Gen.Variant.FAkeAlert.105_124a93177b

by malwarelabrobot on August 7th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FAkeAlert.105 (B) (Emsisoft), Gen:Variant.FAkeAlert.105 (AdAware), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, SpyTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 124a93177b6a7c6adf8978db3fdc8ceb
SHA1: 4b515cf003c6beba9c9a25589e191cad096f3ead
SHA256: b971d1e176234a60658e942d8de30cbf09b8af3e150ef6f1c8ed23d37de75624
SSDeep: 49152:cqmPtNumDP1h9XGofdOTCNYFPWzNF7KUG:xmSmD79XLOSYFuzNVm
Size: 2126848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: of even tools itself
Created at: 2014-05-21 08:08:03
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:348

The Trojan injects its code into the following process(es):

YTS.exe:1508

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\NMLSNO\YTS.exe (15801 bytes)
%Documents and Settings%\All Users\Application Data\NMLSNO\YTS.02 (56 bytes)
%Documents and Settings%\All Users\Application Data\NMLSNO\YTS.01 (82 bytes)
%Documents and Settings%\All Users\Application Data\NMLSNO\YTS.00 (2 bytes)

The process YTS.exe:1508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\PMG\YTS.005 (2399 bytes)

Registry activity

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 81 83 84 56 2C D2 30 B0 8E EE 55 1D A7 31 56"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\NMLSNO]
"YTS.exe" = "YTS"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process YTS.exe:1508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D D7 14 72 69 D5 02 3B D5 50 F6 13 FC 95 6F F5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YTS Start" = "%Documents and Settings%\All Users\Application Data\NMLSNO\YTS.exe"

Dropped PE files

MD5 File path
29164ede25dc60648de505abcb56a8b4 c:\Documents and Settings\All Users\Application Data\NMLSNO\YTS.01
7e4a3954609fa7aab966a7dfef23ba39 c:\Documents and Settings\All Users\Application Data\NMLSNO\YTS.02
53883bf3b374dbacfad4f63e1bad74a6 c:\Documents and Settings\All Users\Application Data\NMLSNO\YTS.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 40804 40960 4.75466 5968532880f212cc5e6384efa2a39488
.rdata 45056 9182 9216 3.85352 f535e05ebf941b1fdd990d0361ff1a30
.data 57344 8032 3584 1.58992 8f83bbd22817a195306cd7bc472b9f37
.rsrc 65536 2066900 2066944 5.33838 c4aa334f9179c4154344c21b05a4c651
.reloc 2134016 4756 5120 2.51484 abdc5a1fc656aabf18368eedf719ed51

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

YTS.exe_1508:

