Technical Details

This Trojan installs and launches other programs on the infected computer without the user's knowledge. It is a Windows .Net application (PE EXE file). It is 3 889 352 bytes in size.


Once launched, the Trojan decrypts and extracts the following files from its body to the current user's temporary directory:


This file is 479 232 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.VB.aaen.

This file is 2 196 545 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.dvyg.

The Trojan then launches the extracted files for execution and ceases running. The file "KasKeygenRevised.exe", which is detected as Trojan.Win32.VB.aaen, imitates key generation for Kaspersky Lab products such as: Kaspersky Anti-Virus 2010, Kaspersky Internet Security 2010, Kaspersky Simple Scan 2010. The program's main windows look like this:

The file "1234.exe", which is detected as Trojan-Dropper.Win32.Agent.dvyg, has the following payload:

Once launched, the Trojan decrypts and extracts the following files from its body to the current user's temporary directory:


This file is 1 116 397 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.MSIL.Agent.aor.

This file is 289 792 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Llac.gfu.

The Trojan then launches the extracted files for execution and ceases running. The file "instant.exe", which is detected as Trojan.MSIL.Agent.aor, has the following payload:

The Trojan contains functionality that suppresses its payload when it is launched in the following virtual environments:


This Trojan program is designed to steal user registration information for the following software products:
  • Splinter Cell Pandora Tomorrow
  • Splinter Cell Chaos Theory
  • Call of Duty
  • Call of Duty United Offensive
  • Call of Duty 2
  • Call of Duty 4
  • COD4 Steam Version
  • Call of Duty WAW
  • Dawn of War
  • Dawn of War - Dark Crusade
  • Medieval II Total War
  • Adobe Goolive
  • Nero 7
  • ACDSystems PicAView
  • Act of War
  • Adobe Photoshop 7
  • Advanced PDF Password Recovery
  • Advanced PDF Password Recovery Pro
  • Advanced ZIP Password Recovery
  • Anno 1701
  • Ashamopp WinOptimizer Platinum
  • AV Voice Changer
  • Battlefield 1942 Secret Weapons of WWII
  • Battlefield 1942 The Road to Rome
  • Battlefield 2
  • Battlefield Vietnam
  • Black and White
  • Black and White 2
  • Boulder Dash Rocks
  • Burnout Paradise
  • Camtasia Studio 4
  • Codec Tweak Tool
  • Command and Conquer Generals
  • Command and Conquer Generals Zero Hour
  • Red Alert 2
  • Red Alert
  • Command and Conquer Tiberian Sun
  • Command and Conquer 3
  • Company of Heroes
  • CyberLink PowerProducer
  • Day of Defeat
  • The Battle for Middle-earth II
  • The Sims 2
  • The Sims 2 University
  • The Sims 2 Nightlife
  • The Sims 2 Open For Business
  • The Sims 2 Pets
  • The Sims 2 Seasons
  • The Sims 2 Glamour Life Stuff
  • The Sims 2 Celebration Stuff
  • The Sims 2 H M Fashion Stuff
  • The Sims 2 Family Fun Stuff
  • DVD Audio Extractor
  • Empire Earth II
  • FIFA 2002
  • FIFA 2003
  • FIFA 2004
  • FIFA 2005
  • FIFA 07
  • FIFA 08
  • Freedom Force
  • Frontlines Fuel of War Beta
  • Frontlines Fuel of War
  • Global Operations
  • Hellgate London
  • Hidden & Dangerous 2
  • IGI 2 Retail
  • InCD Serial
  • iPod Converter (Registration Code)
  • iPod Converter (User Name)
  • James Bond 007 Nightfire
  • Status Legends of Might and Magic
  • Macromedia Flash 7
  • Macromedia Fireworks 7
  • Macromedia Dreamweaver 7
  • Madden NFL 07
  • Matrix Screensave
  • Medal of Honor Airborne
  • Medal of Honor Allied Assault
  • Medal of Honor Allied Assault Breakthrough
  • Medal of Honor Heroes 2
  • Nascar Racing 2002
  • Nascar Racing 2003
  • NHL 2002
  • NBA LIVE 2003
  • NBA LIVE 2004
  • NBA LIVE 07
  • NBA Live 08
  • Need for Speed Carbon
  • Need For Speed Hot Pursuit 2
  • Need for Speed Most Wanted
  • Need for Speed ProStreet
  • Need For Speed Underground
  • Need For Speed Underground 2
  • Nero - Burning Rom
  • Nero 7
  • Nero 8
  • NHL 2002
  • NHL 2003
  • NHL 2004
  • NHL 2005
  • Numega SmartCheck
  • O&O Defrag 8.0
  • Partition Magic 8.0
  • Passware Encryption Analyzer
  • Passware Windows Key
  • Pro Evolution Soccer 2008
  • Rainbow Six III RavenShield
  • Shogun Total War Warlord Edition
  • Sid(Meier) 's Pirates!
  • Sid(Meier) 's Pirates!
  • Sim City 4 Deluxe
  • Sim City 4
  • Sniffer Pro 4.5
  • Soldiers Of Anarchy
  • Soldiers Of Anarchy
  • Stalker - Shadow of Chernobyl
  • Star Wars Battlefront II (v1.0)
  • Star Wars Battlefront II (v1.1)
  • Steganos Internet Anonym VPN
  • Splinter Cell Pandora Tomorrow
  • Surpreme Commander
  • S.W.A.T 2
  • S.W.A.T 3
  • S.W.A.T 4
  • TechSmith SnagIt
  • Texas Calculatem 4
  • The Battle for Middle-earth
  • The Orange Box
  • The Orange Box
  • TMPGEnc DVD Author
  • TuneUp 2007
  • TuneUp 2008
  • TuneUp 2009
  • The Sims 3
  • Mirrors Edge
  • FIFA 2009
  • Pro Evolution Soccer 2009
  • FIFA 2008
  • Nero 9
  • Orange Box

In this case, the registration information consists of the values of the parameters named:
  • Registration Code
  • User Name
  • Serial Key

The collected data is saved to the following file:

and sent to the malicious user's email address on the "" server. To determine the infected computer's IP address, the Trojan accesses the following service:

During its operations, the Trojan extracts from its body the following files:
%WorkDir%\System.Data.SQLite.DLL (886 272 bytes)
%Temp%\melt.tmp (6 bytes)

The file "System.Data.SQLite.DLL" is an ADO.NET provider assembly for working with SQLite. The following string is entered into the file "melt.tmp":

The Trojan modifies the file:

entering the following string into it:
##Do not touch this file, changing it will cause SERIOUS damage to your computer

Thereby, access to the listed resources is blocked.
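The analysis does not name the modified file, only the warning comment written into it and the fact that access to the listed resources is then blocked. The following Python script is an added example, not code from the original analysis or from any vendor tool: it assumes the modified file has the hosts-file layout (one address followed by one or more host names per line, `#` comments), looks for the quoted warning comment, and reports every non-default mapping, separating names sunkholed to a loopback or unspecified address from names redirected elsewhere. The sample file contents and the `.invalid` host names are constructed for the example.

```python
"""Detect the warning comment and blocking entries described in the analysis.

Added example, not part of the original analysis. It assumes the modified
file uses the hosts-file format (address, then host names, '#' comments).
Sample contents below are constructed; the host names are placeholders.
"""
import ipaddress

# The comment the Trojan writes, as quoted in the analysis (whitespace-normalised).
MARKER = ("##Do not touch this file, changing it will cause SERIOUS damage to "
          "your computer")

# Mappings a stock hosts file legitimately carries; anything else is reviewed.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def _is_sinkhole(ip):
    """True for addresses that make a name unreachable (loopback or 0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Return (marker_present, entries); entries is a list of (ip, hostname)."""
    marker_present = False
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Comment line: check for the Trojan's warning text.
            if " ".join(line.split()) == MARKER:
                marker_present = True
            continue
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address, skip
        for host in fields[1:]:
            entries.append((fields[0], host.lower()))
    return marker_present, entries


def assess_hosts(text):
    """Classify non-default mappings as blocked (sinkholed) or redirected."""
    marker_present, entries = parse_hosts(text)
    blocked, redirected = [], []
    for ip, host in entries:
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        (blocked if _is_sinkhole(ip) else redirected).append((ip, host))
    return {
        "tampered": marker_present or bool(blocked) or bool(redirected),
        "marker_present": marker_present,
        "blocked": blocked,
        "redirected": redirected,
    }


# Constructed sample: a stock header, the Trojan's comment, then blocking entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# (constructed sample for this example)
127.0.0.1       localhost
::1             localhost
##Do not touch this file, changing it will cause SERIOUS damage to your computer
127.0.0.1 updates.example-vendor.invalid
127.0.0.1 www.example-vendor.invalid downloads.example-vendor.invalid
0.0.0.0   activation.example-software.invalid
"""

# Constructed sample of an untouched file.
CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
"""

if __name__ == "__main__":
    report = assess_hosts(SAMPLE_HOSTS)
    print("marker present:", report["marker_present"])
    for ip, host in report["blocked"]:
        print(f"blocked    {host} -> {ip}")
    for ip, host in report["redirected"]:
        print(f"redirected {host} -> {ip}")
```

Restoring the file (step 6 of the removal instructions) means removing the marker comment and every mapping reported as blocked or redirected, leaving only the default entries.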

The file "server.exe", which is detected as Trojan.Win32.Llac.gfu, has the following payload:
  • Installation: Once launched, the Trojan creates a copy of its file in the Windows system directory with the name

    In order to ensure that it is launched automatically each time the system is restarted, the Trojan adds a link to its executable file in the system registry autorun key:
    "Policies" = "%System%\install\server.exe"
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "HKLM" = "%System%\install\server.exe"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] "Policies" = "%System%\install\server.exe"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "HKCU" = "%System%\install\server.exe"
    [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}] "StubPath" = "%System%\install\server.exe Restart"

  • Payload:

When any of the following conditions are fulfilled, the Trojan ceases running:

  1. Detection of the following libraries in its address space:

  2. Launching of the Trojan on a VMware virtual machine
  3. Presence of the process:

    thereby preventing the Trojan from running on an Oracle Corporation virtual machine
  4. If the username on the computer is:

  5. If the value of the system registry key parameter
    "ProductId" = 

    is one of the following:

    In addition, the Trojan employs various anti-debugging techniques.
During its execution, it creates unique identifiers with the names:

It creates a file in the current user's Windows temporary directory:
%Temp%\XX--XX--XX.txt (227 744 bytes)

This file contains a decrypted configuration file for the Trojan's operations, as well as an executable file, which is injected into the address space of the process:

The Trojan launches the process for the user's default browser. Information about the browser is obtained from the registry key:

Malicious code is also injected into the browser process.

A file is also injected into the address space of the following processes in order to restore the Trojan's malicious file and to execute commands received from the malicious user's server:


The malicious user can obtain the following information from the user's computer:

  • List of files on the user's computer;
  • List of open windows;
  • List of launched processes;
  • List of launched services;
  • Information about the equipment in the user's computer;
  • Information about the registry on the user's computer;
  • Information about installed programs;
  • List of open ports;
  • It has a function for browsing the user's desktop;
  • Web camera display;
  • Sound from the user's microphone;
  • Executing a keylogger function to obtain keys pressed on the keyboard and mouse;
  • Passwords saved in browsers.

In addition, it can send commands to execute the following actions:
  • Launch Socks Proxy and HTTP Proxy servers;
  • Open various pages in the user's browser;
  • Download various files to the user's computer and launch them for execution;
  • Obtain access to the command line;
  • Execute a search for files on the user's computer;
  • Obtain access to the clipboard;
  • Obtain access to chat during use of the application Windows Live Messenger;
  • Change the malicious user's server address;
  • Update settings;
  • Relaunch the malicious file;
  • Cease its own execution and delete its files.

This malicious file was created using the program "CyberGate RAT v1.04.8", which is a utility for remote administration. The developers' website:

Removal Instructions

If your computer does not have an antivirus and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the following processes:
    iexplore.exe (or the process for the browser used on the computer by default)

  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following files:

  4. Delete the following system registry key parameters:
    "Policies" = "%System%\install\server.exe"
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "HKLM" = "%System%\install\server.exe"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] "Policies" = "%System%\install\server.exe"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "HKCU" = "%System%\install\server.exe"
    [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}] "StubPath" = "%System%\install\server.exe Restart"

  5. Empty the Temporary Internet Files directory:
    %Temporary Internet Files%

  6. Restore the original content of the file:

  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
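The autorun entries listed under Installation above, and repeated in step 4 of the removal instructions, are the persistence indicators quickest to check on a suspect host. The following Python script is an added example, not code from the original analysis or from any vendor tool: it parses the text that `reg query <key> /s` prints and flags every value under the Run, Policies\Explorer\Run and Active Setup keys whose data points at the installer path from the analysis. The `reg query` output it parses is constructed for the example; the expansion of %System% to C:\Windows\system32 and the column layout of `reg query` output (name, type and data separated by runs of spaces) are assumptions.

```python
"""Flag the autorun entries described in this analysis in `reg query` output.

Added example, not part of the original analysis or of any vendor tool.
Assumptions: `reg query <key> /s` prints each key path on its own line with
indented `name    REG_TYPE    data` lines beneath it, and %System% expands
to C:\\Windows\\system32. The sample output below is constructed.
"""
import re

# Keys named in the analysis (Run, Policies\Explorer\Run, Active Setup).
AUTORUN_KEY_MARKERS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\policies\explorer\run",
    r"\microsoft\active setup\installed components",
)

# The installer path from the analysis: unexpanded, and with the assumed expansion.
SUSPICIOUS_DATA = (
    re.compile(r"%system%\\install\\server\.exe", re.I),
    re.compile(r"\\system32\\install\\server\.exe", re.I),
)

# Value names the analysis lists; reported as a secondary signal only.
KNOWN_VALUE_NAMES = {"hklm", "hkcu", "policies", "stubpath"}

# One indented value line: name, REG_ type, optional data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)(?:\s{2,}(.*))?$")


def parse_reg_query(text):
    """Yield (key, name, type, data) tuples from `reg query` text output."""
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()            # an unindented line is a key path
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3) or ""


def find_autorun_indicators(text):
    """Return autorun values whose data points at the installer path."""
    hits = []
    for key, name, vtype, data in parse_reg_query(text):
        if not any(marker in key.lower() for marker in AUTORUN_KEY_MARKERS):
            continue                      # not one of the autorun keys
        if any(p.search(data) for p in SUSPICIOUS_DATA):
            hits.append({
                "key": key, "name": name, "type": vtype, "data": data,
                "name_listed_in_analysis": name.lower() in KNOWN_VALUE_NAMES,
            })
    return hits


# Constructed `reg query` output: two benign entries plus the four from the analysis.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    HKLM    REG_SZ    C:\Windows\system32\install\server.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    HKCU    REG_SZ    C:\Windows\system32\install\server.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Policies    REG_SZ    C:\Windows\system32\install\server.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}
    StubPath    REG_SZ    C:\Windows\system32\install\server.exe Restart
"""

if __name__ == "__main__":
    for h in find_autorun_indicators(SAMPLE_REG_QUERY_OUTPUT):
        print(f"{h['key']}\n    {h['name']} ({h['type']}) = {h['data']}")
```

Matching on the data rather than on the value names is deliberate: the names "HKLM", "HKCU" and "Policies" are easy to change between builds, while the copy in %System%\install\server.exe is what every listed entry has to point at for the Trojan to restart.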