Shiz_d61d978ca0

by malwarelabrobot on April 1st, 2014 in Malware Descriptions.

Gen:Variant.Kazy.73641 (BitDefender), VirTool:Win32/Obfuscator.ZV (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Encpk.afj (v) (VIPRE), Trojan.PWS.Ibank.456 (DrWeb), Gen:Variant.Kazy.73641 (B) (Emsisoft), RDN/Generic PWS.y!yw (McAfee), Infostealer.Shiz!gen2 (Symantec), Backdoor.Win32.Shiz (Ikarus), Gen:Variant.Kazy.73641 (FSecure), SHeur4.AFLP (AVG), Win32:MalOb-KM [Trj] (Avast), TROJ_AGENT_044290.TOMB (TrendMicro), Gen:Variant.Kazy.73641 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d61d978ca0d1c53e733948f35e47fb50
SHA1: b3a6186acb9b7c617817dfd08ea4c0d56a453a78
SHA256: 3fa2eaa93aacc810bd677e1a30d079970da49b96be55fd4379b442c2f838e231
SSDeep: 6144:Lr6ijXWSYPgQ9PTG/QfWUUQGeT//5mgWui4ksbiuEm :LtXWS67w/QeUUQf/5mgbkHo
Size: 272976 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1996-11-22 23:31:48
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1668

The Trojan injects its code into the following process(es):

Explorer.EXE:1196

File activity

The process %original file name%.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\config\SOFTWARE (135168 bytes)
%System%\config\software.LOG (37376 bytes)
%WinDir%\AppPatch\quvckab.exe (818928 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\83.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC DE AB 68 E7 45 C2 01 26 24 FF F7 AE DB 27 81"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"7077a96b" = "F†Ќ6Јi‚ШљH\Й}o qПЩYU(nЮBЦbј] Нg8y,d…знLИч„$њЕЩ5ЕЁПMH4'ђшхlБнo=mЎИЧеэфЌ-±ЎЅU…toLµЧЙ‘l'№-€=Еm™A…g\Tх µ…Ф™¤Ѕ}ФЊ"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\quvckab.exe_, \??\%WinDir%\apppatch\quvckab.exe"

Dropped PE files

MD5 File path
a44ae17d63f67aed040f260f83a9f10b c:\WINDOWS\AppPatch\quvckab.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

VersionInfo

Company Name: prestudious
Product Name: Mutteringly
Product Version: 0.7.5.4
Legal Copyright: Overattachment
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.3.1.2
File Description: Sesquisulphuret
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.rpoJsSv 4096 32058 2560 0 a371492f16c0940507435909603efe88
.text 36864 16621 16896 4.49822 9d3f3fb1b0450a4b8fb37569199e8b6d
.gsNz 57344 1217 1536 0 53e979547d8c2ea86560ac45de08ae25
.ABWmj 61440 2507 2560 0 a371492f16c0940507435909603efe88
.umGUGts 65536 313 512 0 bf619eac0cdf3f68d496ea9344137e8b
.dHzlnvk 69632 2274 2560 3.89843 d1324f052860847056765f04c3ad3e73
.data 73728 241249 8704 4.95486 fc4d0bb43d9cad311c848394709b36fc
.BLAdep 315392 2300 2560 3.79474 d1f7d8f18d9dac3b4b047a82ee564c85
.rdata 319488 213950 214016 5.54082 ba46036a7ad98c167b8e2c8d555593d7
.HLOV 536576 1431 1536 0 53e979547d8c2ea86560ac45de08ae25
.TJdzA 540672 1997 2048 0 c99a74c555371a433d121f551d6c6398
.rsrc 544768 3264 3584 2.73415 5ddbde082fcafe84eae601985bc26ddf
.gUbLH 548864 1093 1536 0 53e979547d8c2ea86560ac45de08ae25
.ygLJlSm 552960 2752 3072 0 d2a70550489de356a2cd6bfc40711204
.JnTc 557056 439 512 0 bf619eac0cdf3f68d496ea9344137e8b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
67b737f68f06ecef23e1df0efed136af

URLs

URL IP
www.microsoft.com
www.bing.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Explorer.EXE_1196_rwx_023C0000_000B2000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: http://www.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
ftp://%s:%s@%s:%i
ftp://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

Explorer.EXE_1196_rwx_02580000_000B8000:

.text
`.rdata
@.data
.reloc
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: http://www.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
http://
https://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
ftp://%s:%s@%s:%i
ftp://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
SYSTEM!MAS3!34C5CFCE
%WinDir%\apppatch\quvckab.exe
%Documents and Settings%\%current user%\Application Data\
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1668

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %System%\config\SOFTWARE (135168 bytes)
    %System%\config\software.LOG (37376 bytes)
    %WinDir%\AppPatch\quvckab.exe (818928 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.