Susp_Dropper (Kaspersky), Gen:Variant.Kazy.18560 (B) (Emsisoft), Gen:Variant.Kazy.18560 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2ce83f1ce68c164e31d92e351fb0414e
SHA1: 0f53d12573937598248872bdc34b260c27383ea5
SHA256: 142c116e905b33b68949a0b7da4d80334341967b4f86ac8c7c8a85ae80f33ea0
SSDeep: 12288:9WlCWlbEL7RdoScADc0rSTvTKfYwzAySXq3TT2ghwfYL/OvIMziE:9WUWlbW77D35rSzTVwxVagui
Size: 649216 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1772
The Trojan injects its code into the following process(es):
%original file name%.exe:1852
Explorer.EXE:1988
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\srtserv\sdata.dll (23 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\srtserv\set.dat (0 bytes)
The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe (4185 bytes)
Registry activity
The process %original file name%.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1" = "%original file name%.exe"
"Value2" = "1852"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 00 EE DF DE DD 4B 55 98 DF BA 6C 07 5F 7B 44"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 2E 8C 7E E5 4D 52 87 B5 60 57 D2 F9 42 B5 3C"
Dropped PE files
MD5 | File path |
---|---|
03728900440b890fab1e64c5764d20eb | c:\Documents and Settings\All Users\Application Data\srtserv\sdata.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1772
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\srtserv\sdata.dll (23 bytes)
%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe (4185 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 466952 | 467456 | 5.50479 | e9d36b3fdf0e4ea7b20a2d30344c24db |
DATA | 475136 | 7764 | 8192 | 5.14878 | a48ec61e4e06418e2ad395535bb7d51a |
BSS | 483328 | 5625 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 491520 | 9284 | 9728 | 5.35827 | 988121062e80d6af350db2f47f34f375 |
.tls | 503808 | 16 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 507904 | 24 | 512 | 0.139033 | f3dbf8dd4762b6c1c99a7824ce30fae3 |
.rsrc | 512000 | 102472 | 102912 | 5.50649 | d98c5196f758866af130c7f600d4e003 |
.idata | 618496 | 4096 | 512 | 0.747477 | 9e3b99d4a8febe1483c3fe15654b91a4 |
.text | 622592 | 4096 | 4096 | 2.75372 | 160f79fb13f0709f591475ebfbb5e357 |
.rsrc | 626688 | 126976 | 54784 | 4.67426 | cadec1700906ab83ab6da64c295b36af |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
ae6185b74547aac80aea955075273342
Network Activity
URLs
URL | IP |
---|---|
hxxp://eda.ru/data/setx.txt | 81.19.88.88 |
hxxp://a4e0c63f.110mb.com/setx.txt | 64.37.76.37 |
hxxp://8c1a7cdb.x10hosting.com/setx.txt | 198.91.80.106 |
hxxp://bd7925e6.hostei.com/setx.txt | 31.170.160.249 |
hxxp://0e2c06ba.orgfree.com/setx.txt | 144.76.99.221 |
bebd90c0.exofire.net | 69.175.6.102 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: 0e2c06ba.orgfree.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 302 Found
Date: Tue, 24 Jun 2014 05:34:35 GMT
Server: Apache
Location: hXXp://e.freewebhostingarea.com/not-found.html
Content-Length: 230
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://e.freewebhostingarea.com/not-found.html">here</a>.</p>.</body></html>...
GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: bd7925e6.hostei.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 302 Found
Date: Tue, 24 Jun 2014 05:34:35 GMT
Server: Apache
Location: hXXp://error404.000webhost.com/?
Content-Length: 216
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://error404.000webhost.com/?">here</a>.</p>.</body></html>...
GET /data/setx.txt HTTP/1.1
Content-Type: text/html
Host: eda.ru
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 301 Moved Permanently
Server: nginx/1.7.2
Date: Tue, 24 Jun 2014 05:34:08 GMT
Content-Length: 131
Connection: keep-alive
Keep-Alive: timeout=50
Cache-Control: no-store
Location: /data/setx.txt
X-Powered-By: ASP.NET
Set-Cookie: delivery_split=0; path=/
Set-Cookie: ruid=ugsAANANqVNBkjq7AQeaAQB=; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.eda.ru; path=/
P3P: CP="NON DSP NID ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="/data/setx.txt">here</a>.</h2>..</body></html>....
GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: 8c1a7cdb.x10hosting.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 404 Not Found
Server: nginx/1.6.0
Date: Tue, 24 Jun 2014 05:34:09 GMT
Content-Type: text/html
Content-Length: 1571
Connection: keep-alive
ETag: "539a5b77-623"
<!DOCTYPE html>.<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->.<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->.<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->.<!--[if gt IE 8]><!--> <html class="no-js"> <!--<![endif]-->. <head>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=edge">. <title>Web Hosting − x10Hosting</title>. <meta name="description" content="x10Hosting: Free cPanel web hosting for anyone in the world.">. <meta name="viewport" content="width=device-width, initial-scale=1">..<script>.. (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){.. (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),.. m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m).. })(window,document,'script','//VVV.google-analytics.com/analytics.js','ga');.. ga('create', 'UA-1806325-12', 'auto');. ga('require', 'displayfeatures');.. ga('send', 'pageview');..</script>..<meta http-equiv="refresh" content="6;URL=hXXp://x10hosting.com" />. <link href='http://fonts.googleapis.com/css?family=Open Sans:400,300' rel='stylesheet' type='text/css'>..<style type="text/css">..body { font-family: 'Open Sans', sans-serif; font-size: 16px; }..h1 { font-family
<<< skipped >>>
GET /setx.txt HTTP/1.1
Content-Type: text/html
Host: a4e0c63f.110mb.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 302 Found
Date: Tue, 24 Jun 2014 05:34:09 GMT
Server: Apache
Location: hXXp://VVV.110mb.com/404.php
Content-Length: 212
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://VVV.110mb.com/404.php">here</a>.</p>.</body></html>...
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1852:
.idata
.rdata
P.rsrc
P.idata
.text
.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
Uh.AB
USER32.DLL
comctl32.dll
uxtheme.dll
Uh%xB
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
Uh.MC
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownP
OnKeyPress
OnKeyUp(
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port@
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword<
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
Uh0%F
TIdTCPClient
TIdTCPClient 3F
IdTCPClient
BoundPort
PortU
CommentURL
Uh.SF
Content-Disposition: form-data; name="%s"
; filename="%s"
Content-Type: %s
Unsupported operation.
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPRequest<lF
TIdHTTPProtocolPmF
TIdCustomHTTP
TIdCustomHTTPPmF
TIdHTTP8oF
TIdHTTP
HTTPOptions
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
http://vesterm.freehostia.com
http://psynergi.dk/data
http://kubusse.ru/data
http://s-elisa.ru/data
http://eda.ru/data
.freehostia.com
.110mb.com
.x10hosting.com
.awardspace.com
.exofire.net
.hostei.com
.orgfree.com
.h18.ru
.eu.pn
http://pushnik.freehostia.com
AXlove_install.exe
Booble-the-Game.exe
DaVinci_code.exe
PlayboyXXX.exe
pornolab_docs.exe
WinRar.exe
Winamp.exe
Snoopy_mult.exe
Tom-and-Jerry.exe
AUTO_BASE2011.exe
bank_transfers_2010.exe
Multi Password Recovery
*.mpf
/mp.exe
\mpr.ini
Key=UksDAAAARkZGCAAAAAcgeBc6NCcxCAAAADzRFyaCP0paNwAAADA1AhkA8gN8smHcJdKj7yYv4 vBIhFf8npvMwTyAhhUDUF4wF7nGPv5Y89Vz JjuWEvGmAr7MUEt7Kg
LeftPane=0
/export
/admin6.php
sdata2.dll
Software\Microsoft\Windows\CurrentVersion\MSrtn\p
/admin5.php
application/x-www-form-urlencoded
/stat.php
http://top-torrent.info/data/save_s.php
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID
:\aUtoRuN.iNF
Icon=%system%\shell32.dll,4
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srtserv
wininet.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
explorer.exe
set.dat
/setx.txt
update.dat
http://
\WebMoney
maratl.exe
task.dat
/taskx.txt
Software\Microsoft\Windows\CurrentVersion\MSrtn\value1
Software\Microsoft\Windows\CurrentVersion\MSrtn\value2
sdata.dll
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
32.dllWGetLongPa
.jJX8
c.eDoE,
.VyDR,_
KERNEL32.DLL
ntdll.dll
kernel32.dllWGetLongPathN
nKey
#%'''<[[^^\\]
"%Â<aabm
$-8GGhnsrr}
$-9GGggs}s
.oN4)
F%F@@
tCPl2
%Mgr.RhY4RfE5Qd:f
KWindows
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
UrlMon
,1*;=*^\^^^
00000000
%original file name%.exe_1852_rwx_00400000_00099000:
.idata
.rdata
P.rsrc
P.idata
.text
.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
Uh.AB
USER32.DLL
comctl32.dll
uxtheme.dll
Uh%xB
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
Uh.MC
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownP
OnKeyPress
OnKeyUp(
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port@
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword<
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
Uh0%F
TIdTCPClient
TIdTCPClient 3F
IdTCPClient
BoundPort
PortU
CommentURL
Uh.SF
Content-Disposition: form-data; name="%s"
; filename="%s"
Content-Type: %s
Unsupported operation.
