Trojan.Generic.8048033 (BitDefender), Trojan:Win32/VB.AIX (Microsoft), Trojan.Win32.CCho.b (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Siggen4.18602 (DrWeb), Trojan.Generic.8048033 (B) (Emsisoft), Artemis!B8402B719D03 (McAfee), Trojan.Gen (Symantec), Win32.SuspectCrc (Ikarus), Gen:Variant.Symmi.13498 (FSecure), SHeur4.AJIJ (AVG), Win32:Malware-gen (Avast), TROJ_SPNR.30HL12 (TrendMicro), Trojan.Generic.8048033 (AdAware), Trojan-Spy.Win32.Keylogger.VB.2.FD, mzpefinder_pcap_file.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Spy, Keylogger, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b8402b719d03f467f3b833886810d2e6
SHA1: ea397132c07cb8865dde9d9d28682469afc51b9e
SHA256: 56b1e1666bc934e16fdf1126b91e94c93f3b2146d5ce2ca84d423c0c75ff6941
SSDeep: 49152:O EyFtjSpaXaarPcGwkRD6LDM2MfWnDV70efoLgFoJ9n4Uose ROX2umDv Ah6G1:O EyFtjSpaqAPGkZe4DI570IUgFqj/yu
Size: 2671616 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: House Of Soft
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
zcontrol.exe:1984
ADOBED~1.EXE:636
net1.exe:964
net1.exe:1952
NET.exe:964
NET.exe:1648
Install Adobe Download Assistant.exe:1784
RAVCpl32.exe:1856
AIRRuntimeInstaller.exe:1896
reg.exe:1908
%original file name%.exe:184
regedit.exe:460
The Trojan injects its code into the following process(es):
Adobe AIR Installer.exe:1876
Adobe AIR Application Installer.exe:244
File activity
The process Adobe AIR Installer.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (613 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (3058 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
The process zcontrol.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe (2391085 bytes)
The process ADOBED~1.EXE:636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_256.png (10296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\Adobe Download Assistant.exe (142336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\hash (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_512.png (23712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_16.png (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_32.png (1053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.exe (163840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_128.png (4672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install Adobe Download Assistant.exe (130432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_48.png (1720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.dll (1700864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\setup.msi (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\application.xml (8351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\DownloadAssistant.swf (3237435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\signatures.xml (77205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_24.png (898 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp (0 bytes)
The process Install Adobe Download Assistant.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (35951824 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (86 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (1340 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (96 bytes)
The process RAVCpl32.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Realtek\tools.zip (668 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\IMG_359485_4215.jpg (102 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (228 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\unzip.exe (177685 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (0 bytes)
The process AIRRuntimeInstaller.exe:1896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (3464755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (9845456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (53421776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (1261461 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (6916456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (43585232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (33792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130408 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp (0 bytes)
The process Adobe AIR Application Installer.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\pca3-g5[1].crl (533 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\DD0A55570E581C3EAE83066FA036FA6B98C26BF9.crl (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CSC3-2010[1].crl (127784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\ThawteTimestampingCA[1].crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pca3[1].crl (933 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\A567C68FE225A8176819878924C6ED2B83D9C4D5.crl (119592 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (538 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\217583007B475EB7A649AEBCFC4EC3D0EBA3F228.crl (533 bytes)
The process %original file name%.exe:184 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\zcontrol.exe (2359341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ADOBED~1.EXE (2599096 bytes)
Registry activity
The process Adobe AIR Installer.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 AD 11 44 CC 03 7C F1 A3 CC 23 10 74 3D 15 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process zcontrol.exe:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 94 F1 EB 45 A9 A0 36 8B 60 76 09 5E A9 89 D4"
The process ADOBED~1.EXE:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 F9 22 1E 17 71 0B 11 32 CF C1 3A 2B 89 F8 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR1.tmp]
"Install Adobe Download Assistant.exe" = "Adobe Bootstrapping Utility"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings to map all local hosts whose names contain no dots and that are not assigned to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process net1.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 00 EF 4F 72 BF 9B 89 B1 D0 50 DB 02 F4 81 1D"
The process net1.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D D2 C4 60 60 7E 72 E7 27 3F 8B 1C E6 FD F8 BC"
The process NET.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 5D 4C 66 39 B5 74 E4 CE CB D1 F1 67 D8 6C F8"
The process NET.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 31 9E 14 C8 D0 37 14 AD E6 E6 1F 04 A0 23 B5"
The process Install Adobe Download Assistant.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 C8 36 FA 8D C8 74 24 C7 58 CA 7E A6 86 A0 56"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings to map all local hosts whose names contain no dots and that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process RAVCpl32.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 04 2C EB C7 A3 6E 1A 80 69 AC 3D 73 DF F3 C2"
The process AIRRuntimeInstaller.exe:1896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB EA 3F 4D 01 C2 2F 97 0C 40 AB 4A 90 DD 9A 3A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp]
"Adobe AIR Installer.exe" = "Adobe AIR Installer"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings to map all local hosts whose names contain no dots and that are not assigned to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process Adobe AIR Application Installer.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 23 86 88 69 93 04 B2 92 38 0A 8B BD 51 1B F2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings to map all local hosts whose names contain no dots and that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process reg.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"
The process %original file name%.exe:184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 6E AA F6 BF D2 70 95 D4 CF 32 8A 23 90 47 12"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process regedit.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 60 1A C1 A3 45 C2 1E 53 B1 69 78 37 ED 82 45"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HD Audio Driver" = "%WinDir%\explorer.exe %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe"
Network activity (URLs)
URL | IP |
---|---|
hxxp://a1396.b.akamai.net/air/3/nai/windows5.1/x86/installer | |
hxxp://pastebin.com/PF4F1NNN | 141.101.112.16 |
hxxp://dl-balancer.x.dropbox.com/s/qh9jjar5l0zxwu2/unzip.exe?dl=1 | |
hxxp://duc-balancer.x.dropbox.com/s/qh9jjar5l0zxwu2/unzip.exe?dl=1 | |
hxxp://dl-balancer.x.dropbox.com/s/f5gcg6shw7we4e6/tools.zip?dl=1 | |
hxxp://duc-balancer.x.dropbox.com/s/f5gcg6shw7we4e6/tools.zip?dl=1 | |
hxxp://a1396.b.akamai.net/air/3/nai/windows5.1/x86/installer.p7 | |
hxxp://a1180.g.akamai.net/prodSvce.crl | |
hxxp://a1180.g.akamai.net/cds.crl | |
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl | |
hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
crl.verisign.com | 23.60.133.163 |
airdownload.adobe.com | 204.93.47.196 |
csc3-2010-crl.verisign.com | 23.60.133.163 |
tss-geotrust-crl.thawte.com | 23.61.181.163 |
dl.dropboxusercontent.com | 50.19.234.162 |
crl.adobe.com | 157.238.74.137 |
dl.dropbox.com | 23.21.126.209 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Screenshot
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
zcontrol.exe:1984
ADOBED~1.EXE:636
net1.exe:964
net1.exe:1952
NET.exe:964
NET.exe:1648
Install Adobe Download Assistant.exe:1784
RAVCpl32.exe:1856
AIRRuntimeInstaller.exe:1896
reg.exe:1908
%original file name%.exe:184
regedit.exe:460
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (613 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (3058 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe (2391085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_256.png (10296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\Adobe Download Assistant.exe (142336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\hash (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_512.png (23712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_16.png (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_32.png (1053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.exe (163840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_128.png (4672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install Adobe Download Assistant.exe (130432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_48.png (1720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.dll (1700864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\setup.msi (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\application.xml (8351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\DownloadAssistant.swf (3237435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\signatures.xml (77205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_24.png (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (35951824 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (86 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (96 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\tools.zip (668 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\IMG_359485_4215.jpg (102 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (228 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\unzip.exe (177685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (3464755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (9845456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (53421776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (1261461 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (6916456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (43585232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (33792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\pca3-g5[1].crl (533 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\DD0A55570E581C3EAE83066FA036FA6B98C26BF9.crl (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CSC3-2010[1].crl (127784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\ThawteTimestampingCA[1].crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pca3[1].crl (933 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\A567C68FE225A8176819878924C6ED2B83D9C4D5.crl (119592 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\217583007B475EB7A649AEBCFC4EC3D0EBA3F228.crl (533 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\zcontrol.exe (2359341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ADOBED~1.EXE (2599096 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HD Audio Driver" = "%WinDir%\explorer.exe %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 43748 | 44032 | 4.53606 | 3aeb6fb8fe8ab95f2462e3afb8b8acd3 |
.data | 49152 | 8796 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
.rsrc | 61440 | 2621388 | 2621440 | 5.53826 | b84d3627e0386f424aaa050bd2a8c192 |
.reloc | 2682880 | 3480 | 3584 | 3.33168 | bc74eb2a181cf1029262828db6ac5b5d |
Network Activity
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker: