Gen.Variant.Zusy.Elzob.22474_fbace3e2dc

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 22836 bytes in size. The following strings are added to the hosts file listed below:

208.109.220.95	viabcp.com
208.109.220.95	www.viabcp.com
208.109.220.95	bcpzonasegura.viabcp.com
17.30.245.112	iniciorapido.info
187.151.72.239	www.iniciorapido.info
251.96.237.3	buscalo.in
71.122.226.36	www.buscalo.in
229.162.40.150	buscafacil.com
144.26.191.21	www.buscafacil.com
207.227.99.228	emsisoft.com
28.254.88.73	ahnlab.com
185.37.158.119	antivir.es
100.157.241.58	antiy.net
163.103.149.10	authentium.com
240.129.138.42	avast.com
141.168.208.156	avg.com
56.100.103.95	bitdefender.com
120.234.11.47	quickheal.com
196.4.0.80	clamav.net
98.111.70.193	comodo.com
12.232.153.64	drweb.com
76.177.62.84	aladdin.com
152.135.51.117	ca.com
242.243.121.163	f-prot.com
225.107.204.102	f-secure.com
220.52.180.53	fortinet.com
109.79.169.86	gdata.es
198.118.171.200	ikarus.at
181.238.66.139	jiangmin.com
176.184.230.91	kaspersky.com
65.210.219.123	mcafee.com
155.249.33.237	microsoft.com
137.113.116.108	eset.es
133.59.92.128	norman.com
209.85.81.161	nprotect.com
111.124.83.206	pandasecurity.com
93.245.234.145	pctools.com
89.190.143.97	prevx.com
165.216.132.130	rising-global.com
67.68.202.244	sophos.com
50.188.29.183	sunbeltsoftware.com
45.133.193.134	symantec.com
122.92.182.167	hacksoft.com.pe
23.199.252.25	trendmicro.com
6.63.147.152	anti-virus.by
1.9.55.172	hauri.net
78.223.44.204	virusbuster.hu
236.74.114.62	www.emsisoft.com
218.194.197.189	www.ahnlab.com
214.140.105.141	www.antivir.es
34.166.94.174	www.antiy.net
192.205.164.31	www.authentium.com
174.70.247.226	www.avast.com
170.15.224.178	www.avg.com
246.41.213.211	www.bitdefender.com
148.81.215.69	www.quickheal.com
131.201.110.196	www.clamav.net
126.146.18.215	www.comodo.com
203.173.7.248	www.drweb.com
104.212.77.106	www.aladdin.com
87.144.160.233	www.ca.com
82.90.136.185	www.f-prot.com
159.48.125.217	www.f-secure.com
60.155.127.75	www.fortinet.com
231.19.22.14	www.gdata.es
39.221.186.222	www.ikarus.at
115.179.175.255	www.jiangmin.com
17.30.245.112	www.kaspersky.com
187.151.72.239	www.mcafee.com
251.96.237.3	www.microsoft.com
71.122.226.36	www.eset.es
229.162.40.150	www.norman.com
144.26.191.21	www.nprotect.com
207.227.99.228	www.pandasecurity.com
28.254.88.73	www.pctools.com
185.37.158.119	www.prevx.com
100.157.241.58	www.rising-global.com
163.103.149.10	www.sophos.com
240.129.138.42	www.sunbeltsoftware.com
141.168.208.156	www.symantec.com
56.100.103.95	www.hacksoft.com.pe
120.234.11.47	www.trendmicro.com
196.4.0.80	www.anti-virus.by
98.111.70.193	www.hauri.net
12.232.153.64	www.virusbuster.hu
76.177.62.84	www.emsisoft.com
152.135.51.117	www.anti-trojan.net
242.243.121.163	malwarescan.emsisoft.com
225.107.204.102	forum.emsisoft.com
220.52.180.53	www.emsisoft.net
109.79.169.86	www.emsisoft.it
