Skip to main content

TrojanPSW.Win32.MSNPassword_1f605de28e


Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.BHO.FD, BankerGeneric.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Banker, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1f605de28e3d9e85a620294422df2317

SHA1: f52375143db1eba501a02fdf5bef87712c3469ee

SHA256: 63d79f970884ae1d95a5e6b5279c4eeba950bb7ad317f0cceb71fa0b155ef72e

SSDeep: 24576:jWK2TBOtR0aG8cqYUl3LY Jh3GtB48ag3dtm:j5gAtR0aG8vbfJI4pQtm

Size: 823609 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-01-07 10:46:10

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

ctfmon.exe:252
srankingp.exe:3928
srankingp.exe:3612
845eb.tmp:3268
SRankingPopView_05_update_20130611.exe:3276
SRankingPopView_05_update_20130611.exe:3236
79354.exe:3300
79018.tmp:2176
%original file name%.exe:3284
846c6.exe:3248

The Trojan-PSW injects its code into the following process(es):

regsvr32.exe:3776
regsvr32.exe:1936

File activity

The process srankingp.exe:3928 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\SRankingPopView_05_update_20130611[1].exe (111866 bytes)
%Documents and Settings%\%current user%\Application Data\SRankingPopView_05_update_20130611.exe (58376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)

The process 845eb.tmp:3268 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\846c6.exe (1616 bytes)
%Documents and Settings%\%current user%\Application Data\SRankingPopView_05_update_20130611.exe (1761 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\SRankingPopView_05_update_20130611.exe (0 bytes)

The process SRankingPopView_05_update_20130611.exe:3276 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\UnProtectMode.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (4 bytes)
C:\DelUS.bat (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\KillProcDLL.dll (784 bytes)
%Program Files%\SRankingPopView\srankingdc.exe (34773 bytes)
%Program Files%\SRankingPopView\uninstall.exe (1549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (41983 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\IEKill.dll (784 bytes)
%Program Files%\SRankingPopView\sranking.dll (6584 bytes)
%Program Files%\SRankingPopView\srankingp.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\DLLWebCount.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\SelfDelete.dll (784 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\UnProtectMode.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\IEKill.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\DLLWebCount.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\SelfDelete.dll (0 bytes)

The process SRankingPopView_05_update_20130611.exe:3236 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\845eb.tmp (5873 bytes)

The process 79354.exe:3300 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

C:\PROGRAM FILES (8 bytes)
%System%\drivers\09803160.sys (28 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%System%\wbem (1160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
%System%\version.dll (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqH7qhYYhV.dll (119 bytes)
%System%\config\software.LOG (12072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\U5ud7by.dll (119 bytes)
%System%\godlion.dll (196 bytes)
%WinDir% (96 bytes)
C:\$Directory (128 bytes)
%System%\vorsion.dll (18 bytes)
%Program Files%\SRankingPopView (4 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (7915 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (9678 bytes)
%System%\config (4 bytes)
%System%\drivers\752b04e6.sys (72 bytes)
%System%\drivers (4 bytes)
%System%\config\software (4767 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (3632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (11197 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%System% (12320 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\EU882P3A.txt (0 bytes)
%System%\drivers\09803160.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\JK0ZZRA2.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\MGI9BYQN.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\TVQFYKIK.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\CNLPSAS7.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\MU6TQKFF.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\VTW0E77D.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\9CUEXINV.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\GEW5B9X2.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\HPK4L4V7.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\4NM96XJ2.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\83R0WJES.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\L92RAFFM.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\PY4CQK11.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\KJWHN2KF.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\AFAW0ZJH.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\LMTG02V5.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\J38WTN19.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\AGQF9B5H.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\TQJTOFKH.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\FUZBGJEL.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\86P32JSK.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\21S1S12T.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\UVGQDFD4.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\3XNCDN2V.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\5DO19V3G.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\VI1D65BO.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\282UZDIJ.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\13KJ53OP.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\93J9L024.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\3QE1QHRN.txt (0 bytes)

The process 79018.tmp:2176 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

C:\%original file name%.exe (1756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\79354.exe (1616 bytes)

The Trojan-PSW deletes the following file(s):

C:\1F605DE28E3D9E85A620294422DF2317.EXE (0 bytes)

The process %original file name%.exe:3284 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\IEKill.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp (4 bytes)
C:\DelUS.bat (138 bytes)
%Program Files%\SRankingPopView\srankingdc.exe (34773 bytes)
%Program Files%\SRankingPopView\uninstall.exe (1549 bytes)
%Program Files%\SRankingPopView\sranking.dll (6584 bytes)
%Program Files%\SRankingPopView\srankingp.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\DLLWebCount.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\SelfDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (42602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\UnProtectMode.dll (7192 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\IEKill.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\DLLWebCount.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\SelfDelete.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\UnProtectMode.dll (0 bytes)

