Trojan.Win32.Inject.kzkj (Kaspersky), Trojan.Agent.BCNE (AdAware), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: add6d1417b776e53e6168c4336a259be
SHA1: acb2c2bea4db1273d3907e6b7545713212ebbce9
SHA256: b065dd3ff590d37ea64aad14c056a24c49699a8be8064fd113fba1b96eb24f81
SSDeep: 3072:H12lety33LY049YEypfrd1tLrBrNndPwu6tPDhgcYpPiuJmxDWg77PJlgMEtebZf:H16Sh9Y1frvTIu6dPLDWiJlC8NMEWi
Size: 234344 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1970-02-08 21:16:42
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
ehqon.exe:308
ehqon.exe:1024
%original file name%.exe:1348
%original file name%.exe:1112
tmpe67c524a.exe:348
The Backdoor injects its code into the following process(es):
tmpe67c524a.exe:2004
Explorer.EXE:692
File activity
The process %original file name%.exe:1112 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp10f4e2e1.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Incueh\ehqon.exe (234 bytes)
Registry activity
The process ehqon.exe:308 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 9D BB D6 36 55 38 EA 4E 08 19 68 BB 1D F9 71"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process ehqon.exe:1024 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 75 E5 25 DF 7A 12 C7 78 F3 D9 0B 9F A4 8D 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process %original file name%.exe:1348 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 13 01 AB 3D 4E DF DF 44 73 82 7D EF 54 7D C8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1112 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 61 D2 35 67 F7 6E 4D 13 8F 8E 03 D5 1C C5 73"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process tmpe67c524a.exe:348 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D C7 D3 AD 0D A6 4F 8B 77 BC 48 C6 EF 93 B8 9A"
[HKCU\Software\Microsoft\Evki]
"Piohuwus" = "A6 DA 8C BC 5C 22 15 92 01 63 7E C1 D5 88 58 E0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Evki]
"Ceyqko" = "D0 82 CF 81 BC BB 31 CF 96 D0 AA 9F 4C C1 56 E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableSPDY3_0" = "0"
The Backdoor modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE security-zone settings to map all local web nodes without dots that are not assigned to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process tmpe67c524a.exe:2004 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 1F 7C 53 B0 90 66 4F D8 F5 7E C5 F7 07 CD 88"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Dropped PE files
MD5 | File path |
---|---|
4000e3bbd8062f2eca45283605449963 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Incueh\ehqon.exe |
f30760c11bc109881f09dd68e0ddfc14 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmpe67c524a.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Backdoor installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpOpenRequestW
InternetConnectW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
HttpOpenRequestA
The Backdoor installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Backdoor installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Backdoor installs the following user-mode hooks in WS2_32.dll:
WSASend
WSARecv
send
closesocket
The Backdoor installs the following user-mode hooks in kernel32.dll:
GetFileAttributesExW
The Backdoor installs the following user-mode hooks in ntdll.dll:
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ehqon.exe:308
ehqon.exe:1024
%original file name%.exe:1348
%original file name%.exe:1112
tmpe67c524a.exe:348
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\tmp10f4e2e1.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Incueh\ehqon.exe (234 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
(blank) | 4096 | 18688 | 24576 | 3.91636 | 393239ad5ab74473217dcaebceb3d9b3 |
.rdata | 24576 | 8192 | 8192 | 3.10919 | 2b01e57ab818dc0032d03c45ea62ac5d |
.data | 32768 | 88 | 4096 | 1.63741 | 980f31edbd919841561206877adad727 |
.rsrc | 36864 | 4866 | 8192 | 2.23014 | 8b4f366165e9400cc42a85bb0240641e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.google.com/webhp | 74.125.226.179 |
hxxp://www.google.ca/webhp?gfe_rd=cr&ei=iM9AU6CzCqSi8wef14GgDg | 74.125.226.191 |
tmp71.edns.su | 109.235.51.131 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.ca/webhp?gfe_rd=cr&ei=iM9AU6CzCqSi8wef14GgDg
Content-Length: 263
Date: Sun, 06 Apr 2014 03:52:40 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.ca/webhp?gfe_rd=cr&ei=iM9AU6CzCqSi8wef14GgDg">here</A>...</BODY></HTML>....
GET /webhp?gfe_rd=cr&ei=iM9AU6CzCqSi8wef14GgDg HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cache-Control: no-cache
Host: VVV.google.ca
HTTP/1.1 200 OK
Date: Sun, 06 Apr 2014 03:52:40 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=49db4bf8ef1608fb:FF=0:TM=1396756360:LM=1396756360:S=2ycHA0Y4I0kwb5DP; expires=Tue, 05-Apr-2016 03:52:40 GMT; path=/; domain=.google.ca
Set-Cookie: NID=67=tJzpUdJzWSUpTWwmE0KRAMIOFmhQz-7bx4VAfvp-wf1hhrUdppyPVUnmYccnJQ2trrykhJy2Gp4G-Sia5h6bUDD-T128tDJ4IqeIyTSiiIYUnf0UE_Th4mlvwL9oM64r; expires=Mon, 06-Oct-2014 03:52:40 GMT; path=/; domain=.google.ca; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Connection: close
Strings from Dumps