Trojan.Win32.VBKrypt.xiz (Kaspersky), Gen:Variant.Zusy.Elzob.22474 (B) (Emsisoft), Gen:Variant.Zusy.Elzob.22474 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fbace3e2dc45c3c30ae9cb4773740a9b
SHA1: f2107f06ed9e7334e9ba9381f7dcd47cc2b719d3
SHA256: c0ff91b05ae51c5c69269ddced822d345a6a4dec9f44ae7206e0597882790ee1
SSDeep: 1536:Zcjd75QPYyM haVCpR/orFNbXV8l0ByhuhgpHFr3 nouy8o0X6Pufu:ejdiPYydUVCptoZJC6pilr3eoutoJQu
Size: 73728 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 1983-01-15 13:23:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
No files have been created.
Registry activity
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and takes precedence over DNS lookups. The modified file is 22836 bytes in size. The following entries are added to the hosts file:
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Delete the original Trojan file.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files.
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 172032 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 176128 | 61440 | 61440 | 5.5336 | 585425e899c82a7721b9961afd417da4 |
.rsrc | 237568 | 24576 | 11264 | 4.60291 | c58ca94a63088c8e563d496bdbb08fab |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.ip-adress.com/ | 64.34.169.244 |
hxxp://whos.amung.us/swidget/cpbyzvl1vh6r | 67.202.94.94 |
hxxp://widgets.amung.us/small/00/1.png | 173.192.170.82 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):