.text
`.rdata
@.data
.rsrc
udPh
SSh0FS
PSSSSSSh
PSSSSSSh!
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
.EKSWU
FTPG
FTPj
FtPS
=KNILw.tT=RCNEw
_0 _8 _4;_,
SHA1 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by <appro@openssl.org>
Camellia for x86 by <appro@openssl.org>
RC4 for x86, CRYPTOGAMS by <appro@openssl.org>
FRegDeleteKeyExW
MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}</STYLE></HEAD><META http-equiv=Content-Type content="text/html; charset=utf-8"><BODY>
mail@domain.com
Date: %d %s %d %d:%d:%d
EHLO %s
,qop=%s
,response=%s
,digest-uri="%s"
,cnonce="%s"
,nc=%s
,nonce="%s"
,realm="%s"
charset=utf-8,username="%s"
smtp/
AUTH PLAIN %s
^%s^%s
AUTH LOGIN
LOGIN
--%s--
RCPT TO:<%s>
MAIL FROM:<%s>
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
portuguese-brazilian
ADVAPI32.DLL
kernel32.dll
UxTheme.dll
OLEACC.dll
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
lhash part of OpenSSL 1.0.0d 8 Feb 2011
Stack part of OpenSSL 1.0.0d 8 Feb 2011
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
Big Number part of OpenSSL 1.0.0d 8 Feb 2011
ASN.1 part of OpenSSL 1.0.0d 8 Feb 2011
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
keylength
keyfunc
EVP part of OpenSSL 1.0.0d 8 Feb 2011
.\crypto\pkcs12\p12_key.c
SHA1 part of OpenSSL 1.0.0d 8 Feb 2011
SHA-256 part of OpenSSL 1.0.0d 8 Feb 2011
SHA-512 part of OpenSSL 1.0.0d 8 Feb 2011
RSA part of OpenSSL 1.0.0d 8 Feb 2011
RAND part of OpenSSL 1.0.0d 8 Feb 2011
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
cert_info
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
NETAPI32.DLL
KERNEL32.DLL
value.single
value.set
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
%d.%d.%d.%d/%d.%d.%d.%d
%*s%s:
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
AUTHORITY_KEYID
keyid
X509_CERT_PAIR
X509_CERT_AUX
%d.%d.%d.%d
EC part of OpenSSL 1.0.0d 8 Feb 2011
ECDSA part of OpenSSL 1.0.0d 8 Feb 2011
.\crypto\ec\ec_key.c
DSA part of OpenSSL 1.0.0d 8 Feb 2011
Diffie-Hellman part of OpenSSL 1.0.0d 8 Feb 2011
.\crypto\dh\dh_key.c
\X
<unsupported>
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:<unsupported>
X400Name:<unsupported>
othername:<unsupported>
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
ddddddZ
ddddddZ
pubkey
priv_key
pub_key
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
.\crypto\evp\evp_pkey.c
ECDH part of OpenSSL 1.0.0d 8 Feb 2011
%'%1%=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
X.509 part of OpenSSL 1.0.0d 8 Feb 2011
OPENSSL_ALLOW_PROXY_CERTS
x%s
%s - d:d:d%.*s %d%s
'() ,-./:=?
CONF part of OpenSSL 1.0.0d 8 Feb 2011
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
MD5 part of OpenSSL 1.0.0d 8 Feb 2011
PROXY_CERT_INFO_EXTENSION
D:/Projects/openssl-10.0d/ssl/certs
D:/Projects/openssl-10.0d/ssl/cert.pem
SSL_CERT_DIR
SSL_CERT_FILE
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
%lu:%s:%s:%d:%s
CONF_def part of OpenSSL 1.0.0d 8 Feb 2011
[[%s]]
[%s] %s=%s
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
certs
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
%s.dll
PEM part of OpenSSL 1.0.0d 8 Feb 2011
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
?456789:;<=
!"#$%&'()* ,-./0123
Verifying - %s
OpenSSL 1.0.0d 8 Feb 2011
%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
EXPORT56
EXPORT40
EXPORT
.\ssl\ssl_cert.c
SSLv3 part of OpenSSL 1.0.0d 8 Feb 2011
TLSv1 part of OpenSSL 1.0.0d 8 Feb 2011
SSLv2 part of OpenSSL 1.0.0d 8 Feb 2011
s->session->master_key_length >= 0 && s->session->master_key_length < (int)sizeof(s->session->master_key)
wrong number of key bits
unsupported status type
unsupported ssl version
unsupported protocol
unsupported elliptic curve
unsupported digest type
unsupported compression algorithm
unsupported cipher
unknown pkey type
unknown key exchange type
unknown certificate type
unable to find public key parameters
unable to extract public key
unable to decode ecdh certs
unable to decode dh certs
tried to use unsupported cipher
tls peer did not respond with certificate list
tls client cert req with anon cipher
tlsv1 unsupported extension
tlsv1 certificate unobtainable
tlsv1 bad certificate status response
tlsv1 bad certificate hash value
tlsv1 alert export restriction
sslv3 alert unsupported certificate
sslv3 alert no certificate
sslv3 alert certificate unknown
sslv3 alert certificate revoked
sslv3 alert certificate expired
sslv3 alert bad certificate
signature for non signing certificate
reuse cert type not zero
reuse cert length not zero
public key not rsa
public key is not rsa
public key encrypt error
peer error unsupported certificate type
peer error no certificate
peer error certificate
peer did not return a certificate
null ssl method passed
no publickey
no private key assigned
no privatekey
Peer haven't sent GOST certificate, required for selected ciphersuite
no client cert received
no client cert method
no ciphers passed
no certificate specified
no certificate set
no certificate returned
no certificate assigned
no certificates returned
missing tmp rsa pkey
missing tmp rsa key
missing tmp ecdh key
missing tmp dh key
missing rsa signing cert
missing rsa encrypting cert
missing rsa certificate
missing export tmp rsa key
missing export tmp dh key
missing dsa signing cert
missing dh rsa cert
missing dh key
missing dh dsa cert
krb5 server rd_req (keytab perms?)
key arg too long
invalid ticket keys length
http request
https proxy request
error generating tmp rsa key
ecc cert should have sha1 signature
ecc cert should have rsa signature
ecc cert not for signing
ecc cert not for key agreement
cert length mismatch
certificate verify failed
bad ecc cert
bad dh pub key length
TLS1_SETUP_KEY_BLOCK
tls1_cert_verify_mac
SSL_VERIFY_CERT_CHAIN
SSL_use_RSAPrivateKey_file
SSL_use_RSAPrivateKey_ASN1
SSL_use_RSAPrivateKey
SSL_use_PrivateKey_file
SSL_use_PrivateKey_ASN1
SSL_use_PrivateKey
SSL_use_certificate_file
SSL_use_certificate_ASN1
SSL_use_certificate
SSL_SET_PKEY
SSL_SET_CERT
SSL_SESS_CERT_NEW
SSL_GET_SIGN_PKEY
SSL_GET_SERVER_SEND_CERT
SSL_CTX_use_RSAPrivateKey_file
SSL_CTX_use_RSAPrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_PrivateKey
SSL_CTX_use_certificate_file
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate
SSL_CTX_set_client_cert_engine
SSL_CTX_check_private_key
SSL_CHECK_SRVR_ECC_CERT_AND_ALG
SSL_check_private_key
SSL_CERT_NEW
SSL_CERT_INSTANTIATE
SSL_CERT_INST
SSL_CERT_DUP
SSL_add_file_cert_subjects_to_stack
SSL_add_dir_cert_subjects_to_stack
SSL3_SETUP_KEY_BLOCK
SSL3_SEND_SERVER_KEY_EXCHANGE
SSL3_SEND_SERVER_CERTIFICATE
SSL3_SEND_CLIENT_KEY_EXCHANGE
SSL3_SEND_CLIENT_CERTIFICATE
SSL3_SEND_CERTIFICATE_REQUEST
SSL3_OUTPUT_CERT_CHAIN
SSL3_GET_SERVER_CERTIFICATE
SSL3_GET_KEY_EXCHANGE
SSL3_GET_CLIENT_KEY_EXCHANGE
SSL3_GET_CLIENT_CERTIFICATE
SSL3_GET_CERT_VERIFY
SSL3_GET_CERT_STATUS
SSL3_GET_CERTIFICATE_REQUEST
SSL3_GENERATE_KEY_BLOCK
SSL3_CHECK_CERT_AND_ALGORITHM
SSL3_ADD_CERT_TO_BUF
SSL2_SET_CERTIFICATE
SSL2_GENERATE_KEY_MATERIAL
REQUEST_CERTIFICATE
GET_CLIENT_MASTER_KEY
DTLS1_SEND_SERVER_KEY_EXCHANGE
DTLS1_SEND_SERVER_CERTIFICATE
