For a Limited Time: Get HUGE savings on Pro and Sticky Password Premium! Act now & save 60%! BUY NOW >
  • Stay aware

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • How to get the best

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • Help us

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • Forum

    Inquietari sueti praenturis et stationibus servabantur agrariis

Sat, 04/01/2017 - 03:05

Gen.Variant.Razy.91228_7fb39c905b

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Razy.91228 (B) (Emsisoft), Gen:Variant.Razy.91228 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS) Behaviour: Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: 7fb39c905bd5e82697d330e24826af51

SHA1: a8b911680a4b942dc7912128a3e9f22d050d87c2

SHA256: 4b81c549e258ba69155b9a704d0b597a93d4251f25a4d3ee81a934e52be7c643

SSDeep: 1536:txz5QDav0/4aox9jm/F/Tf20abr3H0lQG:tx92dox9W/TfAbzUlQ

Size: 90112 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2017-03-10 15:09:37

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:2696
%original file name%.exe:1048

The Trojan injects its code into the following process(es):

svchost.exe:2548
iexplore.exe:2968

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:2696 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (601 bytes)

The process %original file name%.exe:1048 makes changes in the file system.


The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:2696 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

The process %original file name%.exe:1048 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\XtremeRAT]
"Mutex" = "--((Mutex))--"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2696
    %original file name%.exe:1048

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (601 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: ingsgfsd.exe
Internal Name: ingsgfsd.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Chinese (Simplified, PRC)

Company Name: Product Name: Product Version: 0.0.0.0 Legal Copyright: Legal Trademarks: Original Filename: ingsgfsd.exe Internal Name: ingsgfsd.exe File Version: 0.0.0.0 File Description: Comments: Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text819270468737284.77458b4cb5a50c3cfcbcbe6cf3ca93bc44018
.sdata8192010340960.17733eb8888836e61c24d10eaf77133d71668
.rsrc9011268040960.47096830eef3fbcaf74211943e4232c5adebc9
.reloc983041240960.0113731a0748cb79dd392e61372c45e3d83325

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://www.google.com/172.217.20.196
micropdz13.ddns.net41.100.192.252
www.google.com.ua

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.google.com

Connection: Keep-Alive

Cookie: NID=88=C6CEKO82itAhdU0twN6URqunh6Sn9EPCs-teRRQ4QRgNCJP-EG6VgSTOkC7BafUzPUi-GjuRAoRi6F4Sx78Gd_cLieG7apk740DNnT0oV6phUdJTT3H8MUyjxWiFq3Dm

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=cNLdWNOoJ83i8Aea_qWADA

Content-Length: 262

Date: Fri, 31 Mar 2017 03:52:16 GMT

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=cNLdWNOoJ83i8Aea_qWADA">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=cNLdWNOoJ83i8Aea_qWADA..Content-Length: 262..Date: Fri, 31 Mar 2017 03:52:16 GMT..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=cNLdWNOoJ83i8Aea_qWADA">here</A>...</BODY></HTML>....

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

iexplore.exe_2544:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

Bv.TBv

Bv.TBv

>.uzf

>.uzf

.us;}

.us;}

IEFRAME.dll

IEFRAME.dll

MLANG.dll

MLANG.dll

iertutil.dll

iertutil.dll

urlmon.dll

urlmon.dll

ole32.dll

ole32.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

msvcrt.dll

msvcrt.dll

USER32.dll

USER32.dll

KERNEL32.dll

KERNEL32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

GetWindowsDirectoryW

GetWindowsDirectoryW

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

UrlApplySchemeW

UrlApplySchemeW

PathIsURLW

PathIsURLW

UrlCanonicalizeW

UrlCanonicalizeW

UrlCreateFromPathW

UrlCreateFromPathW

iexplore.pdb

iexplore.pdb

KEYW

KEYW

KEYWh

KEYWh

KEYWD

KEYWD

.ENNNG.

.ENNNG.

a.ry.v

a.ry.v

l.igM4

l.igM4

?1%SGf

?1%SGf

xh.JW^

xh.JW^

.97777"7" " " !

.97777"7" " " !

3.... ))

3.... ))

8888888888888

8888888888888

8888888888

8888888888

.lPV)

.lPV)

úW1

úW1

.ApX/

.ApX/

H.ZAf

H.ZAf

ð[U

ð[U

%s!FK

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

888777777

Y.hilkRROMLK=C,

Y.hilkRROMLK=C,

..(((($$

..(((($$

3...((((%

3...((((%

3....(.''$

3....(.''$

3.2...((((%

3.2...((((%

33.2....(,'

33.2....(,'

55323222...

55323222...

(%&'00443445?

(%&'00443445?

00.,,,4(

00.,,,4(

000.,,9(

000.,,9(

0020..9(

0020..9(

003200;(

003200;(

(#'( (''''!'!

(#'( (''''!'!

Microsoft.InternetExplorer.Default

Microsoft.InternetExplorer.Default

9user32.dll

9user32.dll

Kernel32.DLL

Kernel32.DLL

9xfire.exe

9xfire.exe

wlmail.exe

wlmail.exe

winamp.exe

winamp.exe

waol.exe

waol.exe

sidebar.exe

sidebar.exe

psocdesigner.exe

psocdesigner.exe

np.exe

np.exe

netscape.exe

netscape.exe

netcaptor.exe

netcaptor.exe

neoplanet.exe

neoplanet.exe

msn.exe

msn.exe

mshtmpad.exe

mshtmpad.exe

mshta.exe

mshta.exe

loader42.exe

loader42.exe

infopath.exe

infopath.exe

iexplore.exe

iexplore.exe

iepreview.exe

iepreview.exe

groove.exe

groove.exe

explorer.exe

explorer.exe

dreamweaver.exe

dreamweaver.exe

contribute.exe

contribute.exe

aol.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

"%s" %s

Kernel32.dll

Kernel32.dll

\AppPatch\sysmain.sdb

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

kernel32.dll

{00000000-0000-0000-0000-000000000000}

{00000000-0000-0000-0000-000000000000}

\\?\Volume

\\?\Volume

shell:%s

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Frame_URLEntered

Imaging_CreateWebPagePreview

Imaging_CreateWebPagePreview

WS_ExecuteQuery

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

IEXPLORE.EXE

Windows

Windows

9.00.8112.16421

9.00.8112.16421

svchost.exe_2548:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

msvcrt.dll

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

RPCRT4.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

_amsg_exit

_amsg_exit

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

svchost.pdb

svchost.pdb

version="5.1.0.0"

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

name="Microsoft.Windows.Services.SvcHost"

Host Process for Windows Services

Host Process for Windows Services

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

\PIPE\

Host Process for Windows Services

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

6.1.7600.16385

6.1.7600.16385

svchost.exe_2548_rwx_10000000_0004D000:

`.rsrc

`.rsrc

ServerKeyloggerU

ServerKeyloggerU

789:;

789:;

%SERVER%

%SERVER%

URLMON.DLL

URLMON.DLL

shell32.dll

shell32.dll

hXXp://

hXXp://

advapi32.dll

advapi32.dll

kernel32.dll

kernel32.dll

mpr.dll

mpr.dll

version.dll

version.dll

comctl32.dll

comctl32.dll

gdi32.dll

gdi32.dll

opengl32.dll

opengl32.dll

user32.dll

user32.dll

wintrust.dll

wintrust.dll

msimg32.dll

msimg32.dll

KWindows

KWindows

TServerKeylogger

TServerKeylogger

GetWindowsDirectoryW

GetWindowsDirectoryW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

FindExecutableW

FindExecutableW

ShellExecuteW

ShellExecuteW

SHDeleteKeyW

SHDeleteKeyW

URLDownloadToCacheFileW

URLDownloadToCacheFileW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyboardType

GetKeyboardType

GetKeyboardState

GetKeyboardState

FtpPutFileW

FtpPutFileW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

.LzraryAk

.LzraryAk

URLD

URLD

KERNEL32.DLL

KERNEL32.DLL

ntdll.dll

ntdll.dll

oleaut32.dll

oleaut32.dll

shlwapi.dll

shlwapi.dll

wininet.dll

wininet.dll

x.html

x.html

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

[Execute]

[Execute]

KeyDelBackspace

KeyDelBackspace

.html

.html

XtremeKeylogger

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

.functions

.functions

icon=shell32.dll,4

icon=shell32.dll,4

shellexecute=

shellexecute=

autorun.inf

autorun.inf

\Microsoft\Windows\

\Microsoft\Windows\

ÞFAULTBROWSER%

ÞFAULTBROWSER%

svchost.exe

svchost.exe

micropdz13.ddns.net

micropdz13.ddns.net

%Servers

%Servers

Server.exe

Server.exe

ÞFA

ÞFA

{5460C4DF-B266-909E-CB58-E32B79832EB2}

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

127.0.0.1

127.0.0.1

PTF.ftpserver.com

PTF.ftpserver.com

ftpuser

ftpuser

iexplore.exe_2592:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

Bv.TBv

Bv.TBv

>.uzf

>.uzf

.us;}

.us;}

IEFRAME.dll

IEFRAME.dll

MLANG.dll

MLANG.dll

iertutil.dll

iertutil.dll

urlmon.dll

urlmon.dll

ole32.dll

ole32.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

msvcrt.dll

msvcrt.dll

USER32.dll

USER32.dll

KERNEL32.dll

KERNEL32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

GetWindowsDirectoryW

GetWindowsDirectoryW

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

UrlApplySchemeW

UrlApplySchemeW

PathIsURLW

PathIsURLW

UrlCanonicalizeW

UrlCanonicalizeW

UrlCreateFromPathW

UrlCreateFromPathW

iexplore.pdb

iexplore.pdb

KEYW

KEYW

KEYWh

KEYWh

KEYWD

KEYWD

.ENNNG.

.ENNNG.

a.ry.v

a.ry.v

l.igM4

l.igM4

?1%SGf

?1%SGf

xh.JW^

xh.JW^

.97777"7" " " !

.97777"7" " " !

3.... ))

3.... ))

8888888888888

8888888888888

8888888888

8888888888

.lPV)

.lPV)

úW1

úW1

.ApX/

.ApX/

H.ZAf

H.ZAf

ð[U

ð[U

%s!FK

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

888777777

Y.hilkRROMLK=C,

Y.hilkRROMLK=C,

..(((($$

..(((($$

3...((((%

3...((((%

3....(.''$

3....(.''$

3.2...((((%

3.2...((((%

33.2....(,'

33.2....(,'

55323222...

55323222...

(%&'00443445?

(%&'00443445?

00.,,,4(

00.,,,4(

000.,,9(

000.,,9(

0020..9(

0020..9(

003200;(

003200;(

(#'( (''''!'!

(#'( (''''!'!

Microsoft.InternetExplorer.Default

Microsoft.InternetExplorer.Default

9user32.dll

9user32.dll

Kernel32.DLL

Kernel32.DLL

9xfire.exe

9xfire.exe

wlmail.exe

wlmail.exe

winamp.exe

winamp.exe

waol.exe

waol.exe

sidebar.exe

sidebar.exe

psocdesigner.exe

psocdesigner.exe

np.exe

np.exe

netscape.exe

netscape.exe

netcaptor.exe

netcaptor.exe

neoplanet.exe

neoplanet.exe

msn.exe

msn.exe

mshtmpad.exe

mshtmpad.exe

mshta.exe

mshta.exe

loader42.exe

loader42.exe

infopath.exe

infopath.exe

iexplore.exe

iexplore.exe

iepreview.exe

iepreview.exe

groove.exe

groove.exe

explorer.exe

explorer.exe

dreamweaver.exe

dreamweaver.exe

contribute.exe

contribute.exe

aol.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

"%s" %s

Kernel32.dll

Kernel32.dll

\AppPatch\sysmain.sdb

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

kernel32.dll

{00000000-0000-0000-0000-000000000000}

{00000000-0000-0000-0000-000000000000}

\\?\Volume

\\?\Volume

shell:%s

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Frame_URLEntered

Imaging_CreateWebPagePreview

Imaging_CreateWebPagePreview

WS_ExecuteQuery

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

IEXPLORE.EXE

Windows

Windows

9.00.8112.16421

9.00.8112.16421

iexplore.exe_2968:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

Bv.TBv

Bv.TBv

>.uzf

>.uzf

.us;}

.us;}

IEFRAME.dll

IEFRAME.dll

MLANG.dll

MLANG.dll

iertutil.dll

iertutil.dll

urlmon.dll

urlmon.dll

ole32.dll

ole32.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

msvcrt.dll

msvcrt.dll

USER32.dll

USER32.dll

KERNEL32.dll

KERNEL32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

GetWindowsDirectoryW

GetWindowsDirectoryW

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

UrlApplySchemeW

UrlApplySchemeW

PathIsURLW

PathIsURLW

UrlCanonicalizeW

UrlCanonicalizeW

UrlCreateFromPathW

UrlCreateFromPathW

iexplore.pdb

iexplore.pdb

KEYW

KEYW

KEYWh

KEYWh

KEYWD

KEYWD

.ENNNG.

.ENNNG.

a.ry.v

a.ry.v

l.igM4

l.igM4

?1%SGf

?1%SGf

xh.JW^

xh.JW^

.97777"7" " " !

.97777"7" " " !

3.... ))

3.... ))

8888888888888

8888888888888

8888888888

8888888888

.lPV)

.lPV)

úW1

úW1

.ApX/

.ApX/

H.ZAf

H.ZAf

ð[U

ð[U

%s!FK

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

888777777

Y.hilkRROMLK=C,

Y.hilkRROMLK=C,

..(((($$

..(((($$

3...((((%

3...((((%

3....(.''$

3....(.''$

3.2...((((%

3.2...((((%

33.2....(,'

33.2....(,'

55323222...

55323222...

(%&'00443445?

(%&'00443445?

00.,,,4(

00.,,,4(

000.,,9(

000.,,9(

0020..9(

0020..9(

003200;(

003200;(

(#'( (''''!'!

(#'( (''''!'!

Microsoft.InternetExplorer.Default

Microsoft.InternetExplorer.Default

9user32.dll

9user32.dll

Kernel32.DLL

Kernel32.DLL

9xfire.exe

9xfire.exe

wlmail.exe

wlmail.exe

winamp.exe

winamp.exe

waol.exe

waol.exe

sidebar.exe

sidebar.exe

psocdesigner.exe

psocdesigner.exe

np.exe

np.exe

netscape.exe

netscape.exe

netcaptor.exe

netcaptor.exe

neoplanet.exe

neoplanet.exe

msn.exe

msn.exe

mshtmpad.exe

mshtmpad.exe

mshta.exe

mshta.exe

loader42.exe

loader42.exe

infopath.exe

infopath.exe

iexplore.exe

iexplore.exe

iepreview.exe

iepreview.exe

groove.exe

groove.exe

explorer.exe

explorer.exe

dreamweaver.exe

dreamweaver.exe

contribute.exe

contribute.exe

aol.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

"%s" %s

Kernel32.dll

Kernel32.dll

\AppPatch\sysmain.sdb

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

kernel32.dll

{00000000-0000-0000-0000-000000000000}

{00000000-0000-0000-0000-000000000000}

\\?\Volume

\\?\Volume

shell:%s

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Frame_URLEntered

Imaging_CreateWebPagePreview

Imaging_CreateWebPagePreview

WS_ExecuteQuery

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

IEXPLORE.EXE

Windows

Windows

9.00.8112.16421

9.00.8112.16421

iexplore.exe_2968_rwx_10000000_0004D000:

`.rsrc

`.rsrc

ServerKeyloggerU

ServerKeyloggerU

789:;

789:;

%SERVER%

%SERVER%

URLMON.DLL

URLMON.DLL

shell32.dll

shell32.dll

hXXp://

hXXp://

advapi32.dll

advapi32.dll

kernel32.dll

kernel32.dll

mpr.dll

mpr.dll

version.dll

version.dll

comctl32.dll

comctl32.dll

gdi32.dll

gdi32.dll

opengl32.dll

opengl32.dll

user32.dll

user32.dll

wintrust.dll

wintrust.dll

msimg32.dll

msimg32.dll

KWindows

KWindows

TServerKeylogger

TServerKeylogger

GetWindowsDirectoryW

GetWindowsDirectoryW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

FindExecutableW

FindExecutableW

ShellExecuteW

ShellExecuteW

SHDeleteKeyW

SHDeleteKeyW

URLDownloadToCacheFileW

URLDownloadToCacheFileW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyboardType

GetKeyboardType

GetKeyboardState

GetKeyboardState

FtpPutFileW

FtpPutFileW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

.LzraryAk

.LzraryAk

URLD

URLD

KERNEL32.DLL

KERNEL32.DLL

ntdll.dll

ntdll.dll

oleaut32.dll

oleaut32.dll

shlwapi.dll

shlwapi.dll

wininet.dll

wininet.dll

x.html

x.html

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

[Execute]

[Execute]

KeyDelBackspace

KeyDelBackspace

.html

.html

XtremeKeylogger

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

.functions

.functions

icon=shell32.dll,4

icon=shell32.dll,4

shellexecute=

shellexecute=

autorun.inf

autorun.inf

\Microsoft\Windows\

\Microsoft\Windows\

ÞFAULTBROWSER%

ÞFAULTBROWSER%

svchost.exe

svchost.exe

micropdz13.ddns.net

micropdz13.ddns.net

%Servers

%Servers

Server.exe

Server.exe

ÞFA

ÞFA

{5460C4DF-B266-909E-CB58-E32B79832EB2}

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

127.0.0.1

127.0.0.1

PTF.ftpserver.com

PTF.ftpserver.com

ftpuser

ftpuser

c:\%original file name%.exe

c:\%original file name%.exe

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe