Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ba7ec741916acf6265a8a48c89c19261
SHA1: e6198cf787aec26d72c05c1ea1d1ff077f47ec5b
SHA256: c792c886022b78e123676ee96cfd8dd8135db31f64a828cc6df0fffc28b4f7db
SSDeep: 196608:8qmHbnswxJohAk7W1E5l8WQeUEQ8d9J6PooTzdvcErRdvdmFfL9pQf8JBtWej:yohA5y5ODeFQ8d9w3zdVXlmFBLxWW
Size: 12138496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed (high overall entropy, which is also what a 12 MB installer carrying a compressed payload looks like)
PEID: UPolyXv05_v6 (PEiD signature match; such matches on large compressed installers are frequently spurious, so confirm by inspecting the PE sections before treating the file as packed)
Company: no certificate found
Created at: 2014-02-16 13:50:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found. The observed behaviour is that of an NSIS-built PowerISO 5.9 installer (System.dll, inetc.dll and InstOpt.dll under the nsX.tmp directories are NSIS plugins) which also installs the SCDEmu kernel driver and registers a shell extension, and which, through SPIdentifier.exe, downloads SPIdentifierImpl[1].exe (run as nsjA.exe, same 64797-byte size) that writes %Program Files%\SearchProtect\Main\rep\SystemRepository.dat; sp-downloader.exe is dropped but is not observed executing. The ConduitFlag, TbInstallFlag and TbShowFlag values written under HKCU\Software\PowerISO and HKLM\SOFTWARE\PowerISO are consistent with a bundled search/toolbar offer, which is the part of this sample that warrants attention.
Process activity
The Trojan creates the following process(es):
nsjA.exe:440
%original file name%.exe:1088
regsvr32.exe:176
regsvr32.exe:884
PWRISOVM.EXE:388
Setup.exe:432
SPIdentifier.exe:224
nss6.tmp.exe:1256
The Trojan injects its code into the following process(es): none observed.
Mutexes
The following mutexes were created/opened: none observed.
File activity
The process nsjA.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\inetc.dll (0 bytes)
The process %original file name%.exe:1088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (758 bytes)
%Program Files%\Common Files\Setup.exe (43956 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iwdqkkj (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (47161 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Program Files%\Common Files\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iwdqkkj (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
The process Setup.exe:432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO Virtual Drive Manager.lnk (1 bytes)
%Program Files%\PowerISO\Readme.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\Uninstall PowerISO.lnk (1 bytes)
%Program Files%\PowerISO\PowerISO.chm (15536 bytes)
%Program Files%\PowerISO\Lang\Slovak.lng (1856 bytes)
%Program Files%\PowerISO\License.txt (3 bytes)
%Program Files%\PowerISO\Lang\Urdu(Pakistan).lng (1856 bytes)
%Program Files%\PowerISO\Lang\Lithuanian.lng (1552 bytes)
%Documents and Settings%\All Users\Desktop\PowerISO.lnk (682 bytes)
%Program Files%\PowerISO\Lang\TradChinese.lng (784 bytes)
%Program Files%\PowerISO\Lang\Norsk.lng (1552 bytes)
%Program Files%\PowerISO\Lang\italian.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Ukrainian.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (288986 bytes)
%Program Files%\PowerISO\libFLAC.dll (5520 bytes)
%Program Files%\PowerISO\PowerISO.exe (85410 bytes)
%Program Files%\PowerISO\Lang\Malay.lng (1856 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO Help.lnk (1 bytes)
%Program Files%\PowerISO\Lang\Indonesian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Swedish.lng (1856 bytes)
%Program Files%\PowerISO\lame_enc.dll (9320 bytes)
%Program Files%\PowerISO\Lang\Japanese.lng (784 bytes)
%Program Files%\PowerISO\Lang\Hungarian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Vietnamese.lng (1552 bytes)
%Program Files%\PowerISO\Lang\czech.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Greek.lng (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\System.dll (11 bytes)
%Program Files%\PowerISO\Lang\Slovenian.lng (784 bytes)
%Program Files%\PowerISO\Lang\German.lng (1856 bytes)
%Program Files%\PowerISO\Lang\SimpChinese.lng (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss6.tmp.exe (85410 bytes)
%Program Files%\PowerISO\Lang\Bosnian.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\InstOpt.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
%Program Files%\PowerISO\Lang\Thai.lng (1552 bytes)
%System%\drivers\scdemu.sys (3616 bytes)
%Program Files%\PowerISO\Lang\Korean.lng (1552 bytes)
%Program Files%\PowerISO\PWRISOSH.DLL (6360 bytes)
%Program Files%\PowerISO\piso.exe (11 bytes)
%Program Files%\PowerISO\PWRISOVM.EXE (12024 bytes)
%Program Files%\PowerISO\Lang\Farsi.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Program Files%\PowerISO\uninstall.exe (2571 bytes)
%Program Files%\PowerISO\Lang\Portuguese(Brazil).lng (1856 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO.lnk (1 bytes)
%Program Files%\PowerISO\Lang\Dutch.lng (1856 bytes)
%Program Files%\PowerISO\Lang\danish.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Russian.lng (784 bytes)
%Program Files%\PowerISO\Lang\Spanish.lng (1856 bytes)
%Program Files%\PowerISO\Lang\french.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Armenian.lng (1552 bytes)
%Program Files%\PowerISO\History.txt (7 bytes)
%Program Files%\PowerISO\Lang\Azerbaijani.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Belarusian.lng (1856 bytes)
%Program Files%\PowerISO\MACDll.dll (6584 bytes)
%Program Files%\PowerISO\Lang\Serbian(cyrl).lng (1552 bytes)
%Program Files%\PowerISO\Lang\Arabic.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Bulgarian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Polish.lng (1552 bytes)
%Program Files%\PowerISO\Lang\croatian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\kazakh.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Turkish.lng (1552 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\InstOpt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp (0 bytes)
The process SPIdentifier.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjA.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp (2820 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjA.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst9.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7.tmp (0 bytes)
The process nss6.tmp.exe:1256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\PowerISO_Setup.txt (2 bytes)
Registry activity
Note: the "Seed" value under HKLM\SOFTWARE\Microsoft\Cryptography\RNG, the Explorer "Shell Folders" and "MountPoints2" values, the Internet Settings "Cache\Paths" values and the ShellNoRoam\MUICache entries that recur below are written by Windows components (CryptoAPI, Explorer, WinINet) as a side effect of ordinary API use by any process; they are listed for completeness and are not indicators by themselves.
The process nsjA.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 74 5F 33 53 C9 8D D2 56 D5 73 65 9E 55 B2 AB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets the following Internet Explorer zone-map values (these are the standard Local intranet zone options; they are commonly written as a side effect of any process that initialises WinINet, so on their own they are not evidence of tampering):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (treat all UNC network paths as Local intranet)
"ProxyBypass" = "1" (treat all sites that bypass the proxy server as Local intranet)
"IntranetName" = "1" (treat all local, dotless intranet names not listed in another zone as Local intranet)
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Caveat: on a sandbox with no proxy configured, ProxyEnable = 0 together with the "MigrateProxy" = "1" and "SavedLegacySettings" values above is consistent with WinINet's one-time migration of legacy proxy settings rather than deliberate removal of a proxy; confirm the behaviour on a host that has a proxy server or PAC URL configured before treating it as proxy tampering.
The process %original file name%.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 37 F5 08 42 B5 13 E1 15 B6 62 E3 69 57 D3 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\PowerISO]
"CheckUpgrade" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\PowerISO]
"Language" = "1055"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\PowerISO]
"User" = "00 16 53 6F 6C 69 64 53 68 61 72 65 20 50 72 6F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files]
"setup.exe" = "PowerISO Setup"
The Trojan sets the following Internet Explorer zone-map values (the standard Local intranet zone options, commonly written as a side effect of WinINet initialisation and not evidence of tampering on their own):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1" (treat all local, dotless intranet names not listed in another zone as Local intranet)
"UNCAsIntranet" = "1" (treat all UNC network paths as Local intranet)
"ProxyBypass" = "1" (treat all sites that bypass the proxy server as Local intranet)
The process regsvr32.exe:176 makes changes in the system registry. It registers %Program Files%\PowerISO\PWRISOSH.DLL as an in-process COM server (CLSID {967B2D40-8B7D-4127-9049-61EA0C2C6DCE}) and hooks it as a context-menu handler for files (*), directories and folders, adding the CLSID to the approved shell extensions list. A DLL registered this way is loaded into explorer.exe whenever a context menu is opened, so it should be hashed and signature-checked like any other dropped binary (its MD5 appears in the dropped PE table below).
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 D9 8F 2A 65 FC 4A 5C 78 41 16 EE 7A 17 2D B5"
[HKCR\*\shellex\ContextMenuHandlers\PowerISO]
"(Default)" = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
[HKCR\Directory\shellex\ContextMenuHandlers\PowerISO]
"(Default)" = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
[HKCR\Folder\shellex\ContextMenuHandlers\PowerISO]
"(Default)" = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
[HKCR\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}]
"(Default)" = "PowerISO"
[HKCR\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32]
"(Default)" = "%Program Files%\PowerISO\PWRISOSH.DLL"
"ThreadingModel" = "Apartment"
The process regsvr32.exe:884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 BB B7 2D 60 0E BC AB 57 C8 A0 56 8E 4A C6 A2"
The process PWRISOVM.EXE:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 4A F4 1B 88 42 5C F5 01 AE 54 24 57 0C 0E D0"
The process Setup.exe:432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\PowerISO]
"ShellIntegration" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\.dmg]
"(Default)" = ""
[HKCR\.bin]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\PowerISO]
"CheckUpgrade" = "0"
[HKCR\.cue]
"(Default)" = "PowerISO"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"UninstallString" = "%Program Files%\PowerISO\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\.iso]
"(Default)" = "PowerISO"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\PowerISO]
"TbInstallFlag2" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\PowerISO]
"PWRISOVM.EXE" = "PowerISO Virtual Drive Manager"
[HKCR\.gi]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\PowerISO\SCDEmu]
"DiskCount" = "1"
[HKCR\PowerISO\DefaultIcon]
"(Default)" = "%Program Files%\PowerISO\PowerISO.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"NoModify" = "1"
[HKCR\.flp]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"Publisher" = "Power Software Ltd"
[HKCR\.daa]
"(Default)" = "PowerISO"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\PowerISO\SCDEmu]
"Flags" = "5"
[HKCR\.cif]
"(Default)" = ""
[HKCU\Software\PowerISO]
"Install_Dir" = "%Program Files%\PowerISO"
[HKCR\.lcd]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 E7 4A EE 39 CA 24 F3 F0 52 4E 33 37 5F AB 97"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\PowerISO]
"Install_Dir" = "%Program Files%\PowerISO"
[HKCR\.fcd]
"(Default)" = ""
[HKCR\.ashdisc]
"(Default)" = ""
[HKCU\Software\PowerISO]
"ConduitFlag" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"DisplayVersion" = "5.9"
"VersionMajor" = "5"
[HKCR\.cdi]
"(Default)" = ""
[HKCR\PowerISO]
"(Default)" = "PowerISO File"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"DisplayIcon" = "%Program Files%\PowerISO\PowerISO.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCR\.ncd]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\.vcd]
"(Default)" = ""
[HKCR\.mds]
"(Default)" = ""
[HKCU\Software\PowerISO]
"TbInstallFlag" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"NoRepair" = "1"
[HKCR\.pxi]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\SCDEmu]
"ErrorControl" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\.c2d]
"(Default)" = ""
[HKCR\PowerISO\shell\open\command]
"(Default)" = "%Program Files%\PowerISO\PowerISO.exe %1"
[HKCR\.p01]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"DisplayName" = "PowerISO"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCR\.b5i]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\PowerISO]
"TbShowFlag" = "2"
[HKCR\.uif]
"(Default)" = "PowerISO"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\.bwi]
"(Default)" = ""
[HKLM\System\CurrentControlSet\Services\SCDEmu]
"Type" = "1"
[HKCR\.bif]
"(Default)" = ""
[HKCR\.img]
"(Default)" = "PowerISO"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCR\.ima]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\.pdi]
"(Default)" = ""
[HKCU\Software\PowerISO]
"Language" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"VersionMinor" = "9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"InstallLocation" = "%Program Files%\PowerISO"
[HKCR\.mdf]
"(Default)" = ""
[HKCR\.isz]
"(Default)" = "PowerISO"
[HKCR\.wim]
"(Default)" = ""
[HKCR\.nrg]
"(Default)" = ""
The Trojan sets the following Internet Explorer zone-map values (the standard Local intranet zone options, commonly written as a side effect of WinINet initialisation and not evidence of tampering on their own):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1" (treat all local, dotless intranet names not listed in another zone as Local intranet)
"UNCAsIntranet" = "1" (treat all UNC network paths as Local intranet)
"ProxyBypass" = "1" (treat all sites that bypass the proxy server as Local intranet)
To run automatically each time Windows boots, the Trojan adds the following autorun value (the PowerISO virtual-drive manager; because the value is under HKLM it applies to every user who logs on):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE" = "%Program Files%\PowerISO\PWRISOVM.EXE -startup"
The SCDEmu kernel driver (%System%\drivers\scdemu.sys, written by Setup.exe above) is registered as a system-start service: "Start" = "1" (SERVICE_SYSTEM_START) means the I/O manager loads it during kernel initialisation (IoInitSystem), before any user logs on, and the "Type" = "1" (SERVICE_KERNEL_DRIVER) value above confirms it runs in kernel mode:
[HKLM\System\CurrentControlSet\Services\SCDEmu]
"Start" = "1"
The Trojan deletes the following registry key(s):
[HKCR\.bin\PersistentHandler]
[HKCR\.bin]
The Trojan deletes the following autorun value, disabling automatic startup of whatever was registered under that name:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SCDEmuApp.exe"
The process SPIdentifier.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst9.tmp\,"
(a delay-until-reboot entry of the kind MoveFileEx creates: the source is the still-locked nst9.tmp plugin directory and the empty target after the comma means "delete at next boot"; this is how an NSIS installer cleans up temp files it could not remove immediately)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 79 BE 20 DF 1C 51 53 DF B1 EE D9 36 3E 38 0B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets the following Internet Explorer zone-map values (the standard Local intranet zone options, commonly written as a side effect of WinINet initialisation and not evidence of tampering on their own):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (treat all UNC network paths as Local intranet)
"ProxyBypass" = "1" (treat all sites that bypass the proxy server as Local intranet)
"IntranetName" = "1" (treat all local, dotless intranet names not listed in another zone as Local intranet)
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Caveat: with "MigrateProxy" = "1" and "SavedLegacySettings" set above and no proxy configured in the sandbox, this is consistent with WinINet's one-time migration of legacy proxy settings; verify on a host with a proxy or PAC URL configured before treating it as proxy tampering.
The process nss6.tmp.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 AF 2F AC B7 8F 75 84 58 28 E9 2A 05 D1 3A 3E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that UNC paths (network shares) are mapped to the Local Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that sites which bypass the proxy server are mapped to the Local Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that local (intranet) sites not listed in any other zone, i.e. host names without dots, are mapped to the Local Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that "1" is the IE default for all three ZoneMap values, so on their own these writes show the installer initialising WinINet settings rather than widening the Intranet Zone beyond its default.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
73554f3944811c0c4b393826943be2ca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe |
92a80f5eb8fb3b821175a031b3d0b976 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss6.tmp.exe |
9fb9d49c2db7edd1084ab765d619f5c6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe |
d96290ac80c0696023d8a2378bd89efa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe |
30ae564b315b18be68d4975a083939d5 | c:\Program Files\PowerISO\MACDll.dll |
acd1def89e513fef4ba1a29bcad78c91 | c:\Program Files\PowerISO\PWRISOSH.DLL |
3dde61df866b70543a953c77765d8edc | c:\Program Files\PowerISO\PWRISOVM.EXE |
92a80f5eb8fb3b821175a031b3d0b976 | c:\Program Files\PowerISO\PowerISO.exe |
b415d99733681b7ebd6f0cb923adc27b | c:\Program Files\PowerISO\lame_enc.dll |
ebbc719e881f2311d352ade3b5e48aee | c:\Program Files\PowerISO\libFLAC.dll |
24e825fbf90999b564c24d676c299a72 | c:\Program Files\PowerISO\piso.exe |
c622d80e6d183fdd0e405163e29dfcc0 | c:\Program Files\PowerISO\uninstall.exe |
61fa09e5fc13b46d5e5495165aa38dc2 | c:\WINDOWS\system32\drivers\scdemu.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsjA.exe:440
%original file name%.exe:1088
regsvr32.exe:176
regsvr32.exe:884
PWRISOVM.EXE:388
Setup.exe:432
SPIdentifier.exe:224
nss6.tmp.exe:1256
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (758 bytes)
%Program Files%\Common Files\Setup.exe (43956 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iwdqkkj (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (47161 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO Virtual Drive Manager.lnk (1 bytes)
%Program Files%\PowerISO\Readme.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\Uninstall PowerISO.lnk (1 bytes)
%Program Files%\PowerISO\PowerISO.chm (15536 bytes)
%Program Files%\PowerISO\Lang\Slovak.lng (1856 bytes)
%Program Files%\PowerISO\License.txt (3 bytes)
%Program Files%\PowerISO\Lang\Urdu(Pakistan).lng (1856 bytes)
%Program Files%\PowerISO\Lang\Lithuanian.lng (1552 bytes)
%Documents and Settings%\All Users\Desktop\PowerISO.lnk (682 bytes)
%Program Files%\PowerISO\Lang\TradChinese.lng (784 bytes)
%Program Files%\PowerISO\Lang\Norsk.lng (1552 bytes)
%Program Files%\PowerISO\Lang\italian.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Ukrainian.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (288986 bytes)
%Program Files%\PowerISO\libFLAC.dll (5520 bytes)
%Program Files%\PowerISO\PowerISO.exe (85410 bytes)
%Program Files%\PowerISO\Lang\Malay.lng (1856 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO Help.lnk (1 bytes)
%Program Files%\PowerISO\Lang\Indonesian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Swedish.lng (1856 bytes)
%Program Files%\PowerISO\lame_enc.dll (9320 bytes)
%Program Files%\PowerISO\Lang\Japanese.lng (784 bytes)
%Program Files%\PowerISO\Lang\Hungarian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Vietnamese.lng (1552 bytes)
%Program Files%\PowerISO\Lang\czech.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Greek.lng (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\System.dll (11 bytes)
%Program Files%\PowerISO\Lang\Slovenian.lng (784 bytes)
%Program Files%\PowerISO\Lang\German.lng (1856 bytes)
%Program Files%\PowerISO\Lang\SimpChinese.lng (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss6.tmp.exe (85410 bytes)
%Program Files%\PowerISO\Lang\Bosnian.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\InstOpt.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
%Program Files%\PowerISO\Lang\Thai.lng (1552 bytes)
%System%\drivers\scdemu.sys (3616 bytes)
%Program Files%\PowerISO\Lang\Korean.lng (1552 bytes)
%Program Files%\PowerISO\PWRISOSH.DLL (6360 bytes)
%Program Files%\PowerISO\piso.exe (11 bytes)
%Program Files%\PowerISO\PWRISOVM.EXE (12024 bytes)
%Program Files%\PowerISO\Lang\Farsi.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Program Files%\PowerISO\uninstall.exe (2571 bytes)
%Program Files%\PowerISO\Lang\Portuguese(Brazil).lng (1856 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO.lnk (1 bytes)
%Program Files%\PowerISO\Lang\Dutch.lng (1856 bytes)
%Program Files%\PowerISO\Lang\danish.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Russian.lng (784 bytes)
%Program Files%\PowerISO\Lang\Spanish.lng (1856 bytes)
%Program Files%\PowerISO\Lang\french.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Armenian.lng (1552 bytes)
%Program Files%\PowerISO\History.txt (7 bytes)
%Program Files%\PowerISO\Lang\Azerbaijani.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Belarusian.lng (1856 bytes)
%Program Files%\PowerISO\MACDll.dll (6584 bytes)
%Program Files%\PowerISO\Lang\Serbian(cyrl).lng (1552 bytes)
%Program Files%\PowerISO\Lang\Arabic.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Bulgarian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Polish.lng (1552 bytes)
%Program Files%\PowerISO\Lang\croatian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\kazakh.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Turkish.lng (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjA.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PowerISO_Setup.txt (2 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE" = "%Program Files%\PowerISO\PWRISOVM.EXE -startup"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: SolidShare Ekibi
Product Name: PowerISO
Product Version: 5.9.0.0
Legal Copyright: (c) 2014 By Progressive
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.9.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 12316672 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 12320768 | 352256 | 349696 | 5.49668 | f1fc5eb83665ca22e19f7b03630415c1 |
.rsrc | 12673024 | 11788288 | 11787776 | 5.54311 | 0bc1ac9b4fb5a766ac45af07654202df |
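The section table above is the classic UPX layout: UPX0 has a large virtual size but a raw size of zero (it is the destination the stub unpacks into), UPX1 holds the compressed image, and .rsrc is left uncompressed so icons and version info stay readable. The following Python is an added example, not code from the Lavasoft report or from PowerISO, showing how a triage script reads a PE section table and applies exactly those indicators. The PE it parses is constructed inside the script (helper `build_pe`) to mirror the three sections listed, names and virtual sizes included, with synthetic raw bytes; it is not the analysed file. The function names, the 7.0 entropy threshold and the 0x1000 "large virtual size" cut-off are the example's own choices.

```python
import math
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

# Constructed sample (NOT the analysed file): names and virtual sizes mirror the
# table above; the raw bytes are synthetic so the script runs offline.
SAMPLE_SECTIONS = [
    (b"UPX0", 12316672, b""),                                  # unpack target, no raw data
    (b"UPX1", 352256, bytes(range(256)) * 4),                  # "compressed": flat histogram
    (b".rsrc", 0x2000, b"\x00" * 0x1000 + b"A" * 0x1000),      # low-entropy resources
]


def build_pe(sections):
    """Return a minimal PE32 image with the given (name, vsize, raw_bytes) sections."""
    n = len(sections)
    opt_size = 224                                   # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + n * SECTION_HDR.size
    raw_base = (hdr_len + 0x1FF) & ~0x1FF            # first raw section, 0x200-aligned
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    table, body, va = b"", b"", 0x1000
    for name, vsize, data in sections:
        raw_ptr = raw_base + len(body) if data else 0
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, va, len(data),
                                  raw_ptr, 0, 0, 0, 0, 0xE0000020)
        body += data
        va += (vsize + 0xFFF) & ~0xFFF               # next section, page-aligned
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header.ljust(raw_base, b"\0") + body


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def parse_sections(pe):
    """Walk the section table of a PE image and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                 # section table follows the optional header
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(
            pe, table + i * SECTION_HDR.size)
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        out.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                    "vsize": vsize, "rawsize": rawsize,
                    "entropy": round(shannon_entropy(data), 3)})
    return out


def packer_indicators(sections, entropy_threshold=7.0):
    """Heuristic packer indicators; each is a hint, none alone is proof."""
    hits = []
    names = {s["name"] for s in sections}
    if {"UPX0", "UPX1"} <= names:
        hits.append("UPX section names present")
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:
            hits.append(f"{s['name']}: zero raw size but {s['vsize']:#x} virtual "
                        "(unpack destination)")
        if s["entropy"] >= entropy_threshold:
            hits.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
    return hits


if __name__ == "__main__":
    secs = parse_sections(build_pe(SAMPLE_SECTIONS))
    for s in secs:
        print(f"{s['name']:<8} va={s['va']:#010x} vsize={s['vsize']:>10} "
              f"raw={s['rawsize']:>8} entropy={s['entropy']}")
    for hit in packer_indicators(secs):
        print(" -", hit)
```

Because the constructed sections are laid out page-aligned from 0x1000, the parser recovers the same virtual addresses the table reports for UPX1 (12320768) and .rsrc (12673024); the entropy column will differ since the sample bytes are synthetic. Swap `build_pe(SAMPLE_SECTIONS)` for `open(path, "rb").read()` to run the same checks on a real file.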
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe | |
hxxp://poweriso.com/getip.php | |
hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
hxxp://poweriso.com/thankyou.htm | |
hxxp://poweriso.com/images/thank-you-bg.gif | |
hxxp://poweriso.com/images/thank-you-bg1.gif | |
hxxp://www-google-analytics.l.google.com/ga.js | |
hxxp://poweriso.com/images/blank.gif | |
hxxp://poweriso.com/images/thank-you-logo.gif | |
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=320095788&utmhn=www.poweriso.com&utmcs=windows-1252&utmsr=1024x768&utmvp=1004x615&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Thank you for installing PowerISO!&utmhid=1155959389&utmr=-&utmp=/thankyou.htm&utmht=1404105600036&utmac=UA-26195659-1&utmcc=__utma=12986422.1178804117.1404105600.1404105600.1404105600.1;+__utmz=12986422.1404105600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ | |
hxxp://poweriso.com/images/check.gif | |
hxxp://www.poweriso.com/images/check.gif | 66.39.117.230 |
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=320095788&utmhn=www.poweriso.com&utmcs=windows-1252&utmsr=1024x768&utmvp=1004x615&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Thank you for installing PowerISO!&utmhid=1155959389&utmr=-&utmp=/thankyou.htm&utmht=1404105600036&utmac=UA-26195659-1&utmcc=__utma=12986422.1178804117.1404105600.1404105600.1404105600.1;+__utmz=12986422.1404105600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ | 173.194.113.192 |
hxxp://www.poweriso.com/images/thank-you-logo.gif | 66.39.117.230 |
hxxp://www.poweriso.com/images/thank-you-bg.gif | 66.39.117.230 |
hxxp://www.poweriso.com/images/blank.gif | 66.39.117.230 |
hxxp://www.poweriso.com/thankyou.htm | 66.39.117.230 |
hxxp://www.google-analytics.com/ga.js | 173.194.113.192 |
hxxp://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe | 23.215.122.68 |
hxxp://www.poweriso.com/images/thank-you-bg1.gif | 66.39.117.230 |
hxxp://www.poweriso.com/getip.php | 66.39.117.230 |
hxxp://sp-installer.conduit-data.com/ | 54.235.66.89 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /thankyou.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:19:59 GMT
Server: Apache/2.2.27
Last-Modified: Thu, 22 Mar 2012 05:28:07 GMT
ETag: "116d-4bbce2c41a7c0"
Accept-Ranges: bytes
Content-Length: 4461
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>.<head>..<meta http-equiv=Content-Type content="text/html; charset=windows-1252">.<meta content="PowerISO" name=description>.<meta content="Microsoft FrontPage 4.0" name="GENERATOR">.<meta content="FrontPage.Editor.Document" name="ProgId">.<title>Thank you for installing PowerISO!</title>..<STYLE type=text/css>P {FONT-SIZE: 9pt; FONT-FAMILY: "Arial"}.B {.FONT-SIZE: 9pt; FONT-FAMILY: "Arial"}.A:link {FONT-SIZE: 9pt; FONT-FAMILY: "Arial"; TEXT-DECORATION: none}.A:visited {FONT-SIZE: 9pt; FONT-FAMILY: "Arial"; TEXT-DECORATION: none}.A:active {FONT-SIZE: 9pt; FONT-FAMILY: "Arial"; TEXT-DECORATION: none}.A:hover {FONT-SIZE: 9pt; FONT-FAMILY: "Arial"; TEXT-DECORATION: none}.</STYLE>..</head>..<body topMargin=0 bgcolor="#808080" leftmargin="0" background="images/thank-you-bg1.gif">..<table align="center" border="0" cellpadding="0" cellspacing="0" width="614" height="154" background="images/thank-you-bg.gif">..<tr><td width="100%" height="141"><p align="center"> </td></tr>..<td width="604" height="392">..<table align="center" border="0" cellpadding="0" cellspacing="0" width="585" height="12">. <tr><td width="535" height="64" colspan="4"><p align="center"><b><font color="#FFFFFF" size="5">Thank you for installing PowerISO!</font></b></td></tr>. <tr><td width="535" bgcolor="#FFFFFF" height="1" colspan="4"> </td><
<<
<<< skipped >>>
GET /images/thank-you-bg.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Thu, 22 Mar 2012 04:05:37 GMT
ETag: "2e5d-4bbcd0536a640"
Accept-Ranges: bytes
Content-Length: 11869
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif
GIF89ah.&..........c..`..]...............................................Z...........D..C........a................................................o..p..o.!u..r."v..q..o..p..o.#w. t.5.....-..U..&z.H...........1..... .....A..O..`..b..[.....\..0..e..C..(}.)}.~..'{.$x.%y.K..F..2...s.>..=../..6..4..<..*..E.....,...q.7.........s....;...........h.....r..)~....8.....@..............M..{..&z. t.7..^.....Y...n..t.9.. .....(|..q.'{.V.....%x.N..J.....G..B.....X..R..S...r.......?..=..:..4..3..I..1../..,........l........x.....u..Q..n........z........F....................................................................................................................................................................................................................z..........................!.......,....h.&........H......*\......#J.H.....3j...... C..8....(S.\.....0c..I....8s.......@...J....H.*].....P.J.JU%..X.j......`...K....h..].....p...K....x............L...... ^......#..A.....3k.......C..M.....S.^......c..M.....s.................. _.......K.N......k...........O......._.........O..............ZG....h...&....6....F(...Vh...f....v... .(..$.h..(....,....0.(#.-.h..8....<....@.)..D.i..H&...L6...PF)..TVi..Xf...\v...`.)..d.i..h....l....E. ..t.i..x....|......*....j...&....6....F*...Vj...f....v.....z....j...............*....j.............. ....z...&....6....F ...Vk...f....v..... ....k.............. ....k..............,....l...'....7....G,...Wl...g.n%.w... .,..$.l..(....,....0.,..4.l..8....<....@.-..D.m..H'...L7...PG-..TWm..Xg.
<<
<<< skipped >>>
GET /images/thank-you-logo.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Fri, 16 Mar 2012 10:56:08 GMT
ETag: "512a-4bb5a0e49a200"
Accept-Ranges: bytes
Content-Length: 20778
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: image/gif
GIF89a0.U.....f.r........l.....a..[...../@Lf........ ....bI..C.....1.......vU...................K............x.......7.................................=......................."..x...................................}.. .........................,...............7....q.........&....T.....8..........................%...G..........^.........V.....)........................................ ...w..g.......b......P..........8......J....................:.......................[..Z........f.......4....................................(....................D..M...................6}..j.....-....................1.....M........m.......Y........................$..|..............S..o....u.....M......t................._..X...........@..w..0.......... ...............F...../..=y.........C;.....!.......,....0.U........H......*\.0...$"..@.C...2..q.c...$.. ..... .|....Y..U.Y.....r....'..........!@....d..S9r..!....1&L...k.z[.D.....*?N..Rb...T.)..E../....../.$J.......3|..(.......I...re~.3k...r...!?n...i..Rk..z....>|..d.]._....i..f.J..B......n... W.Z.R.*#j.S...`..hQ.D....J.....n..Y!..Y-..L..EI)#%..xec.o.eP.E......%....6....:x........y.R~...AJ...SL4...N>.5.xB}..RNe..uQ]5AV..0.Y.-.U...e.Z......l.B..}...*.%.`..F.l.........h.x..g..i..gvf...y..b....k8....~...n....p..u\rQ..\W.E'.UQa...L)5.w..E^y<.g"M....J..t_~ 5..F6d......P....*....z`..b..GW...I(.."K/.W.z....x/*...M.c]U.b.c.`}.\.@........\...$._@...T......6Xa.....>x.%h.m........`.FZ.q..Z.v..gmz..[o..&......r......U[.u.n..wEUj)P.iz.{1y.i.'...H......VT....-..D?8a..........H...jK/.(.L...
<<
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"HOBCTMHJRTJGD8Y1M4RW8ILGSWFTKX5IX/EAFIKGEAD MYIWJKOIXSWGHN8FWICHX0NAMR4ZBCORZD7UDJJKEG", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Mon, 30 Jun 2014 05:20:21 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /getip.php HTTP/1.1
User-Agent: PowerISO(v5.1)
Accept: */*
Host: VVV.poweriso.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Mon, 30 Jun 2014 05:19:50 GMT
Server: Apache/2.2.27
Content-Length: 207
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /getip.php was not found on this server.</p>.</body></html>...
GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 01:16:59 GMT
Expires: Mon, 30 Jun 2014 13:16:59 GMT
Last-Modified: Tue, 17 Jun 2014 01:05:58 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15810
Age: 14580
Cache-Control: public, max-age=43200
Alternate-Protocol: 80:quic
...........}kW.:..w~....c...pk..f..-mii..%...e9..q.........$[NB.s.Y.........h43v..Pd.d.z..|..y ."........(..a.B........1..Tf..K.L2....~...ep...&y....MS...t9.....&..2... .Q.N.(o....8..q..L.!...a..0...$.pX..N&..a. ..zB:l.8c9.p.....;l..x.$c.]BP\.....B...&..*pz.H.~......g...Ap..!....K......V;l.H.....V.a.....s.$p....5.39...a.a7P'9.b.[H>N.$..A..... ..^..;h.h...2l_......w9..d.@.`...N.....|....%.d.%........{.....&.A.I..:....F.;..c..{P*..~..JzP.Kl...F..y.U8(&.......}.BH@..ZC...Ty. u.Y...!..R.h.F..`./>5...*{P..(..:A.}..v.} ..u...k......w\..d....he.q..U.u..yE..J.Re.....Y.2!.J.a..i^R....p..LG4.d.6U..........E..%..5.kz<....[..!2o.tV.V.....|..p7o..?N&..].o>.|...../..a.\...vL3].._....q.....C.].JG..\.[9...hp....w.Y^1..>..`..Q..!w0.U..}x.;^.......w.I................R..aQ2R..<..%....A%|.E...j...L..j..\.\.D.<.g....^Y)...L.*D........2....-..%F.T..j..,F...C.....m_.$..2..2.g...B.{.....\c......*5..c..J.{@...Q.....j..........E..Z...#>.....>...g{...t.....i1..Yk..@m..v.Cf..)..7.....(.......$\.S.......>......a..r..N. ........o;>...A..>...U...J'.....X....B.q..E....()..3. .... A".uss.;.......W.....k-..zF.\`Qp?........\d..a..A.1....5......Z.H...M"tf.GM. .X[.YU...T.._.lH......n@=1.5N....?Z...V>&."..Q$.....&.sS..Kq....].UySz=..3..$."....".'.Iar\Y.WVt\....;k..h._.O..b...2....G=H9@...v0l)2!..xD7...T..Di.v.RC`.m.8.\....J....h..uss.....p..)..O3.W....5....k...y.`^ ....&1..f"..D.w.}.;D:d.F....p#... ......d...T..iU7n.;-hh..T..^P....U.....>...T..m.^..fM....>..>d..Q..!....P1......7L...[.........;.>_W.
<<
<<< skipped >>>
GET /__utm.gif?utmwv=5.5.3&utms=1&utmn=320095788&utmhn=VVV.poweriso.com&utmcs=windows-1252&utmsr=1024x768&utmvp=1004x615&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Thank you for installing PowerISO!&utmhid=1155959389&utmr=-&utmp=/thankyou.htm&utmht=1404105600036&utmac=UA-26195659-1&utmcc=__utma=12986422.1178804117.1404105600.1404105600.1404105600.1;+__utmz=12986422.1404105600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Fri, 20 Jun 2014 03:06:21 GMT
Server: Golfe2
Content-Length: 35
Age: 872019
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Alternate-Protocol: 80:quic
GIF89a.............,...........D..;..
GET /images/thank-you-bg1.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Fri, 16 Mar 2012 13:24:43 GMT
ETag: "41d-4bb5c21a9bcc0"
Accept-Ranges: bytes
Content-Length: 1053
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif
GIF89a..............p..o..o.....q..p..r...."v..o.#w.!u..o.R......../..F..G..J..'{.$x....%y.9..b..&z....{.....?.. t....1...n.0..H..B.....7..\..... ........7.................;...t..s.8.....x.....r........O..:..^........E..)~.5.. ...q./..,..&z.......-..[..V..A.....K..M..)}.(|..s.(}.h..3..,..`.. t.N..@...r.6..............=..~.....X.....>..e.....4.....S..U..Y...........I.....*............q.C..=..%x....n..Q..u..1.....4..l.....2.....'{.<...........................................................................................................................................................................................................................................................................................................................................................!.......,............I,X0.......8 ....|. @.....]B4h.@.....dX.a.. X...s...-Nz`.........1d$...84......5 .D9.....&.T.B...A.....F...A.l`..P ..tx8......v............f...R.D.....=..4A..B.;s:4...@...3c&..s...B..M.....S.^......c..M.....s...........N...... _.......K.N......k..= .;....
GET /images/blank.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Thu, 22 Mar 2012 04:07:32 GMT
ETag: "2e-4bbcd0c116900"
Accept-Ranges: bytes
Content-Length: 46
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif
GIF89a.............!.......,.................;....
GET /images/check.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Fri, 16 Mar 2012 12:31:29 GMT
ETag: "410-4bb5b63492a40"
Accept-Ranges: bytes
Content-Length: 1040
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: image/gif
GIF89a......................s.[q.1...r.[.............................Y|.>x.Y{.6..G{.Z..Yu.^w._v.[.....y..Es.Z..O..L.....N...........A..U..S......r.Y..B...r.Xs.E..Rv.9..=...t.Z..Nt.W.....K..i..p.....V..f..T......t.Vp.4..9x.`..}v.Z.....a.....Lt.0..Q..Sx.3v.R.....b..o..x}.V..}..X..[.....f..D..Y..U..W...s.W..Gt.8...v.Y..`..K..s........Z..o..up.0o./..X..Nr./..?..B.........p.2w.\.....zv.?......y.=q.F..R......u.1z.>u.4r.J..O..E........Lo...........................................................................................................................................................................................................................................................................................................................................................!.......,...............H......*\.P!.....T......$.$.FE...4.t0%..-.jd.....=-.`..q..@DP.."2...flH(..a.....l.C..0o6 A.aG.6x.4...G.9^..I.... !.....E.@\.(.....'{...3cI.<...A ....Zx`@........)4.L..N.@hx...F....A!.F.......... ^.......".1..!..:..)...L.......\.......;..
GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.conduit-services.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Mon, 30 Jun 2014 08:19:50 GMT
Accept-Ranges: bytes
ETag: "f1bee9ba81a83e5496295efa26529c47"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1115264
Cache-Control: private, max-age=900
Expires: Mon, 30 Jun 2014 05:34:50 GMT
Date: Mon, 30 Jun 2014 05:19:50 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L....q.N.................h...@...B...4............@.................................h...................................................0...........`... ............................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...0...........................@..@................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.2G.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.
<<
<<< skipped >>>
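Two kinds of traffic are mixed in the capture above: browser-like fetches of the PowerISO thank-you page and its images, and requests carrying the User-Agent "NSIS_Inetc (Mozilla)" that pull SPIdentifierImpl.exe over plaintext HTTP from sp-storage.conduit-services.com and POST a JSON record containing a machine_ID to sp-installer.conduit-data.com, declared as application/x-www-form-urlencoded. The Python below is an added example, not code from the report or from either vendor, that applies those distinctions to request/response pairs. The three exchanges it inspects are transcribed and trimmed from the capture above (headers reduced, bodies cut to their first bytes); `VENDOR_DOMAIN`, the "Mozilla/" browser test, and the rule wording are the example's assumptions.

```python
import json

# Assumption of the example: the installer's own pages come from poweriso.com,
# so any other host is treated as third-party.
VENDOR_DOMAIN = "poweriso.com"

# Constructed request/response pairs, transcribed and trimmed from the capture
# above. Bodies are cut to their first bytes; the downloaded PE is represented
# only by the start of its DOS header.
EXCHANGES = [
    ("GET /thankyou.htm HTTP/1.1\r\n"
     "Accept: */*\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
     "Host: www.poweriso.com\r\n"
     "Connection: Keep-Alive\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.2.27\r\nContent-Length: 4461\r\n"
     "Content-Type: text/html\r\n\r\n"
     "<html><head><title>Thank you for installing PowerISO!</title>"),
    ("GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1\r\n"
     "User-Agent: NSIS_Inetc (Mozilla)\r\n"
     "Host: sp-storage.conduit-services.com\r\n"
     "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Length: 1115264\r\n\r\n"
     "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    ("POST / HTTP/1.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "User-Agent: NSIS_Inetc (Mozilla)\r\n"
     "Host: sp-installer.conduit-data.com\r\n"
     "Content-Length: 263\r\n\r\n"
     '{"event_type":"SPidentifier", "environment":"", '
     '"machine_ID":"HOBCTMHJRTJGD8Y1M4RW8ILGSWFTKX5IX", "result": "success", '
     '"failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", '
     '"carrier_type": ""}',
     "HTTP/1.1 202 Accepted\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n\r\n"),
]


def parse_http(raw):
    """Split one HTTP message into (start-line fields, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 2), headers, body


def is_vendor_host(host, vendor_domain=VENDOR_DOMAIN):
    host = host.lower().split(":")[0]
    return host == vendor_domain or host.endswith("." + vendor_domain)


def triage(request_raw, response_raw, vendor_domain=VENDOR_DOMAIN):
    """Return the findings worth flagging for one request/response pair."""
    (method, path, _), req_h, req_body = parse_http(request_raw)
    _, resp_h, resp_body = parse_http(response_raw)
    host = req_h.get("host", "")
    ua = req_h.get("user-agent", "")
    findings = []
    if not is_vendor_host(host, vendor_domain):
        findings.append(f"third-party host {host}")
    if not ua.startswith("Mozilla/"):
        # NSIS's inetc plugin announces itself as "NSIS_Inetc (Mozilla)": an
        # installer fetching content, not the user's browser.
        findings.append(f"non-browser client {ua!r}")
    if resp_body.startswith("MZ") or path.lower().endswith(".exe"):
        findings.append(f"PE delivered over cleartext HTTP: {path} "
                        f"({resp_h.get('content-length', '?')} bytes declared)")
    if method == "POST":
        try:
            payload = json.loads(req_body)
        except ValueError:
            payload = {}
        if not isinstance(payload, dict):
            payload = {}
        id_fields = [k for k in payload if "id" in k.lower()]
        if id_fields:
            findings.append("telemetry POST carrying identifier field(s): "
                            + ", ".join(id_fields))
        if payload and "json" not in req_h.get("content-type", ""):
            findings.append(f"JSON body sent as {req_h.get('content-type')}")
    return findings


def triage_all(exchanges=EXCHANGES):
    """Map each request path to its findings; a benign exchange maps to []."""
    return {parse_http(q)[0][1]: triage(q, s) for q, s in exchanges}


if __name__ == "__main__":
    for path, findings in triage_all().items():
        print(path, "->", "clean" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run against the three exchanges, the thank-you page produces no findings, the SPIdentifierImpl.exe fetch is flagged on host, client and cleartext PE delivery, and the POST is flagged on host, client, the machine_ID/carrier_ID fields and the JSON-as-form-data mismatch; that split is what an IDS rule for the bundle would have to capture, since the PowerISO traffic itself is ordinary.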
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
PWRISOVM.EXE_388:
.Rich
.Rich
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
hhctrl.ocx
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
CCmdTarget
CCmdTarget
COMCTL32.DLL
COMCTL32.DLL
CNotSupportedException
CNotSupportedException
user32.dll
user32.dll
gdi32.dll
gdi32.dll
kernel32.dll
kernel32.dll
advapi32.dll
advapi32.dll
RegCreateKeyExW
RegCreateKeyExW
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
comdlg32.dll
comdlg32.dll
winspool.drv
winspool.drv
SetWindowsHookExW
SetWindowsHookExW
RegOpenKeyW
RegOpenKeyW
msvfw32.dll
msvfw32.dll
sensapi.dll
sensapi.dll
oledlg.dll
oledlg.dll
oleacc.dll
oleacc.dll
secur32.dll
secur32.dll
avicap32.dll
avicap32.dll
winmm.dll
winmm.dll
rasapi32.dll
rasapi32.dll
mpr.dll
mpr.dll
version.dll
version.dll
unicows.dll
unicows.dll
security.dll
security.dll
ntdll.dll
ntdll.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
EnumWindows
EnumWindows
UnhookWindowsHookEx
UnhookWindowsHookEx
GetKeyState
GetKeyState
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GDI32.dll
GDI32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
SetWindowsHookExA
SetWindowsHookExA
unicows.dll not found!
unicows.dll not found!
.PAVCObject@@
.PAVCObject@@
.PAVCException@@
.PAVCException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
zcÁ
zcÁ
windows
windows
KERNEL32.DLL
KERNEL32.DLL
D*.umim
D*.umim
888g* X(((P...RBBB`ccc
888g* X(((P...RBBB`ccc
www.|||a
www.|||a
commctrl_DragListMsg
MSWHEEL_ROLLMSG
\\.\SCDEmuDev%d
Drive %d
The drive letter [%C:] is already in use. PowerISO will use [%C:] for this drive.
\\.\%c:
\Device\SCDEmu\SCDEmuCd%u
\\.\ :
%s (Error Code = %x, %x)
\\.\SCDEmuDev0
PowerISO Virtual Drive requires Windows 2000/XP or above operating systems.
Drive [%c:]
%d Drives
Unmount Drive [%c:]
Mount Image to Drive [%c:]
mount "%s" %C:
-ii1 -vunmount %d
PWRISOVM.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\%C\DefaultIcon
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\%C
\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\%C\DefaultIcon
Software\Microsoft\Windows\CurrentVersion\Run\
\Lang\*.lng
\PowerISO.chm::/Overview.htm
-evt %s
%s\PowerISO.exe -ii1 -hwnd %s
PE_xx
%s (%s)
*.isz
*.uif
*.bif
*.dmg
*.vcd
*.fcd
*.pxi
*.ncd
*.nrg
*.pdi
*.cif
*.cdi
*.img
*.lcd
*.bwi;*.b5i
*.ashdisc
*.mdf;*.mds
*.bin;*.cue
*.daa
*.iso
*.iso;*.daa;*.bin;*.cue;*.mdf;*.mds;*.ashdisc;*.bwi;*.b5i;*.lcd;*.img;*.cdi;*.cif;*.p01;*.pdi;*.nrg;*.ncd;*.pxi;*.gi;*.fcd;*.vcd;*.c2d;*.dmg;*.bif;*.uif;*.isz
\PowerISO.exe
http://www.poweriso.com
http://www.poweriso.com/order.htm
PowerISO.exe
http://www.winarchiver.com
%Program Files%\PowerISO\PWRISOVM.EXE
5, 9, 0, 0
All Files (*.*)
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Access to %1 was denied.
An invalid file handle was associated with %1.
%1 could not be removed because it is the current directory.
%1 could not be created because the directory is full.
Seek failed on
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
Unable to load mail system support.
iexplore.exe_1936:
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512