Susp_Dropper (Kaspersky), Gen:Variant.Kazy.18560 (B) (Emsisoft), Gen:Variant.Kazy.18560 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b38b846f0295c18d82d82937f1cdb675
SHA1: 2a806048375d670a362249af42a7b23a12eaf180
SHA256: 71e9dc62d9341042fac17618637b862d592ab3150a3f20d076231cc6ea9faedf
SSDeep: 12288:FwiBBcJjPtR5tJv5YtZsvCO2z5OlfKLp5 vTimSiwiE:ZmJhR1v2tyaRcmme9iwi
Size: 624128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1500
The Trojan injects its code into the following process(es):
%original file name%.exe:1876
Explorer.EXE:880
Mutexes
The following mutexes were created/opened:
DBWinMutex
ShimCacheMutex
YCS0mRtQ316KAENA_HOOK
RasPbFile
File activity
The process %original file name%.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\srtserv\set.dat (638 bytes)
%Documents and Settings%\All Users\Application Data\srtserv\sdata.dll (23 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\srtserv\set.dat (0 bytes)
The process %original file name%.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe (4185 bytes)
Registry activity
The process %original file name%.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1" = "%original file name%.exe"
"Value2" = "1876"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 0D 4C 61 5C 26 00 79 96 FD 66 4A 20 6F 47 58"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 32 8F C6 A0 CD 87 43 AF 8C 42 6D 52 08 9E 93"
Dropped PE files
MD5 | File path |
---|---|
03728900440b890fab1e64c5764d20eb | c:\Documents and Settings\All Users\Application Data\srtserv\sdata.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1500
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\srtserv\set.dat (638 bytes)
%Documents and Settings%\All Users\Application Data\srtserv\sdata.dll (23 bytes)
%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe (4185 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 465004 | 465408 | 5.47981 | b85f84b61bd2ae66e32c31434f14347f |
DATA | 471040 | 7768 | 8192 | 5.18327 | 48cad813c5fbb74711826ee7d2631e1e |
BSS | 479232 | 5625 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 487424 | 9284 | 9728 | 5.31958 | 30bad7627271bfce2cda397bb6115688 |
.tls | 499712 | 16 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 503808 | 24 | 512 | 0.139033 | ce816691f22b5c3afac0e8853257800d |
.rsrc | 507904 | 79368 | 79872 | 5.48097 | 3f445931b463642f12a52440d66f3e64 |
.idata | 589824 | 4096 | 512 | 0.676778 | 391185fc7c811b7961a49211af83fac9 |
.text | 593920 | 4096 | 4096 | 2.53276 | 82ebad904da2bbe4f3af98469295ffe2 |
.rsrc | 598016 | 131072 | 54784 | 4.67426 | 8e6aa7c317997e1595aa6591f6f91282 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
b005f74876a73ff79858a348e864b65e
Network Activity
URLs
URL | IP |
---|---|
hxxp://24stat.ru/data/setx.txt | 148.251.36.54 |
hxxp://elefant.ru/data/setx.txt | 213.189.197.6 |
hxxp://d3e7f6a9.110mb.com/setx.txt | |
hxxp://feddcdda.yourfreehosting.net/setx.txt | 72.52.4.120 |
hxxp://afa8ae84.h18.ru/setx.txt | 89.108.91.182 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: afa8ae84.h18.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 302 Found
Server: nginx/0.7.62
Date: Sat, 05 Jul 2014 20:14:21 GMT
Content-Type: text/html; charset=windows-1251
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Location: hXXp://err.h18.ru/error404.shtml
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Last-Modified: Sat, 05 Jul 2014 20:14:21 GMT
11c..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML><HEAD>.<TITLE>302 Found</TITLE>.</HEAD><BODY>.<H1>Found</H1>.The document has moved <A HREF="hXXp://err.h18.ru/error404.shtml">here</A>.<P>.<HR>.<ADDRESS>Apache/1.3.41 Server at afa8ae84.h18.ru Port 80</ADDRESS>.</BODY></HTML>...0..
GET /data/setx.txt HTTP/1.1
Content-Type: text/html
Host: elefant.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 404 Not Found
Server: nginx/Zenon
Date: Sat, 05 Jul 2014 20:14:16 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 211
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /data/setx.txt was not found on this server.</p>.</body></html>...
GET /data/setx.txt HTTP/1.1
Content-Type: text/html
Host: 24stat.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 404 Not Found
Server: nginx/1.4.4
Date: Sat, 05 Jul 2014 20:14:13 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /data/setx.txt was not found on this server.</p>.<hr>.<address>Apache/2.2.22 (Debian) Server at 24stat.ru Port 80</address>.</body></html>...
GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: feddcdda.yourfreehosting.net
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.0 200 OK
Date: Sat, 05 Jul 2014 20:14:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7 squeeze17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 05 Jul 2014 20:14:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tu=056c8adc112525f36082746796cbcf86; expires=Tue, 31-Dec-2019 23:00:00 GMT; path=/; domain=yourfreehosting.net; httponly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_mTCK17ph7zU2t1Y5v68ZFWfLBqRYOcQLm85MbfRytREA3uXw5WIO2aKsyTf38MC0SV9ipD0RZvUgXZVJH563Iw==
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
X-Cache: MISS from 300819
Connection: close
.<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_mTCK17ph7zU2t1Y5v68ZFWfLBqRYOcQLm85MbfRytREA3uXw5WIO2aKsyTf38MC0SV9ipD0RZvUgXZVJH563Iw=="><head><meta charset="utf-8" /><style type="text/css">/*!normalize.css v1.1.2 | MIT License | git.io/normalize */ article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block;}audio,canvas,video{display:inline-block;*display:inline;*zoom:1;}audio:not([controls]){display:none;height:0;}[hidden]{display:none;}html{font-size:100%;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;}html,button,input,select,textarea{font-family:sans-serif;}body{margin:0;}a:focus{outline:thin dotted;}a:active,a:hover{outline:0;}h1{font-size:2em;margin:0;}h2{font-size:1.33em;margin:0;}h3{font-size:1.1em;margin:0;}h4{font-size:1em;margin:0;}h5{font-size:.83em;margin:0;}h6{font-size:.67em;margin:0;}abbr[title]{border-bottom:1px dotted;}b,strong{font-weight:bold;}blockquote{margin:.11em 40px;}dfn{font-style:italic;}hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0;}mark{background:#ff0;color:#000;}p,pre{margin:.11em 0;}code,kbd,pre,samp{font-family:monospace,serif;_font-family:'courier new',monospace;font-size:1em;}pre{white-space:pre;white-space:pre-wrap;word-wrap:break-word;}q{quotes:none;}q:before,q:after{content:'';content:none;}small{font-size:80%;}sub,sup{font-size:75%;line-height:0;position:re
<<
<<< skipped >>>
GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: d3e7f6a9.110mb.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 302 Found
Date: Sat, 05 Jul 2014 20:14:18 GMT
Server: Apache
Location: hXXp://VVV.110mb.com/404.php
Content-Length: 212
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://VVV.110mb.com/404.php">here</a>.</p>.</body></html>...
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1876:
.idata
.rdata
P.rsrc
P.idata
.text
.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
Uh.AB
USER32.DLL
comctl32.dll
uxtheme.dll
Uh%xB
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
Uh.MC
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownP
OnKeyPress
OnKeyUp(
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port@
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword<
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
Uh0%F
TIdTCPClient
TIdTCPClient 3F
IdTCPClient
BoundPort
PortU
CommentURL
Uh.SF
Content-Disposition: form-data; name="%s"
; filename="%s"
Content-Type: %s
Unsupported operation.
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPRequest<lF
TIdHTTPProtocolPmF
TIdCustomHTTP
TIdCustomHTTPPmF
TIdHTTP8oF
TIdHTTP
HTTPOptions
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
http://defaf663.110mb.com
http://24stat.ru/data
http://student-card.ru/data
http://elefant.ru/data
http://psyherbal.com/data
.110mb.com
.yourfreehosting.net
ucoz.ru
.h18.ru
.eu.pn
.info
.org.ru
http://psynergi.dk/data
http://pushnik.freehostia.com
AXlove_install.exe
Booble-the-Game.exe
DaVinci_code.exe
PlayboyXXX.exe
pornolab_docs.exe
WinRar.exe
Winamp.exe
Snoopy_mult.exe
Tom-and-Jerry.exe
AUTO_BASE2011.exe
bank_transfers_2010.exe
Multi Password Recovery
/admin6.php
*.mpf
/mp.exe
\mpr.ini
Key=UksDAAAARkZGCAAAAAcgeBc6NCcxCAAAADzRFyaCP0paNwAAADA1AhkA8gN8smHcJdKj7yYv4 vBIhFf8npvMwTyAhhUDUF4wF7nGPv5Y89Vz JjuWEvGmAr7MUEt7Kg
LeftPane=0
/export
application/x-www-form-urlencoded
/stat.php
http://top-torrent.info/data/save_s.php
SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID
:\aUtoRuN.iNF
Icon=%system%\shell32.dll,4
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srtserv
wininet.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
explorer.exe
set.dat
/setx.txt
update.dat
http://
maratl.exe
task.dat
/taskx.txt
Software\Microsoft\Windows\CurrentVersion\MSrtn\value1
Software\Microsoft\Windows\CurrentVersion\MSrtn\value2
sdata.dll
?456789:;<=
!"#$%&'()* ,-./0123
%Documents and Settings%\All Users\Application Data\srtserv\set.dat
t type="text/javascript" src="http://img.sedoparking.com/js/jquery-1.4.2.min.js" ><script>
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
32.dllWGetLongPa
.jJX8
c.eDoE,
.VyDR,_
KERNEL32.DLL
ntdll.dll
#%'''<[[^^\\]
"%Â<aabm^^m
$-8GGhnsrr}
$-9GGggs}s
.oN4)
F%F@@
tCPl2
%Mgr.RhY4RfE5Qd:f
KWindows
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
UrlMon
S[[7a^ECBV[gEXCRTC75777o_
00000000
%original file name%.exe_1876_rwx_00400000_00092000:
.idata
.rdata
P.rsrc
P.idata
.text
.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
Uh.AB
USER32.DLL
comctl32.dll
uxtheme.dll
Uh%xB
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
Uh.MC
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownP
OnKeyPress
OnKeyUp(
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port@
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword<
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
Uh0%F
TIdTCPClient
TIdTCPClient 3F
IdTCPClient
BoundPort
PortU
CommentURL
Uh.SF
Content-Disposition: form-data; name="%s"
; filename="%s"
Content-Type: %s
Unsupported operation.
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPRequest<lF
TIdHTTPProtocolPmF
TIdCustomHTTP
TIdCustomHTTPPmF
TIdHTTP8oF
TIdHTTP
HTTPOptions
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
http://defaf663.110mb.com
http://24stat.ru/data
http://student-card.ru/data
http://elefant.ru/data
http://psyherbal.com/data
.110mb.com
.yourfreehosting.net
ucoz.ru
.h18.ru
.eu.pn
.info
.org.ru
http://psynergi.dk/data
http://pushnik.freehostia.com
AXlove_install.exe
Booble-the-Game.exe
DaVinci_code.exe
PlayboyXXX.exe
pornolab_docs.exe
WinRar.exe
Winamp.exe
Snoopy_mult.exe
Tom-and-Jerry.exe
AUTO_BASE2011.exe
bank_transfers_2010.exe
Multi Password Recovery
/admin6.php
*.mpf
/mp.exe
\mpr.ini
Key=UksDAAAARkZGCAAAAAcgeBc6NCcxCAAAADzRFyaCP0paNwAAADA1AhkA8gN8smHcJdKj7yYv4 vBIhFf8npvMwTyAhhUDUF4wF7nGPv5Y89Vz JjuWEvGmAr7MUEt7Kg
LeftPane=0
/export
application/x-www-form-urlencoded
/stat.php
http://top-torrent.info/data/save_s.php
SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID
:\aUtoRuN.iNF
Icon=%system%\shell32.dll,4
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srtserv
wininet.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
explorer.exe
set.dat
/setx.txt
update.dat
http://
maratl.exe
task.dat
/taskx.txt
Software\Microsoft\Windows\CurrentVersion\MSrtn\value1
Software\Microsoft\Windows\CurrentVersion\MSrtn\value2
sdata.dll
?456789:;<=
!"#$%&'()* ,-./0123
%Documents and Settings%\All Users\Application Data\srtserv\set.dat
t type="text/javascript" src="http://img.sedoparking.com/js/jquery-1.4.2.min.js" ></script>
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
32.dllWGetLongPa
.jJX8
c.eDoE,
.VyDR,_
KERNEL32.DLL
ntdll.dll
#%'''<[[^^\\]
"%Â<aabm
$-8GGhnsrr}
$-9GGggs}s
.oN4)
F%F@@
tCPl2
%Mgr.RhY4RfE5Qd:f
KWindows
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
UrlMon
S[[7a^ECBV[gEXCRTC75777o_
%original file name%.exe_1876_rwx_00951000_00010000:
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
mvkmisc.exe
ntdll.dll
Software\Microsoft\Windows\CurrentVersion\MSrtn\value1
Software\Microsoft\Windows\CurrentVersion\MSrtn\value2
KWindows
GetCPInfo
RegOpenKeyExA
RegCloseKey
GetKeyboardType
SetWindowsHookExA
.idata
.reloc
P.rsrc
calc.exe
aUtoRuN.iNF
Invalid variant operation
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. 
%s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><b>Explorer.EXE_880_rwx_02141000_00010000:</b><pre>kernel32.dll</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>mvkmisc.exe</pre><pre>ntdll.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value1</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value2</pre><pre>KWindows</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>SetWindowsHookExA</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>calc.exe</pre><pre>aUtoRuN.iNF</pre><pre>Invalid variant operation</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre></aabm></pre></lF></pre></pre></pre></pre>