198.118.171.200	www.emsisoft.de
181.238.66.139	www.anti-trojan-software.net
176.184.230.91	mamutu.com
65.210.219.123	www.emsisoft.es
155.249.33.237	malwarescan.emsisoft.de
137.113.116.108	ww.emsisoft.com
133.59.92.128	www.emsisoft.fr
209.85.81.161	www.emsisoft.nl
111.124.83.206	onlinecheck.emsisoft.com
93.245.234.145	onlinecheck.emsisoft.de
89.190.143.97	www.emsisoft.org
165.216.132.130	scan.anti-trojan.net
67.68.202.244	www.trojaner.info
50.188.29.183	onlinecheck.emsisoft.org
45.133.193.134	onlinecheck.emsisoft.net
122.92.182.167	blitzblank.com
23.199.252.25	www.emsisoft.at
6.63.147.152	www.emsisoft.jp
1.9.55.172	www.mamutu.com
78.223.44.204	malwarescan.emsisoft.es
236.74.114.62	www.mamutu.de
218.194.197.189	download5.emsisoft.com
214.140.105.141	download1.emsisoft.com
34.166.94.174	download4.emsisoft.com
192.205.164.31	global.ahnlab.com
174.70.247.226	www.hackshields.com
170.15.224.178	www.internationalservicecheck.com
246.41.213.211	www.irangoals.com
148.81.215.69	ixomodels.com
131.201.110.196	www.indielisboa.com
126.146.18.215	www.latin-mass-society.org
203.173.7.248	www.arpia.be
104.212.77.106	www.owen.org
87.144.160.233	www.prdouglas.co.uk
82.90.136.185	www.zarya.info
159.48.125.217	www.willsee.com
60.155.127.75	halmapr.com
231.19.22.14	karuna-shechen.org
39.221.186.222	www.barder.com
115.179.175.255	www.antivir.es
17.30.245.112	www.buraka.tv
187.151.72.239	www.dr-bull.com
251.96.237.3	www.manchester-offices.co.uk
71.122.226.36	saverssite.com
229.162.40.150	canada.karuna-shechen.org
144.26.191.21	developmentdrums.org
207.227.99.228	www.imddomains.co.uk
28.254.88.73	cutlines.org
185.37.158.119	elblogdemanu.com
100.157.241.58	ruben.bzin.net
163.103.149.10	welkam.co.jp
240.129.138.42	www.cambridge-steiner-school.co.uk
141.168.208.156	naturesimages.net
56.100.103.95	www.1stavenuelimousines.co.uk
120.234.11.47	www.mtr-design.com
196.4.0.80	dev.depeuter.org
98.111.70.193	www.emeraldclassic.co.uk
12.232.153.64	www.peterhearnwaste.co.uk
76.177.62.84	etrr.co.uk
152.135.51.117	www.avoncourt.com
242.243.121.163	sarahmcconnellphotography.net
225.107.204.102	www.ixomodels.com
220.52.180.53	natsko.com
109.79.169.86	www.nottinghampoetryseries.com
198.118.171.200	www.sheffieldmind.co.uk
181.238.66.139	ixostore.ixomodels.com
176.184.230.91	www.flairweddings.co.uk
65.210.219.123	www.fimasys.com
155.249.33.237	cohartuk.com
137.113.116.108	qqjkw.net
133.59.92.128	vivo-austin.com
209.85.81.161	www.freeality.com
111.124.83.206	bestofewan.com
93.245.234.145	www.handwritingforkids.com
89.190.143.97	cowsmo.com
165.216.132.130	www.2xlgames.com
67.68.202.244	kimzimmer.net
50.188.29.183	basetendencies.com
45.133.193.134	trackingtheworld.com
122.92.182.167	www.reviewsofbooks.com
23.199.252.25	www.collectedcurios.com
6.63.147.152	www.renningers.com
1.9.55.172	ccslaughterspdx.com
78.223.44.204	www.briarhurst.com
236.74.114.62	www.smf.org
218.194.197.189	ribbonwarehouse.com
214.140.105.141	www.garryowen.com
34.166.94.174	45pounds.com
192.205.164.31	isotopecomics.com
174.70.247.226	roysephotos.com
170.15.224.178	www.stadiumpage.com
246.41.213.211	www.elvis-express.com
148.81.215.69	www.tomorrowsedge.net
131.201.110.196	www.beautybar.com
126.146.18.215	pineleafboys.com
203.173.7.248	www.mountainlakeslodge.com
104.212.77.106	pvtc.org
87.144.160.233	bhsbees.com
82.90.136.185	baristamagazine.com
159.48.125.217	www.gokidding.com
60.155.127.75	defalcos.com
231.19.22.14	www.celticmerchant.com
39.221.186.222	www.hxproduction.com
115.179.175.255	www.wellgousa.com
17.30.245.112	blog.titanium-jewelry.com
187.151.72.239	www.brightoctober.com
251.96.237.3	hishomeforchildren.com
71.122.226.36	www.phoenixtrikeworks.com
229.162.40.150	www.professorbeyer.com
144.26.191.21	www.secondchanceboxer.com
207.227.99.228	www.residentphotography.com
28.254.88.73	woottonfootball.com
185.37.158.119	www.deborahshelton.net
100.157.241.58	bobbondart.com
163.103.149.10	www.authentium.com
240.129.138.42	asap.authentium.com
141.168.208.156	www.authentium.com.au
56.100.103.95	avast.com
120.234.11.47	www.avast.com
196.4.0.80	files.avast.com
98.111.70.193	download535.avast.com
12.232.153.64	avg.com
76.177.62.84	www.avg.com
152.135.51.117	grisoft.com
242.243.121.163	www.grisoft.com
225.107.204.102	antivirus-tools.com
220.52.180.53	archive.bitdefender.com
109.79.169.86	avx.rob-have.net
198.118.171.200	b-have.orgbitdefender-ar.com
181.238.66.139	bitdefender.com
176.184.230.91	bitdefender.org
65.210.219.123	bitdefenderchina.com
155.249.33.237	bitdefenderguatemala.com
137.113.116.108	bitdefendermalaysia.com
133.59.92.128	bitdefendertaiwan.com
209.85.81.161	bitdefenderuruguay.com
111.124.83.206	bitdefenderusa.com
93.245.234.145	buy.bitdefender-es.com
89.190.143.97	buy.bitdefender.com
165.216.132.130	buy.bitdefender.de
67.68.202.244	de.bitdefender.com
50.188.29.183	fr.bitdefender.com
45.133.193.134	futurenow.bitdefender.com
122.92.182.167	it.bitdefender.com
23.199.252.25	jobs.bitdefender.com
6.63.147.152	kb.bitdefender.com
1.9.55.172	kb.bitdefender.de
78.223.44.204	kb.bitdefender.us
236.74.114.62	latin.bitdefender.com
218.194.197.189	linux.bitdefender.com
214.140.105.141	malwarecity.com
34.166.94.174	malwarecity.netmalwarecity.org
192.205.164.31	malwarepedia.com
174.70.247.226	neunet.orgnews.bitdefender.com
170.15.224.178	nl.bitdefender.com
246.41.213.211	renewals.bitdefender.com
148.81.215.69	sales.bitdefender.com
131.201.110.196	square.bitdefender.com
126.146.18.215	store.bitdefender.com
203.173.7.248	store.de.bitdefender.com
104.212.77.106	us.bitdefender.com
87.144.160.233	virusscanonline.net
82.90.136.185	wedoantivirus.com
159.48.125.217	www.antivirus-tools.com
60.155.127.75	www.avx.ro
231.19.22.14	www.bit-defender.de
39.221.186.222	www.bitdefende.de
115.179.175.255	www.bitdefender-es.com
17.30.245.112	www.bitdefender.be
187.151.72.239	www.bitdefender.cl
251.96.237.3	www.bitdefender.co.uk
71.122.226.36	www.bitdefender.com
229.162.40.150	www.bitdefender.com.au
144.26.191.21	www.bitdefender.com.sg
207.227.99.228	www.bitdefender.com.tw
216.186.20.5	www.bitdefender.com.vn
117.225.90.51	www.bitdefender.de
32.89.173.246	www.bitdefender.es
95.35.81.198	www.bitdefender.fr
172.61.70.230	www.bitdefender.hk
74.100.140.88	www.bitdefender.us
244.32.35.27	www.bitdefenderme.com
52.166.199.235	www.malwarecity.com
128.192.188.12	www.malwarecity.fr
30.43.2.125	quickheal.com
200.164.85.252	www.quickheal.com
8.109.250.16	www.clamav.net
84.67.239.49	cgi.clamav.net
174.175.53.95	lurker.clamav.net
157.39.136.34	wwws.clamav.net
152.240.112.241	lists.clamav.net
41.11.101.18	bugs.clamav.net
130.50.103.132	system-cleaner.comodo.com
113.170.254.71	backup.comodo.com
108.116.162.23	www.comodoantispam.com
253.142.151.55	easy-vpn.comodo.com
87.181.221.169	www.trustlogo.com
69.46.48.40	ztl.comodo.com
65.247.24.60	www.livepcsupport.com
141.17.13.93	www.whichssl.com
43.56.15.138	www.trustix.com
25.177.166.77	disk-encryption.comodo.com
21.122.75.29	speedtest.comodo.com
97.148.64.62	www.contentverification.com
255.0.134.176	idauthority.com
238.120.217.115	www.comodo.tv
233.65.125.66	online-backup.comodo.com
54.24.114.99	www.testmypcsecurity.com
211.131.184.213	www.ccssforum.org
194.251.79.84	i-vault.comodo.com
189.197.243.104	internetsecurity.comodo.com
10.155.232.136	www.comodopartners.com
168.6.46.250	timestamp.comodoca.com
150.126.129.121	secure-email.comodo.com
146.72.37.73	timestamp.wosign.com
222.98.26.106	rover800.gaima.co.uk
124.137.96.219	www.nsclean.com
106.2.179.158	www.contentverification.com
102.203.156.110	new-estore.drweb.com
178.229.145.143	support.drweb.com
80.13.147.1	pda.drweb.com
63.133.42.128	updates.drweb.com
58.78.206.147	drweb.com
135.105.195.180	vms.drweb.com
36.144.9.38	solutions.drweb.com
19.76.92.165	news.drweb.com
14.22.68.117	my.drweb.com
91.236.57.149	buy.drweb.com
249.87.59.7	products.drweb.com
163.207.210.202	new-support.drweb.com
227.153.118.154	promotions.drweb.com
47.111.107.187	network.drweb.com
205.218.177.44	customers.drweb.com
119.83.4.171	store.drweb.com
183.28.169.191	company.drweb.com
3.54.158.224	training.drweb.com
161.94.228.82	license.drweb.com
76.214.123.209	cureit.ru
139.159.31.160	free.drweb.com
216.186.20.5	info.drweb.com
117.225.90.51	new-partners.drweb.com
32.89.173.246	drweb.net
95.35.81.198	new-company.drweb.com
172.61.70.230	new-beta.drweb.com
74.100.140.88	new-forum.drweb.com
244.32.35.27	secure.av-desk.com
52.166.199.235	www.av-desk.com
128.192.188.12	new-solutions.drweb.com
30.43.2.125	new-www.drweb.com
200.164.85.252	www.freedrweb.ru
8.109.250.16	daniloff.net
84.67.239.49	drweb-inside.com
174.175.53.95	drwebinside.com
157.39.136.34	aladdin.com
152.240.112.241	alladdin.ru
41.11.101.18	chickensroamfree.com
130.50.103.132	ealaddin.net
113.170.254.71	ealaddin.orgeshop.aladdin.com
108.116.162.23	secureme.com
253.142.151.55	www.aks.com
87.181.221.169	www.aladdin.com
69.46.48.40	www.ealaddin.com
65.247.24.60	www.ealaddin.com
141.17.13.93	auwww.ealaddin.nl
43.56.15.138	www.esafe.com
25.177.166.77	www.hasp.se
21.122.75.29	www.safenet-inc.com
97.148.64.62	www3.safenet-inc.com
255.0.134.176	www.ca.com
186.68.165.62	cacomvip.ca.com
181.13.73.14	www.netegrity.com
2.228.62.47	search.ca.com
159.79.132.161	cai.com
142.199.27.32	www.f-prot.com
137.145.191.52	frisk-software.com
214.103.180.84	www.frisk.is
115.210.250.198	www.frisk-software.com
98.74.77.69	f-secure.com
94.20.241.21	f-secure.frf-secure.hk
170.46.230.54	f-secure.nlfsecure.com
72.85.44.167	fsecure.nlwebyard.com
54.206.127.106	www.f-secure.com
50.151.104.58	www.fsecure.com
126.177.93.91	www.virus.fi
28.217.95.205	fortihero.com
11.81.246.75	fortilog.com
6.26.154.95	fortinet.co.at
83.53.143.128	fortinet.com
240.92.213.242	fortiprotect.com
223.24.40.113	fortiwifi.com
218.226.16.65	www.apsecure.com
39.184.5.97	www.fortifed.com
196.35.7.211	www.fortiid.com
111.155.158.150	www.fortimail.com
175.101.66.102	www.fortinet-apac.com
251.59.55.135	www.fortinet.ch
153.166.125.248	www.fortinet.co.il
67.31.208.119	www.fortinet.com
131.232.117.139	www.fortinet.com
207.2.106.172	arwww.fortinet.cz
109.42.176.30	www.fortinet.net
24.162.71.156	www.fortinet.nl
87.107.235.108	www.fortinet.sg
164.134.224.209	www.fortinetuk.com
65.173.38.255	www.secure-elements.com
236.37.121.194	gdata.es
43.239.29.146	www.gdata.es
120.9.18.178	ikarus.at
21.48.88.36	www.ikarus.at
192.236.239.231	global.jiangmin.com
0.114.147.183	jiangmin.com.cn
76.140.136.216	jiangmin.com
234.247.206.73	www.jiangmin.com.cn
148.112.33.200	www.kaspersky.com
212.57.198.220	forum.kaspersky.com
32.15.187.253	support.kaspersky.co
122.123.1.43	usa.kaspersky.com
105.243.84.237	brazil.kaspersky.com
100.188.60.189	latam.kaspersky.com
245.215.49.222	kaspersky.com
78.254.51.80	me.kaspersky.com
61.118.202.19	images.kaspersky.com
56.64.110.227	www.mcafee.com
201.90.99.3	support.mcafee.com
34.129.169.117	msr.mcafee.com
17.249.252.244	home.mcafee.com
13.195.228.8	networkassociates.com
89.221.217.41	us.mcafee.com
247.4.219.86	tr.mcafee.com
229.125.114.25	au.mcafee.com
225.70.23.233	mx.mcafee.com
45.96.12.198	networkassociates.nai.com
135.136.14.56	go.mcafee.com
118.0.97.251	fr.mcafee.com
113.201.5.202	uk.mcafee.com
190.160.250.235	de.mcafee.com
91.11.64.93	obscgi.mcafee.com
74.131.215.220	nai.com
69.77.123.240	www.entercept.com
146.35.112.16	jp.mcafee.com
47.142.182.130	mcafeeb2b.com
30.6.9.1	cn.mcafee.com
26.208.173.209	service.mcafee.com
102.234.162.242	br.mcafee.com
4.17.232.99	www.mcafee.at
242.138.59.38	mcafeeretail.com
238.83.36.246	it.mcafee.com
58.109.25.23	tw.mcafee.com
216.149.27.137	privacy.microsoft.com
199.13.178.8	tempuri.org
194.214.86.27	schemas.xmlsoap.org
15.241.75.60	www.microsoft.com
172.24.145.174	specs.xmlsoap.org
155.212.228.45	www.eugrantsadvisor.ie
150.158.204.253	schemas.microsoft.com
227.116.193.29	encarta.msn.com
128.223.195.143	www.sysinternals.com
43.87.90.82	grv.microsoft.com
107.33.254.34	www.xmlsoap.org
183.247.243.67	www.eugrantsadvisor.se
85.98.57.180	www.eugrantsadvisor.com
255.219.140.51	research.microsoft.com
63.164.49.71	www.engyro.com
139.190.38.104	www.exchangeyourcareer.com
41.230.108.218	www.eugrantsadvisor.de
212.94.3.89	exchangeyourcareer.net
19.39.167.40	eugrantsadvisor.de
96.66.156.141	eugrantsadvisor.cz
253.105.226.187	www.eset.es
168.225.53.126	demos.eset.es
231.171.217.78	descargas.eset.es
52.197.206.110	blogs.protegerse.com
209.236.20.224	eos.eset.es
124.168.171.163	pedidos.protegerse.com
188.46.79.115	reg-int.nod32-es.com
8.72.68.148	reg.eset.es
166.179.138.5	vicentevirtual.com
80.44.221.132	cou85.com
144.245.130.152	www.norman.com
220.203.119.185	fsc.norman.com
54.55.189.231	nprobeta.norman.com
37.175.16.170	register.norman.com
32.120.248.121	webadmin.norman.no
177.147.237.154	sandbox.norman.com
10.186.239.12	www.nprotect.com
249.50.134.207	global.nprotect.com
244.252.42.159	www.nprotect.co.kr
133.22.31.191	www.npin.co.kr
222.61.101.49	siren24.nprotect.com
205.181.184.176	15660808.co.kr
201.127.160.196	biz.nprotect.com
21.153.149.229	nprotect.net
179.192.151.18	www.nprotect.com.br
161.57.46.213	liveprotect.net
105.206.158.113	nprotect.seoul.go.kr
181.232.148.146	chollian.nprotect.co.kr
83.84.218.4	www.pandasecurity.com
66.204.45.198	research.pandasecurity.com
61.149.209.150	support.pandasecurity.com
138.108.198.183	pandalabs.pandasecurity.com
39.215.12.41	pandasecurity.com
22.79.163.168	mop.pandasecurity.com
17.24.71.188	timeforyourbusi.pandasecurity.com
94.239.60.220	cybercrime.pandasecurity.com
251.90.130.78	free.pandasecurity.com
234.210.213.205	cloudprotection.pandasecurity.com
230.156.121.157	shop.pandasecurity.com
50.182.110.190	soporte.pandasecurity.com
208.221.180.47	together.pctools.com
190.86.7.242	www.prevx.com
186.31.239.194	info.prevx.com
6.57.229.227	free.prevx.com
164.97.231.85	spywarefiles.prevx.com
147.217.126.211	spywaredlls.prevx.com
142.162.34.231	shield.prevx.com
219.189.23.8	www.prevx1.com
120.228.93.122	howsafeismypc.com
103.160.176.249	www.retento.com
98.105.152.201	www.freerav.com
175.64.141.233	www.rising-global.com
76.171.143.91	www.risingav.com.au
247.35.38.30	support.rising-global.com
55.237.202.238	superboy2010.com.au
131.195.191.15	www.sophos.com
33.46.5.128	feeds.sophos.com
203.167.88.255	esp.sophos.com
11.112.252.19	cn.sophos.com
87.138.242.52	tw.sophos.com
245.178.56.166	kr.sophos.com
160.42.207.36	sophos.com
223.243.115.244	podcasts.sophos.com
44.14.104.89	www.sunbeltsoftware.com
201.53.174.135	go.sunbeltsoftware.com
116.173.1.74	oem.sunbeltsoftware.com
179.119.165.26	antispam.sunbeltsoftware.com
0.145.154.58	antispyware.sunbeltsoftware.com
157.184.224.172	antivirus.sunbeltsoftware.com
72.116.119.111	sunbeltsoftware.com
136.250.27.63	shop.sunbeltsoftware.com
212.20.16.96	live.sunbeltsoftware.com
114.127.86.209	firewall.sunbeltsoftware.com
28.248.169.80	www.symantec.com
92.193.77.100	security.symantec.com
168.151.67.133	securityrespons.symantec.com
2.3.137.179	service1.symantec.com
241.123.220.117	enterprisesecur.symantec.com
236.68.196.69	eval.symantec.com
125.95.185.102	symantec.com
214.134.187.216	definitions.symantec.com
129.186.14.87	investor.symantec.com
124.132.178.39	et.symantec.com
13.158.167.71	sfdoccentral.symantec.com
102.197.237.185	servicenews.symantec.com
85.61.64.56	securityrespons.symantec.com
81.7.40.76	sea.symantec.com
157.33.29.109	go.symantec.com
59.72.31.154	dell.symantec.com
41.193.182.93	sun.symantec.com
37.138.90.45	marian.symantec.com
113.164.80.78	tms.symantec.com
15.16.150.192	securitycheck.symantec.com
254.136.233.130	smallbiz.symantec.com
249.81.141.82	www.symantec.com
70.40.130.115	visualtracking.symantec.com
227.147.200.229	search.symantec.com
210.11.95.100	liveupdate.symantec.com
205.213.3.120	sitedirector.symantec.com
26.171.248.152	edm.symantec.com
183.22.62.10	hostedmailsecur.symantec.com
166.142.145.137	www4.symantec.com
162.88.53.89	education.symantec.com
238.114.42.122	vos.symantec.com
140.153.112.235	www.hacksoft.com.pe
122.18.195.174	hacksoft.pe
118.219.171.126	www.hacksoft.pe
194.245.161.159	housecall.trendmicro.com
96.29.163.17	www.trendmicro.com
79.149.58.143	housecall65.trendmicro.com
74.94.222.163	us.trendmicro.com
151.121.211.196	blog.trendmicro.com
52.160.25.54	emea.trendmicro.com
35.92.108.181	housecall60.trendmicro.com
30.38.84.133	jp.trendmicro.com
107.252.73.165	de.trendmicro.com
8.103.75.23	it.trendmicro.com
179.223.226.218	itw.trendmicro.com
243.169.134.170	esupport.trendmicro.com
63.127.123.203	es.trendmicro.com
221.234.193.60	br.trendmicro.com
135.99.20.187	tw.trendmicro.com
199.44.185.207	la.trendmicro.com
19.70.174.240	uk.trendmicro.com
177.110.244.98	ru.trendmicro.com
92.230.139.224	smbstore.trendmicro.com
155.175.47.176	apac.trendmicro.com
232.202.36.21	store.trendmicro.com
133.241.106.67	training.trendmicro.com
48.105.137.210	trial.trendmicro.com
59.254.45.162	ushousecall02.trendmicro.com
136.25.34.194	subwiz.trendmicro.com
37.64.104.52	go.trendmicro.com
208.252.255.247	feeds.trendmicro.com
16.130.163.199	channelpartner.trendmicro.com
92.156.152.232	wtc.trendmicro.com
250.7.222.89	shop.trendmicro.com
164.128.49.216	fr.trendmicro.com
228.73.213.236	threatinfo.trendmicro.com
48.31.203.13	newsletters.trendmicro.com
138.139.17.59	www.anti-virus.by
120.3.100.253	bg.virusblokada.com
116.204.76.205	www.vba.com.by
5.231.65.238	beta.anti-virus.by
94.14.67.96	www.bg.virusblokada.com
77.134.218.35	www.hauri.net
72.79.126.243	www.hauri.co.kr
217.106.115.19	company.hauri.net
50.145.185.133	www.globalhauri.com
33.9.12.4	shop.hauri.co.kr
29.211.244.24	hauri.co.kr
105.237.233.57	pg.hauri.net
7.20.235.102	esecurity.livecall.co.kr
245.141.130.41	mall.hauri.co.kr
241.86.38.249	company.hauri.co.kr
61.112.28.26	haurijapan.com
219.220.98.140	virobot.co.kr
201.84.181.78	www.virusbuster.hu
197.29.89.30	virusbuster.hu
18.244.78.63	scanner.novirusthanks.org
175.95.148.177	scanner2.novirusthanks.or
158.215.43.48	novirusthanks.org
85.92.139.0	www.novirusthanks.org
162.51.128.32	virustotal.com
63.158.198.146	www.virustotal.com
46.22.25.17	virscan.org
42.224.189.225	www.virscan.org
118.250.178.2	virusscan.jotti.org
20.33.248.115	jotti.org
2.154.75.54	www.jotti.org
254.99.51.6	viruschief.com
74.125.41.39	www.viruschief.com
232.165.43.153	scanner.virus.org
215.29.194.23	virus.org
210.230.102.43	www.virus.org
31.1.91.76	scan4you.net
188.40.161.190	www.scan4you.net
171.228.244.61	avhide.com
166.173.220.13	www.avhide.com
243.132.209.45	anubis.iseclab.org
144.239.211.159	iseclab.org
59.103.106.98	www.iseclab.org
123.49.14.50	threatexpert.com
199.7.3.83	www.threatexpert.com
101.114.73.196	forospyware.com
15.235.156.67	www.forospyware.com
27.128.12.35	in.answers.yahoo.com
103.154.2.68	es.answers.yahoo.com
5.194.72.182	kioskea.net
175.58.223.52	www.kioskea.net
239.3.131.4	es.kioskea.net
60.30.120.105	mygeekside.com
217.69.190.151	www.mygeekside.com
132.189.17.90	www.tecniservicioslys.com
195.134.181.41	tecniservicioslys.com
16.161.170.74	virusfreezone.info
173.200.240.188	www.virusfreezone.info
88.132.135.127	intranet.cidiroax.ipn.mx
152.10.43.79	spycheck.es
228.36.32.112	www.spycheck.es
130.143.102.225	antivirus.hispavista.com
44.8.185.96	computing.net
108.209.93.116	www.computing.net
184.167.83.149	spycheck.co.uk
18.19.153.195	www.spycheck.co.uk
0.139.236.133	midescargas.com
252.84.212.85	www.midescargas.com
141.111.201.118	static.yoreparo.com
230.150.203.232	softfaq.com
213.202.30.103	www.softfaq.com
140.147.194.54	configurarequipos.com
29.174.183.87	www.configurarequipos.com
118.213.253.201	seasonsecurity.com
101.77.80.72	www.seasonsecurity.com
97.23.56.92	removetrojanvirus.org
173.49.45.125	www.removetrojanvirus.org
75.88.47.170	ibusca.me
57.209.198.109	www.ibusca.me

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Delete the original Trojan file.
   
2. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
3. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	172032	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	176128	61440	61440	5.5336	585425e899c82a7721b9961afd417da4
.rsrc	237568	24576	11264	4.60291	c58ca94a63088c8e563d496bdbb08fab

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.ip-adress.com/	64.34.169.244
hxxp://whos.amung.us/swidget/cpbyzvl1vh6r	67.202.94.94
hxxp://widgets.amung.us/small/00/1.png	173.192.170.82

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps