Skip to main content

Backdoor.Win32.Farfli_8003e1644b


HEUR:Trojan.Win32.Generic (Kaspersky), Packer.Morphine.B (B) (Emsisoft), Packer.Morphine.B (AdAware), Backdoor.Win32.Farfli.FD, GenericEmailWorm.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Backdoor, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 8003e1644b2448254cad8671be23fcb6

SHA1: 5e3ed2c90caf3a5c632a4603278814bacdd8e380

SHA256: 0a80910bd7d7807d9d795a85f759748c8d9140b1129c1dc6650131e697b3cddf

SSDeep: 1536:nQKeJ5YQx8k fmTZDZpYuu7Z6BicRw2zvbu/1AQftI3w103CQUI:ngnxsfGDRuljcLmAuI3K

Size: 74241 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: Morphinev27, UPolyXv05_v6

Company: no certificate found

Created at: 1998-09-28 14:39:39

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1316

The Backdoor injects its code into the following process(es):

mdmi386.exe:1064
svchost.exe:1588

File activity

The process mdmi386.exe:1064 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%System%\AUHook.dll (51 bytes)
%WinDir%\win.ini (106 bytes)

The process %original file name%.exe:1316 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%System%\mdmi386.exe (601 bytes)

Registry activity

The process mdmi386.exe:1064 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\DB\06]
"53" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4C\30\07]
"93" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\6E\05]
"F1" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5E\3F\08]
"7A" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\60\06]
"C2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\0B\07]
"E8" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\A3\06]
"72" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5E\B6\08]
"25" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\F0\07]
"F4" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\27\79\05]
"55" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\8E\07]
"C0" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\AD\08]
"29" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1E\61\04]
"95" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4A\3E\07]
"46" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\7B\09]
"28" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\74\03\09]
"3e" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\63\83\08]
"89" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\77\05]
"F6" = "1"

[HKCR\*\shellex\ContextMenuHandlers\icqlite]
"(Default)" = "{77770022-0D68-4D14-BF25-6747ACFA95DE}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\AE\06]
"A2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\47\07]
"19" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7B\E0\09]
"57" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\55\AD\08]
"12" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\98\06]
"52" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\B5\07]
"1a" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\AA\07]
"E4" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\E2\05]
"7E" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\18\06]
"C7" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\D7\08]
"2d" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\47\4C\07]
"52" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\52\05]
"6E" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\0E\07]
"EC" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4C\FF\07]
"83" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\5B\05]
"70" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5B\C8\08]
"31" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4B\DB\07]
"7D" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\77\05]
"DB" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\44\05]
"13" = "1"

[HKCR\CLSID\{A4C110AE-0291-F12A-2920-F0E455440770}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\02\06]
"59" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\56\05]
"1a" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\42\20\06]
"C3" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\14\06]
"4c" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\58\06]
"63" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1D\D0\04]
"95" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7A\22\09]
"67" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\pi]
"1~" = "573571897"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6E\5C\09]
"01" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\DF\06]
"48" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\B9\5D\0B]
"74" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\9A\04]
"F4" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\F3\06]
"5b" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\EA\65\0C]
"F0" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\34\07]
"ab" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7C\0E\09]
"bc" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\49\BC\07]
"31" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\A7\07]
"19" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\7E\F5\09]
"aa" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\41\C7\06]
"F8" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\0F\06]
"83" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\E9\07]
"20" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\63\C9\08]
"00" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5D\9A\08]
"56" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\94\6C\0A]
"7C" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\65\FA\08]
"C7" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\data\pa]
"~01" = "1#ByR0NRZDEFUHSQhFADoaex9y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\5C\05]
"DB" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\57\E1\07]
"80" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\49\14\07]
"38" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\42\12\06]
"F1" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\44\05]
"ce" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\E2\06]
"A2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\39\06]
"C3" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\73\C2\09]
"31" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\tm\C:]
"(Default)" = "153457"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\F4\08]
"43" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\64\90\08]
"6D" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1F\0C\04]
"C7" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\87\06]
"C6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\20\05]
"E3" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\56\B2\08]
"06" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\37\73\06]
"62" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\MRU]
"00" = "pa\~01"
"01" = "pi\1~"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\61\FE\08]
"8E" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\DD\08]
"64" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\6C\05]
"73" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\75\05]
"F0" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\84\05]
"05" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\89\05]
"D8" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\15\06]
"33" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\55\05]
"85" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\MRU]
"!2" = "1"
"!1" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\BD\06]
"06" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\58\08\07]
"FB" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\95\6D\0A]
"0A" = "1"

[HKCR\CLSID\{A4C110AE-0291-F12A-2920-F0E455440770}\InprocServer32]
"(Default)" = "%System%\AUHook.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\59\05]
"8D" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\90\E0\0A]
"86" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 9B A0 56 59 F6 35 ED A3 63 73 46 7E 34 33 D7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\45\08]
"21" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\30\E2\05]
"E2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\8C\08]
"26" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\39\38\06]
"44" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{77770022-0D68-4D14-BF25-6747ACFA95DE}" = "Shell Extensions for ICQ Lite"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8E\CC\0A]
"2e" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\A7\05]
"0A" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\82\06]
"4d" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\EA\2A\0C]
"F7" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\D3\06]
"97" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\71\06]
"53" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc]
"counter" = "1"

[HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\74\55\09]
"0C" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\59\78\08]
"12" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\14\CE\03]
"B6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\AC\DA\0B]
"0E" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\C0\04]
"F7" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\D5\05]
"23" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\41\09]
"2b" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\45\7D\07]
"26" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5D\49\08]
"78" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\98\9E\11]
"4c" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\66\04]
"C1" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\AB\8B\0B]
"6F" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\D8\04]
"F8" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\50\09]
"27" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\F8\05]
"eb" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\D9\05]
"E3" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\data\pi]
"1~" = "1#cFMDSmlYe29vb29vb29vb29vb2tra2tONJI6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\B8\08]
"58" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\29\50\05]
"74" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\C1\06]
"3a" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\66\A6\08]
"E6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\60\05]
"02" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2A\6E\05]
"91" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\18\C0\04]
"24" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\BE\94\0B]
"E2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\0D\A5\0E]
"09" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\tm]
"pi" = "154537"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2F\CB\05]
"E2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3B\EE\06]
"98" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\32\53\06]
"05" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\27\FD\05]
"57" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\29\07]
"86" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\96\35\0A]
"7F" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\48\CF\07]
"3d" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\85\20\0A]
"1f" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\BB\05]
"B6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\29\05]
"bf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2B\E8\05]
"98" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\4D\61\07]
"B2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8A\4C\0A]
"13" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\F3\06]
"cf" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\F5\08]
"63" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\6A\06]
"3a" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\54\29\07]
"F8" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\14\FB\03]
"ce" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\22\89\04]
"E0" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\84\7C\0A]
"1a" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\83\24\09]
"E6" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5A\2A\08]
"26" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\A5\06]
"ca" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\67\6C\08]
"EA" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\CE\2D\0C]
"53" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\23\76\05]
"11" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\24\41\05]
"11" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\A8\54\0B]
"6E" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\B1\06]
"D5" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\24\06]
"B2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3C\54\06]
"64" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\35\C2\06]
"40" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\02\09]
"46" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\70\6B\09]
"46" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\58\A2\08]
"1d" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3D\45\06]
"af" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\EB\07]
"8E" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\71\A2\09]
"0D" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1E\23\04]
"99" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6B\1F\08]
"A8" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\43\1F\06]
"D9" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\50\19\07]
"77" = "1"

[HKCR\Directory\shellex\ContextMenuHandlers\icqlite]
"(Default)" = "{77770022-0D68-4D14-BF25-6747ACFA95DE}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\2E\6C\05]
"B8" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\8B\B6\0A]
"1c" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\28\E9\05]
"6D" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\56\AF\08]
"2a" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\21\E7\04]
"C2" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\46\11\07]
"42" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\34\34\06]
"06" = "1"

[HKCR\CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32]
"(Default)" = "AUHook.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\6F\4C\09]
"29" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\B4\4F\0B]
"6D" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\44\ED\07]
"1c" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\59\AE\08]
"1f" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\5C\3C\08]
"48" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\45\71\07]
"3b" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\52\B6\07]
"cc" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\36\FF\06]
"62" = "1"

[HKCR\CLSID\{BCBCD383-3E06-11D3-91A9-00C04F68105C}\InprocServer32]
"(Default)" = "%System%\AUHook.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\53\2C\07]
"de" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\65\06]
"D0" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\3E\1C\06]
"D8" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1F\84\04]
"D3" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\60\8C\08]
"37" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\hash\em\1B\51\03]
"dd" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Machine Debug Manager" = "mdmi386.exe"

The process %original file name%.exe:1316 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 E5 3B 0A 96 A2 DD 6B 03 BB 9B 13 35 7D C6 4B"

Dropped PE files

MD5 File path
69cd8f35a41fa1a5c99ee49d9a87bedec:\WINDOWS\system32\AUHook.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1316

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %System%\AUHook.dll (51 bytes)
    %WinDir%\win.ini (106 bytes)
    %System%\mdmi386.exe (601 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Machine Debug Manager" = "mdmi386.exe"

  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096229376721925.54111468df37f266b084a63d51d03dbfac71c
.idata23347240965120.7058010f0355ba200199275c0ce3814e0ccd62
.tls23756840965120.1477113ce56d9e00101a6b28ba1cc0cce53e97

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

Strings from Dumps

mdmi386.exe_1064:

.data

.data

.code

.code

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

update.symantec

update.symantec

liveupdate.symantecliveupdate

liveupdate.symantecliveupdate

secure.nai

secure.nai

sandbox.norman

sandbox.norman

uk.trendmicro-europe

uk.trendmicro-europe

HTTP/1.1 403

HTTP/1.1 403

HTTP/1.1 404

HTTP/1.1 404

wsock32.dll

wsock32.dll

svchost.exe

svchost.exe

Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\

Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\

mdmi386.exe

mdmi386.exe

AUHook.dll

AUHook.dll

AUHook.dat

AUHook.dat

7A5417FF-2D82-553C-F326-2861000FFFF3-0E

7A5417FF-2D82-553C-F326-2861000FFFF3-0E

sfc.dll

sfc.dll

cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "

cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "

.text

.text

.idata

.idata

.edata

.edata

.XV^x

.XV^x

.b.Im

.b.Im

advapi32.dll

advapi32.dll

RegOpenKeyA

RegOpenKeyA

gdi32.dll

gdi32.dll

ole32.dll

ole32.dll

oleaut32.dll

oleaut32.dll

RASAPI32.dll

RASAPI32.dll

SHLWAPI.DLL

SHLWAPI.DLL

user32.dll

user32.dll

wininet.dll

wininet.dll

core.dll

core.dll

KWindows

KWindows

Porti

Porti

.ex)N

.ex)N

.MS'fc

.MS'fc

"#$%&'()

"#$%&'()

dD.Gz

dD.Gz

P|.Zc

P|.Zc

.Cu`k&

.Cu`k&

.nEZK

.nEZK

adv0pi32x.ql

adv0pi32x.ql

mdmi386.exe_1064_rwx_003B1000_0000C000:

h.dllhel32hkernT

h.dllhel32hkernT

.XV^x

.XV^x

.rsrc

.rsrc

.\kernel32.dll

.\kernel32.dll

@%.lI

@%.lI

,ey.yYeX

,ey.yYeX

auth_loginByP

auth_loginByP

[.kyALFAIBSR/b

[.kyALFAIBSR/b

!!PASSC"T

!!PASSC"T

2z?URL:

2z?URL:

7A5417FF-2D82-553C-F326

7A5417FF-2D82-553C-F326

/show.php HTTP/1.0

/show.php HTTP/1.0

%xt/0R, im}

%xt/0R, im}

-url%c[

-url%c[

.bm a

.bm a

.DirE

.DirE

.tB"d

.tB"d

SPV%Dl

SPV%Dl

=.Ru!

=.Ru!

1s.Hf] *

1s.Hf] *

Cert

Cert

TALCMD\\

TALCMD\\

OPERA

OPERA

d.lThi

d.lThi

-me}@l

-me}@l

a.cfI

a.cfI

KP.SJ

KP.SJ

y.kpug5

y.kpug5

.bpbk

.bpbk

.FGDV

.FGDV

KERNEL32.DLL

KERNEL32.DLL

advapi32.dll

advapi32.dll

gdi32.dll

gdi32.dll

ole32.dll

ole32.dll

oleaut32.dll

oleaut32.dll

RASAPI32.dll

RASAPI32.dll

SHLWAPI.DLL

SHLWAPI.DLL

user32.dll

user32.dll

wininet.dll

wininet.dll

wsock32.dll

wsock32.dll

RegOpenKeyA

RegOpenKeyA

core.dll

core.dll

mdmi386.exe_1064_rwx_00401000_00012000:

h.dllhel32hkernT

h.dllhel32hkernT

.data

.data

.code

.code

Porti

Porti

.ex)N

.ex)N

.MS'fc

.MS'fc

"#$%&'()

"#$%&'()

dD.Gz

dD.Gz

P|.Zc

P|.Zc

.Cu`k&

.Cu`k&

.nEZK

.nEZK

adv0pi32x.ql

adv0pi32x.ql

kernel32.dll

kernel32.dll

mdmi386.exe_1064_rwx_00B30000_00028000:

`.rsrc

`.rsrc

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

update.symantec

update.symantec

liveupdate.symantecliveupdate

liveupdate.symantecliveupdate

secure.nai

secure.nai

sandbox.norman

sandbox.norman

uk.trendmicro-europe

uk.trendmicro-europe

money.yandex.ru/prepaid-ns.xml

money.yandex.ru/prepaid-ns.xml

command=auth_loginByPassword

command=auth_loginByPassword

https://click.alfabank.ru/ALFAIBSR/ControllerServlet

https://click.alfabank.ru/ALFAIBSR/ControllerServlet

command=auth_loginByPasswordPage

command=auth_loginByPasswordPage

PASS:

PASS:

CERT:

CERT:

ftp://

ftp://

http://

http://

7A5417FF-2D82-553C-F326-2861000FFFF3-0E

7A5417FF-2D82-553C-F326-2861000FFFF3-0E

POST /show.php HTTP/1.0

POST /show.php HTTP/1.0

User-Agent: Mozilla/4.4 (compatible; MSIE 6.0; Windows NT 5.1)

User-Agent: Mozilla/4.4 (compatible; MSIE 6.0; Windows NT 5.1)

Host: www.dllupdates.cn:

Host: www.dllupdates.cn:

Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1

Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1

www.dllupdates.cn

www.dllupdates.cn

/index.html

/index.html

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

:.txf

:.txf

:..tqR

:..tqR

Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\

Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\

.bmp::

.bmp::

ole32.dll

ole32.dll

AUHook.dll

AUHook.dll

{BCBCD383-3E06-11D3-91A9-00C04F68105C}

{BCBCD383-3E06-11D3-91A9-00C04F68105C}

SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AUHook

SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AUHook

{A4C110AE-0291-F12A-2920-F0E455440770}

{A4C110AE-0291-F12A-2920-F0E455440770}

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Software\Microsoft\Windows\CurrentVersion\Run\Machine Debug Manager

Software\Microsoft\Windows\CurrentVersion\Run\Machine Debug Manager

mdmi386.exe

mdmi386.exe

Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{77770022-0D68-4D14-BF25-6747ACFA95DE}

Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{77770022-0D68-4D14-BF25-6747ACFA95DE}

CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32

CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32

CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32\

CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32\

CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32\ThreadingModel

CLSID\{77770022-0D68-4D14-BF25-6747ACFA95DE}\InprocServer32\ThreadingModel

{77770022-0D68-4D14-BF25-6747ACFA95DE}

{77770022-0D68-4D14-BF25-6747ACFA95DE}

.164.KWM::

.164.KWM::

crypt32.dll

crypt32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertCloseStore

CertCloseStore

PFXExportCertStore

PFXExportCertStore

WEBMONEY.EXE

WEBMONEY.EXE

TOTALCMD.EXE

TOTALCMD.EXE

ntdll.dll

ntdll.dll

IEXPLORE.EXE

IEXPLORE.EXE

OPERA.EXE

OPERA.EXE

HttpSendRequestA

HttpSendRequestA

wininet.dll

wininet.dll

EXPLORER.EXE

EXPLORER.EXE

7A5417FF-2D82-553C-F326-2861000FFFF3-01

7A5417FF-2D82-553C-F326-2861000FFFF3-01

dxdiagn.dat

dxdiagn.dat

7A5417FF-2D82-553C-F326-2861000FFFF3

7A5417FF-2D82-553C-F326-2861000FFFF3

More information: http://www.ibsensoftware.com/

More information: http://www.ibsensoftware.com/

217.5.97.137

217.5.97.137

reg_key

reg_key

\loader_name.exe

\loader_name.exe

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

.text

.text

.reloc

.reloc

\cplstub.exe

\cplstub.exe

user32.dll

user32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

ShellExecuteA

ShellExecuteA

shell32.dll

shell32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HELO %s.net

HELO %s.net

HELO %s.com

HELO %s.com

HELO %s.org

HELO %s.org

MAIL FROM:<%s>

MAIL FROM:<%s>

RCPT TO:<%s>

RCPT TO:<%s>

monica@postcard.ru

monica@postcard.ru

gold-certs@

gold-certs@

certific

certific

.subscribe

.subscribe

certs@

certs@

subscribe.ru

subscribe.ru

.xml@

.xml@

.gif@

.gif@

.png@

.png@

.jpg@

.jpg@

.mso@

.mso@

.bezotveta@

.bezotveta@

.shtm

.shtm

.dhtm

.dhtm

Microsoft Office 2003 Crack, Working!.exe

Microsoft Office 2003 Crack, Working!.exe

Microsoft Windows XP, WinXP Crack, working Keygen.exe

Microsoft Windows XP, WinXP Crack, working Keygen.exe

Microsoft Office XP working Crack, Keygen.exe

Microsoft Office XP working Crack, Keygen.exe

Porno, sex, oral, anal cool, awesome!!.exe

Porno, sex, oral, anal cool, awesome!!.exe

Porno Screensaver.scr

Porno Screensaver.scr

Serials.txt.exe

Serials.txt.exe

KAV 6.0.exe

KAV 6.0.exe

Kaspersky Antivirus 6.0.exe

Kaspersky Antivirus 6.0.exe

Porno pics arhive, xxx.exe

Porno pics arhive, xxx.exe

Windows Sourcecode update.doc.exe

Windows Sourcecode update.doc.exe

Ahead Nero 7.exe

Ahead Nero 7.exe

Windown Longhorn Beta Leak.exe

Windown Longhorn Beta Leak.exe

Opera 9 New!.exe

Opera 9 New!.exe

XXX hardcore images.exe

XXX hardcore images.exe

WinAmp 7 New!.exe

WinAmp 7 New!.exe

WinAmp 7 Pro Keygen Crack Update.exe

WinAmp 7 Pro Keygen Crack Update.exe

Adobe Photoshop 9 full.exe

Adobe Photoshop 9 full.exe

Matrix 3 Revolution English Subtitles.exe

Matrix 3 Revolution English Subtitles.exe

ACDSee 9.exe

ACDSee 9.exe

Date: %s

Date: %s

To: "%s" <%s>

To: "%s" <%s>

From: postcard service <monica></monica>

From: postcard service <monica></monica>

POSTCARD.RU

POSTCARD.RU

Comments: The best postcards in web, http://www.postcard.ru

Comments: The best postcards in web, http://www.postcard.ru

Message-ID: <%s%s>

Message-ID: <%s%s>

boundary="----=_POSTCARD.RU_%s"

boundary="----=_POSTCARD.RU_%s"

------=_POSTCARD.RU_%s

------=_POSTCARD.RU_%s

Content-Type: text/html; charset="windows-1251"

Content-Type: text/html; charset="windows-1251"

------=_POSTCARD.RU_%s--

------=_POSTCARD.RU_%s--

<img src="cid:%s.%s" /><br />

<img src="cid:%s.%s" /><br />

Password: %s

Password: %s

Pass - %s

Pass - %s

Password - %s

Password - %s

Re: Msg reply

Re: Msg reply

.ptdm { background:#707075; }

.ptdm { background:#707075; }

.ptdc { background:#90909A; }

.ptdc { background:#90909A; }

.plnm { color:#FFFFFF; font-size:10px; font-weight:bold; font-family:Verdana,Tahoma,Arial,Sans-Serif; text-decoration:none; }

.plnm { color:#FFFFFF; font-size:10px; font-weight:bold; font-family:Verdana,Tahoma,Arial,Sans-Serif; text-decoration:none; }

<a href="http://www.postcard.ru/get/?1%s" target="_blank"><table><tr><td><a href="http://%s?1%s">http://www.postcard.ru/get/?1%s</a></td></tr></table></a>

<a href="http://www.postcard.ru/get/?1%s" target="_blank"><table><tr><td><a href="http://%s?1%s">http://www.postcard.ru/get/?1%s</a></td></tr></table></a>

<a href="http://www.postcard.ru/" target="_blank">http://www.postcard.ru/</a><br />

<a href="http://www.postcard.ru/" target="_blank">http://www.postcard.ru/</a><br />

monica@postcard.ru<br />

monica@postcard.ru<br />

www.aerosib.ru/

www.aerosib.ru/

www.avinyon.com/

www.avinyon.com/

www.basdesign.ru/

www.basdesign.ru/

www.fivestar.spb.ru/www/index.shtml

www.fivestar.spb.ru/www/index.shtml

www.siticom.ru/index.htm

www.siticom.ru/index.htm

www.myamoi.ru/index.html

www.myamoi.ru/index.html

www.firebook.ru/index.html

www.firebook.ru/index.html

www.polistroy.kaluga.ru/

www.polistroy.kaluga.ru/

www.racus.ru/index.html

www.racus.ru/index.html

www.mir-polov.ru/index.html

www.mir-polov.ru/index.html

www.mobyline.info/index.html

www.mobyline.info/index.html

www.imaksi.h15.ru/index.html

www.imaksi.h15.ru/index.html

advapi32.dll

advapi32.dll

iphlpapi.dll

iphlpapi.dll

SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache

SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache

C:\out.bin

C:\out.bin

PMODkernel32.dll

PMODkernel32.dll

|shfolder.dll

|shfolder.dll

psapi.dll

psapi.dll

\account.cfg

\account.cfg

\account.cfn

\account.cfn

\*.dat

\*.dat

%s Database

%s Database

Password

Password

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\&RQ

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\&RQ

\&RQ.exe

\&RQ.exe

crypted-password

crypted-password

\andrq.ini

\andrq.ini

\Microsoft\Network\Connections\pbk\rasphone.pbk

\Microsoft\Network\Connections\pbk\rasphone.pbk

RasDialParams!%s#0

RasDialParams!%s#0

SOFTWARE\Far\Plugins\FTP\Hosts

SOFTWARE\Far\Plugins\FTP\Hosts

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian\

\aim.ini

\aim.ini

\users\global\profiles.ini

\users\global\profiles.ini

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

FtpIniName

FtpIniName

\wcx_ftp.ini

\wcx_ftp.ini

password

password

INETCOMM Server Passwords

INETCOMM Server Passwords

Outlook Account Manager Passwords

Outlook Account Manager Passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

%s\%s\%s

%s\%s\%s

%s\%s

%s\%s

SMTP Email Address

SMTP Email Address

POP3 Password

POP3 Password

POP3 Password2

POP3 Password2

IMAP Password

IMAP Password

IMAP Password2

IMAP Password2

pstorec.dll

pstorec.dll

\Mailbox.ini

\Mailbox.ini

PassWd

PassWd

\GlobalSCAPE\CuteFTP\

\GlobalSCAPE\CuteFTP\

\GlobalSCAPE\CuteFTP Pro\

\GlobalSCAPE\CuteFTP Pro\

\cutftp32.exe

\cutftp32.exe

%Program Files%\CuteFTP\

%Program Files%\CuteFTP\

sm.dat

sm.dat

tree.dat

tree.dat

smdata.dat

smdata.dat

PasswordSaved

PasswordSaved

LoginSaved

LoginSaved

\edialer.ini

\edialer.ini

WS_FTP

WS_FTP

\*.ini

\*.ini

\Ipswitch\WS_FTP\Sites

\Ipswitch\WS_FTP\Sites

\Ipswitch\WS_FTP Home\Sites

\Ipswitch\WS_FTP Home\Sites

\win.ini

\win.ini

\ws_ftp.ini

\ws_ftp.ini

\ws_ftp.exe

\ws_ftp.exe

\Opera

\Opera

\Mail\accounts.ini

\Mail\accounts.ini

\profile\wand.dat

\profile\wand.dat

Software\Opera Software

Software\Opera Software

Incoming Password

Incoming Password

\Mozilla\Profiles

\Mozilla\Profiles

%Documents and Settings%\%current user%\Application Data\The Bat!\*.*

%Documents and Settings%\%current user%\Application Data\The Bat!\*.*

d:\Procmon.exe

d:\Procmon.exe

ec.exe

ec.exe

32.exe

32.exe

ore.exe

ore.exe

D.EXE",-208

D.EXE",-208

.dll,-20003

.dll,-20003

%Documents and Settings%\%current user%\Trillian\User Settings\

%Documents and Settings%\%current user%\Trillian\User Settings\

%APPDATA%\GHISLER\wcx_ftp.ini

%APPDATA%\GHISLER\wcx_ftp.ini

Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\Software\Microsoft\Internet Account Manager\Accounts

Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\Software\Microsoft\Internet Account Manager\Accounts

Pro\6.0\sm.dat

Pro\6.0\sm.dat

%WinDir%\edialer.ini

%WinDir%\edialer.ini

e\Sites\*.ini

e\Sites\*.ini

%WinDir%\win.ini

%WinDir%\win.ini

%Documents and Settings%\%current user%\Application Data\Opera\*.*\Mail\accounts.ini

%Documents and Settings%\%current user%\Application Data\Opera\*.*\Mail\accounts.ini

%Documents and Settings%\%current user%\Application Data\Mozilla\Profiles\*.*

%Documents and Settings%\%current user%\Application Data\Mozilla\Profiles\*.*

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyA

RegOpenKeyA

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyExA

RegCreateKeyExA

RegCreateKeyA

RegCreateKeyA

RegCloseKey

RegCloseKey

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

GetKeyboardType

GetKeyboardType

.idata

.idata

.edata

.edata

P.reloc

P.reloc

P.rsrc

P.rsrc

.bpbk

.bpbk

.FGDV

.FGDV

KERNEL32.DLL

KERNEL32.DLL

gdi32.dll

gdi32.dll

oleaut32.dll

oleaut32.dll

RASAPI32.dll

RASAPI32.dll

SHLWAPI.DLL

SHLWAPI.DLL

wsock32.dll

wsock32.dll

core.dll

core.dll

export

export

66006666

66006666

iER\wcx_ftp.ini

iER\wcx_ftp.ini

mdmi386.exe_1064_rwx_13140000_00038000:

.data

.data

.code

.code

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

update.symantec

update.symantec

liveupdate.symantecliveupdate

liveupdate.symantecliveupdate

secure.nai

secure.nai

sandbox.norman

sandbox.norman

uk.trendmicro-europe

uk.trendmicro-europe

HTTP/1.1 403

HTTP/1.1 403

HTTP/1.1 404

HTTP/1.1 404

wsock32.dll

wsock32.dll

svchost.exe

svchost.exe

Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\

Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\

mdmi386.exe

mdmi386.exe

AUHook.dll

AUHook.dll

AUHook.dat

AUHook.dat

7A5417FF-2D82-553C-F326-2861000FFFF3-0E

7A5417FF-2D82-553C-F326-2861000FFFF3-0E

sfc.dll

sfc.dll

cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "

cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "

.text

.text

.idata

.idata

.edata

.edata

.XV^x

.XV^x

.b.Im

.b.Im

advapi32.dll

advapi32.dll

RegOpenKeyA

RegOpenKeyA

gdi32.dll

gdi32.dll

ole32.dll

ole32.dll

oleaut32.dll

oleaut32.dll

RASAPI32.dll

RASAPI32.dll

SHLWAPI.DLL

SHLWAPI.DLL

user32.dll

user32.dll

wininet.dll

wininet.dll

core.dll

core.dll

KWindows

KWindows

Porti

Porti

.ex)N

.ex)N

.MS'fc

.MS'fc

"#$%&'()

"#$%&'()

dD.Gz

dD.Gz

P|.Zc

P|.Zc

.Cu`k&

.Cu`k&

.nEZK

.nEZK

adv0pi32x.ql

adv0pi32x.ql

svchost.exe_1588:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

svchost.exe_1588_rwx_13140000_00038000:

.data

.data

.code

.code

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

kernel32.dll

kernel32.dll

update.symantec

update.symantec

liveupdate.symantecliveupdate

liveupdate.symantecliveupdate

secure.nai

secure.nai

sandbox.norman

sandbox.norman

uk.trendmicro-europe

uk.trendmicro-europe

HTTP/1.1 403

HTTP/1.1 403

HTTP/1.1 404

HTTP/1.1 404

wsock32.dll

wsock32.dll

svchost.exe

svchost.exe

Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\

Software\Microsoft\Windows\CurrentVersion\Applets\MSSfc\

mdmi386.exe

mdmi386.exe

AUHook.dll

AUHook.dll

AUHook.dat

AUHook.dat

7A5417FF-2D82-553C-F326-2861000FFFF3-0E

7A5417FF-2D82-553C-F326-2861000FFFF3-0E

sfc.dll

sfc.dll

cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "

cmd /q /c "echo ! && ver && echo. && echo Y | del "%USERPROFILE%\cookies\*.*" && cls "

.text

.text

.idata

.idata

.edata

.edata

.XV^x

.XV^x

.b.Im

.b.Im

advapi32.dll

advapi32.dll

RegOpenKeyA

RegOpenKeyA

gdi32.dll

gdi32.dll

ole32.dll

ole32.dll

oleaut32.dll

oleaut32.dll

RASAPI32.dll

RASAPI32.dll

SHLWAPI.DLL

SHLWAPI.DLL

user32.dll

user32.dll

wininet.dll

wininet.dll

core.dll

core.dll

KWindows

KWindows

Porti

Porti

.ex)N

.ex)N

.MS'fc

.MS'fc

"#$%&'()

"#$%&'()

dD.Gz

dD.Gz

P|.Zc

P|.Zc

.Cu`k&

.Cu`k&

.nEZK

.nEZK

adv0pi32x.ql

adv0pi32x.ql


Related articles