeng.cn
127.0.0.0121.14.101.68
127.0.0.0ppp.etimes888.com
127.0.0.0www.bypk.com
127.0.0.0CSC3-2004-crl.verisign.com
127.0.0.1va9sdhun23.cn
127.0.0.0udp.hjob123.com
127.0.0.2bnasnd83nd.cn
127.0.0.0www.gamehacker.com.cn
127.0.0.0gamehacker.com.cn
127.0.0.3adlaji.cn
127.0.0.1858656.com
127.1.1.1bnasnd83nd.cn
127.0.0.1my123.com
127.0.0.0user1.12-27.net
127.0.0.18749.com
127.0.0.0fengent.cn
127.0.0.14199.com
127.0.0.1user1.16-22.net
127.0.0.17379.com
127.0.0.12be37c5f.3f6e2cc5f0b.com
127.0.0.17255.com
127.0.0.1user1.23-12.net
127.0.0.13448.com
127.0.0.1www.guccia.net
127.0.0.17939.com
127.0.0.1a.o1o1o1.nEt
127.0.0.18009.com
127.0.0.1user1.12-73.cn
127.0.0.1piaoxue.com
127.0.0.13n8nlasd.cn
127.0.0.1kzdh.com
127.0.0.0www.sony888.cn
127.0.0.1about.blank.la
127.0.0.0user1.asp-33.cn
127.0.0.16781.com
127.0.0.0www.netkwek.cn
127.0.0.17322.com
127.0.0.0ymsdkad6.cn
127.0.0.0www.lkwueir.cn
127.0.0.106.jacai.com
127.0.1.1user1.23-17.net
127.0.0.11.jopenkk.com
127.0.0.0upa.luzhiai.net
127.0.0.11.jopenqc.com
127.0.0.0www.guccia.net
127.0.0.11.joppnqq.com
127.0.0.04m9mnlmi.cn
127.0.0.11.xqhgm.com
127.0.0.0mm119mkssd.cn
127.0.0.1100.332233.com
127.0.0.061.128.171.115:8080
127.0.0.1121.11.90.79
127.0.0.0www.1119111.com
127.0.0.1121565.net
127.0.0.0win.nihao69.cn
127.0.0.1125.90.88.38
127.0.0.116888.6to23.com
127.0.0.12.joppnqq.com
127.0.0.0puc.lianxiac.net
127.0.0.1204.177.92.68
127.0.0.0pud.lianxiac.net
127.0.0.1210.74.145.236
127.0.0.0210.76.0.133
127.0.0.1219.129.239.220
127.0.0.061.166.32.2
127.0.0.1219.153.40.221
127.0.0.0218.92.186.27
127.0.0.1219.153.46.27
127.0.0.0www.fsfsfag.cn
127.0.0.1219.153.52.123
127.0.0.0ovo.ovovov.cn
127.0.0.1221.195.42.71
127.0.0.0dw.com.com
127.0.0.1222.73.218.115
127.0.0.1203.110.168.233:80
127.0.0.13.joppnqq.com
127.0.0.1203.110.168.221:80
127.0.0.1363xx.com
127.0.0.1www1.ip10086.com.cm
127.0.0.14199.com
127.0.0.1blog.ip10086.com.cn
127.0.0.143242.com
127.0.0.1www.ccji68.cn
127.0.0.15.xqhgm.com
127.0.0.0t.myblank.cn
127.0.0.1520.mm5208.com
127.0.0.0x.myblank.cn
127.0.0.159.34.131.54
127.0.0.1210.51.45.5
127.0.0.159.34.198.228
127.0.0.1www.ew1q.cn
127.0.0.159.34.198.88
127.0.0.159.34.198.97
127.0.0.160.190.114.101
127.0.0.160.190.218.34
127.0.0.0qq-xing.com.cn
127.0.0.160.191.124.252
127.0.0.161.145.117.212
127.0.0.161.157.109.222
127.0.0.175.126.3.216
127.0.0.175.126.3.217
127.0.0.175.126.3.218
127.0.0.059.125.231.177:17777
127.0.0.175.126.3.220
127.0.0.175.126.3.221
127.0.0.175.126.3.222
127.0.0.1772630.com
127.0.0.1832823.cn
127.0.0.18749.com
127.0.0.1888.jopenqc.com
127.0.0.189382.cn
127.0.0.18v8.biz
127.0.0.197725.com
127.0.0.19gg.biz
127.0.0.1www.9000music.com
127.0.0.1test.591jx.com
127.0.0.1a.topxxxx.cn
127.0.0.1picon.chinaren.com
127.0.0.1www.5566.net
127.0.0.1p.qqkx.com
127.0.0.1news.netandtv.com
127.0.0.1z.neter888.cn
127.0.0.1b.myblank.cn
127.0.0.1wvw.wokutu.com
127.0.0.1unionch.qyule.com
127.0.0.1www.qyule.com
127.0.0.1it.itjc.cn
127.0.0.1www.linkwww.com
127.0.0.1vod.kaicn.com
127.0.0.1www.tx8688.com
127.0.0.1b.neter888.cn
127.0.0.1promote.huanqiu.com
127.0.0.1www.huanqiu.com
127.0.0.1www.haokanla.com
127.0.0.1play.unionsky.cn
127.0.0.1www.52v.com
127.0.0.1www.gghka.cn
127.0.0.1icon.ajiang.net
127.0.0.1new.ete.cn
127.0.0.1www.stiae.cn
127.0.0.1o.neter888.cn
127.0.0.1comm.jinti.com
127.0.0.1www.google-analytics.com
127.0.0.1hz.mmstat.com
127.0.0.1www.game175.cn
127.0.0.1x.neter888.cn
127.0.0.1z.neter888.cn
127.0.0.1p.etimes888.com
127.0.0.1hx.etimes888.com
127.0.0.1abc.qqkx.com
127.0.0.1dm.popdm.cn
127.0.0.1www.yl9999.com
127.0.0.1www.dajiadoushe.cn
127.0.0.1v.onondown.com.cn
127.0.0.1www.interoo.net
127.0.0.1bally1.bally-bally.net
127.0.0.1www.bao5605509.cn
127.0.0.1www.rty456.cn
127.0.0.1www.werqwer.cn
127.0.0.11.360-1.cn
127.0.0.1user1.23-16.net
127.0.0.1www.guccia.net
127.0.0.1www.interoo.net
127.0.0.1upa.netsool.net
127.0.0.1js.users.51.la
127.0.0.1vip2.51.la
127.0.0.1web.51.la
127.0.0.1qq.gong2008.com
127.0.0.12008tl.copyip.com
127.0.0.1tla.laozihuolaile.cn
127.0.0.1www.tx6868.cn
127.0.0.1p001.tiloaiai.com
127.0.0.1s1.tl8tl.com
127.0.0.1s1.gong2008.com
127.0.0.14b3ce56f9g.3f6e2cc5f0b.com


Rootkit activity

The DeepScan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the DeepScan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the DeepScan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    taskkill.exe:504
    taskkill.exe:744
    taskkill.exe:1764
    sc.exe:1144
    rundll32.exe:2008
    cacls.exe:1336

  3. Delete the original DeepScan file.
  4. Delete or disinfect the following files created/modified by the DeepScan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10A8YH0M\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0SRP20XU\desktop.ini (67 bytes)
    C:\autorun.inf (21 bytes)
    %System%\m1846741.dll (12169462 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\V7JJDNL4\desktop.ini (67 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
    %System%\drivers\etc\hosts (5 bytes)
    %System%\drivers\pcidump.sys (5404535 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\94S2IMRP\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\config (100 bytes)
    %WinDir%\s265006334.dll (35485887 bytes)
    C:\1.exe (37 bytes)
    %System%\drivers\acpiec.sys (14 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 5.1.2600.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: CALC.EXE
Internal Name: CALC
File Version: 5.1.2600.0 (xpclient.010817-1148)
File Description: Windows Calculator application file
Comments:
Language: English (United States)

Company Name: Microsoft CorporationProduct Name: Microsoft(R) Windows(R) Operating SystemProduct Version: 5.1.2600.0Legal Copyright: (C) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: CALC.EXEInternal Name: CALCFile Version: 5.1.2600.0 (xpclient.010817-1148)File Description: Windows Calculator application fileComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX040968601600d41d8cd98f00b204e9800998ecf8427e
UPX19011236864348165.46762f1bba76e65088c04ba69ed62b67d8c64
.rsrc126976409620481.919250b2c49604cc338a65a6b41dff3b6d7f9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
24e75bde7d18226edd597ae697d87e7e

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The DeepScan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_368:

`.rsrc

`.rsrc

%s\s%d

%s\s%d

32.exe m

32.exe m

:%dm^`[

:%dm^`[

%s\s%d%d.dll

%s\s%d%d.dll

rundll32.exe %s, droqp

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\temp\explorer.exe

\drivers\gm.dls

\drivers\gm.dls

explorer.exe

explorer.exe

[ffi][nil:>:,::mn^::K

[ffi][nil:>:,::mn^::K

,1(*(*(

,1(*(*(

,1(*(*(,

,1(*(*(,

,1(*(*(-

,1(*(*(-

,1(*(*(*

,1(*(*(*

, ( .( * (02

, ( .( * (02

,1( ( (

,1( ( (

,1(*( (

,1(*( (

0 ( ,2( 1 ( /42*2*

0 ( ,2( 1 ( /42*2*

, ( (3*(13

, ( (3*(13

,/(3*(22(-2

,/(3*(22(-2

,*.( 11(3,(02

,*.( 11(3,(02

, *(1.( ./(,-0

, *(1.( ./(,-0

, *(10(*( --

, *(10(*( --

, 3( ,3(,-3(,,*

, 3( ,3(,-3(,,*

0 ( 00(-,(,

0 ( 00(-,(,

, 3( /-(.*(,,

, 3( /-(.*(,,

, 2(3,( 20(,1

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

, 3( /-(/,( ,-

,, ( 3/(.,(1

,, ( 3/(.,(1

,,,(1-(, 2( /

,,,(1-(, 2( /

,*-( *( 02(,--42*

,*-( *( 02(,--42*

,*-( *( 02(,, 42*

,*-( *( 02(,, 42*

/3(-.( - (/.

/3(-.( - (/.

, *(/ (./(/

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(22

/3(-.( 32(31

/3(-.( 32(31

0*( 3*( .( *

0*( 3*( .( *

0*( 3*(, 2(-.

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0*( 3 ( ,.(,/,

0 ( ./( 1(, ,

0 ( ./( 1(, ,

0 ( /1( *3(,,,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 1

1/( ,0(-(, 2

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,,*

1/( ,0(-(,,

1/( ,0(-(,,

1/( ,0(-(,,,

1/( ,0(-(,,,

3-3?3\3{3

3-3?3\3{3

/!/-/6/`0~0

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

windows

webtrap

webtrap

WEBSCANX

WEBSCANX

WEBSCAN

WEBSCAN

smtpsvc

smtpsvc

safeweb

safeweb

Kabackreport

Kabackreport

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

.CJ66

.CJ66

aMSg3u

aMSg3u

O`.rdha

O`.rdha

KERNEL32.DLL

KERNEL32.DLL

MSVCRT.dll

MSVCRT.dll

SHELL32.dll

SHELL32.dll

Windows Calculator application file

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

CALC.EXE

Microsoft(R) Windows(R) Operating System

Microsoft(R) Windows(R) Operating System

5.1.2600.0

5.1.2600.0

%original file name%.exe_368_rwx_00401000_0001D000:

%s\s%d%d.dll

%s\s%d%d.dll

rundll32.exe %s, droqp

rundll32.exe %s, droqp

%s\system32\m%d%d.dll

%s\system32\m%d%d.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cacls %s /e /p everyone:f

cacls %s /e /p everyone:f

cacls "%s" /e /p everyone:f

cacls "%s" /e /p everyone:f

\temp\explorer.exe

\temp\explorer.exe

\drivers\gm.dls

\drivers\gm.dls

explorer.exe

explorer.exe

[ffi][nil:>:,::mn^::K

[ffi][nil:>:,::mn^::K

,1(*(*(

,1(*(*(

,1(*(*(,

,1(*(*(,

,1(*(*(-

,1(*(*(-

,1(*(*(*

,1(*(*(*

, ( .( * (02

, ( .( * (02

,1( ( (

,1( ( (

,1(*( (

,1(*( (

0 ( ,2( 1 ( /42*2*

0 ( ,2( 1 ( /42*2*

, ( (3*(13

, ( (3*(13

,/(3*(22(-2

,/(3*(22(-2

,*.( 11(3,(02

,*.( 11(3,(02

, *(1.( ./(,-0

, *(1.( ./(,-0

, *(10(*( --

, *(10(*( --

, 3( ,3(,-3(,,*

, 3( ,3(,-3(,,*

0 ( 00(-,(,

0 ( 00(-,(,

, 3( /-(.*(,,

, 3( /-(.*(,,

, 2(3,( 20(,1

, 2(3,( 20(,1

, 3( /-(.0(,1

, 3( /-(.0(,1

, 3( /-(/,( ,-

, 3( /-(/,( ,-

,, ( 3/(.,(1

,, ( 3/(.,(1

,,,(1-(, 2( /

,,,(1-(, 2( /

,*-( *( 02(,--42*

,*-( *( 02(,--42*

,*-( *( 02(,, 42*

,*-( *( 02(,, 42*

/3(-.( - (/.

/3(-.( - (/.

, *(/ (./(/

, *(/ (./(/

/3(-.( 32(,,2

/3(-.( 32(,,2

/3(-.( 32(22

/3(-.( 32(22

/3(-.( 32(31

/3(-.( 32(31

0*( 3*( .( *

0*( 3*( .( *

0*( 3*(, 2(-.

0*( 3*(, 2(-.

0*( 3 ( ,.(,/,

0*( 3 ( ,.(,/,

0 ( ./( 1(, ,

0 ( ./( 1(, ,

0 ( /1( *3(,,,

0 ( /1( *3(,,,

1/( ,0(-(, 0

1/( ,0(-(, 0

1/( ,0(-(, 1

1/( ,0(-(, 1

1/( ,0(-(, 2

1/( ,0(-(, 2

/3( ,/(,- ( 114 1111

/3( ,/(,- ( 114 1111

1/( ,0(-(,,*

1/( ,0(-(,,*

1/( ,0(-(,,

1/( ,0(-(,,

1/( ,0(-(,,,

1/( ,0(-(,,,

3-3?3\3{3

3-3?3\3{3

/!/-/6/`0~0

/!/-/6/`0~0

Ci>_f_n_Msg\ifc]Fche

Ci>_f_n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

windows

windows

webtrap

webtrap

WEBSCANX

WEBSCANX

WEBSCAN

WEBSCAN

smtpsvc

smtpsvc

safeweb

safeweb

Kabackreport

Kabackreport

WinExec

WinExec

GetWindowsDirectoryA

GetWindowsDirectoryA

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

.CJ66

.CJ66

aMSg3u

aMSg3u

%original file name%.exe_368_rwx_10000000_00001000:

.data

.data

.rsrc

.rsrc

@.reloc

@.reloc

psapi.dll

psapi.dll

\patch.exe

\patch.exe

\dstdisk.exe

\dstdisk.exe

\defence.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\\.\pcidump

\drivers\gm.dls

\drivers\gm.dls

%s%d.txt

%s%d.txt

>>tmp.tmp

>>tmp.tmp

@echo rcx>>tmp.tmp

@echo rcx>>tmp.tmp

@echo %X>>tmp.tmp

@echo %X>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo n tmp2>>tmp.tmp

@echo w>>tmp.tmp

@echo w>>tmp.tmp

@echo q>>tmp.tmp

@echo q>>tmp.tmp

@debugnul

@debugnul

@rename tmp2 tmp2.exe

@rename tmp2 tmp2.exe

tmp2.exe

tmp2.exe

Windows

Windows

1.exe

1.exe

autorun.inf

autorun.inf

Open=1.exe

Open=1.exe

urlmon

urlmon

\setup.exe

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

?mac=%s&ver=%s&key=%d&os=windows

.html

.html

.hhqg

.hhqg

qq.exe

qq.exe

360safe.exe

360safe.exe

\explorer.exe

\explorer.exe

\temp\explorer.exe

\temp\explorer.exe

nfect_exe

nfect_exe

\pipe\browser

\pipe\browser

\\%s\IPC$

\\%s\IPC$

Bd

Bd

%original file name%.exe_368_rwx_1000A000_00002000:

\??\c:\%original file name%.exe

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

ers\gm.dls

WinExec

WinExec

CreatePipe

CreatePipe

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

WS2_32.dll

WS2_32.dll

InternetOpenUrlA

InternetOpenUrlA

WININET.dll

WININET.dll

rundll32.exe_2008:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s