FakeAV Analysis: Defense Center
Defense Center is doing the rounds again, but this time it seems to be a bit more aggressive!
Let's start off with some screenshots.
Like all rogue AVs, it bombards you with warnings about how your computer is “infected”.
30% off! You’d be a fool not to snap that offer up, wouldn’t you?
Once installed, Defense Center installs a handler in HKCR\.exe\shell\open\command so it can intercept any .exe that is executed; if the infection is not removed properly (the handler binary deleted while the registry value still points at it), you won't be able to run any .exe file at all.
This is a list of strings from the unpacked dropper.
```text
0x00002110 0x0000000E UNKNOWN
0x00002120 0x00000014 %s%s%d.tmp
0x00002140 0x00000014 Azerbaijan
0x00002158 0x0000000E Belarus
0x00002168 0x00000014 Kazakhstan
0x00002180 0x00000014 Kyrgyzstan
0x00002198 0x0000000C Russia
0x000021A8 0x00000014 Uzbekistan
0x000021C0 0x0000000E Ukraine
0x000021D0 0x0000001C Czech Republic
0x000021F0 0x0000000C Poland
0x00002210 0x00000018 _favdata.dat
0x00002230 0x00000014 Printers\Connections
0x00002248 0x00000005 affid
0x00002250 0x00000005 subid
0x00002258 0x0000004A \AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
0x000022A4 0x0000000C %[^;];%[^;];
0x000022BC 0x0000000E IsWow64Process
0x000022CC 0x00000008 kernel32
0x000022D8 0x00000015 ObtainUserAgentString
0x000022F0 0x0000000A urlmon.dll
0x000022FC 0x00000037 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
336;landing;-1;.hxxp://Traffic-Photos.com/ms05/ad;hxxp://www.easysecurityscan.com/ms05/ad;hxxp://www.fastanyprime.com/ms05/ad;...hxxp://Traffic-Photos.com/ms05/ad;hxxp://www.easysecurityscan.com/ms05/ad;hxxp://www.fastanyprime.com/ms05/ad
```
Here we can see the results of these URLs on URLVoid.
The short list of country strings is the set of countries in which the malware's author does not want it to run: the dropper compares the system's country name against each entry and exits if one matches.
```text
0040113A |>  56              /PUSH ESI                          ; /wstr2 = "United States"
0040113B |.  FF74BD DC       |PUSH DWORD PTR SS:[EBP+EDI*4-24]  ; |wstr1 = "Azerbaijan"
0040113F |.  E8 5E0A0000     |CALL                              ; \_wcsicmp
00401144 |.  85C0            |TEST EAX,EAX
00401146 |.  59              |POP ECX
00401147 |.  59              |POP ECX
00401148 |.  74 0C           |JE SHORT dump_.00401156           ; eventually goes to ExitProcess.
0040114A |.  47              |INC EDI
0040114B |.  83FF 09         |CMP EDI,9
0040114E |.^ 72 EA           \JB SHORT dump_.0040113A
```
This is a list of strings from the dropped file that now handles all executions of .exe files.
Notice the compile path for the DLL?
f:\src\mrs_adware\Adware2\trunk\Dll\release\Adware.pdb
This malware also creates some p0rn shortcuts on the desktop, plus three other files (spam001.exe, spam003.exe and troj000.exe), but these files aren't actually executables.
This is what the payment screen looks like in their so-called “Safebrowser”. Obviously, filling in that information could put you in serious danger: they could empty your bank account and/or use the personal information for identity theft.
This is a sandbox report of the original dropper.
```text
Detailed report of suspicious malware actions:
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\TMP57114.tmp
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\topwesitjh
Created file on defined folder: C:\Documents and Settings\All Users\Favorites\_favdata.dat
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\AUTMGR32.EXE
Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AUTMGR32.EXE" /START "%1" %*
Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command\IsolatedCommand = "%1" %*
Internet connection: C:\Documents and Settings\Administrator\Desktop\dropper.exe Connects to "91.213.157.69" on port 80 (TCP - HTTP).
Query DNS: traffic-photos .com
Risk evaluation result: High
```
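As an added example (not code from the original post), the check below parses registry lines in the shape of the sandbox report above and flags a .exe open handler that runs another program before the target, which is the HKCR\.exe\shell\open\command hijack described earlier; the sample lines are constructed from the report, and the `user\current_classes` hive alias, the clean control entry and the severity labels are assumptions.

```python
r"""Triage .exe open-handler registry lines from a sandbox report.

Windows normally launches a .exe through HKCR\exefile\shell\open\command, whose
data is "%1" %* (run the file, pass its arguments through). Defense Center
writes a command directly under the .exe extension key so that every launch is
routed through its AUTMGR32.EXE /START stub first. Because HKCU\Software\Classes
is merged into HKCR ahead of the machine hive, that works without admin rights,
which is why the sandbox reports the key under user\current_classes.
"""
import re

# The clean handler: launch the file itself with its own arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Constructed sample in the shape of the sandbox report on this page: the first
# two lines reproduce the report's values, the third is an added clean control.
SAMPLE_REPORT = r'''
Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AUTMGR32.EXE" /START "%1" %*
Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command\IsolatedCommand = "%1" %*
Defined registry AutoStart location added or modified: machine\classes\exefile\shell\open\command = "%1" %*
'''

# Keys that decide how a .exe is opened, with an optional named value after them.
HANDLER_RE = re.compile(
    r'\\(?P<cls>\.exe|exefile)\\shell\\open\\command(?:\\(?P<value>[^\\]+))?$',
    re.IGNORECASE)

# Hive prefixes treated as per-user: the sandbox alias (assumed) and real names.
USER_HIVES = ('user\\', 'hkcu\\', 'hkey_current_user\\')


def parse_registry_lines(report):
    """Yield (key, data) from lines of the form '[label: ]key = data'."""
    for line in report.splitlines():
        head, sep, tail = line.partition(': ')
        assignment = tail if sep else head
        key, sep, data = assignment.partition(' = ')
        if sep:
            yield key.strip(), data.strip()


def interposer_path(command):
    """Return the program a handler command runs first (quoted or bare token)."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else None


def check_exe_handlers(report):
    """Return one finding per .exe open handler that does not simply run the file."""
    findings = []
    for key, data in parse_registry_lines(report):
        m = HANDLER_RE.search(key)
        if not m:
            continue
        per_user = key.lower().startswith(USER_HIVES)
        value = m.group('value') or '(Default)'
        if data == DEFAULT_EXE_COMMAND:
            # Still launches the file itself. Only a per-user key directly on the
            # .exe extension is worth noting: the clean default lives under
            # exefile in the machine hive, so this one shadows it for no reason.
            if per_user and value == '(Default)' and m.group('cls').lower() == '.exe':
                findings.append(dict(key=key, value=value, severity='medium',
                                     interposer=None,
                                     reason='per-user .exe handler shadows exefile'))
            continue
        findings.append(dict(key=key, value=value, severity='high',
                             interposer=interposer_path(data),
                             reason='handler runs another program before the target'))
    return findings


def remediation(finding):
    """Describe the state to restore. Fix the association before deleting the
    interposer; otherwise every .exe launch fails, the breakage the post warns about."""
    if finding['key'].lower().startswith(USER_HIVES):
        step = 'delete %s so the machine exefile association applies again' % finding['key']
    else:
        step = 'set %s back to %s' % (finding['key'], DEFAULT_EXE_COMMAND)
    if finding['interposer']:
        step += ', then remove %s' % finding['interposer']
    return step


if __name__ == '__main__':
    for f in check_exe_handlers(SAMPLE_REPORT):
        print(f['severity'].upper(), f['key'], '->', f['interposer'])
        print('  fix:', remediation(f))
```

On a live machine the same test applies to HKCU\Software\Classes\.exe\shell\open\command and HKCR\exefile\shell\open\command, read with any registry export tool.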
This also downloaded the Pragma rootkit, the old (and probably sold) version of TDSS.
pragmacfg.ini:

```ini
[common]
botid=414796669-1177238915-152049171-1708537768
affid=336
subid=direct
build=no
[injections]
explorer.exe=pragmaserf
iexplore.exe=pragmaserf;pragmabbr
firefox.exe=pragmabbr
safari.exe=pragmabbr
chrome.exe=pragmabbr
opera.exe=pragmabbr
```
pragmabbr.dll strings:
pragmac.dll strings:
pragmaserf.dll strings:
pragmad.sys strings:
So in conclusion: FakeAVs often download other nastiness onto the machine. Only use reputable applications, and only download them from their creators' own websites.