Sample details: f8ace76c19bddd2283bb046b40d7c7e3

Hashes
MD5: f8ace76c19bddd2283bb046b40d7c7e3
SHA1: f0f89c3897f7b7f06281c29684ac1cbca59a8258
SHA256: 27751171c6e8a7f2dd95e28e2517e650cdeafcaa8d496565826e77f874f61d71
SSDEEP: 768:TkbrBkX2gL27gtq6VRq3/xL/TYVP7fKlq9edXBWEm:Sa7iMtq73/R/kN7fKK2xBm
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/Antivirus | YRP/Misc_Suspicious_Strings | YRP/screenshot | YRP/win_registry | YRP/win_files_operation |
Parent Files
07461f2dc74c80e6345684fdebb4f135
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
GetModuleHandleA
lstrcatA
lstrcpyA
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
lstrlenA
GlobalDeleteAtom
GlobalAddAtomA
SizeofResource
LockResource
LoadResource
FindResourceA
lstrcmpA
GetModuleFileNameA
LoadLibraryA
FreeLibrary
ExpandEnvironmentStringsA
lstrcmpiA
GetEnvironmentVariableA
GetTempPathA
CloseHandle
WaitForSingleObject
CreateProcessA
OpenProcess
GetCurrentProcessId
CreateFileA
CopyFileA
GetTempFileNameA
RemoveDirectoryA
DeleteFileA
FindClose
FindNextFileA
FindFirstFileA
CreateDirectoryA
MultiByteToWideChar
GetFileAttributesA
GetCurrentDirectoryA
KERNEL32.dll
DestroyWindow
SendMessageA
CreateDialogParamA
FreeDDElParam
UnpackDDElParam
PostMessageA
DialogBoxParamA
LoadBitmapA
GetSysColor
EndDialog
MessageBeep
SetWindowLongA
SetFocus
SetWindowTextA
EnableWindow
SetDlgItemTextA
ReleaseDC
GetClientRect
GetDlgItem
SetWindowPos
CallWindowProcA
GetWindowLongA
UpdateWindow
LoadImageA
GetDlgItemTextA
SendDlgItemMessageA
InvalidateRect
HideCaret
WaitForInputIdle
ShowWindow
RegisterClassA
LoadIconA
GetClassInfoA
UnregisterClassA
InvertRect
DrawFocusRect
FillRect
MessageBoxA
wsprintfA
USER32.dll
CreateSolidBrush
DeleteObject
GetTextExtentPoint32A
SetBkColor
SetTextColor
DeleteDC
SelectObject
CreateCompatibleDC
CreateFontIndirectA
BitBlt
TextOutA
GDI32.dll
GetOpenFileNameA
comdlg32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegSetValueExA
RegCreateKeyExA
RegEnumKeyExA
RegEnumValueA
RegDeleteValueA
RegDeleteKeyA
ADVAPI32.dll
ShellExecuteA
ShellExecuteExA
SHELL32.dll
CoInitialize
CoCreateInstance
ole32.dll
??3@YAXPAX@Z
strstr
??2@YAPAXI@Z
_splitpath
_makepath
strncmp
MSVCRT.dll
__dllonexit
_onexit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetStartupInfoA
_strnicmp
Application
mailto
ScripTrap
Software\KeirNet
Filter
\Shell\Open\
command
ddeexec
Uninstall
Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\
Options
Uninstall 
RICHED32
Disabled
Enabled
Locate anti-virus application
exe files (*.exe)
All files (*.*)
MS Sans Serif
#32770
UninstallString
DisplayName
%s has been successfully uninstalled
%s "%s" %s %d
The shortcut folder for %s was not found at the original installation location.
However, the following shortcut folder of the same name was found:
Do you want to remove the shortcuts from this folder?
Are you sure you want to uninstall %s?
The folder that %s was installed in is now empty.
Do you want to remove it?
Programs
Start Menu
{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fprq2 Arial;}{\f1\fswiss\fprq2\fcharset0 Arial;}{\f2\fnil\fcharset2 Symbol;}}{\colortbl ;\red255\green0\blue0;\red128\green0\blue0;\red0\green0\blue0;\red0\green0\blue128;\red128\green128\blue128;}\viewkind4\uc1\pard\li40\ri40\qc\cf1\b\f0\fs44 ScripTrap\par \cf2\fs29 Script File Trapper\par \pard\li40\ri40\cf3\b0\fs22 \par \cf4\fs23 Scripts are small programs that are written in a variety of simple computer languages. They can perform useful functions but they can also be used for less useful and sometimes damaging purposes, the prime examples being computer viruses and trojan-horse programs.\par \par The worst thing about many types of scripts is that they can operate without warning as a legitimate part or extension of another program. Most damaging of all are email attachments that contain scripts. If you open them in an email program that allows scripting they may execute before you even realize what you have done.\par \par \i ScripTrap\i0  traps scripts when they attempt to run on your computer and provides the option of blocking them or letting them continue to run. \f1 You can also check the intercepted script with your anti-virus program before you decide to run it or not. \f0 This provides you with a chance of catching possibly malicious code before it causes damage. \i ScripTrap\i0  is particularly useful for trapping scripts that arrive in email attachments.\par \par As always, having a good anti-virus program installed on your computer is highly recommended. Even if you do not have one installed there are several free anti-virus applications that can run from over the Web. 
Try \lnkd http://www.antivirus.com/pc-cillin/\lnkd0 .\par \par \pard\li40\ri40\qc\cf5\fs29 _______________________\par \pard\li40\ri40\cf4\fs23 \par \par This is the list of file types that \i ScripTrap\i0  intercepts:\par \cf3 \par \pard\li325\ri40\cf2 .DOC\tab\tab Microsoft Word\f1\fs17\'a9\f0\fs23  Document\par .HTA\tab\tab HTML Applications\par .INS\tab\tab Internet Communication Settings\par .ISP\tab\tab Internet Communication Settings\par .JS\tab\tab\tab Script\f1\fs17\'ae\f0\fs23  File\par .JSE\tab\tab JScript Encoded Script File\par .REG\tab\tab Registration Entries\par .SHS\tab\tab Shell Scrap Object\par .VB\tab\tab\tab VBScript File\par .VBE\tab\tab VBScript Encoded Script File\par .VBS\tab\tab VBScript Script File\par .WSF\tab\tab Windows Script File\par .WSH\tab\tab Windows Scripting Host Settings File\par .XLS\tab\tab Microsoft Excel\f1\fs17\'a9\f0\fs23  document\par \pard\li40\ri40\cf5\fs29 \par \cf4\fs23 Although \i Microsoft Word \i0 and \i Microsoft Excel\i0  documents are not scripts as such, they can contain macros, short script-like programs that are potentially just as dangerous as standalone scripts and so I chose to include \b\i .doc \b0\i0 and \b\i .xls \b0\i0 files in the list.\par \par I have intentionally \ul not\ulnone  included the ability to add extra file types. Programs can execute using many different techniques and intercepting the execution of certain poorly chosen file types can cause unexpected behavior and problems with the normal operation of the computer. The list above should suffice for practically all of your needs and covers most if not all of the malicious script types encountered.\par \par \par \cf2\b Starting ScripTrap\cf4\b0 \par \par This is simple. 
Just run the program!\par \par When run for the first time, \i ScripTrap\i0  will place a convenient shortcut in your \b Start menu > Programs\b0  section under the heading \b ScripTrap\b0 .\par \par All \i ScripTrap\i0  operations are contained in the one executable file, \i ScripTrap.exe\i0 . This single file takes care of the installation, interception of scripts, configuration options and uninstalling. There are no extra files involved to clutter up your disk and the program will add and remove \ul all\ulnone  registry entries as needed. You may safely place \i ScripTrap\i0  anywhere you like on your hard drive; it will run from any location.\par \par You can access this help information from within \i ScripTrap\i0  by clicking the \b Help\b0  button.\par \cf1\b \par \cf2 How to use ScripTrap\par \cf4\b0 \par The first time you run the program you will see a window with a message on a red background telling you that \i ScripTrap\i0  is currently disabled. When the program is in this state no scripts will be intercepted and your system will operate as if \i ScripTrap\i0  were not there at all.\par \par \b Before you enable \i ScripTrap\i0  for the first time you should disable or uninstall any similar products (I do \ul not\ulnone  mean virus scanners). Failure to do this may result in incorrect operation of the program!\par \b0 \par To enable \i ScripTrap\i0 , click the \b Enable\b0  button. The display will change to show \b Enabled\b0  on a green background. \i ScripTrap\i0  is now ready to intercept the running of script files. Click \b OK\b0  to close the window.\par \b \par \b0 Note that \i ScripTrap\i0  does \ul not\ulnone  need to be running to intercept scripts. Once you have clicked the \b Enable\b0  button and closed the window by clicking \b OK\b0  you are ready to continue using your computer as normal. 
You only need run \i ScripTrap\i0  again if you want to change the program options that are detailed later on in this document.\par \par \cf2\b When ScripTrap intercepts a script\par \cf4\b0 \par \i ScripTrap\i0  will bring up a warning window whenever it intercepts a script. The warning window will show the full path name of the script that is attempting to run and ask you if you want to allow it to execute.\par \par You now have \f1 three\f0  options:\par \par \pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent173{\pntxtb\'B7}}\fi-173\li213\ri40 You can click \b Yes\b0  and the script will execute as normal\par {\pntext\f2\'B7\tab}You can choose \b No\b0  and the script will be blocked. It will not run.\par {\pntext\f2\'B7\tab}\f1 You can click \b Scan first\b0  to have your anti-virus program scan the script and then decide to click \b Yes \b0 or \b No\b0 .\f0 \par {\pntext\f2\'B7\tab}\pard\li40\ri40\'b7\tab \par \i\f1 (This last option will only be available if you have configured an anti-virus program. See Configuring ScripTrap below).\f0 \par \i0\f1\'b7\tab\'b7\tab\'b7\f0\tab\f1\'b7\f0\tab\f1\'b7\f0\tab\f1\'b7\f0\tab\f1\'b7\f0\tab \par Obviously, if you choose \b Yes\b0  to let the script run you should be absolutely certain that it is safe.\f1  You should configure an anti-virus program and scan the file first if you have any doubts.\f0  You should never run a script (or any program) that came from an uncertain origin and even then it is wise to run a virus check on the file before you let it go about its business.\par \par You may find yourself wanting to always allow a particular script to run or perhaps always prevent one from running. If this is the case you should click in the checkbox where it says \b\i Add this file name to my list and don't ask me about it again\b0\i0  so that the checkmark is visible. Then, after you choose \b Yes\b0  or \b No\b0  you will never again be prompted when that particular script file is run. 
\i ScripTrap\i0  adds the script file name to its internal list together with your choice of whether you are allowing it to run or blocking it. To change items in this list you should choose the \b More...\b0  button on the warning window or select the \b Program options...\b0  button from the main window.\par \par There is an exception to the rule of when you can add items to your auto accept/reject list. If the script file that has been intercepted is located in a \i temporary\i0  directory (usually your \i Windows\\Temp\b  \b0\i0 directory) you will \ul not\ulnone  be given the chance to add it to your list. This is because scripts in your temporary directory are most likely to have been placed there after having been opened directly from an email attachment. By their nature these script files are likely to be named in some unique obscure manner typical of temporary files but more importantly these scripts opened from email attachments are the most likely files to contain viruses and so you wouldn't want to always accept these files.\par \par \cf2\b Configuring ScripTrap\par \cf4\b0 \par From the \i ScripTrap\i0  main window select the \b Program options...\b0  button. You will be presented with the program options window.\par \par The first option you will see is a checkbox asking if you only want to intercept \i temporary\i0  scripts. As mentioned above, \i temporary\i0  scripts are saved in to a temporary folder on your hard drive (usually \i Windows\\Temp\i0 ) and are most likely to have been placed there after having been opened from an email attachment. For this reason they are obviously more likely to contain viruses. 
If your primary concern is to trap scripts that you inadvertently run from email attachments this is a good option to activate.\par \pard\li40\ri40\qc\f1 ________________\par \pard\li40\ri40\f0 \par \f1 In the middle of \f0 the options window it shows the contents of \i ScripTrap's\i0  auto accept/reject list, the list of scripts that you have chosen to allow to run or block without prompting. If there are any items in this list, script files that you chose to allow to run will have a green check mark next to them and scripts you chose to always block will have a red cross next to them. Note that if you have chosen to only intercept \i temporary\i0  scripts you cannot change this list.\par \par You can change whether a script runs or is blocked by double-clicking the item in the list.\par \par If you want to remove a script from the list, select it so that it is highlighted then click the \b Remove selected item\b0  button.\par \pard\li40\ri40\qc\f1 ________________\par \pard\li40\ri40\f0 \par \f1 At the bottom of the options window is where you can specify the location of your anti-virus program, if you have one. If you don't you can leave these entries blank.\par \par In the \b Anti-virus program\b0  box enter the full path name to your anti-virus program. You can click the \b ...\b0  button to browse for the file or simply type the name into the box. Here are the default locations for two of the most common anti-virus applications:\par \f0 \par \i\f1 McAfee Virus Scan:\par \cf2\i0 C:\\Program Files\\Network Associates\\McAfee VirusScan\\scan.exe\par \par \cf4\i Norton Anti-virus:\par \cf2\i0 C:\\Program Files\\Norton AntiVirus\\navw32.exe\par \cf4\f0 \par \f1 The \b Options\b0  box next to the anti-virus location box is where you can enter any additional options for your anti-virus application. Most of the time this can be left blank. 
Consult the documentation for your anti-virus program if you require further information.\par \f0 \par Permanent changes \f1 to the configuration of \i ScripTrap \i0\f0 won't be made until you click the \b OK\b0  button to confirm them or click \b Cancel\b0  to abandon your changes.\par \par \cf2\b Uninstalling\cf4 \par \b0 \par To uninstall \i ScripTrap\i0  you should either use the uninstall shortcut placed in your \b Start menu > Programs\b0  section under \b ScripTrap\b0 , or use the \b Add/Remove Programs\b0  option in the \b Control Panel\b0 . This can be reached by clicking the \b Start\b0  button, selecting \b Settings\b0  then \b Control Panel\b0 . Select \b Add/Remove Programs\b0 , find \i ScripTrap\i0  in the list then click on \b Add/Remove\b0 .\par \par \i ScripTrap\i0  leaves no trace of itself in the registry after uninstalling and there are no other files it uses other than the main executable file \i ScripTrap.exe\i0  that will be removed automatically.\par \cf5\fs29 \par \cf1\b\fs23 Attempting to uninstall ScripTrap by using a method other than those just described will result in your script files being unable to run. You must uninstall ScripTrap this way to ensure all script file interceptions are removed.\par \cf5\b0\fs29 _______________________________________\par \fs17 \par \pard\li80\ri40\cf4\fs20 Written by Robin Keir, June 2000\par \lnkd http://keir.net/\lnkd0 \par \lnkd mailto:robin@keir.net\lnkd0 \par }