InstallCore.b (fs) (VIPRE), Trojan.Win32.Sasfis.FDWebToolbar.Win32.InstallCore.FD (Lavasoft MAS)Behaviour: Trojan, WebToolbar
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 65807d2c8b5771b89f9a6b3756af98de
SHA1: 5c9554b4ce33692097c31f106f80a7cd9022d374
SHA256: 697c0c796e01ebf618b6892c050e24a65b20b5b4f74020e8f7d5d4b9bff8f9b4
SSDeep: 12288:d4BFtvhLsqMZxhsMjcUKtzdsEsdSDNRntC1/fn58qvueVWzGXuA:WEZxSzmnGNwH58qvxMzG3
Size: 663672 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: Firseria
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:444
The Trojan injects its code into the following process(es):
%original file name%.exe:1692
File activity
The process %original file name%.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\pause_btn.png (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1705941228\7051167_Setup.CIS (337250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\grey_btn.png (1320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\c1c90573e366fb4e7682fd08150c769c[1].htm (3123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\PC Speed Up (Russia)[1].jpg (1294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BACE1.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\bg2_ru[1].jpg (40674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\IE_logo[1].png (5406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\images\progress-bg-corner.png (1636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1705941228\sqlite3.dll (688072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\logo[1].png (37938 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\loader.gif (10819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\theme2_template8[1].css (1181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\grey_btn323.png (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\offer_big.png (1246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\bg4_ru[1].jpg (38758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\Sanasenesa_EN[1].png (45712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\blank[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\logo[2].png (12972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\color_btn.png (4222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\19026[1].gif (951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\bg3_us[1].jpg (44717 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006B9477.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\logo_new[1].png (4569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\theme2_template8[2].css (6007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\main.css (6325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\jquery.min[1].js (41378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\Mapayuy[1].png (19688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\bg.png (36329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\bg4_us[1].jpg (38678 bytes)
%Documents and Settings%\%current user%\àðñþчøù ÑÂÂтþû\Continue Kybtec World Clock Installation.lnk (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\bg.jpg (22125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\csshover3.htc (2893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\Sanasenesa_logo[1].png (7213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\Sponsored-Offer.png (3904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\close_hover.jpg (1685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CH_logo[1].png (4577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006B9717.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\progress.png (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\color_btn_hover.png (3743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BB666.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\grey_btn_hover.png (1333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\clkL.min[2].js (594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1705941228\1643772874.cfg (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\clkL.min[1].js (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\bg3_ru[1].jpg (37853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\progress_bar.png (520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\isf_7051210.flat (688400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1705941228\1282401253.cfg (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\bg1_us[1].jpg (21968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\bg1_ru[1].jpg (36122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\close_hover.png (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\c1c90573e366fb4e7682fd08150c769c[1] (1245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\bg[1].png (41675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\ie6_main.css (870 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\bootstrap_23075.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\locale\EN.locale (2148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\jquery.min[1].js (118484 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\progress.jpg (2973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BACD1.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\FF_logo[1].png (5025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\close.png (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\Seniser[1].png (54465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (1187960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\close.jpg (1725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\icon_generic.png (1906 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\addon[1].png (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\bg2_us[1].jpg (41588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006B7660.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\resume_btn.png (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\images\progress-bg.png (1105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\welcome_prod_box.png (221 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\006B9717.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BACE1.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BB666.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\isf_7051210.flat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\jquery.min[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006B9477.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\theme2_template8[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BACD1.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\clkL.min[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006B7660.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\bootstrap_23075.html (0 bytes)
Registry activity
The process %original file name%.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Óûðòýþõ üõýю"
"Common Documents" = "%Documents and Settings%\All Users\ÃÂâ€Âþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\ÃÂœþø ôþúуüõýты"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\ÃÂâ€Âþúуüõýты\ÃÂœþѠüу÷ыúð"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂÂтþû"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\ÃÂœþø ôþúуüõýты\ÃÂœþø рøÑÂÂуýúø"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Óûðòýþõ üõýю"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\ÃÂâ€Âþúуüõýты\ÃÂœþø òøôõþ÷ðÿøÑÂÂø"
"CommonPictures" = "%Documents and Settings%\All Users\ÃÂâ€Âþúуüõýты\ÃÂœþø рøÑÂÂуýúø"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 CB 73 AA A8 A4 17 E7 92 D9 C1 C7 90 40 61 82"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 65 24 40 9C 17 5A 7D 17 0B 29 88 68 58 99 13"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://d.adapd.com/widget/render/hash/c1c90573e366fb4e7682fd08150c769c | 66.216.77.22 |
| hxxp://googleapis.l.google.com/ajax/libs/jquery/1.7.1/jquery.min.js | |
| hxxp://d1zz5pu7f8sf8g.cloudfront.net/ico/19026.gif | |
| hxxp://kybtec.de/wbx01/dnl/wc/wc_01__2_3_3_12__dlsites01_non_01.exe | 68.71.132.252 |
| hxxp://os-slv-1323817372.us-west-2.elb.amazonaws.com/FindMySoft_V2/?v=3.0&c=7622049 | |
| hxxp://a1834.g1.akamai.net/js/widgets/clkL.min.js | |
| hxxp://a1834.g1.akamai.net/styles/widget/static/theme2_template8.css | |
| hxxp://a1834.g1.akamai.net/images/addons/icons/18859/PC Speed Up (Russia).jpg | |
| hxxp://a1834.g1.akamai.net/images/widget/2/addon.png | |
| hxxp://counter-817696455.us-east-1.elb.amazonaws.com/blank.gif?t=141299141171&h=c1c90573e366fb4e7682fd08150c769c&cids=idb | |
| hxxp://img.findmysoftcdn.com/img/Sanasenesa/Sanasenesa_EN.png | 199.58.87.155 |
| hxxp://img.findmysoftcdn.com/img/Seniser/Seniser.png | |
| hxxp://img.findmysoftcdn.com/ofr/sqlite3.cis (Malicious) | |
| hxxp://img.findmysoftcdn.com/img/_template/IE_logo.png | |
| hxxp://img.findmysoftcdn.com/img/_template/CH_logo.png | |
| hxxp://img.findmysoftcdn.com/img/_template/FF_logo.png | |
| hxxp://img.findmysoftcdn.com/img/Sanasenesa/Sanasenesa_logo.png | |
| hxxp://img.findmysoftcdn.com/img/Mapayuy/Mapayuy.png | |
| hxxp://img.findmysoftcdn.com/img/Sesakesaye/bg.png | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/bg1_us.jpg | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/bg2_us.jpg | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/logo.png | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/bg3_us.jpg | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/bg4_us.jpg | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/bg1_ru.jpg | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/bg2_ru.jpg | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/bg3_ru.jpg | |
| hxxp://img.findmysoftcdn.com/img/Rulilap/bg4_ru.jpg | |
| hxxp://img.findmysoftcdn.com/img/Rerarapepe/logo.png | |
| hxxp://img.findmysoftcdn.com/img/Rerarapepe/logo_new.png | |
| counter.d.adapd.com | 184.73.221.87 |
| ajax.googleapis.com | 74.125.143.95 |
| cdnus.findmysoftcdn.com | 199.58.87.151 |
| os.findmysoftcdn.com | 54.212.249.225 |
| cdneu.findmysoftcdn.com | 146.185.27.53 |
| cdn.adapd.com | 23.3.91.67 |
| img.findmysoft.com | 205.251.219.10 |
IDS verdicts
Dropped PE files
| MD5 | File path |
|---|---|
| fd3bd02c9334a382df8c4e9fbe6fe368 | c:\Documents and Settings\test\Local Settings\Temp\is1705941228\sqlite3.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Screenshot
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:444
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\pause_btn.png (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1705941228\7051167_Setup.CIS (337250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\grey_btn.png (1320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\c1c90573e366fb4e7682fd08150c769c[1].htm (3123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\PC Speed Up (Russia)[1].jpg (1294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BACE1.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\bg2_ru[1].jpg (40674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\IE_logo[1].png (5406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\images\progress-bg-corner.png (1636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1705941228\sqlite3.dll (688072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\logo[1].png (37938 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\loader.gif (10819 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\theme2_template8[1].css (1181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\grey_btn323.png (1843 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\offer_big.png (1246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\bg4_ru[1].jpg (38758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\Sanasenesa_EN[1].png (45712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\blank[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\logo[2].png (12972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\color_btn.png (4222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\19026[1].gif (951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\bg3_us[1].jpg (44717 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006B9477.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\logo_new[1].png (4569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\theme2_template8[2].css (6007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\main.css (6325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\jquery.min[1].js (41378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\Mapayuy[1].png (19688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\bg.png (36329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\bg4_us[1].jpg (38678 bytes)
%Documents and Settings%\%current user%\àðñþчøù ÑÂÂтþû\Continue Kybtec World Clock Installation.lnk (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\bg.jpg (22125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\csshover3.htc (2893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\Sanasenesa_logo[1].png (7213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\Sponsored-Offer.png (3904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\close_hover.jpg (1685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CH_logo[1].png (4577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006B9717.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\progress.png (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\color_btn_hover.png (3743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BB666.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\grey_btn_hover.png (1333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\clkL.min[2].js (594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1705941228\1643772874.cfg (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\clkL.min[1].js (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\bg3_ru[1].jpg (37853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\progress_bar.png (520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\isf_7051210.flat (688400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1705941228\1282401253.cfg (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\bg1_us[1].jpg (21968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\bg1_ru[1].jpg (36122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\close_hover.png (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\c1c90573e366fb4e7682fd08150c769c[1] (1245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\bg[1].png (41675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\ie6_main.css (870 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\bootstrap_23075.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\locale\EN.locale (2148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\jquery.min[1].js (118484 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\progress.jpg (2973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006BACD1.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\FF_logo[1].png (5025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\close.png (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\Seniser[1].png (54465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (1187960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\close.jpg (1725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\icon_generic.png (1906 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\addon[1].png (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\bg2_us[1].jpg (41588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\006B7660.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\resume_btn.png (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\css\sdk-ui\images\progress-bg.png (1105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish7042671\images\welcome_prod_box.png (221 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 679936 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 684032 | 618496 | 617984 | 5.49553 | 1586fdff38c07c4689c7bb3e95f8cec8 |
| .rsrc | 1302528 | 40960 | 38912 | 3.99962 | 907e5adffdd16efd66e1ac7aed1145f7 |
Network Activity
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker: