BKDR_DARKOMET.ENG
Ransom:Win32/Teerac.A (Microsoft); RDN/Ransom!ex (McAfee); Trojan.Cryptolocker.F (Symantec); Trojan.Win32.Deshacop.du (Kaspersky); Trojan.Win32.Generic!BT (Sunbelt); Trojan horse Inject2.BZET (AVG)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor creates the following folders:
- %User Profile%\Application Data\yfysozezamyhirug
- %User Profile%\Microsoft\Address Book
- %User Profile%\CryptnetUrlCache\MetaData
- %User Profile%\Microsoft\CryptnetUrlCache
- %User Profile%\CryptnetUrlCache\Content
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
eqevemaq = "%Windows%\evuxowox.exe "
Other System Modifications
This backdoor adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV8 = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV9 = "0"
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkContactRefresh = "0"
HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkFolderRefresh = "0"
HKEY_CURRENT_USER\Identities\{8A24C031-62FE-4BF5-94F0-BFD4FBCD674B}
Identity Ordinal = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts
AssociatedID = "{random values}"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Server ID = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
LDAP Server ID = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP Server ID = "2"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
LDAP Server ID = "3"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager
Server ID = "4"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts
PreConfigVer = "4"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts
PreConfigVerNTDS = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
Account Name = "Active Directory"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Server = "NULL"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Search Return = "64"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Timeout = "3c"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Authentication = "2"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Simple Search = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Bind DN = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Port = "cc4"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Resolve Flag = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Secure Connection = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP User Name = "NULL"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Active Directory GC
LDAP Search Base = "NULL"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
Account Name = "Bigfoot Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
LDAP Server = "ldap.bigfoot.com"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
LDAP URL = "http://www.{BLOCKED}t.com"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
LDAP Search Return = "64"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
LDAP Timeout = "3c"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
LDAP Authentication = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
LDAP Simple Search = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\Bigfoot
LDAP Logo = "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
Account Name = "VeriSign Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP Server = "directory.verisign.com"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP URL = "http://www.{BLOCKED}gn.com"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP Search Return = "64"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP Timeout = "3c"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP Authentication = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP Search Base = "NULL"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP Simple Search = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\VeriSign
LDAP Logo = "%ProgramFiles%\Common Files\Services\verisign.bmp"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
Account Name = "WhoWhere Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
LDAP Server = "ldap.whowhere.com"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
LDAP URL = "http://www.{BLOCKED}re.com"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
LDAP Search Return = "64"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
LDAP Timeout = "3c"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
LDAP Authentication = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
LDAP Simple Search = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\WhoWhere
LDAP Logo = "%ProgramFiles%\Common Files\Services\whowhere.bmp"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager
Default LDAP Account = "Active Directory GC"
HKEY_CURRENT_USER\Software\Microsoft\
WAB
Server ID = "1f5"
It modifies the following registry entries:
HKEY_CURRENT_USER\Identities
Identity Ordinal = "2"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4C95A9902ABE0777CED18D6ACCC3372D2748381E
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4BA7B9DDD68788E12FF852E1A024204BF286A8F6
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
47AFB915CDA26D82467B97FA42914468726138DD
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4463C531D7CCC1006794612BB656D3BF8257846F
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
43F9B110D5BAFD48225231B0D0082B372FEF9A54
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
43DDB1FFF3B49B73831407F6BC8B975023D07C50
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
4072BA31FEC351438480F62E6CB95508461EAB2F
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
394FF6850B06BE52E51856CC10E180E882B385CC
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
36863563FD5128C7BEA6F005CFE9B43668086CCE
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
2F173F7DE99667AFA57AF80AA2D1B12FAC830338
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
284F55C41A1A7A3F8328D4C262FB376ED6096F24
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
273EE12457FDC4F90C55E82B56167F62F532E547
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
23E594945195F2414803B4D564D2A3A3F5D88B8C
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
216B2A29E62A00CE820146D8244141B92511B279
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
209900B63D955728140CD13622D8C687A4EB0085
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
1F55E8839BAC30728BE7108EDE7B0BB0D3298224
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
049811056AFE9FD0F5BE01685AACE6A5D1C4454C
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0483ED3399AC3608058722EDBC5E4600E3BEF9D7
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\AuthRoot\Certificates\
0048F8D37B153F6EA2798C323EF4F318A5624A9E
Blob = "{random values}"
(Note: The default value data of the said registry entry is {random values}.)
Dropping Routine
This backdoor drops the following files:
- %User Profile%\yfysozezamyhirug\01000000
- %Windows%\evuxowox.exe
- %User Profile%\yfysozezamyhirug\02000000
- %User Profile%\yfysozezamyhirug\00000000
- %User Profile%\Address Book\Wilbert.wab
- %User Profile%\MetaData\2BF68F4714092295550497DD56F57004
- %User Profile%\Content\2BF68F4714092295550497DD56F57004
- %User Profile%\MetaData\94308059B57B3142E455B38A6EB92015
- %User Profile%\Content\94308059B57B3142E455B38A6EB92015
- %User Temp%\Cab12.tmp
- %User Temp%\Tar14.tmp
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Other Details
This backdoor connects to the following possibly malicious URL:
- http://{BLOCKED}ck.ru
- {BLOCKED}.145.212
- {BLOCKED}.8.186
This report is generated via an automated analysis system.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
- PhishingFilter
- In HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
- Wab File Name
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
- Accounts
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
- Active Directory GC
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
- Bigfoot
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
- VeriSign
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
- WhoWhere
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- eqevemaq = "%Windows%\evuxowox.exe "
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
- EnabledV8 = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
- EnabledV9 = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
- OlkContactRefresh = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
- OlkFolderRefresh = "0"
- In HKEY_CURRENT_USER\Identities\{8A24C031-62FE-4BF5-94F0-BFD4FBCD674B}
- Identity Ordinal = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
- AssociatedID = "{random values}"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Server ID = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- LDAP Server ID = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP Server ID = "2"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- LDAP Server ID = "3"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
- Server ID = "4"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
- PreConfigVer = "4"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
- PreConfigVerNTDS = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- Account Name = "Active Directory"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Server = "NULL"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Search Return = "64"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Timeout = "3c"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Authentication = "2"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Simple Search = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Bind DN = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Port = "cc4"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Resolve Flag = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Secure Connection = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP User Name = "NULL"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
- LDAP Search Base = "NULL"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- Account Name = "Bigfoot Internet Directory Service"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- LDAP Server = "ldap.bigfoot.com"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- LDAP URL = "http://www.{BLOCKED}t.com"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- LDAP Search Return = "64"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- LDAP Timeout = "3c"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- LDAP Authentication = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- LDAP Simple Search = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
- LDAP Logo = "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- Account Name = "VeriSign Internet Directory Service"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP Server = "directory.verisign.com"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP URL = "http://www.{BLOCKED}gn.com"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP Search Return = "64"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP Timeout = "3c"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP Authentication = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP Search Base = "NULL"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP Simple Search = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
- LDAP Logo = "%ProgramFiles%\Common Files\Services\verisign.bmp"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- Account Name = "WhoWhere Internet Directory Service"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- LDAP Server = "ldap.whowhere.com"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- LDAP URL = "http://www.{BLOCKED}re.com"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- LDAP Search Return = "64"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- LDAP Timeout = "3c"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- LDAP Authentication = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- LDAP Simple Search = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
- LDAP Logo = "%ProgramFiles%\Common Files\Services\whowhere.bmp"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
- Default LDAP Account = "Active Directory GC"
- In HKEY_CURRENT_USER\Software\Microsoft\WAB
- Server ID = "1f5"
Step 5
Restore these modified registry values
Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Identities
- From: Identity Ordinal = "2"
To: Identity Ordinal = ""1""
- From: Identity Ordinal = "2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4C95A9902ABE0777CED18D6ACCC3372D2748381E
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4BA7B9DDD68788E12FF852E1A024204BF286A8F6
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47AFB915CDA26D82467B97FA42914468726138DD
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4463C531D7CCC1006794612BB656D3BF8257846F
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43F9B110D5BAFD48225231B0D0082B372FEF9A54
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\43DDB1FFF3B49B73831407F6BC8B975023D07C50
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4072BA31FEC351438480F62E6CB95508461EAB2F
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\394FF6850B06BE52E51856CC10E180E882B385CC
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\36863563FD5128C7BEA6F005CFE9B43668086CCE
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2F173F7DE99667AFA57AF80AA2D1B12FAC830338
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\284F55C41A1A7A3F8328D4C262FB376ED6096F24
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\273EE12457FDC4F90C55E82B56167F62F532E547
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\23E594945195F2414803B4D564D2A3A3F5D88B8C
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\216B2A29E62A00CE820146D8244141B92511B279
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\209900B63D955728140CD13622D8C687A4EB0085
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1F55E8839BAC30728BE7108EDE7B0BB0D3298224
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\049811056AFE9FD0F5BE01685AACE6A5D1C4454C
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0483ED3399AC3608058722EDBC5E4600E3BEF9D7
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0048F8D37B153F6EA2798C323EF4F318A5624A9E
- From: Blob = "{random values}"
To: Blob = ""{random values}""
- From: Blob = "{random values}"
Step 6
Search and delete these components
- %User Profile%\yfysozezamyhirug\01000000
- %Windows%\evuxowox.exe
- %User Profile%\yfysozezamyhirug\02000000
- %User Profile%\yfysozezamyhirug\00000000
- %User Profile%\Address Book\Wilbert.wab
- %User Profile%\MetaData\2BF68F4714092295550497DD56F57004
- %User Profile%\Content\2BF68F4714092295550497DD56F57004
- %User Profile%\MetaData\94308059B57B3142E455B38A6EB92015
- %User Profile%\Content\94308059B57B3142E455B38A6EB92015
- %User Temp%\Cab12.tmp
- %User Temp%\Tar14.tmp
Step 7
Search and delete these folders
- %User Profile%\Application Data\yfysozezamyhirug
- %User Profile%\Microsoft\Address Book
- %User Profile%\CryptnetUrlCache\MetaData
- %User Profile%\Microsoft\CryptnetUrlCache
- %User Profile%\CryptnetUrlCache\Content
Step 8
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_DARKOMET.ENG. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.