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPRequest<lF
TIdHTTPProtocolPmF
TIdCustomHTTP
TIdCustomHTTPPmF
TIdHTTP8oF
TIdHTTP
HTTPOptions
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
http://vesterm.freehostia.com
http://psynergi.dk/data
http://kubusse.ru/data
http://s-elisa.ru/data
http://eda.ru/data
.freehostia.com
.110mb.com
.x10hosting.com
.awardspace.com
.exofire.net
.hostei.com
.orgfree.com
.h18.ru
.eu.pn
http://pushnik.freehostia.com
AXlove_install.exe
Booble-the-Game.exe
DaVinci_code.exe
PlayboyXXX.exe
pornolab_docs.exe
WinRar.exe
Winamp.exe
Snoopy_mult.exe
Tom-and-Jerry.exe
AUTO_BASE2011.exe
bank_transfers_2010.exe
Multi Password Recovery
*.mpf
/mp.exe
\mpr.ini
Key=UksDAAAARkZGCAAAAAcgeBc6NCcxCAAAADzRFyaCP0paNwAAADA1AhkA8gN8smHcJdKj7yYv4 vBIhFf8npvMwTyAhhUDUF4wF7nGPv5Y89Vz JjuWEvGmAr7MUEt7Kg
LeftPane=0
/export
/admin6.php
sdata2.dll
Software\Microsoft\Windows\CurrentVersion\MSrtn\p
/admin5.php
application/x-www-form-urlencoded
/stat.php
http://top-torrent.info/data/save_s.php
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID
:\aUtoRuN.iNF
Icon=%system%\shell32.dll,4
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srtserv
wininet.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
explorer.exe
set.dat
/setx.txt
update.dat
http://
\WebMoney
maratl.exe
task.dat
/taskx.txt
Software\Microsoft\Windows\CurrentVersion\MSrtn\value1
Software\Microsoft\Windows\CurrentVersion\MSrtn\value2
sdata.dll
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
32.dllWGetLongPa
.jJX8
c.eDoE,
.VyDR,_
KERNEL32.DLL
ntdll.dll
kernel32.dllWGetLongPathN
nKey
#%'''<[[^^\\]
"%Â<aabm
$-8GGhnsrr}
$-9GGggs}s
.oN4)
F%F@@
tCPl2
%Mgr.RhY4RfE5Qd:f
KWindows
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
UrlMon
,1*;=*^\^^^
%original file name%.exe_1852_rwx_00951000_00010000:
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
mvkmisc.exe
ntdll.dll
Software\Microsoft\Windows\CurrentVersion\MSrtn\value1
Software\Microsoft\Windows\CurrentVersion\MSrtn\value2
KWindows
GetCPInfo
RegOpenKeyExA
RegCloseKey
GetKeyboardType
SetWindowsHookExA
.idata
.reloc
P.rsrc
calc.exe
aUtoRuN.iNF
Invalid variant operation
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'.
%s of address %p</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><b>Explorer.EXE_1988_rwx_02101000_00010000:</b><pre>kernel32.dll</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>mvkmisc.exe</pre><pre>ntdll.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value1</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value2</pre><pre>KWindows</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>SetWindowsHookExA</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>calc.exe</pre><pre>aUtoRuN.iNF</pre><pre>Invalid variant operation</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre></aabm></pre></lF></pre></pre></pre></pre></pre></aabm></pre></lF></pre></pre></pre></pre>