Backdoor.Win32.PcClient_e3e92b93d7

September 13, 2021 14:41

HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Generic.77398 (B) (Emsisoft), Worm.Generic.77398 (AdAware), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: e3e92b93d71987c5d8eb59d6dd325baf

SHA1: 4b1e1140f957ac1e76aedddd508a23b3985031f8

SHA256: c95060c7f6c48848a88e96d96ae6733e3e157084e604ef48f5646037e487c1b5

SSDeep: 1536:9RrC34NnifgjVdXPcFkCK98TNPzV2XhoBDVoFhfyqsZc0pTW:9RrgQPU920VgUyFhl9 W

Size: 147456 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6

Company: Appsinstall

Created at: 2009-06-21 13:18:26

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Backdoor creates the following process(es):

taskkill.exe:980
taskkill.exe:680
taskkill.exe:840
sc.exe:1248
rundll32.exe:460
cacls.exe:1948
cacls.exe:828

The Backdoor injects its code into the following process(es):

%original file name%.exe:1320

Mutexes

The following mutexes were created/opened:

RasPbFileWininetStartupMutexWininetProxyRegistryMutexWininetConnectionMutexc:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_c:!documents and settings!adm!local settings!history!history.ie5!ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexDBWinMutexShimCacheMutex7777UUUU

File activity

The process rundll32.exe:460 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%System%\drivers\acpiec.sys (13 bytes)

The process %original file name%.exe:1320 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
C:\autorun.inf (21 bytes)
%System%\drivers\etc\hosts (5 bytes)
%WinDir% (1352 bytes)
C:\$Directory (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O5EF8PY3\desktop.ini (67 bytes)
%WinDir%\inf (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9HM3K1MR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K5UNSPAJ\desktop.ini (67 bytes)
%System%\config\systemprofile (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4HI389Q3\desktop.ini (67 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%System%\config (192 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (8 bytes)
%System%\drivers (776 bytes)
%System%\func.dll (17857847 bytes)
%WinDir%\phpi.dll (22141559 bytes)
%Documents and Settings%\%current user% (4 bytes)
C:\1.exe (673 bytes)
%System%\dllcache (4 bytes)
%System% (1296 bytes)

Registry activity

The process taskkill.exe:980 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 31 F6 BC 60 3D 0F BE F9 A4 07 54 49 24 98 4B"

The process taskkill.exe:680 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 23 ED EA C4 B8 0B 71 06 A0 72 3D 4C 33 20 14"

The process taskkill.exe:840 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 A5 73 3E 1D E1 26 AA B3 A8 23 D9 41 5E E7 C7"

The process sc.exe:1248 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 FB 81 82 51 00 15 E3 84 55 74 C9 69 AB 85 0E"

The process rundll32.exe:460 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 28 EC 48 4D 74 93 C0 18 27 E8 24 38 5D A8 D5"

The process cacls.exe:1948 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 94 0E 72 97 55 84 E7 28 F8 A6 07 8C 09 56 55"

The process cacls.exe:828 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD D1 6E E9 EA 3D 47 CE 77 CD C1 5C CB AA C4 B8"

Dropped PE files

MD5	File path
efdc316017e12aa7c14bc4e82d56f072	c:\WINDOWS\LastGood\system32\drivers\acpiec.sys
ee4c892b8a539da5c5d64bd94b12d054	c:\WINDOWS\phpi.dll
9859c0f6936e723e4892d7141b1327d5	c:\WINDOWS\system32\dllcache\acpiec.sys
efdc316017e12aa7c14bc4e82d56f072	c:\WINDOWS\system32\drivers\OLDEF.tmp
601b3f2466bfa6989b9c7586b5ba54aa	c:\WINDOWS\system32\drivers\pcidump.sys
468efb776946a11b5ef892a9d2758e32	c:\WINDOWS\system32\func.dll

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	v.onondown.com.cn
127.0.0.2	ymsdasdw1.cn
127.0.0.3	h96b.info
127.0.0.0	fuck.zttwp.cn
127.0.0.0	www.hackerbf.cn
127.0.0.0	geekbyfeng.cn
127.0.0.0	121.14.101.68
127.0.0.0	ppp.etimes888.com
127.0.0.0	www.bypk.com
127.0.0.0	CSC3-2004-crl.verisign.com
127.0.0.1	va9sdhun23.cn
127.0.0.0	udp.hjob123.com
127.0.0.2	bnasnd83nd.cn
127.0.0.0	www.gamehacker.com.cn
127.0.0.0	gamehacker.com.cn
127.0.0.3	adlaji.cn
127.0.0.1	858656.com
127.1.1.1	bnasnd83nd.cn
127.0.0.1	my123.com
127.0.0.0	user1.12-27.net
127.0.0.1	8749.com
127.0.0.0	fengent.cn
127.0.0.1	4199.com
127.0.0.1	user1.16-22.net
127.0.0.1	7379.com
127.0.0.1	2be37c5f.3f6e2cc5f0b.com
127.0.0.1	7255.com
127.0.0.1	user1.23-12.net
127.0.0.1	3448.com
127.0.0.1	www.guccia.net
127.0.0.1	7939.com
127.0.0.1	a.o1o1o1.nEt
127.0.0.1	8009.com
127.0.0.1	user1.12-73.cn
127.0.0.1	piaoxue.com
127.0.0.1	3n8nlasd.cn
127.0.0.1	kzdh.com
127.0.0.0	www.sony888.cn
127.0.0.1	about.blank.la
127.0.0.0	user1.asp-33.cn
127.0.0.1	6781.com
127.0.0.0	www.netkwek.cn
127.0.0.1	7322.com
127.0.0.0	ymsdkad6.cn
127.0.0.0	www.lkwueir.cn
127.0.0.1	06.jacai.com
127.0.1.1	user1.23-17.net
127.0.0.1	1.jopenkk.com
127.0.0.0	upa.luzhiai.net
127.0.0.1	1.jopenqc.com
127.0.0.0	www.guccia.net
127.0.0.1	1.joppnqq.com
127.0.0.0	4m9mnlmi.cn
127.0.0.1	1.xqhgm.com
127.0.0.0	mm119mkssd.cn
127.0.0.1	100.332233.com
127.0.0.0	61.128.171.115:8080
127.0.0.1	121.11.90.79
127.0.0.0	www.1119111.com
127.0.0.1	121565.net
127.0.0.0	win.nihao69.cn
127.0.0.1	125.90.88.38
127.0.0.1	16888.6to23.com
127.0.0.1	2.joppnqq.com
127.0.0.0	puc.lianxiac.net
127.0.0.1	204.177.92.68
127.0.0.0	pud.lianxiac.net
127.0.0.1	210.74.145.236
127.0.0.0	210.76.0.133
127.0.0.1	219.129.239.220
127.0.0.0	61.166.32.2
127.0.0.1	219.153.40.221
127.0.0.0	218.92.186.27
127.0.0.1	219.153.46.27
127.0.0.0	www.fsfsfag.cn
127.0.0.1	219.153.52.123
127.0.0.0	ovo.ovovov.cn
127.0.0.1	221.195.42.71
127.0.0.0	dw.com.com
127.0.0.1	222.73.218.115
127.0.0.1	203.110.168.233:80
127.0.0.1	3.joppnqq.com
127.0.0.1	203.110.168.221:80
127.0.0.1	363xx.com
127.0.0.1	www1.ip10086.com.cm
127.0.0.1	4199.com
127.0.0.1	blog.ip10086.com.cn
127.0.0.1	43242.com
127.0.0.1	www.ccji68.cn
127.0.0.1	5.xqhgm.com
127.0.0.0	t.myblank.cn
127.0.0.1	520.mm5208.com
127.0.0.0	x.myblank.cn
127.0.0.1	59.34.131.54
127.0.0.1	210.51.45.5
127.0.0.1	59.34.198.228
127.0.0.1	www.ew1q.cn
127.0.0.1	59.34.198.88
127.0.0.1	59.34.198.97
127.0.0.1	60.190.114.101
127.0.0.1	60.190.218.34
127.0.0.0	qq-xing.com.cn
127.0.0.1	60.191.124.252
127.0.0.1	61.145.117.212
127.0.0.1	61.157.109.222
127.0.0.1	75.126.3.216
127.0.0.1	75.126.3.217
127.0.0.1	75.126.3.218
127.0.0.0	59.125.231.177:17777
127.0.0.1	75.126.3.220
127.0.0.1	75.126.3.221
127.0.0.1	75.126.3.222
127.0.0.1	772630.com
127.0.0.1	832823.cn
127.0.0.1	8749.com
127.0.0.1	888.jopenqc.com
127.0.0.1	89382.cn
127.0.0.1	8v8.biz
127.0.0.1	97725.com
127.0.0.1	9gg.biz
127.0.0.1	www.9000music.com
127.0.0.1	test.591jx.com
127.0.0.1	a.topxxxx.cn
127.0.0.1	picon.chinaren.com
127.0.0.1	www.5566.net
127.0.0.1	p.qqkx.com
127.0.0.1	news.netandtv.com
127.0.0.1	z.neter888.cn
127.0.0.1	b.myblank.cn
127.0.0.1	wvw.wokutu.com
127.0.0.1	unionch.qyule.com
127.0.0.1	www.qyule.com
127.0.0.1	it.itjc.cn
127.0.0.1	www.linkwww.com
127.0.0.1	vod.kaicn.com
127.0.0.1	www.tx8688.com
127.0.0.1	b.neter888.cn
127.0.0.1	promote.huanqiu.com
127.0.0.1	www.huanqiu.com
127.0.0.1	www.haokanla.com
127.0.0.1	play.unionsky.cn
127.0.0.1	www.52v.com
127.0.0.1	www.gghka.cn
127.0.0.1	icon.ajiang.net
127.0.0.1	new.ete.cn
127.0.0.1	www.stiae.cn
127.0.0.1	o.neter888.cn
127.0.0.1	comm.jinti.com
127.0.0.1	www.google-analytics.com
127.0.0.1	hz.mmstat.com
127.0.0.1	www.game175.cn
127.0.0.1	x.neter888.cn
127.0.0.1	z.neter888.cn
127.0.0.1	p.etimes888.com
127.0.0.1	hx.etimes888.com
127.0.0.1	abc.qqkx.com
127.0.0.1	dm.popdm.cn
127.0.0.1	www.yl9999.com
127.0.0.1	www.dajiadoushe.cn
127.0.0.1	v.onondown.com.cn
127.0.0.1	www.interoo.net
127.0.0.1	bally1.bally-bally.net
127.0.0.1	www.bao5605509.cn
127.0.0.1	www.rty456.cn
127.0.0.1	www.werqwer.cn
127.0.0.1	1.360-1.cn
127.0.0.1	user1.23-16.net
127.0.0.1	www.guccia.net
127.0.0.1	www.interoo.net
127.0.0.1	upa.netsool.net
127.0.0.1	js.users.51.la
127.0.0.1	vip2.51.la
127.0.0.1	web.51.la
127.0.0.1	qq.gong2008.com
127.0.0.1	2008tl.copyip.com
127.0.0.1	tla.laozihuolaile.cn
127.0.0.1	www.tx6868.cn
127.0.0.1	p001.tiloaiai.com
127.0.0.1	s1.tl8tl.com
127.0.0.1	s1.gong2008.com
127.0.0.1	4b3ce56f9g.3f6e2cc5f0b.com

Rootkit activity

The Backdoor installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys" the Backdoor substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:980
taskkill.exe:680
taskkill.exe:840
sc.exe:1248
rundll32.exe:460
cacls.exe:1948
cacls.exe:828
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:
%System%\drivers\acpiec.sys (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
C:\autorun.inf (21 bytes)
%System%\drivers\etc\hosts (5 bytes)
C:\$Directory (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O5EF8PY3\desktop.ini (67 bytes)
%WinDir%\inf (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9HM3K1MR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K5UNSPAJ\desktop.ini (67 bytes)
%System%\config\systemprofile (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4HI389Q3\desktop.ini (67 bytes)
%System%\drivers\pcidump.sys (5404535 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (8 bytes)
%System%\func.dll (17857847 bytes)
%WinDir%\phpi.dll (22141559 bytes)
C:\1.exe (673 bytes)
%System%\dllcache (4 bytes)
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ????
Product Version: 4, 3, 1, 1
Legal Copyright: ???? (C) 2009
Legal Trademarks:
Original Filename: notepad.EXE
Internal Name: test
File Version: 1, 0, 0, 1
File Description: Microsoft ???????
Comments:
Language: Language Neutral

Company Name: Product Name: ????Product Version: 4, 3, 1, 1Legal Copyright: ???? (C) 2009Legal Trademarks: Original Filename: notepad.EXEInternal Name: testFile Version: 1, 0, 0, 1File Description: Microsoft ???????Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.nsp0	4096	98304	98304	4.23803	65b2d749250730cc6fd94a8c2e523716
.nsp1	102400	32768	32768	5.32321	2b3514d03efcfc7873ee8acc63552283
.nsp2	135168	12288	12288	0.161351	d24bfc9f82464a89fd17a66d06723de5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1320:

.nsp0

.nsp0

.nsp1

.nsp1

.nsp2

.nsp2

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

\phpi.dll

\phpi.dll

rundll32.exe func.dll, droqp

rundll32.exe func.dll, droqp

\system32\func.dll

\system32\func.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

\temp\explorer.exe

\temp\explorer.exe

\drivers\gm.dls

\drivers\gm.dls

Explorer.EXE

Explorer.EXE

explorer.EXE

explorer.EXE

EXPLORER.EXE

EXPLORER.EXE

EXPLORER.exe

EXPLORER.exe

Explorer.exe

Explorer.exe

explorer.exe

explorer.exe

GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAmemsetsprintfstrcatstrstrstrcpy

GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAmemsetsprintfstrcatstrstrstrcpy

Ci=l_[n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

,-2) ) ),

,-2) ) ),

,-2) ) )-

,-2) ) )-

,-2) ) ).

,-2) ) ).

,-2) ) )

,-2) ) )

,-,),/), ,)13

,-,),/), ,)13

,-2),),),

,-2),),),

,-2) ),),

,-2) ),),

1,),-3),2,),,053 3

1,),-3),2,),,053 3

,-,),,)4 )24

,-,),,)4 )24

,-0)4 )33).3

,-0)4 )33).3

- /),22)4-)13

- /),22)4-)13

-, )2/),/0)-.1

-, )2/),/0)-.1

-, )21) ),..

-, )21) ),..

-,4),-4)-.4)--

-,4),-4)-.4)--

1,),11).-)-

1,),11).-)-

-,4),0.)/ )--,

-,4),0.)/ )--,

-,3)4-),31)-2

-,3)4-),31)-2

-,4),0.)/1)-2

-,4),0.)/1)-2

-,4),0.)0-),-.

-,4),0.)0-),-.

--,),40)/-)2,

--,),40)/-)2,

---)2.)-,3),,0

---)2.)-,3),,0

- .),, ),13)-..53

- .),, ),13)-..53

- .),, ),13)--,53

- .),, ),13)--,53

.1.ss)^jh

.1.ss)^jh

04)./),.,)0/

04)./),.,)0/

-, )0,)/0)0

-, )0,)/0)0

04)./),43)--3

04)./),43)--3

04)./),43)33

04)./),43)33

04)./),43)42

04)./),43)42

1 ),4 ),,/), ,

1 ),4 ),,/), ,

1 ),4 )-,3)./

1 ),4 )-,3)./

1 ),4,),-/)-0-

1 ),4,),-/)-0-

1,),/0),,2)-,-

1,),/0),,2)-,-

1,),02), 4)---

1,),02), 4)---

20),-1).)-,1

20),-1).)-,1

20),-1).)-,2

20),-1).)-,2

20),-1).)-,3

20),-1).)-,3

04),-0)-.,),225,2222

04),-0)-.,),225,2222

20),-1).)--

20),-1).)--

20),-1).)--,

20),-1).)--,

20),-1).)---

20),-1).)---

kjk.om\k)`s`

kjk.om\k)`s`

KERNEL32.DLL

KERNEL32.DLL

MSVCRT.DLL

MSVCRT.DLL

1, 0, 0, 1

1, 0, 0, 1

notepad.EXE

notepad.EXE

4, 3, 1, 1

4, 3, 1, 1

%original file name%.exe_1320_rwx_00401000_00018000:

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

\phpi.dll

\phpi.dll

rundll32.exe func.dll, droqp

rundll32.exe func.dll, droqp

\system32\func.dll

\system32\func.dll

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im ScanFrm.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im egui.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c taskkill /im ekrn.exe /f

cmd /c sc config ekrn start= disabled

cmd /c sc config ekrn start= disabled

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls "%s" /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

cmd /c cacls %s /e /p everyone:f

\temp\explorer.exe

\temp\explorer.exe

\drivers\gm.dls

\drivers\gm.dls

Explorer.EXE

Explorer.EXE

explorer.EXE

explorer.EXE

EXPLORER.EXE

EXPLORER.EXE

EXPLORER.exe

EXPLORER.exe

Explorer.exe

Explorer.exe

explorer.exe

explorer.exe

GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAmemsetsprintfstrcatstrstrstrcpy

GetProcAddressLoadLibraryACloseHandleGetSystemTimeGetModuleHandleASleepGetTempPathACopyFileAGetWindowsDirectoryAGetSystemDirectoryAGetModuleFileNameACreateMutexAGlobalAddAtomAOpenMutexAGlobalFindAtomAmemsetsprintfstrcatstrstrstrcpy

Ci=l_[n_Msg\ifc]Fche

Ci=l_[n_Msg\ifc]Fche

,-2) ) ),

,-2) ) ),

,-2) ) )-

,-2) ) )-

,-2) ) ).

,-2) ) ).

,-2) ) )

,-2) ) )

,-,),/), ,)13

,-,),/), ,)13

,-2),),),

,-2),),),

,-2) ),),

,-2) ),),

1,),-3),2,),,053 3

1,),-3),2,),,053 3

,-,),,)4 )24

,-,),,)4 )24

,-0)4 )33).3

,-0)4 )33).3

- /),22)4-)13

- /),22)4-)13

-, )2/),/0)-.1

-, )2/),/0)-.1

-, )21) ),..

-, )21) ),..

-,4),-4)-.4)--

-,4),-4)-.4)--

1,),11).-)-

1,),11).-)-

-,4),0.)/ )--,

-,4),0.)/ )--,

-,3)4-),31)-2

-,3)4-),31)-2

-,4),0.)/1)-2

-,4),0.)/1)-2

-,4),0.)0-),-.

-,4),0.)0-),-.

--,),40)/-)2,

--,),40)/-)2,

---)2.)-,3),,0

---)2.)-,3),,0

- .),, ),13)-..53

- .),, ),13)-..53

- .),, ),13)--,53

- .),, ),13)--,53

.1.ss)^jh

.1.ss)^jh

04)./),.,)0/

04)./),.,)0/

-, )0,)/0)0

-, )0,)/0)0

04)./),43)--3

04)./),43)--3

04)./),43)33

04)./),43)33

04)./),43)42

04)./),43)42

1 ),4 ),,/), ,

1 ),4 ),,/), ,

1 ),4 )-,3)./

1 ),4 )-,3)./

1 ),4,),-/)-0-

1 ),4,),-/)-0-

1,),/0),,2)-,-

1,),/0),,2)-,-

1,),02), 4)---

1,),02), 4)---

20),-1).)-,1

20),-1).)-,1

20),-1).)-,2

20),-1).)-,2

20),-1).)-,3

20),-1).)-,3

04),-0)-.,),225,2222

04),-0)-.,),225,2222

20),-1).)--

20),-1).)--

20),-1).)--,

20),-1).)--,

20),-1).)---

20),-1).)---

kjk.om\k)`s`

kjk.om\k)`s`

%original file name%.exe_1320_rwx_10000000_00001000:

.data

.data

.rsrc

.rsrc

@.reloc

@.reloc

psapi.dll

psapi.dll

\patch.exe

\patch.exe

\dstdisk.exe

\dstdisk.exe

\defence.exe

\defence.exe

192yuioealdjfiefjsdfas.txt

192yuioealdjfiefjsdfas.txt

%SystemRoot%\System32\DRIVERS\puid.sys

%SystemRoot%\System32\DRIVERS\puid.sys

\drivers\pcidump.sys

\drivers\pcidump.sys

System32\DRIVERS\pcidump.sys

System32\DRIVERS\pcidump.sys

%SystemRoot%\system32\drivers\puid.sys

%SystemRoot%\system32\drivers\puid.sys

\\.\pcidump

\\.\pcidump

\drivers\gm.dls

\drivers\gm.dls

Windows

Windows

1.exe

1.exe

autorun.inf

autorun.inf

Open=1.exe

Open=1.exe

urlmon

urlmon

\setup.exe

\setup.exe

?mac=%s&ver=%s&key=%d&os=windows

?mac=%s&ver=%s&key=%d&os=windows

.html

.html

.hhqg

.hhqg

qq.exe

qq.exe

360safe.exe

360safe.exe

\explorer.exe

\explorer.exe

\temp\explorer.exe

\temp\explorer.exe

infect_exe

infect_exe

rundll32.exe_460:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s

%original file name%.exe_1320_rwx_10005000_00001000:

\??\c:\%original file name%.exe

\??\c:\%original file name%.exe

\??\%WinDir%\explorer.exe

\??\%WinDir%\explorer.exe

ers\gm.dls

ers\gm.dls

WinExec

WinExec

CreatePipe

CreatePipe

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

InternetOpenUrlA

InternetOpenUrlA

WININET.dll

WININET.dll