Skip to main content

Trojan.NSIS.StartPage_b8e98783b2


not-a-virus:AdWare.Win32.OutBrowse.g (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: b8e98783b2c26aa2defbba363852676b

SHA1: cd5b9d5aed2be2b013f203d62b5f902455f18a4e

SHA256: 154386a0feb227ce0ec9dd8b90cb070ca4e8ae74ac666a1012c50c2e55edba07

SSDeep: 12288:79RUJg96 7RAA5OfkogdMfJBYMYevPIMZB8y7RP:7/UepP5Qg2nPfZB8

Size: 575776 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:52

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wmic.exe:832
Setup_product_8181.exe:452
dwwin.exe:1776
%original file name%.exe:1652
MiniGet.exe:204
mscorsvw.exe:1912

The Trojan injects its code into the following process(es):

rdm.exe:988

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process wmic.exe:832 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91406596235.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91406596235.txt (0 bytes)

The process Setup_product_8181.exe:452 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Desktop\MiniGet.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj81.tmp (48331 bytes)
%Program Files%\MiniGet\uninst.exe (314 bytes)
%Program Files%\MiniGet\MiniGetHelper1.11.dll (5064 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\Uninstall.lnk (499 bytes)
%Program Files%\MiniGet\MiniGet.url (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\Internet.dll (4 bytes)
%Program Files%\MiniGet\MiniGet.exe (51840 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\Website.lnk (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\UserInfo.dll (4 bytes)
%Program Files%\MiniGet\Language.dat (3312 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\MiniGet.lnk (678 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\Internet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp (0 bytes)

The process dwwin.exe:1776 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2885B7.dmp (173147 bytes)

The process %original file name%.exe:1652 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.exe (398737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp\Convert.dll (3767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdm.zip (57028 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdm.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp (0 bytes)

The process rdm.exe:988 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bottomLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\topLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\topComp[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Setup_product_8181[1].exe (104889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-ui.min[1].js (7055 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\834b_appcompat.txt (5890 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bgImg[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-ui-1.8.19.custom[1].css (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\914065962350\Setup_product_8181.exe (74898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery-ui[1].css (33 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91406596235.txt (0 bytes)

The process MiniGet.exe:204 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\MiniGet\Config\geturl.html (3 bytes)

Registry activity

The process wmic.exe:832 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD E3 09 17 92 FB 9E DE 43 05 94 7B 5D 57 61 26"

The process Setup_product_8181.exe:452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\BhoPlugin.MiniGetBHO.1]
"(Default)" = "MiniGetBHO Class"

[HKCR\Torrent\DefaultIcon]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCR\BhoPlugin.MiniGetBHO\CurVer]
"(Default)" = "BhoPlugin.MiniGetBHO.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"Publisher" = "MiniGet"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MiniGet.exe]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe"

[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\ProgID]
"(Default)" = "BhoPlugin.MiniGetBHO.1"

[HKCR\BhoPlugin.MiniGetBHO.1\CLSID]
"(Default)" = "{10E1725C-7237-41A9-954A-04DCCB1FD16C}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\.torrent]
"(Default)" = "Torrent"

[HKCR\TypeLib\{3C8BF053-0A65-46FE-A757-2187BD66EF34}\1.0]
"(Default)" = "BhoPlugin 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4E38368B-9E70-487b-9D85-400D462A20AC}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\BhoPlugin.MiniGetBHO]
"(Default)" = "MiniGetBHO Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}\TypeLib]
"(Default)" = "{3C8BF053-0A65-46FE-A757-2187BD66EF34}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\TypeLib\{3C8BF053-0A65-46FE-A757-2187BD66EF34}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Torrent\shell\open\command]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"DisplayName" = "MiniGet 1.0.8.2504"

[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4E38368B-9E70-487b-9D85-400D462A20AC}]
"AppName" = "MiniGet.exe"
"AppPath" = "%Program Files%\MiniGet\MiniGet.exe"

[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}]
"(Default)" = "IMiniGetBHO"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"DisplayIcon" = "%Program Files%\MiniGet\MiniGet.exe"

[HKCR\Torrent]
"(Default)" = "Torrent"

[HKCR\Torrent\shell]
"(Default)" = "open"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"UninstallString" = "%Program Files%\MiniGet\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\BhoPlugin.MiniGetBHO\CLSID]
"(Default)" = "{10E1725C-7237-41A9-954A-04DCCB1FD16C}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCR\Torrent\shell\edit]
"(Default)" = "Edit Torrent"

[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\InprocServer32]
"(Default)" = "%Program Files%\MiniGet\MiniGetHelper1.11.dll"

[HKCR\TypeLib\{3C8BF053-0A65-46FE-A757-2187BD66EF34}\1.0\0\win32]
"(Default)" = "%Program Files%\MiniGet\MiniGetHelper1.11.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"URLInfoAbout" = "http://www.miniget001.com"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 4C 43 42 11 B9 69 25 A1 E0 C8 D5 16 D4 6C 1F"

[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}\TypeLib]
"Version" = "1.0"

[HKCR\Torrent\shell\edit\command]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCR\Interface\{49859A6F-2284-4F06-9F8E-BFE56B35BA09}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}]
"(Default)" = "MiniGetBHO Class"

[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\TypeLib]
"(Default)" = "{3C8BF053-0A65-46FE-A757-2187BD66EF34}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\TypeLib\{3C8BF053-0A65-46FE-A757-2187BD66EF34}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MiniGet"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MiniGet]
"DisplayVersion" = "1.0.8.2504"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{10E1725C-7237-41A9-954A-04DCCB1FD16C}\VersionIndependentProgID]
"(Default)" = "BhoPlugin.MiniGetBHO"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10E1725C-7237-41A9-954A-04DCCB1FD16C}]
"(Default)" = "MiniGetHelper"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10E1725C-7237-41A9-954A-04DCCB1FD16C}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

"ProxyOverride"
"ProxyServer"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MiniGet"

The process dwwin.exe:1776 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 70 42 FB FE 4A B2 B8 12 4F 24 3D B6 D7 79 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1652 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 61 7B AB 3F 0F 23 F9 40 14 F1 7D 46 3B 07 B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rdm.exe:988 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdm.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdm.exe"
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdm.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A E5 3A DE C9 EA B4 47 01 FC B0 A4 D8 00 34 D7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process MiniGet.exe:204 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}\TypeLib]
"(Default)" = "{8D1D099E-10E3-4A58-B430-0743E92DD35A}"

[HKCR\WtlEasyDownload.MiniGet\CurVer]
"(Default)" = "WtlEasyDownload.MiniGet.1"

[HKCR\WtlEasyDownload.MiniGet.1\CLSID]
"(Default)" = "{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download by MiniGet]
"(Default)" = "%Program Files%\MiniGet\Config\geturl.html"

[HKCR\TypeLib\{8D1D099E-10E3-4A58-B430-0743E92DD35A}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}]
"AppID" = ""

[HKCR\TypeLib\{8D1D099E-10E3-4A58-B430-0743E92DD35A}\1.0]
"(Default)" = "WtlEasyDownload 1.0 typelib"

[HKCR\AppID\MiniGet.exe]
"AppID" = "{FB842EEC-64FD-4F93-9AA4-2B5ED5967833}"

[HKCR\WtlEasyDownload.MiniGet]
"(Default)" = "MiniGet Class"

[HKCR\WtlEasyDownload.MiniGet\CLSID]
"(Default)" = "{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\Version]
"(Default)" = "1.0"

[HKCR\WtlEasyDownload.MiniGet.1]
"(Default)" = "MiniGet Class"

[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\VersionIndependentProgID]
"(Default)" = "WtlEasyDownload.MiniGet"

[HKCR\TypeLib\{8D1D099E-10E3-4A58-B430-0743E92DD35A}\1.0\HELPDIR]
"(Default)" = "%Program Files%\MiniGet"

[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}]
"(Default)" = "IMiniGet"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\AppID\{FB842EEC-64FD-4F93-9AA4-2B5ED5967833}]
"(Default)" = "MiniGet.exe"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\TypeLib]
"(Default)" = "{8D1D099E-10E3-4A58-B430-0743E92DD35A}"

[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download by MiniGet]
"Contexts" = "34"

[HKCR\TypeLib\{8D1D099E-10E3-4A58-B430-0743E92DD35A}\1.0\0\win32]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 65 BE 4C 2B 3D FF 4C 6A 2F 54 78 CD D0 BC 1F"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\ToolboxBitmap32]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe, 102"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\LocalServer32]
"(Default)" = "%Program Files%\MiniGet\MiniGet.exe"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}]
"(Default)" = "MiniGet Class"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{3C465DCB-2BE0-4444-95DA-B62726035134}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{70F1E7CC-3E8E-45F0-904C-8D16C1F92720}\ProgID]
"(Default)" = "WtlEasyDownload.MiniGet.1"

The process mscorsvw.exe:1912 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

Dropped PE files

MD5 File path
3b59515d6422423c08f40792b281fa18c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\914065962350\Setup_product_8181.exe
d6e0ddfb07ce57131822da50e4683913c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw7F.tmp\Convert.dll
5f13dbc378792f23e598079fc1e4422bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw7F.tmp\nsisunz.dll
262baaa1c13e12792aa4e4ae1d8adf6ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\rdm.exe
3b59515d6422423c08f40792b281fa18c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Setup_product_8181[1].exe
06a9f7c6a2c0888eed6ed76ef868b26dc:\Program Files\MiniGet\MiniGet.exe
629c73313668a099bcf7901c0736ed4ac:\Program Files\MiniGet\MiniGetHelper1.11.dll
fcc1b73023b0e939934782e217de53cbc:\Program Files\MiniGet\uninst.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

Company Name:
Product Name: MiniGetSmartDownloader
Product Version: 5.0
Legal Copyright: MiniGetSmartDownloader
Legal Trademarks: MiniGetSmartDownloader
Original Filename:
Internal Name:
File Version:
File Description: MiniGetSmartDownloader
Comments: setup Installer
Language: English (United States)

Company Name: Product Name: MiniGetSmartDownloaderProduct Version: 5.0Legal Copyright: MiniGetSmartDownloaderLegal Trademarks: MiniGetSmartDownloaderOriginal Filename: Internal Name: File Version: File Description: MiniGetSmartDownloaderComments: setup InstallerLanguage: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623628240644.46394856b32eb77dfd6fb67f21d6543272da5
.rdata28672476451203.4982dc77f8a1e6985a4361c55642680ddb4f
.data3686415471210243.32787922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata1925123686400d41d8cd98f00b204e9800998ecf8427e
.rsrc229376330435842.83326550717244b27c3883eae8c7b64ece48e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 22
5cc69dc58b1346cf23749986ae796b7c
49289cbc4310ffe886146d521d7b082d
fd0d0a6bece4326345d2ee96b281888b
fcbba6f30b0e4d42025a3ee736271e3e
29de71ac44e376bd0d98b84c1d23b7e4
ad10be0743fbe2d15515b27747c29514
b586d5a9c7a5b7d8d12667675ab965ef
f446d63fbaa6ae523b61e1f524f4b56b
af454d0d4ddf9304e9881d7251ef2f21
296586b670b1c6941d30cd68380522de
4591d0f929504003a4275809dd26aa55
b66346f025e03d6cb27e7c0fe6c641c6
267f703131ee0797f1ff1897c00161a5
40138d8f5cfd8c4edd506693f7866bf8
679c5fc02b97f50c32daec1d9307699d
bbc7316634ebbd060a87cb086d77851f
65743159432f5bf946a43073eca2db27
9f15c6681e672da21e85000c5801ffe8
5b2d970322724d3f4c0f1c04695f92cd
d1771516c531cc8c7ef3f2aff2555ff0
8a865f2235ec6911cad1b83acc6e49a0
e2360edefe73ae09bfa0d666e3c2823b

Network Activity

URLs

URL IP
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.3
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/Files//Setup_product_8181.exe
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&reqid=127431706&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=8181&offerscreenid=&offerorder=15&downloadduration=1281&installduration=454&issecond=0
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.5/jquery.min.js
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css
hxxp://www.miniget001.com/report.php?action=0&ver=1.0.8.250450.116.42.156
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/topLine.jpg
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/bgImg.jpg
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/topComp.png
hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/bottomLine.jpg
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png
hxxp://static.revenyou.com/offers/images/Theme7/topComp.png198.232.124.224
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png64.233.171.95
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png64.233.171.95
hxxp://dl.revenyou.com/Files//Setup_product_8181.exe198.232.124.224
hxxp://data.getserverinfo.com/Installer/Flow?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.354.204.28.81
hxxp://data.getserverinfo.com/Installer/Track?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&reqid=127431706&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=8181&offerscreenid=&offerorder=15&downloadduration=1281&installduration=454&issecond=054.204.28.81
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js64.233.171.95
hxxp://static.revenyou.com/offers/images/Theme7/bottomLine.jpg198.232.124.224
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css64.233.171.95
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js64.233.171.95
hxxp://static.revenyou.com/offers/images/Theme7/bgImg.jpg198.232.124.224
hxxp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css198.232.124.224
hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&54.204.28.81
hxxp://static.revenyou.com/offers/images/Theme7/topLine.jpg198.232.124.224

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/css; charset=UTF-8

Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT

Date: Tue, 29 Jul 2014 05:18:10 GMT

Expires: Tue, 29 Jul 2014 06:18:10 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 6091

X-XSS-Protection: 1; mode=block

Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600

Age: 3019

Alternate-Protocol: 80:quic

...........=k.....3...E...yl.=.=.....7@..6..~...e.#K.$.#A..=.!%J|iz...;@Z.:...y..}..........X.H~{G...O~......-.M^M....@o..c.....Og.s............!/.Ms.\\...'t.&qy..........hN.,fE..r*.V.f..O.>.."...G._.... s.WO8f....v...dJ>O...H ..o..>..! v.o~y...gg.....#.D.,?BwgQ...&.,B.h.%. .'.d.1...R...&.M...1..l.3.?.u..t.B.u...F....e....&q..7.bq.bv| ........... V..z;.j.A_.kr.I.J...e.z..A.yV0........0..5i.C.%,. .L..iY4Q.}...t......y..U.q.h.f..-K.....3.6...H..Y..|..u.....\d[T.........>......|...Y...T.*...<..X..F.S.:.4..G.<.r`k.&?........0.p.w gEcN..=.'8a...E......~...$OXJOy.s)...ud..\tQ.Z$$;..|.}g@G..m^...S2.gn.h......;V.yy.!...{4..U%D>x....{...2.SV....!Y<....3..e...cMTb.5.,f...r..$Or..%X...78.I.>..Y.99@.........U......4....5.......2.......UY.<.W EY.h.<.U.l2c.....V.J..T.^...owo.....(...|...Sh..~x..l..ovyY.7...M... ..v2.%.j....Np1_....4...M...9.~.,y.V..b.-...i.&i.q...W7......*1.QP.k:C..^.k6..T.\.u,..LW.(S<)5.............X...ZW...#.UC*.:nT;.....\<._.. J.YK.:9.H}3....U.B..$..W..f$l]^m....@..c..........0.h...l.q.,(."......l.%........:.A..y.'n.. ..j:.q2.]r..M...j.JSQ....i.8...J...".iZ.V.....5..'S:.*..C..V.Y.!S.k*.:FT.tv...1.P.A.e..r.h......-..uGZ6.(.....l..!5....z....2M!.?.G.........'....U>..-aH/ .E.D.T{J..C!...tK.!.a.v..~......$....5 ..xj.u...P...x.@ F{..S..R.O.<d#.E%PS.//......5fV.4...1..S.......mw..#..o Q. .....p_yI..ox.....UM.uP....b.v0GE.....A....X.!pX4.......Y-o..f9.....L.p$.........;..P...Q.b........mZe..$s..].8..t...M...o......X...S".>..1A*.....2h......D.j8Y..wL..^.| ....1...`C

<<

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT

Date: Tue, 29 Jul 2014 05:46:41 GMT

Expires: Tue, 29 Jul 2014 06:46:41 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 88

X-XSS-Protection: 1; mode=block

Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600

Age: 1312

Alternate-Protocol: 80:quic

.PNG........IHDR.......d.....G,Z`....IDAT..c.....&.....G0..ed.......w...........IEND.B`.....

GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Fri, 12 Oct 2012 18:27:19 GMT

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Date: Tue, 29 Jul 2014 05:29:16 GMT

Expires: Tue, 29 Jul 2014 06:29:16 GMT

Age: 2358

Server: GFE/2.0

Alternate-Protocol: 80:quic

GET /Files//Setup_product_8181.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dl.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 29 Jul 2014 06:08:28 GMT

Content-Type: application/octet-stream

Content-Length: 697949

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Thu, 27 Feb 2014 09:31:46 GMT

ETag: "19acebb9e33cf1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Tue, 05 Aug 2014 06:08:28 GMT

X-Cache: HIT

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s..........(............................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc...(............v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<

<<< skipped >>>

GET /Installer/Flow?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.3 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: data.getserverinfo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Tue, 29 Jul 2014 06:08:27 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 18943

Connection: keep-alive

..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8 $.Fmkcsez_oajgRvjdo"8.*(, ).QagI`q.3 EEDU_APJM>LQYTOEP.Kj_rt[qa\ZN]\kaeJqktc^lRL ).QagI`q1- 7.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWTN^_o]gLrmo]^mUP. .RckgmmL^gd.: N]\kaeJqktc^l.PQ/. .Ppj\p\rF>!6153,-% >fv]yqJ^a^p.4/("GnO\brCiqEnqoYge 7 .Ev`MME 7.gptn5'*]j.(ckwln]moco,-_ok*Ailr^fkar-N]\kaeJqktc^lB^lblh_/Q`Ym\fMlnpeao?`gcocb..cs].% BrdQRJ-.5.fqno6/-_d,'blqmoepq]m ,`il Ilnl\ejbl.Oe_m[cIplnd_tE`f`kg`)Raap^`Kkmq_bpGci]mba/(dte '.>hkj[m`Lgi].3 .)QAG;RK...,=SED;>L.,03,21"*.Ga_coOQH"8.`omn7).`ip`[o're_,]pnn%ok_`e-_ok*'j_dblr DwiYhbaL`earQ^j`^l<iebepd\8*/4 onobp[obb: 6440!\dlrf^<47.,.g^_aj<416,.^hsknquib8/,.qvmaet;.*!]d_7/"h`8(.% O[sa"8()'.?a^hpimiYg=_q[!6" '.<grfphnuq`kM^eH_xo"8..'.N^snqt 5%,% B`eacrdn`.8* .PpjejmglhQ]tc.2(**.>hocp`h\gavL`pe 5%,% Pfdap?al`kGkms]lj.2 v*x.Oksr@p`.8.. .Pp`=s^ 7.!("AjekhlbhsPyn`.5)*.Gnjirdr\mglhSupcn.5.0*-,-5 '.M^eH_x.: CC@R]@OQNELOWPLCO.RkfrrYm^ZYMd]racHmhrb]sENR-.'.PbaJay4/.5.FH?X[CSMJ@GR\ORAR.Ngamu^ldX\Q`Ym\fMlnpeaoAIM0.&!NenjjoG_j_!6"Q`Ym\fMlnpeaoAIM0.&!Lrm_m^mGA.9014-$.:jt[xoOda]m.8-&!EsU\ao?moCmot_gd.3/).DteSMD.3 ensl:-*\g*,aivjscmn`k/ ]ni/GikoZji_q Sc\j^aNoisacrB]i^pf].Oe_m[cIplnd_tE`f`kg`.Ratsk&`qc.&!AxcPJG 7.gptn5'*]j.(ckwln]moco -_ok*Ailr^fkar-N]\kaeJqktc^lB^lblh_/Q`Ym\fMlnpeao?`gcocb0Scomk'cu_!("AjehZlaFhje 5..(PBA<ENR-..(AQCC9CR. ,250-!("Ma^`kSOF!6"folk3-,^hneao&oac*[

<<

<<< skipped >>>

GET /Installer/Track?pubid=5654&distid=8701&productid=8181&subpubid=0&campaignid=0&networkid=1&reqid=127431706&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:7C:CD:1F&netv=&d1=1500000&d2=1&d3=-1&d4=-1&d5=-1&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=8181&offerscreenid=&offerorder=15&downloadduration=1281&installduration=454&issecond=0 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19

Host: data.getserverinfo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Tue, 29 Jul 2014 06:08:27 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 8

Connection: keep-alive

..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Tue, 29 Jul 2014 06:08:27 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK....

GET /report.php?action=0&ver=1.0.8.2504 HTTP/1.1

User-Agent: Lobo Lunar

Host: VVV.miniget001.com

HTTP/1.1 200 OK

Date: Tue, 29 Jul 2014 06:08:32 GMT

Server: Apache/2.2.14 (Ubuntu)

X-Powered-By: PHP/5.3.2-1ubuntu4.19

Vary: Accept-Encoding

Content-Length: 2

Content-Type: text/html

1...

GET //offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0& HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: direct.the-apps-track.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Date: Tue, 29 Jul 2014 06:08:27 GMT

Server: Microsoft-IIS/8.0

X-AspNet-Version: 4.0.30319

X-AspNetMvc-Version: 4.0

X-Powered-By: ASP.NET

Content-Length: 7095

Connection: keep-alive

.<html>. <head>. . <style type="text/css">. .ui-progressbar-value { background-image: url(images/pbar-ani.gif); }. </style>. . <link type="text/css" href="hXXp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css" rel="stylesheet" />. <link href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css" rel="stylesheet" type="text/css" />. <script type="text/javascript" src="hXXp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>. <script type="text/javascript" src="hXXp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>.. <title>2 - NonProduct (MiniGet Smart Downloader)</title><script type='text/javascript'></script><style type='text/css'>body { width:100%; height:100%; margin:0px; padding:0px; font-size:font-family:helvetica; font-size:12px; } .divLeadpName { margin-left:61px; margin-top:9px; font-size:font-family:helvetica; font-style:italic; font-size:25px; font-weight:bold; color:black; position:absolute; } .divOnNext { position:absolute; bottom:11px; right:28px; width:124px; height:35px; cursor:pointer; background:url("hXXp://static.revenyou.com/offers/images/Theme7/button.png");} .divAccept { text-align:center; f

<<

<<< skipped >>>

GET /offers/ui/css/start/jquery-ui-1.8.19.custom.css HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 29 Jul 2014 06:08:29 GMT

Content-Type: text/css

Content-Length: 20706

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Thu, 26 Apr 2012 17:23:56 GMT

ETag: "ca38195cd123cd1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Tue, 05 Aug 2014 06:08:29 GMT

X-Cache: HIT

Accept-Ranges: bytes

/*!. * jQuery UI CSS Framework 1.8.19. *. * Copyright 2012, AUTHORS.txt (hXXp://jqueryui.com/about). * Dual licensed under the MIT or GPL Version 2 licenses.. * hXXp://jquery.org/license. *. * hXXp://docs.jquery.com/UI/Theming/API. */../* Layout helpers.----------------------------------*/..ui-helper-hidden { display: none; }..ui-helper-hidden-accessible { position: absolute !important; clip: rect(1px 1px 1px 1px); clip: rect(1px,1px,1px,1px); }..ui-helper-reset { margin: 0; padding: 0; border: 0; outline: 0; line-height: 1.3; text-decoration: none; font-size: 100%; list-style: none; }..ui-helper-clearfix:before, .ui-helper-clearfix:after { content: ""; display: table; }..ui-helper-clearfix:after { clear: both; }..ui-helper-clearfix { zoom: 1; }..ui-helper-zfix { width: 100%; height: 100%; top: 0; left: 0; position: absolute; opacity: 0; filter:Alpha(Opacity=0); }.../* Interaction Cues.----------------------------------*/..ui-state-disabled { cursor: default !important; }.../* Icons.----------------------------------*/../* states and images */..ui-icon { display: block; text-indent: -99999px; overflow: hidden; background-repeat: no-repeat; }.../* Misc visuals.----------------------------------*/../* Overlays */..ui-widget-overlay { position: absolute; top: 0; left: 0; width: 100%; height: 100%; }.../*!. * jQuery UI CSS Framework 1.8.19. *. * Copyright 2012, AUTHORS.txt (hXXp://jqueryui.com/about). * Dual licensed under the MIT or GPL Version 2 licenses.. * hXXp://jquery.org/license. *. * hXXp://docs.jquery.com/

<<

<<< skipped >>>

GET /offers/images/Theme7/topLine.jpg HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 29 Jul 2014 06:08:33 GMT

Content-Type: image/jpeg

Content-Length: 1785

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Tue, 12 Mar 2013 18:05:10 GMT

ETag: "0fac224c1fce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Tue, 05 Aug 2014 06:08:33 GMT

X-Cache: HIT

Accept-Ranges: bytes

......JFIF.....d.d......Ducky.......<......Adobe.d.................................................................................................................................................2.N.............\.................................................................R..T.................................?.....mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2....[Y)../....L.y}f..Jd...6..S ._Y...............mmd.@<..kk%2................................................................................................................ ................................................................................................................... 5.qD...(..].......Qw.@j....E.Q.... 5.qD...(..].......Qw.@j....E.Q.... 5.qD...(..].......Qw.@j....E.Q.... 5.qD...(..].......Qw.@j....E.Q.... 5.qD...(..].......Qw.@j....E.Q.... 5.qD...(..].......Qw.@j....E.Q.... 5.qD...(..].......Qw.@j....E.Q.... 5.qD...(..].......Qw.@j....E.Q.... 5.qD...(..].......Qw.@j....E.Q.... 5.qD.(......P..@(......P..@(......P..@(......P..@(......P..@(......P..@(......

<<

<<< skipped >>>

GET /offers/images/Theme7/bgImg.jpg HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 29 Jul 2014 06:08:33 GMT

Content-Type: image/jpeg

Content-Length: 2801

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Tue, 12 Mar 2013 18:05:10 GMT

ETag: "0fac224c1fce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Tue, 05 Aug 2014 06:08:33 GMT

X-Cache: HIT

Accept-Ranges: bytes

......JFIF.....d.d......Ducky.......<......Adobe.d.................................................................................................................................................,.N.............Q...........................................................................................?..H........ ... .U..@E.....@@............( .PE..E...@P...............................%.A..D...@.@@...."......"..%.P...@..E.@................- ..... ........@..D...@.@@....".......(...(......". ................FZ....P...QA...@..D...@.@@.....P.@.P@........E...........................(. ... ........... ..... .. .( ...."..."... (... ..............Q......@.T.@.P...P...............A......@.......D..................j2..........%P...P.......... .. .. ."..%Q...P..D..@...................- .. .... .E............( ..............@..E..A.....@...............j2.(.......P....@.A......... . . .."..%.P...@..E.@...................i................... .....(. .( ........".........................4.i.........A.@.A......@....@.P@........E............................H ... .(...(...................... ...............................e@.EA..@...@.@.....J.............. . .............................I..E.@........ ........@P.@T...A...(.....".. ......................4.i...J(. .(...(........A@A.AA.E..J....".. ..... ....................E........@.A......... . . ..".. ".......(.........................4YP.E..E...E........A@A.AA.@..@.@.......@.........................,........ ..... ..........( .(. .(..".............................U..A....

<<

<<< skipped >>>

GET /offers/images/Theme7/bottomLine.jpg HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: static.revenyou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 29 Jul 2014 06:08:33 GMT

Content-Type: image/jpeg

Content-Length: 1654

Connection: keep-alive

Cache-Control: max-age=604800

Last-Modified: Wed, 13 Mar 2013 13:08:16 GMT

ETag: "35420d3eb1fce1:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Tue, 05 Aug 2014 06:08:33 GMT

X-Cache: HIT

Accept-Ranges: bytes

......JFIF.....d.d......Ducky.......<......Adobe.d.................................................................................................................................................2.N.............[..............................................................Q.....T................................?..?/.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...<.........qZ...... X[@._Y.k.h...8.am.y}g..-../.........V...\................................................................................................................@..5.j.....P...@..5.j.....P...@..5.j.....P...@..5.j.....P...@..5.j.....P...@..5.j.....P...@..5.j.....P...@..5.j.....P...@..5.j.....P...@..j.N......;0..f.t..n.......v`7N......;0..f.t..n.......v`7N......;0..f.t..n.......v`7N......;0..f.t..n.......v`7N......;0..f.t..n.......v`7N......;0..f.t..n.......v`7N......;0..f.t..n.......v`7N......;0..f.t..n.......v`7N......;0..f.t..n.......v`7N...................................................................................................................................................

<<

<<< skipped >>>

GET /ajax/libs/jquery/1.5/jquery.min.js HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT

Date: Tue, 29 Jul 2014 05:23:35 GMT

Expires: Tue, 29 Jul 2014 06:23:35 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 29947

X-XSS-Protection: 1; mode=block

Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600

Age: 2694

Alternate-Protocol: 80:quic

...............F....>..R..1.d...j0!^Y....l..jW....@..w.Le.I............@0.....$..}9[.......O....f.O.......6......6...W.?..!.t............C...r....'.}.Y..J5.....?g.|...n.Ec...j.....Q.m..Y..w...m..?}...l.....3.o.>mp..t.g..w.tq;.v...o.-..l...q.lg:z..w..W....zM.....d.9[d.IOU....T#^....;..1..,..o.o.m.......g...}.m5.._u........*ES~.....5.....m......v..%_..w......Z..w.6Y.E.....l......gw.C....l...a..X.:F...o&...a...z.D#...Zq.{...x..V.wk.K..O^..(i.......f.SR/io...c..=.,.^x..*...~..4...:.{=n(J.z(..t(.q..i.p...Y.N.tD..J.=........vXn.K..e.-xH..i..F.1..f.....e.o?..\ew....>~...c2........z..............Gj.zB.;:....2..M.sF.s../..*8..o....x.;....>& n.... .....y......4Ui.@......b.m/.h...?U.....=T.EE.N.i..DMU.e.E....j..Q6...B-.J....>M....:.MZ-.4.Z..._..i.%..m..]..........o.........~.......3...HN..t.................E/[....-..vq..y....-....j......0.xO..U4W..&Jx.ktt.<..u.6oNK..x..h....p.Oh.......P...6...R.C..\.n..m..?..W....6..G.....hn..h.o......!.ep6...T..N..$.......5.)P...3.V......_.O...5..gl.5........c......6.m...^..b...c.y.r..$.....L..p...o.................(,uB..T.2_28....d..us.f1.L..=..&..bV..m<..=........3D..\.Y..r3....A_.Y.G.%.....7|.$t.Z.k..C..\.8?.h...q....naF.i-.......B..`6t.._..h12n....v..".pq..C.h.......x...N.L...p..............f`E@.ha.....m..zj.] h........v..(i....|mv....7.......t......j..j...c.K2...;.4.$;Ve...-o4.~.;..h.M...(*N....m0T.G]5.......K`#.&..Z.V...3......m2.Z.hJ;..F...`Q.QM.?.,..E........@......=.b.........._.Fi.h6........l....2.}$...>.=.N.M)....$eP..]..p%M....|.e......&jJ...x.u...:..

<<

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/jquery-ui.min.js HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT

Date: Tue, 29 Jul 2014 05:34:22 GMT

Expires: Tue, 29 Jul 2014 06:34:22 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 51558

X-XSS-Protection: 1; mode=block

Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600

Age: 2051

Alternate-Protocol: 80:quic

............iw...0....d...-.@......."...x{,y.<....n.M....ZB...w...AP...9.L,.k_n..n.{.......V..G..<........}......n.........l..Y....z3..................E1.-.uz..........ZXI..rZm....../X...4.......@..Z......yUlB..U#..L...1p.>...2...].....M(...J.....e..I......5...9...e.....&.........W..y...f./..j..}^....r...n.._7.j.o..v.i./a.7uq......r.%.,......j9..Y.s......@..$...... \...H...=....?....y...}W..b].G..|-....wG.N.O<.H.Q...'w......H.....*.....?..Uo..n..Z=..U...I...*..,....J.@.b.....l.[@E1.....jq<..V.d.=.n......,..o... .gY.G....N%$f..u..."J.....xvrR..$.q..i....l..m7....p...]./!.......JF0..^.. ...Q.....H..q...._wr"9..S].I/_.....~M...Z..U5..^q.z..U...k..........Q.........v...[.v..`:UJvIo^-...........n.;..{o....p.CliS-J..w27...F.....v .{...t..........g._._...~z......wz.......gP.K.....W....w/.ym......B.cH....?~..~/.~..../...._.........4..s........x..z|...^|.../.._..?.z..............?.......?=......N......_<...3.n..I/..../ e.Rd../U...|...O.....Pi.~.....=.5..%~z...oh..?.._~J.?.?.....0....g.. ....0....W...x....W.k|)....h....n...7Y....c..l.Y..._...3.D.f.,n..G?.'h...*.l...ZN...R...q..F.;.*/f6T.q-3........Z.n..y\&.].......*.C..p..I.U.Z/....`..W..k<.Pn]....OtJR...P...j.n...z]W''..z.o.b.....m...K...u.)..%.v{.8p9..T....4U......X..U.o'...T.....D...G.tc.3o....8./.a.NK^...........q?I.0.....)-..m.\..m...@.0......\..{.>........D..n..Gp..)R:...>.D ....d.nV.......C....pWe.?Xl.B.....6} .Q.4...j....^.6q..3..>5w\.....'.@....&6...?ok..$.;....[...!Vo........vx}{s.L.dA...6......8.r......bt.>"a........0...I~;....

<<

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1

Accept: */*

Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=8701&leadp=8181&countryid=71&sysbit=32&dfb=0&hb=0&external=0&

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT

Date: Tue, 29 Jul 2014 05:29:16 GMT

Expires: Tue, 29 Jul 2014 06:29:16 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 3457

X-XSS-Protection: 1; mode=block

Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600

Age: 2357

Alternate-Protocol: 80:quic

.PNG........IHDR.......d.....p..}...HIDATx...K..N................q..B....6...._.d.c.......*...V......|U.......w-...p..>Z..........`............`............`............`............`............`............`............`.......@.....:n.K>.u.....X..V..G........l.9......j6.x..xu..y...I... gZ.D.L...........4[OG.8.|d.....;.N[O..lz.M....{..ne.Z1..VlO...e..k.g.........k.6.r..........be'`t#..zu39.|[..6=9....4..H."...-Cd.D.z.3c.g...S.,..D7.h.H=O.F6.{7.....H6G...S.......U.9.%w....`C.....y.G^@......O..........0.l.....0.Z.4..H..[.k..Z..Z..zm].v.......J.$ZMZ..yK.....Z.4.Z.Z.Z.Gr..M..j.b..Z^.1c.E........,....6&.9....3)....[W.vH...a...k~....,.........1..k.R..........iWd....M.V..O)..?y.....W...._<....p.p....`............`..b.......:............:.............Xj)...w.....-?M.bE|[...I.eki......&.U.6.........l4.[..N.F.....|...qc.Zj.7.....;.f/..w..=......}L[...k.E.S/.x....3-...^.R....."Z.........[........:.;...n.Z..~.....;.....%w....P7...'R^....E[?.C...X.$.^Y.Yj...}...iS.O.....m........r%..4yy.r..I.....Io...'i..;..._....K.7.%.Q../.\......X....3;_........[...[..ti.........._.-..Z.l;j)e.L.lyf"Dm..^4...-.|G.E VdRD..M....S[.{.i6G...~/7V.h....M..;^.1~.}.;......=9.]S2....y.w|Y.#s(..X..;....:=....Y_#.\r......RkY.$.e.mk..n.E|..m|....kk...O.......'......-..n.z..XZ}m\H.._e.....V.x9........!.../.xs......f.......5.Zl .......x.....].?/..9r......h...]^}M....<....;..........p.p....`........}.....n..~....4............. ^=..kc...|j..4{u[.......H.2...Y1......R..|x.5M......j..4.%..x......!ij....bXcT..^ file.

  • Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\91406596235.txt (238 bytes)%Documents and Settings%\%current user%\Desktop\MiniGet.lnk (666 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsj81.tmp (48331 bytes)%Program Files%\MiniGet\uninst.exe (314 bytes)%Program Files%\MiniGet\MiniGetHelper1.11.dll (5064 bytes)%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\Uninstall.lnk (499 bytes)%Program Files%\MiniGet\MiniGet.url (51 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\Internet.dll (4 bytes)%Program Files%\MiniGet\MiniGet.exe (51840 bytes)%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\Website.lnk (678 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsz82.tmp\UserInfo.dll (4 bytes)%Program Files%\MiniGet\Language.dat (3312 bytes)%Documents and Settings%\%current user%\Start Menu\Programs\MiniGet\MiniGet.lnk (678 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\2885B7.dmp (173147 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.exe (398737 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (8368 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp\nsisunz.dll (211 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsw7F.tmp\Convert.dll (3767 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\rdm.zip (57028 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bottomLine[1].jpg (1 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\topLine[1].jpg (1 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\topComp[1].png (1 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Setup_product_8181[1].exe (104889 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-ui.min[1].js (7055 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\834b_appcompat.txt (5890 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bgImg[1].jpg (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (2321 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-ui-1.8.19.custom[1].css (5521 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\914065962350\Setup_product_8181.exe (74898 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DynamicOfferScreen[1].htm (948 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery-ui[1].css (33 bytes)%Program Files%\MiniGet\Config\geturl.html (3 bytes)

  • Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  • Reboot the computer.
    • *Manual removal may cause unexpected system behaviour and should be performed at your own risk.

    Map

    Strings from Dumps