The process 846c6.exe:3248 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%System%\drivers\09803160.sys (28 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%System%\version.dll (58 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (2140 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%System%\drivers\752b04e6.sys (72 bytes)
%System%\config\software.LOG (12688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\KillProcDLL.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%Documents and Settings%\All Users (4 bytes)
%System%\godlion.dll (196 bytes)
%WinDir% (152 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
C:\$Directory (1584 bytes)
%System%\vorsion.dll (18 bytes)
%Program Files%\SRankingPopView (4 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
C:\PROGRAM FILES (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (25285 bytes)
%System%\config (4 bytes)
%System%\wbem (96 bytes)
%System%\drivers (484 bytes)
%System%\config\software (5443 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\IETldCache\index.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awi.dll (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YBDeiyJ.dll (119 bytes)
%System% (3192 bytes)
%Documents and Settings%\%current user%\Cookies (4 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (0 bytes)
%System%\drivers\752b04e6.sys (0 bytes)
%System%\drivers\09803160.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (0 bytes)

Registry activity

The process ctfmon.exe:252 makes changes in the system registry.


The Trojan-PSW deletes the following value(s) in system registry:


The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process srankingp.exe:3928 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKCR\TypeLib\{D931C7FC-C1AF-447D-936E-393DA0253134}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"SRankingPopView_05_update_20130611.exe" = "SRankingPopView_05_update_20130611"

[HKCU\Software\sranking]
"ip" = "184.107.38.38"

[HKCR\TypeLib\{D931C7FC-C1AF-447D-936E-393DA0253134}\1.0\0\win32]
"(Default)" = "%Program Files%\SRankingPopView\srankingp.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\srankingp.Application]
"(Default)" = "srankingp.Application"

[HKCU\Software\sranking]
"live" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\InprocHandler32]
"(Default)" = "ole32.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\sranking]
"time_1" = "1"

[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\sranking]
"time_2" = "9999"

[HKCR\TypeLib\{D931C7FC-C1AF-447D-936E-393DA0253134}\1.0]
"(Default)" = "srankingp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\LocalServer32]
"(Default)" = "C:\PROGRA~1\SRANKI~1\SRANKI~2.EXE"

[HKCR\srankingp.Application\CLSID]
"(Default)" = "{29437417-824D-4E51-86EE-98925FDC2892}"

[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}]
"(Default)" = "Isrankingp"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\sranking]
"scatterdt" = "20140204"

[HKCR\TypeLib\{D931C7FC-C1AF-447D-936E-393DA0253134}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{40829F0A-C07C-442C-B2E4-98DE600BFBB2}\TypeLib]
"(Default)" = "{D931C7FC-C1AF-447D-936E-393DA0253134}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 B6 43 14 24 51 63 C2 AF 15 D9 5F C3 D8 AF 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\ProgID]
"(Default)" = "srankingp.Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\sranking]
"verup" = "20130611"

[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}]
"(Default)" = "srankingp.Application"

[HKCU\Software\sranking]
"srankudt" = "20140204"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\sranking\Queue]
"bz09"
"bz00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\sranking]
"ust"

[HKCU\Software\sranking\Queue]
"sc01"
"sc00"
"bz01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\sranking\Queue]
"bz03"
"bz02"
"bz05"
"bz04"
"bz07"
"bz06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\sranking\Queue]
"bz08"

[HKCU\Software\sranking]
"ust3"
"ust2"
"wp"

The process srankingp.exe:3612 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 AE C4 52 AB 85 A2 2D A7 F6 B9 BA 99 87 1E D5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\InprocHandler32]
"(Default)" = "ole32.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\ProgID]
"(Default)" = "srankingp.Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\CLSID\{29437417-824D-4E51-86EE-98925FDC2892}\LocalServer32]
"(Default)" = "C:\PROGRA~1\SRANKI~1\SRANKI~2.EXE"

[HKCR\srankingp.Application\CLSID]
"(Default)" = "{29437417-824D-4E51-86EE-98925FDC2892}"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 845eb.tmp:3268 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\79018.tmp, , \??\%System%\eowy, \??\%System%\eowy, \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\845eb.tmp,"

The process SRankingPopView_05_update_20130611.exe:3276 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKCR\AppID\{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}]
"(Default)" = "scattertap"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\scattertap.scattertapSO\CLSID]
"(Default)" = "{4486A2C8-DAE1-4862-9265-2F4948F9F980}"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\ProgID]
"(Default)" = "scattertap.scattertapSO.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}]
"Policy" = "3"
"AppName" = "srankingp.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\scattertap.scattertapSO]
"(Default)" = "scattertapSO Class"

[HKCR\scattertap.scattertapSO\CurVer]
"(Default)" = "scattertap.scattertapSO.1"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\VersionIndependentProgID]
"(Default)" = "scattertap.scattertapSO"

[HKCU\Software\sranking\dcdata]
"Ver_Sb2" = "20130611"

[HKCU\Software\sranking]
"nid" = "sranking05"

[HKCU\Software\sranking\dcdata]
"Ver_Sb1" = "20130611"

[HKCR\AppID\scattertap.DLL]
"AppID" = "{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
"(Default)" = "%Program Files%\SRankingPopView\sranking.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\TypeLib]
"(Default)" = "{6F820A4F-7B46-4DA8-B296-E736C79135CD}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"NoExplorer" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\scattertap.scattertapSO.1]
"(Default)" = "scattertapSO Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"DisplayIcon" = "%Program Files%\SRankingPopView\uninstall.exe"

[HKCR\scattertap.scattertapSO.1\CLSID]
"(Default)" = "{4486A2C8-DAE1-4862-9265-2F4948F9F980}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"DisplayName" = "Windows SRankingPopView"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"(Default)" = "Styleranking Popview Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 97 3F 8A 34 01 84 55 20 76 78 5A 29 68 B6 43"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"(Default)" = "Styleranking Popview Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}]
"AppPath" = "%Program Files%\SRankingPopView\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"UninstallString" = "%Program Files%\SRankingPopView\uninstall.exe"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"AppID" = "{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopView" = "%Program Files%\SRankingPopView\srankingp.exe Runcmd"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopViewupdate" = "%Program Files%\SRankingPopView\srankingdc.exe"

The Trojan-PSW deletes the following registry key(s):

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\ProgID]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\TypeLib]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\VersionIndependentProgID]
[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\Programmable]

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 79354.exe:3300 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F E4 A6 1D 01 D1 A1 31 61 31 91 D5 6C 8C 00 72"

[HKCR\CLSID\SYS_DLL]
"name" = "U5ud7by.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\HOOK_ID]
"name" = "79354.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\79018.tmp, , \??\%System%\eowy, \??\%System%\eowy"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

"ProxyOverride"
"ProxyServer"

The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"

The process 79018.tmp:2176 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\79018.tmp,"

The process regsvr32.exe:3776 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32]
"(Default)" = "%System%\godlion.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\godlion.dll"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"

[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 BD 3F EC 76 A8 23 63 F1 FD AD 65 B6 1B 2E 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}]
"(Default)" = "IIEHlprObj"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS]
"(Default)" = "0"

The process regsvr32.exe:1936 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 32 E7 67 D0 E9 12 53 46 AC F2 2F B2 77 65 09"

[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\godlion.dll"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"

The Trojan-PSW deletes the following registry key(s):

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\Programmable]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]

The process %original file name%.exe:3284 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}]
"(Default)" = "scattertap"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\scattertap.scattertapSO\CLSID]
"(Default)" = "{4486A2C8-DAE1-4862-9265-2F4948F9F980}"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\ProgID]
"(Default)" = "scattertap.scattertapSO.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}]
"Policy" = "3"
"AppName" = "srankingp.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\TypeLib\{6F820A4F-7B46-4DA8-B296-E736C79135CD}\1.0\HELPDIR]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\scattertap.scattertapSO]
"(Default)" = "scattertapSO Class"

[HKCR\scattertap.scattertapSO\CurVer]
"(Default)" = "scattertap.scattertapSO.1"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\VersionIndependentProgID]
"(Default)" = "scattertap.scattertapSO"

[HKCU\Software\sranking\dcdata]
"Ver_Sb2" = "20130513"

[HKCU\Software\sranking]
"nid" = "sranking05"

[HKCU\Software\sranking\dcdata]
"Ver_Sb1" = "20130513"

[HKCR\AppID\scattertap.DLL]
"AppID" = "{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
"(Default)" = "%Program Files%\SRankingPopView\sranking.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\TypeLib\{6F820A4F-7B46-4DA8-B296-E736C79135CD}\1.0]
"(Default)" = "scattertap 1.0 Çü½Ä ¶óÀ̺귯¸®"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\TypeLib]
"(Default)" = "{6F820A4F-7B46-4DA8-B296-E736C79135CD}"

[HKCR\TypeLib\{6F820A4F-7B46-4DA8-B296-E736C79135CD}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}]
"(Default)" = "IscattertapSO"

[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"NoExplorer" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\scattertap.scattertapSO.1]
"(Default)" = "scattertapSO Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"DisplayIcon" = "%Program Files%\SRankingPopView\uninstall.exe"

[HKCR\scattertap.scattertapSO.1\CLSID]
"(Default)" = "{4486A2C8-DAE1-4862-9265-2F4948F9F980}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"DisplayName" = "Windows SRankingPopView"

[HKCR\TypeLib\{6F820A4F-7B46-4DA8-B296-E736C79135CD}\1.0\0\win32]
"(Default)" = "%Program Files%\SRankingPopView\sranking.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"(Default)" = "Styleranking Popview Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 7D 60 E6 21 4A 2C 79 B3 EB 3B B9 BF B6 89 DF"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"(Default)" = "Styleranking Popview Class"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F973817F-8D70-4b6b-BB7E-AAB4DB45463C}]
"AppPath" = "%Program Files%\SRankingPopView\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SRankingPopView uninstall]
"UninstallString" = "%Program Files%\SRankingPopView\uninstall.exe"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{D28445FF-A45D-486F-B682-2FE8196555F7}\TypeLib]
"(Default)" = "{6F820A4F-7B46-4DA8-B296-E736C79135CD}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]
"AppID" = "{889F12BD-FA8E-4D33-ACE0-EBB68BC44AA3}"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopView" = "%Program Files%\SRankingPopView\srankingp.exe Runcmd"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SRankingPopViewupdate" = "%Program Files%\SRankingPopView\srankingdc.exe"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 846c6.exe:3248 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 0E 3D F8 A9 0E D9 20 80 A6 AF A8 EA 2A 83 DA"

[HKCR\CLSID\SYS_DLL]
"name" = "awi.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\HOOK_ID]
"name" = "846c6.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\79018.tmp, , \??\%System%\eowy, \??\%System%\eowy, \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\845eb.tmp, , \??\%System%\fGwAk, \??\%System%\fGwAk"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4486A2C8-DAE1-4862-9265-2F4948F9F980}]

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://121.78.93.6/_sadmin/cnt/index.php?pid=sranking05&type=11
hxxp://121.78.93.6/ranking/set.php
hxxp://sranking.co.kr/_sadmin/cnt/index.php?pid=sranking05&type=7121.78.93.6


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\752b04e6.sys" the Trojan-PSW controls loading executable images into a memory by installing the Load image notifier.



The Trojan-PSW installs the following kernel-mode hooks:

ZwCreateFile

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    srankingp.exe:3928
    srankingp.exe:3612
    845eb.tmp:3268
    SRankingPopView_05_update_20130611.exe:3276
    SRankingPopView_05_update_20130611.exe:3236
    79354.exe:3300
    79018.tmp:2176
    %original file name%.exe:3284
    846c6.exe:3248

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\SRankingPopView_05_update_20130611[1].exe (111866 bytes)
    %Documents and Settings%\%current user%\Application Data\SRankingPopView_05_update_20130611.exe (58376 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\846c6.exe (1616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\UnProtectMode.dll (7192 bytes)
    C:\DelUS.bat (230 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\KillProcDLL.dll (784 bytes)
    %Program Files%\SRankingPopView\srankingdc.exe (34773 bytes)
    %Program Files%\SRankingPopView\uninstall.exe (1549 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (41983 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\IEKill.dll (784 bytes)
    %Program Files%\SRankingPopView\sranking.dll (6584 bytes)
    %Program Files%\SRankingPopView\srankingp.exe (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\DLLWebCount.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\SelfDelete.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\845eb.tmp (5873 bytes)
    C:\PROGRAM FILES (8 bytes)
    %System%\drivers\09803160.sys (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
    %System%\wbem (1160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
    %System%\version.dll (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
    %WinDir%\AppPatch (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oqH7qhYYhV.dll (119 bytes)
    %System%\config\software.LOG (12072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\U5ud7by.dll (119 bytes)
    %System%\godlion.dll (196 bytes)
    C:\$Directory (128 bytes)
    %System%\vorsion.dll (18 bytes)
    %System%\midimap.dll (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (7915 bytes)
    %System%\wbem\Repository\FS\OBJECTS.DATA (9678 bytes)
    %System%\drivers\752b04e6.sys (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %System%\wbem\Repository\FS\INDEX.BTR (3632 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (11197 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    C:\%original file name%.exe (1756 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\79354.exe (1616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\KillProcDLL.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\IEKill.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\DLLWebCount.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\SelfDelete.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv3.tmp\UnProtectMode.dll (7192 bytes)
    %WinDir%\WinSxS (12 bytes)
    %Documents and Settings%\All Users (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (25285 bytes)
    %Documents and Settings%\%current user%\IETldCache\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\awi.dll (119 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YBDeiyJ.dll (119 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SRankingPopView" = "%Program Files%\SRankingPopView\srankingp.exe Runcmd"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SRankingPopViewupdate" = "%Program Files%\SRankingPopView\srankingdc.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps