Trojan.Win32.VB.astu (Kaspersky), Gen:Trojan.Heur.ZGY.3 (B) (Emsisoft), Gen:Trojan.Heur.ZGY.3 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bb0ad6c1eb9fa64d1a48ac4592b5f59e
SHA1: 482fac659b6fe82469c5204403a6fb72e8f60a81
SHA256: afc185cbff2f1086bbf4a4db54617609339c2ceb9c0d59be307390dfd002c75a
SSDeep: 1536:rzU1Gy9DWlKkVQP4spZn6tEPNn5O9i236h7i/Zyt0nouy8:rQ2QPjtO25OH36hmYtEout
Size: 68096 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2011-06-14 05:28:26
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
No files have been created.
Registry activity
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 22881 bytes in size. The following strings are added to the hosts file listed below:
| 208.109.220.97 | viabcp.com |
| 208.109.220.97 | www.viabcp.com |
| 208.109.220.97 | bcpzonasegura.viabcp.com |
| 68.149.108.231 | iniciorapido.info |
| 50.14.191.102 | www.iniciorapido.info |
| 114.215.100.122 | buscalo.in |
| 190.241.89.155 | www.buscalo.in |
| 92.25.159.13 | buscafacil.com |
| 7.145.54.140 | www.buscafacil.com |
| 70.90.218.91 | emsisoft.com |
| 147.117.207.192 | ahnlab.com |
| 48.156.21.238 | antivir.es |
| 219.20.104.177 | antiy.net |
| 26.222.12.129 | authentium.com |
| 103.248.1.161 | avast.com |
| 5.31.71.19 | avg.com |
| 175.220.222.214 | bitdefender.com |
| 239.97.130.166 | quickheal.com |
| 59.123.119.199 | clamav.net |
| 217.230.189.56 | comodo.com |
| 131.95.16.183 | drweb.com |
| 195.40.181.203 | aladdin.com |
| 15.254.170.236 | ca.com |
| 105.106.240.26 | f-prot.com |
| 88.226.67.221 | f-secure.com |
| 83.171.43.172 | fortinet.com |
| 228.198.32.205 | gdata.es |
| 61.237.34.63 | ikarus.at |
| 44.101.185.2 | jiangmin.com |
| 39.47.93.210 | kaspersky.com |
| 184.73.82.242 | mcafee.com |
| 18.112.152.100 | microsoft.com |
| 0.233.235.227 | eset.es |
| 252.178.211.247 | norman.com |
| 72.204.200.24 | nprotect.com |
| 230.243.202.69 | pandasecurity.com |
| 212.108.97.8 | pctools.com |
| 208.53.6.216 | prevx.com |
| 28.79.251.249 | rising-global.com |
| 186.187.65.107 | sophos.com |
| 169.51.148.46 | sunbeltsoftware.com |
| 164.252.56.253 | symantec.com |
| 241.211.45.30 | hacksoft.com.pe |
| 142.62.115.144 | trendmicro.com |
| 125.182.10.15 | anti-virus.by |
| 120.128.174.35 | hauri.net |
| 197.86.163.67 | virusbuster.hu |
| 99.193.233.181 | www.emsisoft.com |
| 81.58.60.52 | www.ahnlab.com |
| 77.3.224.4 | www.antivir.es |
| 153.29.213.37 | www.antiy.net |
| 55.68.27.150 | www.authentium.com |
| 37.189.110.89 | www.avast.com |
| 33.134.87.41 | www.avg.com |
| 109.160.76.74 | www.bitdefender.com |
| 11.200.78.188 | www.quickheal.com |
| 250.64.229.59 | www.clamav.net |
| 245.9.137.78 | www.comodo.com |
| 66.36.126.111 | www.drweb.com |
| 223.75.196.225 | www.aladdin.com |
| 206.7.23.96 | www.ca.com |
| 201.209.255.48 | www.f-prot.com |
| 22.167.244.80 | www.f-secure.com |
| 180.18.246.194 | www.fortinet.com |
| 94.139.141.133 | www.gdata.es |
| 158.84.49.85 | www.ikarus.at |
| 234.42.38.118 | www.jiangmin.com |
| 136.149.108.231 | www.kaspersky.com |
| 50.14.191.102 | www.mcafee.com |
| 114.215.100.122 | www.microsoft.com |
| 190.241.89.155 | www.eset.es |
| 92.25.159.13 | www.norman.com |
| 7.145.54.140 | www.nprotect.com |
| 70.90.218.91 | www.pandasecurity.com |
| 147.117.207.192 | www.pctools.com |
| 48.156.21.238 | www.prevx.com |
| 219.20.104.177 | www.rising-global.com |
| 26.222.12.129 | www.sophos.com |
| 103.248.1.161 | www.sunbeltsoftware.com |
| 5.31.71.19 | www.symantec.com |
| 175.220.222.214 | www.hacksoft.com.pe |
| 239.97.130.166 | www.trendmicro.com |
| 59.123.119.199 | www.anti-virus.by |
| 217.230.189.56 | www.hauri.net |
| 131.95.16.183 | www.virusbuster.hu |
| 195.40.181.203 | www.emsisoft.com |
| 15.254.170.236 | www.anti-trojan.net |
| 105.106.240.26 | malwarescan.emsisoft.com |
| 88.226.67.221 | forum.emsisoft.com |
| 83.171.43.172 | www.emsisoft.net |
| 228.198.32.205 | www.emsisoft.it |
| 61.237.34.63 | www.emsisoft.de |
| 44.101.185.2 | www.anti-trojan-software.net |
| 39.47.93.210 | mamutu.com |
| 184.73.82.242 | www.emsisoft.es |
| 18.112.152.100 | malwarescan.emsisoft.de |
| 0.233.235.227 | ww.emsisoft.com |
| 252.178.211.247 | www.emsisoft.fr |
| 72.204.200.24 | www.emsisoft.nl |
| 230.243.202.69 | onlinecheck.emsisoft.com |
| 212.108.97.8 | onlinecheck.emsisoft.de |
| 208.53.6.216 | www.emsisoft.org |
| 28.79.251.249 | scan.anti-trojan.net |
| 186.187.65.107 | www.trojaner.info |
| 169.51.148.46 | onlinecheck.emsisoft.org |
| 164.252.56.253 | onlinecheck.emsisoft.net |
| 241.211.45.30 | blitzblank.com |
| 142.62.115.144 | www.emsisoft.at |
| 125.182.10.15 | www.emsisoft.jp |
| 120.128.174.35 | www.mamutu.com |
| 197.86.163.67 | malwarescan.emsisoft.es |
| 99.193.233.181 | www.mamutu.de |
| 81.58.60.52 | download5.emsisoft.com |
| 77.3.224.4 | download1.emsisoft.com |
| 153.29.213.37 | download4.emsisoft.com |
| 55.68.27.150 | global.ahnlab.com |
| 37.189.110.89 | www.hackshields.com |
| 33.134.87.41 | www.internationalservicecheck.com |
| 109.160.76.74 | www.irangoals.com |
| 11.200.78.188 | ixomodels.com |
| 250.64.229.59 | www.indielisboa.com |
| 245.9.137.78 | www.latin-mass-society.org |
| 66.36.126.111 | www.arpia.be |
| 223.75.196.225 | www.owen.org |
| 206.7.23.96 | www.prdouglas.co.uk |
| 201.209.255.48 | www.zarya.info |
| 22.167.244.80 | www.willsee.com |
| 180.18.246.194 | halmapr.com |
| 94.139.141.133 | karuna-shechen.org |
| 158.84.49.85 | www.barder.com |
| 234.42.38.118 | www.antivir.es |
| 136.149.108.231 | www.buraka.tv |
| 50.14.191.102 | www.dr-bull.com |
| 114.215.100.122 | www.manchester-offices.co.uk |
| 190.241.89.155 | saverssite.com |
| 176.109.243.97 | canada.karuna-shechen.org |
| 91.229.138.223 | developmentdrums.org |
| 154.174.46.175 | www.imddomains.co.uk |
| 231.201.35.20 | cutlines.org |
| 132.240.105.66 | elblogdemanu.com |
| 47.104.188.5 | ruben.bzin.net |
| 110.50.96.213 | welkam.co.jp |
| 187.76.85.245 | www.cambridge-steiner-school.co.uk |
| 88.115.155.103 | naturesimages.net |
| 3.47.50.42 | www.1stavenuelimousines.co.uk |
| 67.181.214.250 | www.mtr-design.com |
| 143.207.203.27 | dev.depeuter.org |
| 45.58.17.140 | www.emeraldclassic.co.uk |
| 215.179.100.11 | www.peterhearnwaste.co.uk |
| 23.124.8.31 | etrr.co.uk |
| 99.82.254.64 | www.avoncourt.com |
| 189.190.68.110 | sarahmcconnellphotography.net |
| 172.54.151.48 | www.ixomodels.com |
| 167.255.127.0 | natsko.com |
| 56.26.116.33 | www.nottinghampoetryseries.com |
| 145.65.118.147 | www.sheffieldmind.co.uk |
| 128.185.13.86 | ixostore.ixomodels.com |
| 123.131.177.38 | www.flairweddings.co.uk |
| 12.157.166.70 | www.fimasys.com |
| 101.196.236.184 | cohartuk.com |
| 84.60.63.55 | qqjkw.net |
| 80.6.39.75 | vivo-austin.com |
| 156.32.28.108 | www.freeality.com |
| 58.71.30.153 | bestofewan.com |
| 40.192.181.92 | www.handwritingforkids.com |
| 36.137.89.44 | cowsmo.com |
| 112.163.79.77 | www.2xlgames.com |
| 14.15.149.191 | kimzimmer.net |
| 253.135.232.129 | basetendencies.com |
| 248.80.140.81 | trackingtheworld.com |
| 69.39.129.114 | www.reviewsofbooks.com |
| 226.146.199.228 | www.collectedcurios.com |
| 209.10.94.99 | www.renningers.com |
| 204.212.2.119 | ccslaughterspdx.com |
| 25.170.247.151 | www.briarhurst.com |
| 182.21.61.9 | www.smf.org |
| 165.141.144.136 | ribbonwarehouse.com |
| 161.87.52.88 | www.garryowen.com |
| 237.113.41.121 | 45pounds.com |
| 139.152.111.234 | isotopecomics.com |
| 121.17.194.173 | roysephotos.com |
| 117.218.170.125 | www.stadiumpage.com |
| 193.244.160.158 | www.elvis-express.com |
| 95.28.162.16 | www.tomorrowsedge.net |
| 78.148.57.142 | www.beautybar.com |
| 73.93.221.162 | pineleafboys.com |
| 150.120.210.195 | www.mountainlakeslodge.com |
| 51.159.24.53 | pvtc.org |
| 34.91.107.180 | bhsbees.com |
| 29.37.83.132 | baristamagazine.com |
| 106.251.72.164 | www.gokidding.com |
| 7.102.74.22 | defalcos.com |
| 178.222.225.217 | www.celticmerchant.com |
| 242.168.133.169 | www.hxproduction.com |
| 62.126.122.202 | www.wellgousa.com |
| 220.233.192.59 | blog.titanium-jewelry.com |
| 134.98.19.186 | www.brightoctober.com |
| 198.43.184.206 | hishomeforchildren.com |
| 18.69.173.239 | www.phoenixtrikeworks.com |
| 176.109.243.97 | www.professorbeyer.com |
| 91.229.138.223 | www.secondchanceboxer.com |
| 154.174.46.175 | www.residentphotography.com |
| 231.201.35.20 | woottonfootball.com |
| 132.240.105.66 | www.deborahshelton.net |
| 47.104.188.5 | bobbondart.com |
| 178.118.164.25 | www.authentium.com |
| 255.144.153.57 | asap.authentium.com |
| 156.183.223.171 | www.authentium.com.au |
| 71.115.118.110 | avast.com |
| 135.249.26.62 | www.avast.com |
| 211.19.15.95 | files.avast.com |
| 113.126.85.208 | download535.avast.com |
| 27.247.168.79 | avg.com |
| 91.192.76.99 | www.avg.com |
| 167.150.66.132 | grisoft.com |
| 1.2.136.178 | www.grisoft.com |
| 240.122.219.116 | antivirus-tools.com |
| 235.67.195.68 | archive.bitdefender.com |
| 124.94.184.101 | avx.rob-have.net |
| 213.133.186.215 | b-have.orgbitdefender-ar.com |
| 196.253.81.154 | bitdefender.com |
| 191.199.245.106 | bitdefender.org |
| 80.225.234.138 | bitdefenderchina.com |
| 169.8.48.252 | bitdefenderguatemala.com |
| 152.128.131.123 | bitdefendermalaysia.com |
| 148.74.107.143 | bitdefendertaiwan.com |
| 224.100.96.176 | bitdefenderuruguay.com |
| 126.139.98.221 | bitdefenderusa.com |
| 108.4.249.160 | buy.bitdefender-es.com |
| 104.205.157.112 | buy.bitdefender.com |
| 180.231.147.145 | buy.bitdefender.de |
| 82.83.217.3 | de.bitdefender.com |
| 65.203.44.197 | fr.bitdefender.com |
| 60.148.208.149 | futurenow.bitdefender.com |
| 189.159.249.234 | it.bitdefender.com |
| 90.10.63.92 | jobs.bitdefender.com |
| 73.130.214.219 | kb.bitdefender.com |
| 68.76.122.239 | kb.bitdefender.de |
| 145.34.111.15 | kb.bitdefender.us |
| 46.141.181.129 | latin.bitdefender.com |
| 29.5.8.0 | linux.bitdefender.com |
| 25.207.172.208 | malwarecity.com |
| 101.233.161.241 | malwarecity.netmalwarecity.org |
| 3.16.231.98 | malwarepedia.com |
| 241.137.58.37 | neunet.orgnews.bitdefender.com |
| 237.82.35.245 | nl.bitdefender.com |
| 57.108.24.22 | renewals.bitdefender.com |
| 215.148.26.136 | sales.bitdefender.com |
| 198.12.177.7 | square.bitdefender.com |
| 193.213.85.26 | store.bitdefender.com |
| 14.240.74.59 | store.de.bitdefender.com |
| 171.23.144.173 | us.bitdefender.com |
| 154.211.227.44 | virusscanonline.net |
| 149.157.203.252 | wedoantivirus.com |
| 226.115.192.28 | www.antivirus-tools.com |
| 127.222.194.142 | www.avx.ro |
| 42.86.89.81 | www.bit-defender.de |
| 106.32.253.33 | www.bitdefende.de |
| 182.246.242.66 | www.bitdefender-es.com |
| 84.97.56.179 | www.bitdefender.be |
| 254.218.139.50 | www.bitdefender.cl |
| 62.163.48.70 | www.bitdefender.co.uk |
| 138.189.37.103 | www.bitdefender.com |
| 108.41.175.29 | www.bitdefender.com.au |
| 23.161.70.155 | www.bitdefender.com.sg |
| 86.106.234.107 | www.bitdefender.com.tw |
| 163.133.223.208 | www.bitdefender.com.vn |
| 64.172.37.254 | www.bitdefender.de |
| 235.36.120.193 | www.bitdefender.es |
| 42.238.28.145 | www.bitdefender.fr |
| 119.8.17.177 | www.bitdefender.hk |
| 20.47.87.35 | www.bitdefender.us |
| 191.235.238.230 | www.bitdefenderme.com |
| 255.113.146.182 | www.malwarecity.com |
| 75.139.135.215 | www.malwarecity.fr |
| 233.246.205.72 | quickheal.com |
| 147.111.32.199 | www.quickheal.com |
| 211.56.197.219 | www.clamav.net |
| 31.14.186.252 | cgi.clamav.net |
| 205.206.84.126 | lurker.clamav.net |
| 187.70.167.64 | wwws.clamav.net |
| 183.15.143.16 | lists.clamav.net |
| 72.42.132.49 | bugs.clamav.net |
| 161.81.134.163 | system-cleaner.comodo.com |
| 144.201.29.102 | backup.comodo.com |
| 139.146.193.53 | www.comodoantispam.com |
| 28.173.182.86 | easy-vpn.comodo.com |
| 117.212.252.200 | www.trustlogo.com |
| 100.76.79.71 | ztl.comodo.com |
| 96.22.55.91 | www.livepcsupport.com |
| 172.48.44.124 | www.whichssl.com |
| 74.87.46.169 | www.trustix.com |
| 56.208.197.108 | disk-encryption.comodo.com |
| 52.153.105.60 | speedtest.comodo.com |
| 128.179.95.93 | www.contentverification.com |
| 30.31.165.207 | idauthority.com |
| 12.151.248.145 | www.comodo.tv |
| 8.96.156.97 | online-backup.comodo.com |
| 153.123.213.198 | www.testmypcsecurity.com |
| 54.230.27.56 | www.ccssforum.org |
| 37.94.178.183 | i-vault.comodo.com |
| 32.39.86.202 | internetsecurity.comodo.com |
| 109.254.75.235 | www.comodopartners.com |
| 10.105.145.93 | timestamp.comodoca.com |
| 249.225.228.220 | secure-email.comodo.com |
| 245.171.136.172 | timestamp.wosign.com |
| 65.197.125.205 | rover800.gaima.co.uk |
| 223.236.195.62 | www.nsclean.com |
| 205.101.22.1 | www.contentverification.com |
| 201.46.254.209 | new-estore.drweb.com |
| 21.72.243.242 | support.drweb.com |
| 179.112.246.100 | pda.drweb.com |
| 161.232.141.226 | updates.drweb.com |
| 157.177.49.246 | drweb.com |
| 234.204.38.23 | vms.drweb.com |
| 135.243.108.137 | solutions.drweb.com |
| 118.175.191.8 | news.drweb.com |
| 113.120.167.215 | my.drweb.com |
| 242.131.208.44 | buy.drweb.com |
| 143.238.210.158 | products.drweb.com |
| 58.102.105.97 | new-support.drweb.com |
| 122.48.13.49 | promotions.drweb.com |
| 198.6.2.82 | network.drweb.com |
| 100.113.72.195 | customers.drweb.com |
| 14.234.155.66 | store.drweb.com |
| 78.179.63.86 | company.drweb.com |
| 154.205.53.119 | training.drweb.com |
| 56.245.123.233 | license.drweb.com |
| 227.109.18.103 | cureit.ru |
| 34.54.182.55 | free.drweb.com |
| 111.81.171.156 | info.drweb.com |
| 12.120.241.202 | new-partners.drweb.com |
| 183.240.68.141 | drweb.net |
| 246.185.232.93 | new-company.drweb.com |
| 67.212.221.125 | new-beta.drweb.com |
| 224.251.35.239 | new-forum.drweb.com |
| 139.183.186.178 | secure.av-desk.com |
| 203.61.94.130 | www.av-desk.com |
| 91.155.151.231 | new-solutions.drweb.com |
| 249.6.221.88 | new-www.drweb.com |
| 163.127.48.215 | www.freedrweb.ru |
| 227.72.212.235 | daniloff.net |
| 47.30.202.12 | drweb-inside.com |
| 137.138.16.58 | drwebinside.com |
| 119.2.99.252 | aladdin.com |
| 115.203.75.204 | alladdin.ru |
| 4.230.64.237 | chickensroamfree.com |
| 93.13.66.95 | ealaddin.net |
| 76.133.217.34 | ealaddin.orgeshop.aladdin.com |
| 71.78.125.242 | secureme.com |
| 216.105.114.18 | www.aks.com |
| 49.144.184.132 | www.aladdin.com |
| 32.8.11.3 | www.ealaddin.com |
| 28.210.243.23 | www.ealaddin.com |
| 104.236.232.56 | auwww.ealaddin.nl |
| 6.19.234.101 | www.esafe.com |
| 244.140.129.253 | www.hasp.se |
| 196.41.250.204 | www.safenet-inc.com |
| 17.68.239.237 | www3.safenet-inc.com |
| 174.175.53.95 | www.ca.com |
| 157.39.136.34 | cacomvip.ca.com |
| 152.241.44.242 | www.netegrity.com |
| 229.199.33.18 | search.ca.com |
| 130.50.103.132 | cai.com |
| 113.170.254.3 | www.f-prot.com |
| 109.116.162.23 | frisk-software.com |
| 185.74.151.56 | www.frisk.is |
| 87.181.221.169 | www.frisk-software.com |
| 69.46.48.40 | f-secure.com |
| 133.59.25.60 | f-secure.frf-secure.hk |
| 209.85.14.93 | f-secure.nlfsecure.com |
| 111.125.84.207 | fsecure.nlwebyard.com |
| 94.245.167.145 | www.f-secure.com |
| 89.190.143.97 | www.fsecure.com |
| 166.217.132.130 | www.virus.fi |
| 67.0.134.40 | fortihero.com |
| 102.172.81.167 | fortilog.com |
| 97.118.245.187 | fortinet.co.at |
| 174.144.234.219 | fortinet.com |
| 76.183.48.77 | fortiprotect.com |
| 58.116.131.204 | fortiwifi.com |
| 54.61.107.156 | www.apsecure.com |
| 130.19.96.189 | www.fortifed.com |
| 32.126.98.46 | www.fortiid.com |
| 202.247.249.241 | www.fortimail.com |
| 10.192.158.193 | www.fortinet-apac.com |
| 154.218.215.38 | www.fortinet.ch |
| 56.70.29.152 | www.fortinet.co.il |
| 227.190.112.23 | www.fortinet.com |
| 34.135.20.42 | www.fortinet.com |
| 111.162.9.75 | arwww.fortinet.cz |
| 12.201.79.189 | www.fortinet.net |
| 183.65.230.60 | www.fortinet.nl |
| 74.94.222.96 | www.fortinet.sg |
| 151.121.211.196 | www.fortinetuk.com |
| 52.160.25.242 | www.secure-elements.com |
| 223.24.108.181 | gdata.es |
| 31.226.16.133 | www.gdata.es |
| 175.64.73.234 | ikarus.at |
| 77.103.143.91 | www.ikarus.at |
| 247.36.38.30 | global.jiangmin.com |
| 55.169.202.238 | jiangmin.com.cn |
| 131.195.192.15 | jiangmin.com |
| 33.47.6.129 | www.jiangmin.com.cn |
| 204.167.89.255 | www.kaspersky.com |
| 63.164.49.71 | forum.kaspersky.com |
| 140.123.38.104 | support.kaspersky.co |
| 229.230.108.150 | usa.kaspersky.com |
| 212.94.191.89 | brazil.kaspersky.com |
| 207.40.167.41 | latam.kaspersky.com |
| 96.66.156.73 | kaspersky.com |
| 185.105.158.187 | me.kaspersky.com |
| 168.225.53.126 | images.kaspersky.com |
| 164.171.217.78 | www.mcafee.com |
| 120.9.18.179 | support.mcafee.com |
| 210.48.88.36 | msr.mcafee.com |
| 192.169.171.163 | home.mcafee.com |
| 188.114.147.183 | networkassociates.com |
| 8.140.137.216 | us.mcafee.com |
| 166.180.139.6 | tr.mcafee.com |
| 149.44.34.200 | au.mcafee.com |
| 144.245.198.152 | mx.mcafee.com |
| 221.16.187.185 | networkassociates.nai.com |
| 122.123.1.43 | go.mcafee.com |
| 105.243.168.66 | fr.mcafee.com |
| 184.16.76.17 | uk.mcafee.com |
| 5.231.65.50 | de.mcafee.com |
| 162.82.135.164 | obscgi.mcafee.com |
| 145.202.30.35 | nai.com |
| 141.148.194.55 | www.entercept.com |
| 217.106.183.88 | jp.mcafee.com |
| 119.213.253.13 | mcafeeb2b.com |
| 169.146.148.140 | cn.mcafee.com |
| 165.91.56.92 | service.mcafee.com |
| 241.117.45.125 | br.mcafee.com |
| 143.157.116.239 | www.mcafee.at |
| 125.21.199.177 | mcafeeretail.com |
| 121.222.175.129 | it.mcafee.com |
| 198.248.164.214 | tw.mcafee.com |
| 151.84.218.72 | privacy.microsoft.com |
| 134.204.113.199 | tempuri.org |
| 129.149.21.219 | schemas.xmlsoap.org |
| 206.176.10.251 | www.microsoft.com |
| 107.215.80.109 | specs.xmlsoap.org |
| 90.147.163.236 | www.eugrantsadvisor.ie |
| 86.93.139.188 | schemas.microsoft.com |
| 162.51.128.221 | encarta.msn.com |
| 64.158.130.78 | www.sysinternals.com |
| 46.91.93.85 | grv.microsoft.com |
| 110.36.1.37 | www.xmlsoap.org |
| 186.250.247.70 | www.eugrantsadvisor.se |
| 88.102.61.184 | www.eugrantsadvisor.com |
| 2.222.144.54 | research.microsoft.com |
| 66.167.52.74 | www.engyro.com |
| 143.194.41.107 | www.exchangeyourcareer.com |
| 44.233.111.221 | www.eugrantsadvisor.de |
| 215.97.6.92 | exchangeyourcareer.net |
| 22.42.170.43 | eugrantsadvisor.de |
| 99.69.159.144 | eugrantsadvisor.cz |
| 0.108.229.190 | www.eset.es |
| 171.228.56.213 | demos.eset.es |
| 62.2.48.165 | descargas.eset.es |
| 139.28.37.197 | blogs.protegerse.com |
| 41.67.107.55 | eos.eset.es |
| 211.0.2.250 | pedidos.protegerse.com |
| 19.133.166.202 | reg-int.nod32-es.com |
| 95.159.155.235 | reg.eset.es |
| 253.11.226.93 | vicentevirtual.com |
| 235.199.121.31 | cou85.com |
| 43.144.29.51 | www.norman.com |
| 120.102.18.84 | fsc.norman.com |
| 209.210.88.130 | nprobeta.norman.com |
| 192.74.171.69 | register.norman.com |
| 187.19.147.20 | webadmin.norman.no |
| 76.46.136.53 | sandbox.norman.com |
| 217.137.190.219 | www.nprotect.com |
| 200.1.85.158 | global.nprotect.com |
| 196.203.249.110 | www.nprotect.co.kr |
| 84.229.238.143 | www.npin.co.kr |
| 174.12.52.0 | siren24.nprotect.com |
| 224.201.203.195 | 15660808.co.kr |
| 220.146.179.215 | biz.nprotect.com |
| 40.172.168.248 | nprotect.net |
| 198.212.171.38 | www.nprotect.com.br |
| 180.76.66.232 | liveprotect.net |
| 176.21.230.184 | nprotect.seoul.go.kr |
| 253.47.219.217 | chollian.nprotect.co.kr |
| 154.155.240.26 | www.pandasecurity.com |
| 88.226.67.221 | research.pandasecurity.com |
| 83.171.231.173 | support.pandasecurity.com |
| 160.130.220.205 | pandalabs.pandasecurity.com |
| 61.237.34.63 | pandasecurity.com |
| 44.101.185.190 | mop.pandasecurity.com |
| 40.47.93.210 | timeforyourbusi.pandasecurity.com |
| 116.5.82.243 | cybercrime.pandasecurity.com |
| 18.112.152.168 | free.pandasecurity.com |
| 68.45.47.39 | cloudprotection.pandasecurity.com |
| 64.246.211.247 | shop.pandasecurity.com |
| 140.16.201.24 | soporte.pandasecurity.com |
| 42.56.15.138 | together.pctools.com |
| 24.176.98.76 | www.prevx.com |
| 20.121.74.28 | info.prevx.com |
| 97.148.63.61 | free.prevx.com |
| 50.239.117.227 | spywarefiles.prevx.com |
| 33.103.12.98 | spywaredlls.prevx.com |
| 28.49.176.118 | shield.prevx.com |
| 105.75.165.150 | www.prevx1.com |
| 6.114.235.8 | howsafeismypc.com |
| 245.46.62.203 | www.retento.com |
| 53.60.106.155 | www.freerav.com |
| 129.18.95.188 | www.rising-global.com |
| 31.125.97.45 | www.risingav.com.au |
| 201.246.248.240 | support.rising-global.com |
| 9.191.156.192 | superboy2010.com.au |
| 85.149.146.225 | www.sophos.com |
| 243.85.44.167 | feeds.sophos.com |
| 241.205.127.37 | esp.sophos.com |
| 49.150.35.57 | cn.sophos.com |
| 126.176.24.90 | tw.sophos.com |
| 27.216.94.204 | kr.sophos.com |
| 198.80.245.75 | sophos.com |
| 5.25.153.26 | podcasts.sophos.com |
| 150.120.210.195 | www.sunbeltsoftware.com |
| 171.23.144.105 | go.sunbeltsoftware.com |
| 86.143.227.44 | oem.sunbeltsoftware.com |
| 150.89.135.252 | antispam.sunbeltsoftware.com |
| 226.115.124.29 | antispyware.sunbeltsoftware.com |
| 128.154.194.142 | antivirus.sunbeltsoftware.com |
| 42.87.89.81 | sunbeltsoftware.com |
| 106.220.253.33 | shop.sunbeltsoftware.com |
| 10.74.70.150 | live.sunbeltsoftware.com |
| 168.182.140.8 | firewall.sunbeltsoftware.com |
| 82.46.224.134 | www.symantec.com |
| 146.247.132.154 | security.symantec.com |
| 223.205.121.187 | securityrespons.symantec.com |
| 56.57.191.45 | service1.symantec.com |
| 107.245.86.240 | enterprisesecur.symantec.com |
| 102.190.62.191 | eval.symantec.com |
| 247.217.51.224 | symantec.com |
| 80.0.53.82 | definitions.symantec.com |
| 63.120.204.21 | investor.symantec.com |
| 58.66.112.229 | et.symantec.com |
| 203.92.101.5 | sfdoccentral.symantec.com |
| 89.183.223.171 | servicenews.symantec.com |
| 71.48.50.42 | securityrespons.symantec.com |
| 67.249.26.62 | sea.symantec.com |
| 143.19.15.95 | go.symantec.com |
| 45.59.18.141 | dell.symantec.com |
| 27.179.169.79 | sun.symantec.com |
| 23.124.77.31 | marian.symantec.com |
| 100.150.66.64 | tms.symantec.com |
| 1.2.136.178 | securitycheck.symantec.com |
| 52.190.31.185 | smallbiz.symantec.com |
| 47.135.195.136 | www.symantec.com |
| 124.94.184.169 | visualtracking.symantec.com |
| 25.201.254.27 | search.symantec.com |
| 8.65.149.154 | liveupdate.symantec.com |
| 3.11.57.174 | sitedirector.symantec.com |
| 80.225.46.206 | edm.symantec.com |
| 238.76.116.64 | hostedmailsecur.symantec.com |
| 220.197.199.191 | www4.symantec.com |
| 216.142.107.143 | education.symantec.com |
| 36.168.96.176 | vos.symantec.com |
| 194.208.167.34 | www.hacksoft.com.pe |
| 4.156.78.56 | hacksoft.pe |
| 0.101.54.8 | www.hacksoft.pe |
| 76.127.43.41 | housecall.trendmicro.com |
| 234.167.45.155 | www.trendmicro.com |
| 217.31.196.26 | housecall65.trendmicro.com |
| 212.232.104.45 | us.trendmicro.com |
| 33.3.93.78 | blog.trendmicro.com |
| 2.110.231.4 | emea.trendmicro.com |
| 241.42.58.131 | housecall60.trendmicro.com |
| 236.244.34.83 | jp.trendmicro.com |
| 57.202.23.115 | de.trendmicro.com |
| 215.53.25.229 | it.trendmicro.com |
| 129.174.176.168 | itw.trendmicro.com |
| 193.119.84.120 | esupport.trendmicro.com |
| 13.77.73.153 | es.trendmicro.com |
| 171.184.143.10 | br.trendmicro.com |
| 137.101.23.189 | tw.trendmicro.com |
| 201.46.187.209 | la.trendmicro.com |
| 22.72.176.242 | uk.trendmicro.com |
| 179.112.246.100 | ru.trendmicro.com |
| 94.232.141.227 | smbstore.trendmicro.com |
| 157.177.49.178 | apac.trendmicro.com |
| 234.204.38.23 | store.trendmicro.com |
| 135.243.108.69 | training.trendmicro.com |
| 50.107.191.8 | trial.trendmicro.com |
| 113.53.99.216 | ushousecall02.trendmicro.com |
| 2.147.156.60 | subwiz.trendmicro.com |
| 160.186.226.174 | go.trendmicro.com |
| 74.119.121.113 | feeds.trendmicro.com |
| 138.252.29.65 | channelpartner.trendmicro.com |
| 214.22.18.98 | wtc.trendmicro.com |
| 116.129.88.212 | shop.trendmicro.com |
| 30.250.172.82 | fr.trendmicro.com |
| 94.195.80.102 | threatinfo.trendmicro.com |
| 170.153.69.135 | newsletters.trendmicro.com |
| 4.5.139.181 | www.anti-virus.by |
| 243.125.222.120 | bg.virusblokada.com |
| 238.70.198.71 | www.vba.com.by |
| 127.97.187.104 | beta.anti-virus.by |
| 216.136.189.218 | www.bg.virusblokada.com |
| 199.0.84.157 | www.hauri.net |
| 194.202.248.109 | www.hauri.co.kr |
| 39.184.193.98 | company.hauri.net |
| 129.224.8.212 | www.globalhauri.com |
| 111.88.91.82 | shop.hauri.co.kr |
| 107.33.67.102 | hauri.co.kr |
| 184.59.56.135 | pg.hauri.net |
| 85.99.58.181 | esecurity.livecall.co.kr |
| 68.219.209.120 | mall.hauri.co.kr |
| 63.164.117.71 | company.hauri.co.kr |
| 140.191.106.104 | haurijapan.com |
| 41.42.176.218 | virobot.co.kr |
| 24.162.3.157 | www.virusbuster.hu |
| 19.108.167.109 | virusbuster.hu |
| 96.66.156.142 | scanner.novirusthanks.org |
| 66.241.38.67 | scanner2.novirusthanks.or |
| 48.106.189.194 | novirusthanks.org |
| 44.51.97.214 | www.novirusthanks.org |
| 120.9.86.247 | virustotal.com |
| 22.117.157.105 | www.virustotal.com |
| 4.237.240.231 | virscan.org |
| 0.182.148.183 | www.virscan.org |
| 77.208.137.216 | virusscan.jotti.org |
| 234.248.207.74 | jotti.org |
| 217.112.34.13 | www.jotti.org |
| 212.57.10.220 | viruschief.com |
| 33.84.255.253 | www.viruschief.com |
| 190.123.1.111 | scanner.virus.org |
| 173.243.152.238 | virus.org |
| 168.189.60.2 | www.virus.org |
| 245.215.49.34 | scan4you.net |
| 147.254.119.148 | www.scan4you.net |
| 129.187.202.19 | avhide.com |
| 125.132.178.227 | www.avhide.com |
| 201.90.167.4 | anubis.iseclab.org |
| 103.198.170.118 | iseclab.org |
| 17.62.65.56 | www.iseclab.org |
| 81.7.229.8 | threatexpert.com |
| 158.221.218.41 | www.threatexpert.com |
| 59.73.32.155 | forospyware.com |
| 230.193.115.26 | www.forospyware.com |
| 37.138.23.45 | in.answers.yahoo.com |
| 114.165.12.78 | es.answers.yahoo.com |
| 15.204.82.192 | kioskea.net |
| 186.68.29.115 | www.kioskea.net |
| 46.66.193.67 | es.kioskea.net |
| 122.92.182.168 | mygeekside.com |
| 24.131.252.213 | www.mygeekside.com |
| 194.252.79.152 | www.tecniservicioslys.com |
| 2.197.243.104 | tecniservicioslys.com |
| 78.223.232.137 | virusfreezone.info |
| 236.7.47.251 | www.virusfreezone.info |
| 150.195.198.189 | intranet.cidiroax.ipn.mx |
| 214.72.106.141 | spycheck.es |
| 35.99.95.174 | www.spycheck.es |
| 192.206.165.32 | antivirus.hispavista.com |
| 107.70.248.159 | computing.net |
| 170.15.156.178 | www.computing.net |
| 247.230.145.211 | spycheck.co.uk |
| 80.81.215.1 | www.spycheck.co.uk |
| 63.201.42.196 | midescargas.com |
| 59.147.18.148 | www.midescargas.com |
| 203.173.7.181 | static.yoreparo.com |
| 37.212.9.38 | softfaq.com |
| 19.77.160.233 | www.softfaq.com |
| 15.22.68.185 | configurarequipos.com |
| 159.48.57.218 | www.configurarequipos.com |
| 61.156.196.144 | seasonsecurity.com |
| 43.20.23.14 | www.seasonsecurity.com |
| 39.221.255.34 | removetrojanvirus.org |
| 116.247.244.67 | www.removetrojanvirus.org |
| 17.31.246.113 | ibusca.me |
| 0.151.141.52 | www.ibusca.me |
| 251.96.49.3 | busco.in |
| 72.123.38.36 | www.busco.in |
| 229.230.108.150 | inicioid.com |
| 212.94.191.89 | www.inicioid.com |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Delete the original Trojan file.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| 4096 | 176128 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e | |
| Ò© | 180224 | 65536 | 62976 | 5.53483 | 98cb88a8d3a7f422956acaf15cc701b3 |
| 245760 | 4096 | 4096 | 1.28112 | 7cc9d0e50ebd0834f096dd1fd718809f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
cc396d13b30ce74b0dcc1dfb0535c096
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://pl.intag.co/ttj?id=4454931&size=728x90&cb=1435543899480 | 37.252.163.220 |
| hxxp://cdn1.iconfinder.com/static/a998a3cd06a9b50682dc582393c423a0/assets/fonts/Agenda/agendabold-webfont.eot? | 205.234.175.175 |
| hxxp://pl.intag.co/ttj?id=4454931&size=300x600&cb=1435543897121 | 37.252.163.220 |
| hxxp://cdn.adnxs.com/p/79/c3/7f/ff/79c37fff53760acdec2a87d149be0589.jpg | 87.245.221.112 |
| hxxp://ww2.directorio-w.com/ | 141.8.225.161 |
| hxxp://cdn2.iconfinder.com/static/66214acbf85a96dcfe0dba9a8103f0e5/assets/fonts/Bariol/bariol_thin-webfont.eot? | 205.234.175.175 |
| hxxp://ib.adnxs.com/ttj?id=4454931&size=300x600&cb=1435543906699 | 37.252.163.99 |
| hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-oversee32_3ph_xml&domain_name=directorio-w.com&channel=012783,test55&drid=as-drid-2195165742995947&output=html | 173.194.113.218 |
| hxxp://www.tecno.im/ | 104.28.7.18 |
| hxxp://pl.intag.co/ttj?id=4454931&size=300x600&cb=1435543906699 | 37.252.163.220 |
| hxxp://ib.adnxs.com/ttj?id=4454931&size=160x600&cb=1435543907043 | 37.252.163.99 |
| hxxp://cdn.adnxs.com/p/81/31/b8/3e/8131b83ee4a45d9e14377510efebe15b.swf | 87.245.221.112 |
| hxxp://pl.intag.co/ttj?id=4454931&size=300x250&cb=1435543907324 | 37.252.163.220 |
| hxxp://pl.intag.co/ttj?id=4454931&size=160x600&cb=1435543898543 | 37.252.163.220 |
| hxxp://ww2.directorio-w.com/?ga=sFGFPOkcNg13PMbdi3zqiIGINNv2XsJLCrQ8LrXymthW394txnYfdvW0r0M6fw6SOoY0vRRGsUdcLTcSS/UIcg==&gerf=PjB65BxeleOoSlMNUxgIc/vimuLSbiiUd5rugjk8HZU=&guro=SHtz1e4Y+YLTNk0fu8x6WCIqZKyhh6yYwh41hRO1fyP+x30RlWSCwHPq4hpatd8I& | 141.8.225.161 |
| hxxp://cdn0.iconfinder.com/static/8634111c430e96728cfc4b5479de93e2/assets/img/blog/flat-icons/4/message-top.png | 205.234.175.175 |
| hxxp://cdn.adnxs.com/p/ec/18/d6/e4/ec18d6e4dc741d662378c04a71184dde.jpg | 87.245.221.112 |
| hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1435543898&bdh=LpuOoU4BZyE_cIRO_a_wprkaj4g.&bdref=http://www.tecno.im/&bdtop=true&bdifs=1&bstk=http://www.tecno.im/,http://www.tecno.im/&id=4454931&size=160x600&cb=1435543898543 | 37.252.163.99 |
| hxxp://bit.ly/9shDTd | 69.58.188.40 |
| hxxp://cdn3.iconfinder.com/static/cae879b830d3e826c649c3bac797a9ec/assets/fonts/Bariol/bariol_bold-webfont.eot? | 205.234.175.175 |
| hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1435543906&bdh=dIxJXiPJNwv-KHoYD-VfHJDspas.&bdref=http://www.tecno.im/&bdtop=true&bdifs=1&bstk=http://www.tecno.im/,http://www.tecno.im/&id=4454931&size=160x600&cb=1435543907043 | 37.252.163.99 |
| hxxp://cdn0.iconfinder.com/static/838c1ff91b646f8cdee529fd9f02c1dd/assets/fonts/Agenda/agendalight-webfont.eot? | 205.234.175.175 |
| hxxp://cdn.adnxs.com/ib/async_usersync.js | 87.245.221.112 |
| hxxp://gmtdmp.mookie1.com/t/v2/learn?tagid=164&src.id=Dataxpand&src.rand=6285321069992047 | 208.71.123.98 |
| hxxp://cdn.adnxs.com/v/s/20/trk.js | 87.245.221.112 |
| hxxp://pub.clicksor.net/newServing/js/show.js | 199.21.148.17 |
| hxxp://cdn3.iconfinder.com/static/34e7d4088171083e80067fddb9546644/assets/fonts/Bariol/bariol_light-webfont.eot? | 205.234.175.175 |
| hxxp://pl.intag.co/ttj?id=4454931&size=300x250&cb=1435543899137 | 37.252.163.220 |
| hxxp://onclickads.net/apu.php?zoneid=302661 | 78.140.191.110 |
| hxxp://ib.adnxs.com/ttj?id=4454931&size=300x250&cb=1435543907324 | 37.252.163.99 |
| hxxp://cdn1.iconfinder.com/static/1f64bd2a5a284b059e1b46d49b80d07d/assets/fonts/Agenda/agendamedium-webfont.eot? | 205.234.175.175 |
| hxxp://ib.adnxs.com/bounce?/ttj?id=4454931&size=300x600&cb=1435543897121 | 37.252.163.99 |
| hxxp://ib.adnxs.com/ttj?id=4454931&size=728x90&cb=1435543899480 | 37.252.163.99 |
| hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1435543899&bdh=Ef8WSopfUAqAdmOH-4VEssTfQdM.&bdref=http://www.tecno.im/&bdtop=true&bdifs=1&bstk=http://www.tecno.im/,http://www.tecno.im/&id=4454931&size=300x250&cb=1435543899137 | 37.252.163.99 |
| hxxp://pl.intag.co/ttj?id=4454931&size=160x600&cb=1435543907043 | 37.252.163.220 |
| hxxp://cdn.adnxs.com/p/81/31/b8/3e/8131b83ee4a45d9e14377510efebe15b.swf?clickTag=http://ams1.ib.adnxs.com/click?ZY_EVP5Mfz_v96-k8PF3P23n-6nx0s0_7_evpPDxdz9kj8RU_kx_P6YvdLcAAdB9ZWlRqOFFXwhaqZBVAAAAABP6QwCrCAAASwYAAAIAAACNw6MBCmEJAAAAAQBVU0QAVVNEAKAAWAIpggAAF9MAAgUAAQIAAKAA6StX-gAAAAA./cnd=%216wW_OQjPytsDEI2Hjw0YisIlIAI./referrer=http%3A%2F%2Fwww.tecno.im%2F/clickenc=http%3A%2F%2Fwww.freelotto.com%2Foffer.asp%3Foffer%3D1064776%26affiliateid%3D%26tid%3D | 87.245.221.112 |
| hxxp://tr1.myroitracking.com/newServing/tracking_id.php?d=b.yu0123456.com&r=http://b.yu0123456.com/newServing/tracking_id.php?b=1&>ruid=1 | 199.21.148.123 |
| hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1435543899&bdh=Ef8WSopfUAqAdmOH-4VEssTfQdM.&bdref=http://www.tecno.im/&bdtop=true&bdifs=1&bstk=http://www.tecno.im/,http://www.tecno.im/&id=4454931&size=728x90&cb=1435543899480 | 37.252.163.99 |
| hxxp://ib.adnxs.com/ttj?id=4454931&size=160x600&cb=1435543898543 | 37.252.163.99 |
| hxxp://g01.a.alicdn.com/kf/HTB1BCyqHXXXXXaiXpXXq6xXFXXXg/160x600.jpg | 87.245.221.82 |
| hxxp://b.yu0123456.com/newServing/searchTrack.php?nid=1&sid=452799&random=233896686 | 199.21.148.98 |
| hxxp://b.yu0123456.com/newServing/getkey.php?cb=getkey&ob=Yesup.clicksor.Code[0]&nid=1&pid=278617&sid=452799&spid=&ns=0&nw=1&zone=0&url=http://www.tecno.im/&lb=0&ext=0&oe=utf-8&t7812684&txt=Search Engine | 199.21.148.98 |
| hxxp://www.qseach.com/ | 199.175.53.69 |
| hxxp://b.yu0123456.com/show.php?nid=1&pid=278617&sid=452799 | 199.21.148.98 |
| hxxp://cdn0.iconfinder.com/static/4e9a074acfe29ddb22561e5ec0e8a755/assets/fonts/Bariol/bariol_regular-webfont.eot? | 205.234.175.175 |
| hxxp://b.yu0123456.com/newServing/tracking_id.php?b=1&UID=14355439032978&TRSTR=1&RTID= | 199.21.148.98 |
| hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1435543906&bdh=dIxJXiPJNwv-KHoYD-VfHJDspas.&bdref=http://www.tecno.im/&bdtop=true&bdifs=1&bstk=http://www.tecno.im/,http://www.tecno.im/&id=4454931&size=300x600&cb=1435543906699 | 37.252.163.99 |
| hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1435543897&bdh=CLJtQyJ8JQ34JMyCf2ipx-SXaII.&bdref=http://www.tecno.im/&bdtop=true&bdifs=1&bstk=http://www.tecno.im/,http://www.tecno.im/&id=4454931&size=300x600&cb=1435543897121 | 37.252.163.99 |
| hxxp://dev.dna.mobra.in:8080/425e2w1?debug=1&pixel=1 | 54.86.249.221 |
| hxxp://www.tecno.im/iconfinder.css | 104.28.7.18 |
| hxxp://ib.adnxs.com/ttj?id=4454931&size=300x250&cb=1435543899137 | 37.252.163.99 |
| hxxp://cdn.adnxs.com/p/f7/90/c3/da/f790c3dab707138e35b8b2f09161b977.jpg | 87.245.221.112 |
| hxxp://cdn.adnxs.com/p/3d/71/41/ac/3d7141ac22052046983507e33f92a4e8.jpg | 87.245.221.112 |
| hxxp://www.google.com/images/cleardot.gif | 173.194.113.209 |
| hxxp://ib.adnxs.com/ttj?id=4454931&size=300x600&cb=1435543897121 | 37.252.163.99 |
| hxxp://go.onclasrv.com/apu.php?zoneid=302661 | 78.140.191.112 |
| hxxp://www.directorio-w.com/ | 74.200.250.151 |
| hxxp://4l3dvtv114s.ipcheker.com/ | 199.59.243.120 |
| dev.cs.mobra.in | 54.86.249.221 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):