Skip to main content

TrojanPSW.Win32.Fareit_2bad0ff098


Trojan.Win32.Cutwail.cfc (Kaspersky), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 2bad0ff09870ff5f36b7e36bc4e3f01f

SHA1: c10d32a3fbfb5c87d02bf4ab9a723fff62111b2b

SHA256: c4ca4e69090043e88342521ac6a13f2a67c3c18872a8270cfd21e99c2caabf27

SSDeep: 768:RPrJP6jDA9Vv N0xbn4t7p6usoF36XEOR0Of:RVPCDAm0xb27pFs0KXEOR0Of

Size: 38400 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: SummerSoft

Created at: 2008-12-09 23:07:24

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):No processes have been created.The Trojan-PSW injects its code into the following process(es):

%original file name%.exe:1808

File activity

The process %original file name%.exe:1808 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@stepnet[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (27 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (225 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\cafxascijanu.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\wkhk[1].htm (1832 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (217 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msasys[1].txt (206 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\mibsga[1].htm (1100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\eygwindows.co[1].htm (1755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ixtractor[1].htm (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (19756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (30 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\teasing-video[1].htm (1055 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (16 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\racknstackwarehouse.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1808 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"2312304364" = "DD 07 0C 00 02 00 11 00 03 00 2E 00 0E 00 FF 01"

"AppManagement" = "B5 1A 65 3D 15 EC C4 9C 74 4C 97 6F 47 1F F6 CE"
"cafxascijanuzap" = "6E 46 1E F5 CD A5 7D 55 A0 78 50 28 00 D7 AF 87"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 1F 4C 0D 1B 30 9A 3A D0 09 F6 1E 01 1F 10 BA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cafxascijanu" = "%Documents and Settings%\%current user%\cafxascijanu.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://72.3.244.228/
hxxp://216.243.236.35/
hxxp://213.152.198.61/
hxxp://49.50.8.93/v02/
hxxp://65.181.70.3/
hxxp://217.27.254.150/
hxxp://5.9.94.34/
hxxp://182.48.49.195/
hxxp://209.160.23.206/
hxxp://173.248.156.34/
hxxp://60.191.129.142/
hxxp://198.171.234.61/
hxxp://193.104.35.207/
hxxp://platinumregistration.com/12.151.60.70
hxxp://canadienhorse.com/69.27.120.7
hxxp://signsbyyou.com/205.186.187.221
hxxp://virginiabeachhistory.org/216.117.143.48
hxxp://cadrexport.com/91.121.48.156
hxxp://192.220.97.141/
hxxp://99.192.139.59/
hxxp://amemarukun.com/122.152.128.132
hxxp://premiumfudge.com/69.5.0.127
hxxp://solartendas.com.br/187.108.194.152
hxxp://206.161.193.98/
hxxp://findersfayre.com/208.76.82.37
hxxp://chesterfieldchamber.com/50.62.148.216
hxxp://194.242.113.40/
hxxp://creativegraphicsindia.com/207.58.179.13
hxxp://cassidy.com/205.186.187.174
hxxp://lancohills.com/182.18.152.227
hxxp://cj-irinaka.com/210.172.144.247
hxxp://112.78.116.219/
hxxp://shokusen.co.jp/210.129.90.13
hxxp://aitom.cz/81.0.240.93
hxxp://orrhockey.com/209.196.155.206
hxxp://metalsaw.com/69.63.155.52
hxxp://computerlogicdirect.com/208.78.155.38
hxxp://198.171.14.144/
hxxp://dscbarcelona.com/82.98.164.2
hxxp://lindseycompany.com/38.113.1.157
hxxp://62.121.144.116/
hxxp://chasemeadow.com/217.199.187.62
hxxp://miniform.ru/31.31.207.7
hxxp://111.89.207.71/
hxxp://81.31.101.2/
hxxp://dronasoft.com/72.251.193.170
hxxp://bigmuddyumc.org/205.186.133.109
hxxp://210.188.201.42/
hxxp://hstechno.com/211.202.2.112
hxxp://borneodinawan.com/209.160.23.206
hxxp://imara-ing.com/213.195.69.220
hxxp://psiweb.org/82.165.41.45
hxxp://66.109.27.28/
hxxp://hamon.com/188.93.155.11
hxxp://backyardtirefire.com/199.59.157.102
hxxp://194.126.200.44/
hxxp://email.visionary.com/
hxxp://210.172.144.61/
hxxp://rogerturcotte.com/69.84.147.18
hxxp://takeuchinouen.com/210.172.144.21
hxxp://talkwireless.com/69.49.46.248
hxxp://209.238.103.16/
hxxp://67.210.119.235/
hxxp://euroherbal.com/212.166.68.8
hxxp://thepandapartnership.com/195.171.95.162
hxxp://prognos.com/80.74.154.246
hxxp://selc.com.au/150.60.10.97
hxxp://87.233.19.215/
hxxp://pegasogiochi.com/217.72.102.113
hxxp://213.230.215.202/
hxxp://darwin-tech.com/184.172.49.3
hxxp://94.23.212.160/
hxxp://theadlibgroup.com/69.90.163.140
hxxp://e-kanbe.com/202.122.142.40
hxxp://kbbrokerage.ca/208.92.232.210
hxxp://thekpmgroup.com/66.96.218.117
hxxp://e-genese.com/
hxxp://genquip.com.au/111.67.29.139
hxxp://cedartimbers.com/
hxxp://67.210.103.195/
hxxp://69.36.179.52/
hxxp://kalspo-japan.com/210.224.185.225
hxxp://ghostbusters.net/69.163.170.209
hxxp://79.96.73.253/
hxxp://80.51.22.5/
hxxp://69.56.229.158/
hxxp://85.214.100.84/
hxxp://72.249.28.100/
hxxp://83.65.246.237/
hxxp://holtans.no/212.33.133.94
hxxp://66.96.134.71/
hxxp://dineetje.nl/83.149.81.212
hxxp://businessassistance.com/173.237.185.32
hxxp://210.188.195.106/
hxxp://fphurley.co.uk/80.76.217.198
hxxp://ortodoncia.com.ec/199.231.93.57
hxxp://81.31.147.23/
hxxp://baggaley.co.uk/91.146.110.185
hxxp://webstroy.ru/83.222.3.128
hxxp://wetradenetwork.com/198.61.139.184
hxxp://103.9.168.166/
hxxp://uglassit.com/142.4.19.228
hxxp://archivists.com/202.181.99.40
hxxp://173.255.134.38/
hxxp://hotelmiamimilan.com/94.136.45.111
hxxp://gnetmail2.co.za/
hxxp://benefsnet.com/5.39.75.25
hxxp://worldcom.org/95.211.38.51
hxxp://tanjungbunga.com/144.76.202.231
hxxp://119.47.118.86/
hxxp://briangroce.com/207.198.118.49
hxxp://vsx-061.serverdedicati.it/
hxxp://networks2business.com/188.121.62.26
hxxp://realview.tv/217.69.43.28
hxxp://firstfreewichita.org/67.192.235.57
hxxp://middleage.org/208.112.45.106
hxxp://204.16.240.162/
hxxp://142.4.4.133/
hxxp://sargentsgardens.com/63.164.138.120
hxxp://146673-www3.conquerclub.com/
hxxp://vhosts11.aosoft.com/
hxxp://greatsea.com.sg/116.12.51.118
hxxp://borderloos.com/109.108.149.61
hxxp://aridor.net/193.238.208.73
hxxp://sterling-institute.com/
hxxp://jm-duterque.com/31.193.129.213
hxxp://ankauf-verkauf.de/46.4.72.218
hxxp://ostan.org/162.223.88.13
hxxp://kccop.org/128.121.194.248
hxxp://phc-pal.org/174.46.134.54
hxxp://kyokusen.com/210.172.144.246
hxxp://ns207670.ovh.net/
hxxp://66.29.156.131/
hxxp://lb07.virt.lolipop.jp/
hxxp://whatsyourangle.com/207.170.237.99
hxxp://208.70.244.160/
hxxp://66.181.240.100/
hxxp://darentasia.com/195.144.11.40
hxxp://acousticstage.org/211.132.107.2
hxxp://174.141.224.80/
hxxp://124.41.82.187/
hxxp://ivanica.net/149.255.58.41
hxxp://213.246.100.96/
hxxp://hlfiction.net/74.54.205.83
hxxp://96.234.178.45/
hxxp://smtp.nixe.biz/
hxxp://grand-prix-monaco.com/80.93.93.58
lopezshackleford.com212.113.128.232
stropiyer.com31.169.73.115
accentcare.com207.58.165.220
gtouk.org.uk82.147.20.69
jacksontrucks.com71.40.14.189
centralofficesource.com65.200.38.34
performancewearinc.com64.118.84.6
cubedesigners.com94.23.236.136
hkmagia.com216.22.14.93
pm-yachts.cz195.210.29.3
paginasamarillasec.com67.228.13.106
fmyamato.co.jp118.243.114.102
fishypussy.com99.192.158.18
cleanroomindiabase.com66.185.18.155
charlestonwirelessgroup.com208.43.1.92
acpwc.com64.207.189.226
spiroll.co.uk69.73.162.83
villanievillani.it62.149.196.186
isri-inc.com210.171.136.45
davidrm.com216.38.52.165
mdwyerlaw.com69.16.250.12
citrox.co.uk87.106.45.102
codupha.com.vn210.245.121.60
invention13.net173.192.57.176
likemybody.com188.165.129.91
attikainternational.com94.136.44.115
tabula.com198.171.14.144
compplanning.com198.46.91.115
acdcas.com96.31.47.154
buffclothing.co.uk94.136.45.223
happy-earth.com210.172.144.61
iglesiasimoveis.com.br75.119.213.58
foto-finito.com210.172.144.248
onlinecomic.de46.163.114.252
buildingdesignersaustralia.com.au208.109.236.231
aquabelles.com64.90.55.243
rishichem.com74.50.110.226
libercourt.com217.16.1.89
castlefieldgallery.co.uk178.250.51.129
spacecommander.de213.131.233.141
anadonaire.com5.39.16.97
sbt.com.trUnresolvable


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan-PSW file.
  3. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (586 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@stepnet[1].txt (219 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (260 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\mojacar-vacaciones[1].htm (876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (27 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\sydney[1].htm (357 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (73 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (210 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (15 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (225 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\fraser-high.school[1].htm (759 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (793 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (13 bytes)
    %Documents and Settings%\%current user%\cafxascijanu.exe (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\wkhk[1].htm (1832 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (217 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@msasys[1].txt (206 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\mibsga[1].htm (1100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\eygwindows.co[1].htm (1755 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (15 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ixtractor[1].htm (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (19756 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\sortedorganizing[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\teasing-video[1].htm (1055 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (16 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "cafxascijanu" = "%Documents and Settings%\%current user%\cafxascijanu.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps