Trojan.Win32.Sasfis_2ce83f1ce6 – Adaware

Susp_Dropper (Kaspersky), Gen:Variant.Kazy.18560 (B) (Emsisoft), Gen:Variant.Kazy.18560 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2ce83f1ce68c164e31d92e351fb0414e

SHA1: 0f53d12573937598248872bdc34b260c27383ea5

SHA256: 142c116e905b33b68949a0b7da4d80334341967b4f86ac8c7c8a85ae80f33ea0

SSDeep: 12288:9WlCWlbEL7RdoScADc0rSTvTKfYwzAySXq3TT2ghwfYL/OvIMziE:9WUWlbW77D35rSzTVwxVagui

Size: 649216 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 1970-01-01 03:00:00

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1772

The Trojan injects its code into the following process(es):

%original file name%.exe:1852
Explorer.EXE:1988

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1852 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\srtserv\sdata.dll (23 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\srtserv\set.dat (0 bytes)

The process %original file name%.exe:1772 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe (4185 bytes)

Registry activity

The process %original file name%.exe:1852 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1" = "%original file name%.exe"
"Value2" = "1852"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 00 EE DF DE DD 4B 55 98 DF BA 6C 07 5F 7B 44"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1772 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 2E 8C 7E E5 4D 52 87 B5 60 57 D2 F9 42 B5 3C"

Dropped PE files

MD5	File path
03728900440b890fab1e64c5764d20eb	c:\Documents and Settings\All Users\Application Data\srtserv\sdata.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1772
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\srtserv\sdata.dll (23 bytes)
%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe (4185 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%Documents and Settings%\All Users\Application Data\srtserv\%original file name%.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	466952	467456	5.50479	e9d36b3fdf0e4ea7b20a2d30344c24db
DATA	475136	7764	8192	5.14878	a48ec61e4e06418e2ad395535bb7d51a
BSS	483328	5625	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	491520	9284	9728	5.35827	988121062e80d6af350db2f47f34f375
.tls	503808	16	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	507904	24	512	0.139033	f3dbf8dd4762b6c1c99a7824ce30fae3
.rsrc	512000	102472	102912	5.50649	d98c5196f758866af130c7f600d4e003
.idata	618496	4096	512	0.747477	9e3b99d4a8febe1483c3fe15654b91a4
.text	622592	4096	4096	2.75372	160f79fb13f0709f591475ebfbb5e357
.rsrc	626688	126976	54784	4.67426	cadec1700906ab83ab6da64c295b36af

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
ae6185b74547aac80aea955075273342

Network Activity

URLs

URL	IP
hxxp://eda.ru/data/setx.txt	81.19.88.88
hxxp://a4e0c63f.110mb.com/setx.txt	64.37.76.37
hxxp://8c1a7cdb.x10hosting.com/setx.txt	198.91.80.106
hxxp://bd7925e6.hostei.com/setx.txt	31.170.160.249
hxxp://0e2c06ba.orgfree.com/setx.txt	144.76.99.221
bebd90c0.exofire.net	69.175.6.102

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /setx.txt HTTP/1.1

Content-Type: text/html

Host: 0e2c06ba.orgfree.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 302 Found

Date: Tue, 24 Jun 2014 05:34:35 GMT

Server: Apache

Location: hXXp://e.freewebhostingarea.com/not-found.html

Content-Length: 230

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://e.freewebhostingarea.com/not-found.html">here</a>.</p>.</body></html>...

GET /setx.txt HTTP/1.1

Content-Type: text/html

Host: bd7925e6.hostei.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 302 Found

Date: Tue, 24 Jun 2014 05:34:35 GMT

Server: Apache

Location: hXXp://error404.000webhost.com/?

Content-Length: 216

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://error404.000webhost.com/?">here</a>.</p>.</body></html>...

GET /data/setx.txt HTTP/1.1

Content-Type: text/html

Host: eda.ru

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 301 Moved Permanently

Server: nginx/1.7.2

Date: Tue, 24 Jun 2014 05:34:08 GMT

Content-Length: 131

Connection: keep-alive

Keep-Alive: timeout=50

Cache-Control: no-store

Location: /data/setx.txt

X-Powered-By: ASP.NET

Set-Cookie: delivery_split=0; path=/

Set-Cookie: ruid=ugsAANANqVNBkjq7AQeaAQB=; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.eda.ru; path=/

P3P: CP="NON DSP NID ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"

<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="/data/setx.txt">here</a>.</h2>..</body></html>....

GET /setx.txt HTTP/1.1

Content-Type: text/html

Host: 8c1a7cdb.x10hosting.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 404 Not Found

Server: nginx/1.6.0

Date: Tue, 24 Jun 2014 05:34:09 GMT

Content-Type: text/html

Content-Length: 1571

Connection: keep-alive

ETag: "539a5b77-623"

<!DOCTYPE html>.... <html class="no-js"> . <head>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=edge">. <title>Web Hosting − x10Hosting</title>. <meta name="description" content="x10Hosting: Free cPanel web hosting for anyone in the world.">. <meta name="viewport" content="width=device-width, initial-scale=1">..<script>.. (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){.. (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),.. m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m).. })(window,document,'script','//VVV.google-analytics.com/analytics.js','ga');.. ga('create', 'UA-1806325-12', 'auto');. ga('require', 'displayfeatures');.. ga('send', 'pageview');..</script>..<meta http-equiv="refresh" content="6;URL=hXXp://x10hosting.com" />. <link href='http://fonts.googleapis.com/css?family=Open Sans:400,300' rel='stylesheet' type='text/css'>..<style type="text/css">..body { font-family: 'Open Sans', sans-serif; font-size: 16px; }..h1 { font-family

<<< skipped >>>

GET /setx.txt HTTP/1.1

Content-Type: text/html

Host: a4e0c63f.110mb.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 302 Found

Date: Tue, 24 Jun 2014 05:34:09 GMT

Server: Apache

Location: hXXp://VVV.110mb.com/404.php

Content-Length: 212

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://VVV.110mb.com/404.php">here</a>.</p>.</body></html>...

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1852:

.idata

.rdata

P.rsrc

P.idata

.text

.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

EInvalidGraphicOperation

Uh.AB

USER32.DLL

comctl32.dll

uxtheme.dll

Uh%xB

MAPI32.DLL

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

Uh.MC

imm32.dll

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownP

OnKeyPress

OnKeyUp(

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

%s, %d %s %d %s %s

password

Password

IdHTTPHeaderInfo

ProxyPassword<</pre><pre>ProxyPort</pre><pre>Mozilla/3.0 (compatible; Indy Library)</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMax</pre><pre>Port@</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>libeay32.dll</pre><pre>ssleay32.dll</pre><pre>SSL_CTX_use_PrivateKey_file</pre><pre>SSL_CTX_use_certificate_file</pre><pre>SSL_get_peer_certificate</pre><pre>SSL_CTX_set_default_passwd_cb</pre><pre>SSL_CTX_set_default_passwd_cb_userdata</pre><pre>SSL_CTX_check_private_key</pre><pre>X509_STORE_CTX_get_current_cert</pre><pre>des_set_key</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Port</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>sslvrfFailIfNoPeerCert</pre><pre>TPasswordEvent</pre><pre>Certificate</pre><pre>RootCertFile</pre><pre>CertFile</pre><pre>KeyFile</pre><pre>OnGetPassword<</pre><pre>EIdOSSLLoadingRootCertError</pre><pre>EIdOSSLLoadingCertError</pre><pre>EIdOSSLLoadingKeyError</pre><pre>Uh0%F</pre><pre>TIdTCPClient</pre><pre>TIdTCPClient 3F</pre><pre>IdTCPClient</pre><pre>BoundPort</pre><pre>PortU</pre><pre>CommentURL</pre><pre>Uh.SF</pre><pre>Content-Disposition: form-data; name="%s"</pre><pre>; filename="%s"</pre><pre>Content-Type: %s</pre><pre>Unsupported operation.</pre><pre>TIdHTTPMethod</pre><pre>IdHTTP</pre><pre>TIdHTTPOption</pre><pre>TIdHTTPOptions</pre><pre>TIdHTTPProtocolVersion</pre><pre>TIdHTTPOnRedirectEvent</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPRequest</pre><pre>TIdHTTPRequest<lF><pre>TIdHTTPProtocolPmF</pre><pre>TIdCustomHTTP</pre><pre>TIdCustomHTTPPmF</pre><pre>TIdHTTP8oF</pre><pre>TIdHTTP</pre><pre>HTTPOptions</pre><pre>EIdHTTPProtocolException</pre><pre>HTTPS</pre><pre>https</pre><pre>This request method is supported in HTTP 1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/</pre><pre>http://vesterm.freehostia.com</pre><pre>http://psynergi.dk/data</pre><pre>http://kubusse.ru/data</pre><pre>http://s-elisa.ru/data</pre><pre>http://eda.ru/data</pre><pre>.freehostia.com</pre><pre>.110mb.com</pre><pre>.x10hosting.com</pre><pre>.awardspace.com</pre><pre>.exofire.net</pre><pre>.hostei.com</pre><pre>.orgfree.com</pre><pre>.h18.ru</pre><pre>.eu.pn</pre><pre>http://pushnik.freehostia.com</pre><pre>AXlove_install.exe</pre><pre>Booble-the-Game.exe</pre><pre>DaVinci_code.exe</pre><pre>PlayboyXXX.exe</pre><pre>pornolab_docs.exe</pre><pre>WinRar.exe</pre><pre>Winamp.exe</pre><pre>Snoopy_mult.exe</pre><pre>Tom-and-Jerry.exe</pre><pre>AUTO_BASE2011.exe</pre><pre>bank_transfers_2010.exe</pre><pre>Multi Password Recovery</pre><pre>*.mpf</pre><pre>/mp.exe</pre><pre>\mpr.ini</pre><pre>Key=UksDAAAARkZGCAAAAAcgeBc6NCcxCAAAADzRFyaCP0paNwAAADA1AhkA8gN8smHcJdKj7yYv4 vBIhFf8npvMwTyAhhUDUF4wF7nGPv5Y89Vz JjuWEvGmAr7MUEt7Kg</pre><pre>LeftPane=0</pre><pre>/export</pre><pre>/admin6.php</pre><pre>sdata2.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\p</pre><pre>/admin5.php</pre><pre>application/x-www-form-urlencoded</pre><pre>/stat.php</pre><pre>http://top-torrent.info/data/save_s.php</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID</pre><pre>:\aUtoRuN.iNF</pre><pre>Icon=%system%\shell32.dll,4</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srtserv</pre><pre>wininet.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData</pre><pre>explorer.exe</pre><pre>set.dat</pre><pre>/setx.txt</pre><pre>update.dat</pre><pre>http://</pre><pre>\WebMoney</pre><pre>maratl.exe</pre><pre>task.dat</pre><pre>/taskx.txt</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value1</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value2</pre><pre>sdata.dll</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>user32.dll</pre><pre>GetKeyboardType</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyExA</pre><pre>GetCPInfo</pre><pre>version.dll</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>ActivateKeyboardLayout</pre><pre>32.dllWGetLongPa</pre><pre>.jJX8</pre><pre>c.eDoE,</pre><pre>.VyDR,_</pre><pre>KERNEL32.DLL</pre><pre>ntdll.dll</pre><pre>kernel32.dllWGetLongPathN</pre><pre>nKey</pre><pre>#%'''<[[^^\\]</pre><pre>"%Â<aabm><pre>$-8GGhnsrr}</pre><pre>$-9GGggs}s</pre><pre>.oN4)</pre><pre>F%F@@</pre><pre>tCPl2</pre><pre>%Mgr.RhY4RfE5Qd:f</pre><pre>KWindows</pre><pre>0IdHTTPHeaderInfo</pre><pre> IdTCPServer</pre><pre>IdTCPStream</pre><pre>UrlMon</pre><pre>,1*;=*^\^^^</pre><pre>00000000</pre><b>%original file name%.exe_1852_rwx_00400000_00099000:</b><pre>.idata</pre><pre>.rdata</pre><pre>P.rsrc</pre><pre>P.idata</pre><pre>.text</pre><pre>.rsrc</pre><pre>kernel32.dll</pre><pre>Windows</pre><pre>MSWHEEL_ROLLMSG</pre><pre>MSH_WHEELSUPPORT_MSG</pre><pre>MSH_SCROLL_LINES_MSG</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>oleaut32.dll</pre><pre>EVariantBadIndexError</pre><pre>ssShift</pre><pre>htKeyword</pre><pre>EInvalidOperation</pre><pre>u%CNu</pre><pre>%s[%d]</pre><pre>%s_%d</pre><pre>EInvalidGraphicOperation</pre><pre>Uh.AB</pre><pre>USER32.DLL</pre><pre>comctl32.dll</pre><pre>uxtheme.dll</pre><pre>Uh%xB</pre><pre>MAPI32.DLL</pre><pre>IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")</pre><pre>JumpID("","%s")</pre><pre>TKeyEvent</pre><pre>TKeyPressEvent</pre><pre>HelpKeyword</pre><pre>crSQLWait</pre><pre>%s (%s)</pre><pre>Uh.MC</pre><pre>imm32.dll</pre><pre>AutoHotkeys</pre><pre>ssHotTrack</pre><pre>TWindowState</pre><pre>poProportional</pre><pre>TWMKey</pre><pre>KeyPreview</pre><pre>WindowState</pre><pre>OnKeyDownP</pre><pre>OnKeyPress</pre><pre>OnKeyUp(</pre><pre>System\CurrentControlSet\Control\Keyboard Layouts\%.8x</pre><pre>vcltest3.dll</pre><pre>User32.dll</pre><pre>getservbyport</pre><pre>WSAAsyncGetServByPort</pre><pre>WSAJoinLeaf</pre><pre>WS2_32.DLL</pre><pre>127.0.0.1</pre><pre>TIdSocketListWindows</pre><pre>TIdStackWindowsU</pre><pre>IdStackWindows</pre><pre>%s, %d %s %d %s %s</pre><pre>password</pre><pre>Password</pre><pre>IdHTTPHeaderInfo</pre><pre>ProxyPassword<</pre><pre>ProxyPort</pre><pre>Mozilla/3.0 (compatible; Indy Library)</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMax</pre><pre>Port@</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>libeay32.dll</pre><pre>ssleay32.dll</pre><pre>SSL_CTX_use_PrivateKey_file</pre><pre>SSL_CTX_use_certificate_file</pre><pre>SSL_get_peer_certificate</pre><pre>SSL_CTX_set_default_passwd_cb</pre><pre>SSL_CTX_set_default_passwd_cb_userdata</pre><pre>SSL_CTX_check_private_key</pre><pre>X509_STORE_CTX_get_current_cert</pre><pre>des_set_key</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Port</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>sslvrfFailIfNoPeerCert</pre><pre>TPasswordEvent</pre><pre>Certificate</pre><pre>RootCertFile</pre><pre>CertFile</pre><pre>KeyFile</pre><pre>OnGetPassword<</pre><pre>EIdOSSLLoadingRootCertError</pre><pre>EIdOSSLLoadingCertError</pre><pre>EIdOSSLLoadingKeyError</pre><pre>Uh0%F</pre><pre>TIdTCPClient</pre><pre>TIdTCPClient 3F</pre><pre>IdTCPClient</pre><pre>BoundPort</pre><pre>PortU</pre><pre>CommentURL</pre><pre>Uh.SF</pre><pre>Content-Disposition: form-data; name="%s"</pre><pre>; filename="%s"</pre><pre>Content-Type: %s</pre><pre>Unsupported operation.</pre><pre>TIdHTTPMethod</pre><pre>IdHTTP</pre><pre>TIdHTTPOption</pre><pre>TIdHTTPOptions</pre><pre>TIdHTTPProtocolVersion</pre><pre>TIdHTTPOnRedirectEvent</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPRequest</pre><pre>TIdHTTPRequest<lF><pre>TIdHTTPProtocolPmF</pre><pre>TIdCustomHTTP</pre><pre>TIdCustomHTTPPmF</pre><pre>TIdHTTP8oF</pre><pre>TIdHTTP</pre><pre>HTTPOptions</pre><pre>EIdHTTPProtocolException</pre><pre>HTTPS</pre><pre>https</pre><pre>This request method is supported in HTTP 1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/</pre><pre>http://vesterm.freehostia.com</pre><pre>http://psynergi.dk/data</pre><pre>http://kubusse.ru/data</pre><pre>http://s-elisa.ru/data</pre><pre>http://eda.ru/data</pre><pre>.freehostia.com</pre><pre>.110mb.com</pre><pre>.x10hosting.com</pre><pre>.awardspace.com</pre><pre>.exofire.net</pre><pre>.hostei.com</pre><pre>.orgfree.com</pre><pre>.h18.ru</pre><pre>.eu.pn</pre><pre>http://pushnik.freehostia.com</pre><pre>AXlove_install.exe</pre><pre>Booble-the-Game.exe</pre><pre>DaVinci_code.exe</pre><pre>PlayboyXXX.exe</pre><pre>pornolab_docs.exe</pre><pre>WinRar.exe</pre><pre>Winamp.exe</pre><pre>Snoopy_mult.exe</pre><pre>Tom-and-Jerry.exe</pre><pre>AUTO_BASE2011.exe</pre><pre>bank_transfers_2010.exe</pre><pre>Multi Password Recovery</pre><pre>*.mpf</pre><pre>/mp.exe</pre><pre>\mpr.ini</pre><pre>Key=UksDAAAARkZGCAAAAAcgeBc6NCcxCAAAADzRFyaCP0paNwAAADA1AhkA8gN8smHcJdKj7yYv4 vBIhFf8npvMwTyAhhUDUF4wF7nGPv5Y89Vz JjuWEvGmAr7MUEt7Kg</pre><pre>LeftPane=0</pre><pre>/export</pre><pre>/admin6.php</pre><pre>sdata2.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\p</pre><pre>/admin5.php</pre><pre>application/x-www-form-urlencoded</pre><pre>/stat.php</pre><pre>http://top-torrent.info/data/save_s.php</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\ProductID</pre><pre>:\aUtoRuN.iNF</pre><pre>Icon=%system%\shell32.dll,4</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srtserv</pre><pre>wininet.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData</pre><pre>explorer.exe</pre><pre>set.dat</pre><pre>/setx.txt</pre><pre>update.dat</pre><pre>http://</pre><pre>\WebMoney</pre><pre>maratl.exe</pre><pre>task.dat</pre><pre>/taskx.txt</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value1</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value2</pre><pre>sdata.dll</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>user32.dll</pre><pre>GetKeyboardType</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyExA</pre><pre>GetCPInfo</pre><pre>version.dll</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>ActivateKeyboardLayout</pre><pre>32.dllWGetLongPa</pre><pre>.jJX8</pre><pre>c.eDoE,</pre><pre>.VyDR,_</pre><pre>KERNEL32.DLL</pre><pre>ntdll.dll</pre><pre>kernel32.dllWGetLongPathN</pre><pre>nKey</pre><pre>#%'''<[[^^\\]</pre><pre>"%Â<aabm><pre>$-8GGhnsrr}</pre><pre>$-9GGggs}s</pre><pre>.oN4)</pre><pre>F%F@@</pre><pre>tCPl2</pre><pre>%Mgr.RhY4RfE5Qd:f</pre><pre>KWindows</pre><pre>0IdHTTPHeaderInfo</pre><pre> IdTCPServer</pre><pre>IdTCPStream</pre><pre>UrlMon</pre><pre>,1*;=*^\^^^</pre><b>%original file name%.exe_1852_rwx_00951000_00010000:</b><pre>kernel32.dll</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>mvkmisc.exe</pre><pre>ntdll.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value1</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value2</pre><pre>KWindows</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>SetWindowsHookExA</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>calc.exe</pre><pre>aUtoRuN.iNF</pre><pre>Invalid variant operation</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre><b>Explorer.EXE_1988_rwx_02101000_00010000:</b><pre>kernel32.dll</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>mvkmisc.exe</pre><pre>ntdll.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value1</pre><pre>Software\Microsoft\Windows\CurrentVersion\MSrtn\value2</pre><pre>KWindows</pre><pre>GetCPInfo</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>GetKeyboardType</pre><pre>SetWindowsHookExA</pre><pre>.idata</pre><pre>.reloc</pre><pre>P.rsrc</pre><pre>calc.exe</pre><pre>aUtoRuN.iNF</pre><pre>Invalid variant operation</pre><pre>External exception %x</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre></aabm></pre></lF></pre></pre></pre></pre></pre></aabm></pre></lF></pre></pre></pre></pre>