DTLS1_SEND_CLIENT_KEY_EXCHANGE
DTLS1_SEND_CLIENT_CERTIFICATE
DTLS1_SEND_CERTIFICATE_REQUEST
DTLS1_OUTPUT_CERT_CHAIN
DTLS1_ADD_CERT_TO_BUF
CLIENT_MASTER_KEY
CLIENT_CERTIFICATE
key expansion
client write key
server write key
c->iv_len <= (int)sizeof(s->session->key_arg)
s->s2->key_material_length <= sizeof s->s2->key_material
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
;Warning: highpass filter disabled. highpass frequency too small
hXXp://lame.sf.net
3.99.5
Opera
?INTERNAL ERROR IN VBR NEW CODE, please send bug report
@INTERNAL ERROR IN VBR NEW CODE (986), please send bug report
INTERNAL ERROR IN VBR NEW CODE (1313), please send bug report
maxbits=%d usedbits=%d
hip: invalid layer %d
hip: error audio data exceeds framesize by %d bytes
hip: bitstream problem, resyncing skipping %d bytes...
Sorry, layer %d not supported
hip: Can't rewind stream by %d bits!
hip: Bogus region length (%d)
ADVAPI32.dll
F%D,3
QVisual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
%S#[k
?#%X.y
.\crypto\engine\eng_pkey.c
RSA PRIVATE KEY
DSA PRIVATE KEY
EC PRIVATE KEY
Load certs from files in a directory
%s%clx.%s%d
unsupported type
unsupported recpientinfo type
unsupported recipient type
unsupported kek algorithm
unsupported content type
signer certificate not found
private key does not match certificate
no public key
no private key
no msgsigdigest
no key or cert
no key
not supported for this key type
not key transport
msgsigdigest wrong length
msgsigdigest verification failure
msgsigdigest error
invalid key length
invalid encrypted key length
error setting key
error getting public key
certificate verify error
certificate has no keyid
certificate already present
CMS_SIGNERINFO_VERIFY_CERT
CMS_RecipientInfo_set0_pkey
CMS_RecipientInfo_set0_key
CMS_RecipientInfo_ktri_cert_cmp
cms_msgSigDigest_add1
CMS_GET0_CERTIFICATE_CHOICES
CMS_EncryptedData_set1_key
CMS_decrypt_set1_pkey
CMS_decrypt_set1_key
CMS_add1_recipient_cert
CMS_add0_recipient_key
CMS_add0_cert
unsupported requestorname type
no certificates in chain
error parsing url
PARSE_HTTP_LINE1
OCSP_parse_url
OCSP_cert_id_new
unimplemented public key method
invalid cmd number
invalid cmd name
failed loading public key
failed loading private key
cmd not executable
ENGINE_UNLOAD_KEY
ENGINE_load_ssl_client_cert
ENGINE_load_public_key
ENGINE_load_private_key
ENGINE_get_pkey_meth
ENGINE_get_pkey_asn1_meth
ENGINE_ctrl_cmd_string
ENGINE_ctrl_cmd
ENGINE_cmd_is_executable
unsupported version
unsupported md algorithm
invalid signer certificate purpose
ess signing certificate error
ess add signing cert error
TS_VERIFY_CERT
TS_TST_INFO_set_msg_imprint
TS_RESP_CTX_set_signer_cert
TS_RESP_CTX_set_certs
TS_REQ_set_msg_imprint
TS_MSG_IMPRINT_set_algo
TS_CHECK_SIGNING_CERTS
ESS_SIGNING_CERT_NEW_INIT
ESS_CERT_ID_NEW_INIT
ESS_ADD_SIGNING_CERT
functionality not supported
WIN32_JOINER
unsupported pkcs12 mode
key gen error
PKCS8_add_keyusage
PKCS12_PBE_keyivgen
PKCS12_newpass
PKCS12_MAKE_SHKEYBAG
PKCS12_MAKE_KEYBAG
PKCS12_key_gen_uni
PKCS12_key_gen_asc
PKCS12_add_localkeyid
unsupported option
unable to get issuer keyid
policy syntax not currently supported
operation not defined
no proxy cert policy language defined
no issuer certificate
extension setting not supported
V2I_EXTENDED_KEY_USAGE
V2I_AUTHORITY_KEYID
S2I_SKEY_ID
S2I_ASN1_SKEY_ID
R2I_CERTPOL
unsupported cipher type
unknown operation
unable to find certificate
signing not supported for this key type
operation not supported on this type
no recipient matches key
no recipient matches certificate
encryption not supported for this key type
decrypted key is wrong length
PKCS7_add_certificate
unsupported method
no port specified
no port defined
no accept port specified
broken pipe
BIO_get_port
ECDH_compute_key
data too large for key size
unsupported field
passed null parameter
not a supported NIST prime
missing private key
keys not set
invalid private key
PKEY_EC_SIGN
PKEY_EC_PARAMGEN
PKEY_EC_KEYGEN
PKEY_EC_DERIVE
PKEY_EC_CTRL_STR
PKEY_EC_CTRL
o2i_ECPublicKey
i2o_ECPublicKey
i2d_ECPrivateKey
EC_KEY_print_fp
EC_KEY_print
EC_KEY_new
EC_KEY_generate_key
EC_KEY_copy
EC_KEY_check_key
ECKEY_TYPE2PARAM
ECKEY_PUB_ENCODE
ECKEY_PUB_DECODE
ECKEY_PRIV_ENCODE
ECKEY_PRIV_DECODE
ECKEY_PARAM_DECODE
ECKEY_PARAM2TYPE
DO_EC_KEY_PRINT
d2i_ECPrivateKey
zlib not supported
wrong public key type
unsupported public key type
unsupported encryption algorithm
unsupported any defined by type
unknown public key type
unable to decode rsa private key
unable to decode rsa key
streaming not supported
private key header missing
digest and key type not supported
bad password read
X509_PKEY_new
i2d_RSA_PUBKEY
i2d_PublicKey
i2d_PrivateKey
i2d_EC_PUBKEY
i2d_DSA_PUBKEY
d2i_X509_PKEY
d2i_PublicKey
d2i_PrivateKey
d2i_AutoPrivateKey
unsupported algorithm
unknown key type
unable to get certs public key
public key encode error
public key decode error
no cert set for us to verify
method not supported
loading cert dir
key values mismatch
key type mismatch
cert already in hash table
cant check dh key
X509_verify_cert
X509_STORE_add_cert
X509_REQ_check_private_key
X509_PUBKEY_set
X509_PUBKEY_get
X509_load_cert_file
X509_load_cert_crl_file
X509_get_pubkey_parameters
X509_check_private_key
GET_CERT_BY_SUBJECT
ADD_CERT_DIR
PKEY_DSA_KEYGEN
PKEY_DSA_CTRL
unsupported key components
unsupported encryption
read key
public key no rsa
problems getting password
keyblob too short
keyblob header parse error
expecting public key blob
expecting private key blob
error converting private key
PEM_WRITE_PRIVATEKEY
PEM_READ_PRIVATEKEY
PEM_READ_BIO_PRIVATEKEY
PEM_PK8PKEY
PEM_F_PEM_WRITE_PKCS8PRIVATEKEY
DO_PK8PKEY_FP
DO_PK8PKEY
d2i_PKCS8PrivateKey_fp
d2i_PKCS8PrivateKey_bio
unsupported salt type
unsupported private key algorithm
unsupported prf
unsupported key size
unsupported key derivation function
unsupported keylength
unsuported number of rounds
private key encode error
private key decode error
operaton not initialized
operation not supported for this keytype
no operation set
no key set
keygen failure
invalid operation
expecting a ec key
expecting a ecdsa key
expecting a dsa key
expecting a dh key
expecting an rsa key
different key types
ctrl operation not implemented
command not supported
camellia key setup failed
bn pubkey error
bad key length
aes key setup failed
PKEY_SET_TYPE
PKCS5_v2_PBE_keyivgen
PKCS5_PBE_keyivgen
EVP_PKEY_verify_recover_init
EVP_PKEY_verify_recover
EVP_PKEY_verify_init
EVP_PKEY_verify
EVP_PKEY_sign_init
EVP_PKEY_sign
EVP_PKEY_paramgen_init
EVP_PKEY_paramgen
EVP_PKEY_new
EVP_PKEY_keygen_init
EVP_PKEY_keygen
EVP_PKEY_get1_RSA
EVP_PKEY_get1_EC_KEY
EVP_PKEY_GET1_ECDSA
EVP_PKEY_get1_DSA
EVP_PKEY_get1_DH
EVP_PKEY_encrypt_old
EVP_PKEY_encrypt_init
EVP_PKEY_encrypt
EVP_PKEY_derive_set_peer
EVP_PKEY_derive_init
EVP_PKEY_derive
EVP_PKEY_decrypt_old
EVP_PKEY_decrypt_init
EVP_PKEY_decrypt
EVP_PKEY_CTX_dup
EVP_PKEY_CTX_ctrl_str
EVP_PKEY_CTX_ctrl
EVP_PKEY_copy_parameters
EVP_PKEY2PKCS8_broken
EVP_PKCS82PKEY_BROKEN
EVP_PKCS82PKEY
EVP_CIPHER_CTX_set_key_length
ECKEY_PKEY2PKCS8
ECDSA_PKEY2PKCS8
DSA_PKEY2PKCS8
DSAPKEY2PKCS8
D2I_PKEY
CAMELLIA_INIT_KEY
AES_INIT_KEY
invalid public key
PKEY_DH_KEYGEN
PKEY_DH_DERIVE
GENERATE_KEY
COMPUTE_KEY
rsa operations not supported
key size too small
invalid keybits
illegal or unsupported padding mode
digest too big for rsa key
data too small for key size
RSA_generate_key
RSA_check_key
RSA_BUILTIN_KEYGEN
PKEY_RSA_VERIFYRECOVER
PKEY_RSA_SIGN
PKEY_RSA_CTRL_STR
PKEY_RSA_CTRL
.pp@0
aEÐ
 (#EÚ
ÚE<<0
RC2 part of OpenSSL 1.0.0d 8 Feb 2011
IDEA part of OpenSSL 1.0.0d 8 Feb 2011
libdes part of OpenSSL 1.0.0d 8 Feb 2011
DES part of OpenSSL 1.0.0d 8 Feb 2011
NETSCAPE_CERT_SEQUENCE
.\crypto\asn1\x_pkey.c
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventA
UrlIsW
SHLWAPI.dll
PSAPI.DLL
WS2_32.dll
COMCTL32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
FtpPutFileW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpDeleteFileW
FtpSetCurrentDirectoryW
WININET.dll
MPR.dll
WINMM.dll
VERSION.dll
GetWindowsDirectoryW
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
KERNEL32.dll
UnregisterHotKey
RegisterHotKey
GetKeyNameTextW
MapVirtualKeyW
EnumWindows
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
USER32.dll
GDI32.dll
COMDLG32.dll
ole32.dll
OLEAUT32.dll
.?AVECSmtp@@
zcÁ
H%X|Z
bRdd.zZ
.uEdx
BOCRT
U.eCb
A.fCX
%dL W:<
6--\&|-::
\cmd'
.GL#!
*%S_A
nÂzj
.CI,.
.EW,4
.BdOW
.LN,4
.LI,=
1Um%c~
I2.qZ
.uB]D3
.CxH<
J.lVY
O.fA]
.CA,=
.CE =
.Cy/=
.Ca(=
D.dLS
Z.lj]
K.lFy
C.fA<
N.ZG_
Z.ldU
F.lrS
\-eG}
N.lkR
.Cs"<
.Ca8=
.CA8=
.Cmh=
.BA"<
`%X6@
i.zcP
L.fQI
k.eo]
K.lc<
n.eM_
C y|.NAB
O.lE:
F.ll]
K.laS
{.zqY
].fAW
F.lvU
.Ba&<
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="x86" name="Test" type="win32"></assemblyIdentity><description>
</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PA
\StringFileInfo\lx\%s
%Y-%m-%d_%H-%M-%S.mp3
smtps.uol.com.br
*@uol.com.br
smtp.hotpop.com
*@hotpop.com
smtp.gawab.com
*@gawab.com
smtp.gmx.com
*@gmx.com;*@gmx.us
smtp.aim.com
*@aim.com
mail.messagingengine.com
*@fastmail.fm
smtp.aol.com
*@aol.com
smtp.mail.yahoo.com.br
*@yahoo.com.br
smtp.comcast.net
*@comcast.net
smtp.live.com
*@hotmail.com
smtp.ig.com.br
*@ig.com.br
smtps.bol.com.br
*@bol.com.br
smtp.mail.yahoo.com
*@yahoo.com
smtp.googlemail.com
*@gmail.com;*@googlemail.com
Shell32.dll
RICHED20.DLL
WAdvapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
@uxtheme.dll
@()<>,;:\"[]
@Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion
test818.txt
TEST863.txt
TEST863.txt/test818.txt
All Files (*.*)
*.exe
Viewer.exe
\TEST202.txt
@USER32.DLL
®key=
\Install.exe
(*.exe)
S.ICO
\WinInit.Ini
wininet.dll
netmsg.dll
%Y-%m-%d_%H-%M-%S.jpg
@hXXp://
S%Y-%m-%d_%H-%M-%S
CWebcam_
Keys_
.html
comctl32.dll
DNSAPI.DLL
WTL_CmdBar_InternalAutoPopupMsg
WTL_CmdBar_InternalGetBarMsg
mscoree.dll
V*(%F@4 F7*
72.JA1'
[,'&"?4-
%Documents and Settings%\All Users\Application Data\NMLSNO\YTS.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:348

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\NMLSNO\YTS.exe (15801 bytes)
    %Documents and Settings%\All Users\Application Data\NMLSNO\YTS.02 (56 bytes)
    %Documents and Settings%\All Users\Application Data\NMLSNO\YTS.01 (82 bytes)
    %Documents and Settings%\All Users\Application Data\NMLSNO\YTS.00 (2 bytes)
    %Documents and Settings%\All Users\Application Data\PMG\YTS.005 (2399 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YTS Start" = "%Documents and Settings%\All Users\Application Data\NMLSNO\YTS.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.