Trojan.Win32.VB.astu (Kaspersky), Gen:Trojan.Heur.ZGY.3 (B) (Emsisoft), Gen:Trojan.Heur.ZGY.3 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bb0ad6c1eb9fa64d1a48ac4592b5f59e
SHA1: 482fac659b6fe82469c5204403a6fb72e8f60a81
SHA256: afc185cbff2f1086bbf4a4db54617609339c2ceb9c0d59be307390dfd002c75a
SSDeep: 1536:rzU1Gy9DWlKkVQP4spZn6tEPNn5O9i236h7i/Zyt0nouy8:rQ2QPjtO25OH36hmYtEout
Size: 68096 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2011-06-14 05:28:26
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es): No processes have been created.
The Trojan injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
No files have been created.
Registry activity
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses before any DNS lookup takes place. The modified file is 22881 bytes in size. The following strings are added to the hosts file:
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Delete the original Trojan file.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
(no name) | 4096 | 176128 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Ò© | 180224 | 65536 | 62976 | 5.53483 | 98cb88a8d3a7f422956acaf15cc701b3 |
(no name) | 245760 | 4096 | 4096 | 1.28112 | 7cc9d0e50ebd0834f096dd1fd718809f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
cc396d13b30ce74b0dcc1dfb0535c096
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):