Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.BHO.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Banker, Trojan
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 1f605de28e3d9e85a620294422df2317
SHA1: f52375143db1eba501a02fdf5bef87712c3469ee
SHA256: 63d79f970884ae1d95a5e6b5279c4eeba950bb7ad317f0cceb71fa0b155ef72e
SSDeep: 24576:jWK2TBOtR0aG8cqYUl3LY Jh3GtB48ag3dtm:j5gAtR0aG8vbfJI4pQtm
Size: 823609 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-07 10:46:10
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
ctfmon.exe:252
srankingp.exe:3928
srankingp.exe:3612
845eb.tmp:3268
SRankingPopView_05_update_20130611.exe:3276
SRankingPopView_05_update_20130611.exe:3236
79354.exe:3300
79018.tmp:2176
%original file name%.exe:3284
846c6.exe:3248
The Trojan-PSW injects its code into the following process(es):
regsvr32.exe:3776
regsvr32.exe:1936
File activity
The process srankingp.exe:3928 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\SRankingPopView_05_update_20130611[1].exe (111866 bytes)
%Documents and Settings%\%current user%\Application Data\SRankingPopView_05_update_20130611.exe (58376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
The process 845eb.tmp:3268 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\846c6.exe (1616 bytes)
%Documents and Settings%\%current user%\Application Data\SRankingPopView_05_update_20130611.exe (1761 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\SRankingPopView_05_update_20130611.exe (0 bytes)
The process SRankingPopView_05_update_20130611.exe:3276 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\UnProtectMode.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (4 bytes)
C:\DelUS.bat (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\KillProcDLL.dll (784 bytes)
%Program Files%\SRankingPopView\srankingdc.exe (34773 bytes)
%Program Files%\SRankingPopView\uninstall.exe (1549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (41983 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\IEKill.dll (784 bytes)
%Program Files%\SRankingPopView\sranking.dll (6584 bytes)
%Program Files%\SRankingPopView\srankingp.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\DLLWebCount.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\SelfDelete.dll (784 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\UnProtectMode.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\IEKill.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\DLLWebCount.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\SelfDelete.dll (0 bytes)
The process SRankingPopView_05_update_20130611.exe:3236 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\845eb.tmp (5873 bytes)
The process 79354.exe:3300 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
C:\PROGRAM FILES (8 bytes)
%System%\drivers\09803160.sys (28 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%System%\wbem (1160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
%System%\version.dll (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqH7qhYYhV.dll (119 bytes)
%System%\config\software.LOG (12072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\U5ud7by.dll (119 bytes)
%System%\godlion.dll (196 bytes)
%WinDir% (96 bytes)
C:\$Directory (128 bytes)
%System%\vorsion.dll (18 bytes)
%Program Files%\SRankingPopView (4 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (7915 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (9678 bytes)
%System%\config (4 bytes)
%System%\drivers\752b04e6.sys (72 bytes)
%System%\drivers (4 bytes)
%System%\config\software (4767 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (3632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (11197 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%System% (12320 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\EU882P3A.txt (0 bytes)
%System%\drivers\09803160.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\JK0ZZRA2.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\MGI9BYQN.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\TVQFYKIK.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\CNLPSAS7.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\MU6TQKFF.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\VTW0E77D.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\9CUEXINV.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\GEW5B9X2.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\HPK4L4V7.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\4NM96XJ2.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\83R0WJES.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\L92RAFFM.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\PY4CQK11.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\KJWHN2KF.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\AFAW0ZJH.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\LMTG02V5.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\J38WTN19.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\AGQF9B5H.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\TQJTOFKH.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\FUZBGJEL.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\86P32JSK.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\21S1S12T.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\UVGQDFD4.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\3XNCDN2V.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\5DO19V3G.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\VI1D65BO.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\282UZDIJ.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\13KJ53OP.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\93J9L024.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\3QE1QHRN.txt (0 bytes)
The process 79018.tmp:2176 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
C:\%original file name%.exe (1756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\79354.exe (1616 bytes)
The Trojan-PSW deletes the following file(s):
C:\1F605DE28E3D9E85A620294422DF2317.EXE (0 bytes)
The process %original file name%.exe:3284 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\IEKill.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp (4 bytes)
C:\DelUS.bat (138 bytes)
%Program Files%\SRankingPopView\srankingdc.exe (34773 bytes)
%Program Files%\SRankingPopView\uninstall.exe (1549 bytes)
%Program Files%\SRankingPopView\sranking.dll (6584 bytes)
%Program Files%\SRankingPopView\srankingp.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\DLLWebCount.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\SelfDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (42602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\UnProtectMode.dll (7192 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\IEKill.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\DLLWebCount.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\SelfDelete.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\UnProtectMode.dll (0 bytes)
The process 846c6.exe:3248 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%System%\drivers\09803160.sys (28 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%System%\version.dll (58 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (2140 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%System%\drivers\752b04e6.sys (72 bytes)
%System%\config\software.LOG (12688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\KillProcDLL.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%Documents and Settings%\All Users (4 bytes)
%System%\godlion.dll (196 bytes)
%WinDir% (152 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
C:\$Directory (1584 bytes)
%System%\vorsion.dll (18 bytes)
%Program Files%\SRankingPopView (4 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
C:\PROGRAM FILES (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (25285 bytes)
%System%\config (4 bytes)
%System%\wbem (96 bytes)
%System%\drivers (484 bytes)
%System%\config\software (5443 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\IETldCache\index.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awi.dll (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YBDeiyJ.dll (119 bytes)
%System% (3192 bytes)
%Documents and Settings%\%current user%\Cookies (4 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (0 bytes)
%System%\drivers\752b04e6.sys (0 bytes)
%System%\drivers\09803160.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (0 bytes)
Registry activity
The process ctfmon.exe:252 makes changes in the system registry.
The Trojan-PSW deletes the following value(s) in system registry:
The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process srankingp.exe:3928 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCR\TypeLib\{D931C7FC-C1AF-447D-936E-393DA0253134}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"SRankingPopView_05_update_20130611.exe" = "SRankingPopView_05_update_20130611"
[HKCU\Software\sranking]
"ip" = "184.107.38.38"
[HKCR\TypeLib\{D931C7FC-C1AF-447D-936E-393DA0253134}\1.0\0\win32]
"(Default)" = "%Program Files%\SRankingPopView\srankingp.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\srankingp.Application]
"(Default)" = "srankingp.Application"
[HKCU\Software\sranking]
"live" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\InprocHandler32]
"(Default)" = "ole32.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\sranking]
"time_1" = "1"
[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\sranking]
"time_2" = "9999"
[HKCR\TypeLib\{D931C7FC-C1AF-447D-936E-393DA0253134}\1.0]
"(Default)" = "srankingp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\LocalServer32]
"(Default)" = "C:\PROGRA~1\SRANKI~1\SRANKI~2.EXE"
[HKCR\srankingp.Application\CLSID]
"(Default)" = "{29437417-824D-4E51-86EE-98925FDC2892}"
[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}]
"(Default)" = "Isrankingp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\sranking]
"scatterdt" = "20140204"
[HKCR\TypeLib\{D931C7FC-C1AF-447D-936E-393DA0253134}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}\TypeLib]
"(Default)" = "{D931C7FC-C1AF-447D-936E-393DA0253134}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 B6 43 14 24 51 63 C2 AF 15 D9 5F C3 D8 AF 46"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\ProgID]
"(Default)" = "srankingp.Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\sranking]
"verup" = "20130611"
[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}]
"(Default)" = "srankingp.Application"
[HKCU\Software\sranking]
"srankudt" = "20140204"
The Trojan-PSW modifies IE security-zone settings so that all local web-nodes with no dots that do not refer to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\sranking\Queue]
"bz09"
"bz00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\sranking]
"ust"
[HKCU\Software\sranking\Queue]
"sc01"
"sc00"
"bz01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\sranking\Queue]
"bz03"
"bz02"
"bz05"
"bz04"
"bz07"
"bz06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\sranking\Queue]
"bz08"
[HKCU\Software\sranking]
"ust3"
"ust2"
"wp"
The process srankingp.exe:3612 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 AE C4 52 AB 85 A2 2D A7 F6 B9 BA 99 87 1E D5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\InprocHandler32]
"(Default)" = "ole32.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\ProgID]
"(Default)" = "srankingp.Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\LocalServer32]
"(Default)" = "C:\PROGRA~1\SRANKI~1\SRANKI~2.EXE"
[HKCR\srankingp.Application\CLSID]
"(Default)" = "{29437417-824D-4E51-86EE-98925FDC2892}"
The Trojan-PSW modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security-zone settings so that all local web-nodes with no dots that do not refer to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 845eb.tmp:3268 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\79018.tmp, , \??\%System%\eowy, \??\%System%\eowy, \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\845eb.tmp,"
The process SRankingPopView_05_update_20130611.exe:3276 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCR\AppID\{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}]
"(Default)" = "scattertap"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\scattertap.scattertapSO\CLSID]
"(Default)" = "{4486A2C8-DAE1-4862-9265-2F4948F9F980}"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\ProgID]
"(Default)" = "scattertap.scattertapSO.1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}]
"Policy" = "3"
"AppName" = "srankingp.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\scattertap.scattertapSO]
"(Default)" = "scattertapSO Class"
[HKCR\scattertap.scattertapSO\CurVer]
"(Default)" = "scattertap.scattertapSO.1"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\VersionIndependentProgID]
"(Default)" = "scattertap.scattertapSO"
[HKCU\Software\sranking\dcdata]
"Ver_Sb2" = "20130611"
[HKCU\Software\sranking]
"nid" = "sranking05"
[HKCU\Software\sranking\dcdata]
"Ver_Sb1" = "20130611"
[HKCR\AppID\scattertap.DLL]
"AppID" = "{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
"(Default)" = "%Program Files%\SRankingPopView\sranking.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\TypeLib]
"(Default)" = "{6F820A4F-7B46-4DA8-B296-E736C79135CD}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"NoExplorer" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\scattertap.scattertapSO.1]
"(Default)" = "scattertapSO Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"DisplayIcon" = "%Program Files%\SRankingPopView\uninstall.exe"
[HKCR\scattertap.scattertapSO.1\CLSID]
"(Default)" = "{4486A2C8-DAE1-4862-9265-2F4948F9F980}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"DisplayName" = "Windows SRankingPopView"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"(Default)" = "Styleranking Popview Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 97 3F 8A 34 01 84 55 20 76 78 5A 29 68 B6 43"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"(Default)" = "Styleranking Popview Class"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}]
"AppPath" = "%Program Files%\SRankingPopView\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"UninstallString" = "%Program Files%\SRankingPopView\uninstall.exe"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"AppID" = "{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopView" = "%Program Files%\SRankingPopView\srankingp.exe Runcmd"
The Trojan-PSW modifies IE security-zone settings so that all local web-nodes with no dots that do not refer to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopViewupdate" = "%Program Files%\SRankingPopView\srankingdc.exe"
The Trojan-PSW deletes the following registry key(s):
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\ProgID]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\TypeLib]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\VersionIndependentProgID]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\Programmable]
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 79354.exe:3300 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F E4 A6 1D 01 D1 A1 31 61 31 91 D5 6C 8C 00 72"
[HKCR\CLSID\SYS_DLL]
"name" = "U5ud7by.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\HOOK_ID]
"name" = "79354.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\79018.tmp, , \??\%System%\eowy, \??\%System%\eowy"
The Trojan-PSW modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security-zone settings so that all local web-nodes with no dots that do not refer to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"
"ProxyServer"
The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"
The process 79018.tmp:2176 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\79018.tmp,"
The process regsvr32.exe:3776 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32]
"(Default)" = "%System%\godlion.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\godlion.dll"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"
[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"
[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"
[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 BD 3F EC 76 A8 23 63 F1 FD AD 65 B6 1B 2E 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}]
"(Default)" = "IIEHlprObj"
[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR]
"(Default)" = "%System%\"
[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"
[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS]
"(Default)" = "0"
The process regsvr32.exe:1936 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 32 E7 67 D0 E9 12 53 46 AC F2 2F B2 77 65 09"
[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"
[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\godlion.dll"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"
[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"
The Trojan-PSW deletes the following registry key(s):
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\Programmable]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
The process %original file name%.exe:3284 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}]
"(Default)" = "scattertap"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\scattertap.scattertapSO\CLSID]
"(Default)" = "{4486A2C8-DAE1-4862-9265-2F4948F9F980}"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\ProgID]
"(Default)" = "scattertap.scattertapSO.1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}]
"Policy" = "3"
"AppName" = "srankingp.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{6F820A4F-7B46-4DA8-B296-E736C79135CD}\1.0\HELPDIR]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\scattertap.scattertapSO]
"(Default)" = "scattertapSO Class"
[HKCR\scattertap.scattertapSO\CurVer]
"(Default)" = "scattertap.scattertapSO.1"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\VersionIndependentProgID]
"(Default)" = "scattertap.scattertapSO"
[HKCU\Software\sranking\dcdata]
"Ver_Sb2" = "20130513"
[HKCU\Software\sranking]
"nid" = "sranking05"
[HKCU\Software\sranking\dcdata]
"Ver_Sb1" = "20130513"
[HKCR\AppID\scattertap.DLL]
"AppID" = "{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
"(Default)" = "%Program Files%\SRankingPopView\sranking.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\TypeLib\{6F820A4F-7B46-4DA8-B296-E736C79135CD}\1.0]
"(Default)" = "scattertap 1.0 형식 라이브러리"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\TypeLib]
"(Default)" = "{6F820A4F-7B46-4DA8-B296-E736C79135CD}"
[HKCR\TypeLib\{6F820A4F-7B46-4DA8-B296-E736C79135CD}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}]
"(Default)" = "IscattertapSO"
[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"NoExplorer" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\scattertap.scattertapSO.1]
"(Default)" = "scattertapSO Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"DisplayIcon" = "%Program Files%\SRankingPopView\uninstall.exe"
[HKCR\scattertap.scattertapSO.1\CLSID]
"(Default)" = "{4486A2C8-DAE1-4862-9265-2F4948F9F980}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"DisplayName" = "Windows SRankingPopView"
[HKCR\TypeLib\{6F820A4F-7B46-4DA8-B296-E736C79135CD}\1.0\0\win32]
"(Default)" = "%Program Files%\SRankingPopView\sranking.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"(Default)" = "Styleranking Popview Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 7D 60 E6 21 4A 2C 79 B3 EB 3B B9 BF B6 89 DF"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"(Default)" = "Styleranking Popview Class"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}]
"AppPath" = "%Program Files%\SRankingPopView\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"UninstallString" = "%Program Files%\SRankingPopView\uninstall.exe"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\TypeLib]
"(Default)" = "{6F820A4F-7B46-4DA8-B296-E736C79135CD}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"AppID" = "{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopView" = "%Program Files%\SRankingPopView\srankingp.exe Runcmd"
The Trojan-PSW modifies IE security-zone settings so that all local web nodes with no dots in their names, which otherwise belong to no zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopViewupdate" = "%Program Files%\SRankingPopView\srankingdc.exe"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 846c6.exe:3248 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 0E 3D F8 A9 0E D9 20 80 A6 AF A8 EA 2A 83 DA"
[HKCR\CLSID\SYS_DLL]
"name" = "awi.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\HOOK_ID]
"name" = "846c6.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\79018.tmp, , \??\%System%\eowy, \??\%System%\eowy, \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\845eb.tmp, , \??\%System%\fGwAk, \??\%System%\fGwAk"
The Trojan-PSW modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security-zone settings so that all local web nodes with no dots in their names, which otherwise belong to no zone, are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
URL | IP |
---|---|
hxxp://121.78.93.6/_sadmin/cnt/index.php?pid=sranking05&type=11 | |
hxxp://121.78.93.6/ranking/set.php | |
hxxp://sranking.co.kr/_sadmin/cnt/index.php?pid=sranking05&type=7 | 121.78.93.6 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\drivers\752b04e6.sys", the Trojan-PSW controls the loading of executable images into memory by installing a load-image notifier.
The Trojan-PSW installs the following kernel-mode hooks:
ZwCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
srankingp.exe:3928
srankingp.exe:3612
845eb.tmp:3268
SRankingPopView_05_update_20130611.exe:3276
SRankingPopView_05_update_20130611.exe:3236
79354.exe:3300
79018.tmp:2176
%original file name%.exe:3284
846c6.exe:3248
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\SRankingPopView_05_update_20130611[1].exe (111866 bytes)
%Documents and Settings%\%current user%\Application Data\SRankingPopView_05_update_20130611.exe (58376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\846c6.exe (1616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\UnProtectMode.dll (7192 bytes)
C:\DelUS.bat (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\KillProcDLL.dll (784 bytes)
%Program Files%\SRankingPopView\srankingdc.exe (34773 bytes)
%Program Files%\SRankingPopView\uninstall.exe (1549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (41983 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\IEKill.dll (784 bytes)
%Program Files%\SRankingPopView\sranking.dll (6584 bytes)
%Program Files%\SRankingPopView\srankingp.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\DLLWebCount.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\SelfDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\845eb.tmp (5873 bytes)
C:\PROGRAM FILES (8 bytes)
%System%\drivers\09803160.sys (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%System%\wbem (1160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
%System%\version.dll (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqH7qhYYhV.dll (119 bytes)
%System%\config\software.LOG (12072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\U5ud7by.dll (119 bytes)
%System%\godlion.dll (196 bytes)
C:\$Directory (128 bytes)
%System%\vorsion.dll (18 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (7915 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (9678 bytes)
%System%\drivers\752b04e6.sys (72 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (3632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (11197 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
C:\%original file name%.exe (1756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\79354.exe (1616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\IEKill.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\DLLWebCount.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\SelfDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\UnProtectMode.dll (7192 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (25285 bytes)
%Documents and Settings%\%current user%\IETldCache\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awi.dll (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YBDeiyJ.dll (119 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopView" = "%Program Files%\SRankingPopView\srankingp.exe Runcmd"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopViewupdate" = "%Program Files%\SRankingPopView\srankingdc.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.