Worm.Win32.Esfury_f46981183c – Adaware

Trojan.Win32.VB.ateo (Kaspersky), Worm.Win32.Esfury (VIPRE), Backdoor.Win32.VB!IK (Emsisoft), GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: f46981183cedb0ecf4e029c6db0782f9

SHA1: 9f924efe39965bf534475dbba27afc03da4e82f3

SHA256: 12bd3946dc30d4fc1366a003fd6efd40c398658624a58e6e6ef1b0ffa66fe5c8

SSDeep: 3072:M 244PtNpyyvgeMPUs200moFrCjjq1awEK5Owdoutq:x4VvyyvtoS

Size: 228352 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualBasicv50v60, UPolyXv05_v6

Company: WinterSoft

Created at: 1999-08-26 14:54:06

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

File activity

Registry activity

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 22953 bytes in size. The following strings are added to the hosts file listed below:

173.201.178.105	viabcp.com
173.201.178.105	www.viabcp.com
173.201.178.105	bcpzonasegura.viabcp.com
173.201.178.105	bn.com.pe
173.201.178.105	www.bn.com.pe
153.132.76.177	iniciorapido.info
129.84.152.203	www.iniciorapido.info
118.117.54.242	buscalo.in
120.230.36.107	www.buscalo.in
15.101.32.52	buscafacil.com
180.121.108.78	www.buscafacil.com
169.154.10.118	emsisoft.com
239.12.249.50	ahnlab.com
66.139.244.251	antivir.es
42.90.65.210	antiy.net
31.123.222.61	authentium.com
33.237.137.181	avast.com
184.176.200.127	avg.com
92.128.21.85	bitdefender.com
81.160.178.192	quickheal.com
151.18.93.56	clamav.net
234.145.157.2	comodo.com
142.165.233.28	drweb.com
131.198.135.67	aladdin.com
201.55.49.188	ca.com
96.182.113.133	f-prot.com
5.134.189.159	f-secure.com
250.235.91.199	fortinet.com
64.25.6.63	gdata.es
147.219.69.8	ikarus.at
55.171.146.35	jiangmin.com
44.204.47.74	kaspersky.com
114.62.218.6	mcafee.com
9.1.25.140	microsoft.com
173.209.102.166	eset.es
162.241.3.17	norman.com
232.99.174.137	nprotect.com
59.226.238.83	pandasecurity.com
223.246.58.41	pctools.com
212.23.148.148	prevx.com
26.68.130.13	rising-global.com
109.7.126.214	sophos.com
86.215.14.240	sunbeltsoftware.com
75.248.104.24	symantec.com
77.106.87.144	hacksoft.com.pe
228.44.82.89	trendmicro.com
136.252.227.116	anti-virus.by
125.29.60.155	hauri.net
195.143.43.19	virusbuster.hu
22.14.38.221	www.emsisoft.com
254.34.115.247	www.ahnlab.com
243.66.16.30	www.antivir.es
245.112.255.150	www.antiy.net
140.51.251.96	www.authentium.com
48.3.71.122	www.avast.com
37.36.229.229	www.avg.com
107.149.211.94	www.bitdefender.com
190.88.207.39	www.quickheal.com
99.40.27.253	www.clamav.net
88.73.185.105	www.comodo.com
158.187.168.225	www.drweb.com
53.58.163.170	www.aladdin.com
217.77.240.129	www.ca.com
206.110.141.236	www.f-prot.com
20.224.124.100	www.f-secure.com
103.95.119.46	www.fortinet.com
11.47.196.72	www.gdata.es
0.79.97.111	www.ikarus.at
70.193.80.231	www.jiangmin.com
153.132.76.177	www.kaspersky.com
129.84.152.203	www.mcafee.com
118.117.54.242	www.microsoft.com
120.230.36.107	www.eset.es
15.101.32.52	www.norman.com
180.121.108.78	www.nprotect.com
169.154.10.118	www.pandasecurity.com
239.12.249.50	www.pctools.com
66.139.244.251	www.prevx.com
42.90.65.210	www.rising-global.com
31.123.222.61	www.sophos.com
33.237.137.181	www.sunbeltsoftware.com
184.176.200.127	www.symantec.com
92.128.21.85	www.hacksoft.com.pe
81.160.178.192	www.trendmicro.com
151.18.93.56	www.anti-virus.by
234.145.157.2	www.hauri.net
142.165.233.28	www.virusbuster.hu
131.198.135.67	www.emsisoft.com
201.55.49.188	www.anti-trojan.net
96.182.113.133	malwarescan.emsisoft.com
5.134.189.159	forum.emsisoft.com
250.235.91.199	www.emsisoft.net
64.25.6.63	www.emsisoft.it
147.219.69.8	www.emsisoft.de
55.171.146.35	www.anti-trojan-software.net
44.204.47.74	mamutu.com
114.62.218.6	www.emsisoft.es
9.1.25.140	malwarescan.emsisoft.de
173.209.102.166	ww.emsisoft.com
162.241.3.17	www.emsisoft.fr
232.99.174.137	www.emsisoft.nl
59.226.238.83	onlinecheck.emsisoft.com
223.246.58.41	onlinecheck.emsisoft.de
212.23.148.148	www.emsisoft.org
26.68.130.13	scan.anti-trojan.net
109.7.126.214	www.trojaner.info
86.215.14.240	onlinecheck.emsisoft.org
75.248.104.24	onlinecheck.emsisoft.net
77.106.87.144	blitzblank.com
228.44.82.89	www.emsisoft.at
136.252.227.116	www.emsisoft.jp
125.29.60.155	www.mamutu.com
195.143.43.19	malwarescan.emsisoft.es
22.14.38.221	www.mamutu.de
254.34.115.247	download5.emsisoft.com
243.66.16.30	download1.emsisoft.com
245.112.255.150	download4.emsisoft.com
140.51.251.96	global.ahnlab.com
48.3.71.122	www.hackshields.com
37.36.229.229	www.internationalservicecheck.com
107.149.211.94	www.irangoals.com
190.88.207.39	ixomodels.com
99.40.27.253	www.indielisboa.com
88.73.185.105	www.latin-mass-society.org
158.187.168.225	www.arpia.be
53.58.163.170	www.owen.org
217.77.240.129	www.prdouglas.co.uk
206.110.141.236	www.zarya.info
20.224.124.100	www.willsee.com
103.95.119.46	halmapr.com
11.47.196.72	karuna-shechen.org
0.79.97.111	www.barder.com
70.193.80.231	www.antivir.es
153.132.76.177	www.buraka.tv
129.84.152.203	www.dr-bull.com
118.117.54.242	www.manchester-offices.co.uk
120.230.36.107	saverssite.com
15.101.32.52	canada.karuna-shechen.org
180.121.108.78	developmentdrums.org
169.154.10.118	www.imddomains.co.uk
239.12.249.50	cutlines.org
66.139.244.251	elblogdemanu.com
42.90.65.210	ruben.bzin.net
31.123.222.61	welkam.co.jp
33.237.137.181	www.cambridge-steiner-school.co.uk
184.176.200.127	naturesimages.net
92.128.21.85	www.1stavenuelimousines.co.uk
81.160.178.192	www.mtr-design.com
151.18.93.56	dev.depeuter.org
234.145.157.2	www.emeraldclassic.co.uk
142.165.233.28	www.peterhearnwaste.co.uk
131.198.135.67	etrr.co.uk
201.55.49.188	www.avoncourt.com
96.182.113.133	sarahmcconnellphotography.net
5.134.189.159	www.ixomodels.com
250.235.91.199	natsko.com
64.25.6.63	www.nottinghampoetryseries.com
147.219.69.8	www.sheffieldmind.co.uk
55.171.146.35	ixostore.ixomodels.com
44.204.47.74	www.flairweddings.co.uk
114.62.218.6	www.fimasys.com
9.1.25.140	cohartuk.com
173.209.102.166	qqjkw.net
162.241.3.17	vivo-austin.com
232.99.174.137	www.freeality.com
59.226.238.83	bestofewan.com
223.246.58.41	www.handwritingforkids.com
212.23.148.148	cowsmo.com
26.68.130.13	www.2xlgames.com
109.7.126.214	kimzimmer.net
86.215.14.240	basetendencies.com
75.248.104.24	trackingtheworld.com
77.106.87.144	www.reviewsofbooks.com
228.44.82.89	www.collectedcurios.com
136.252.227.116	www.renningers.com
125.29.60.155	ccslaughterspdx.com
195.143.43.19	www.briarhurst.com
22.14.38.221	www.smf.org
254.34.115.247	ribbonwarehouse.com
243.66.16.30	www.garryowen.com
245.112.255.150	45pounds.com
140.51.251.96	isotopecomics.com
48.3.71.122	roysephotos.com
37.36.229.229	www.stadiumpage.com
107.149.211.94	www.elvis-express.com
190.88.207.39	www.tomorrowsedge.net
99.40.27.253	www.beautybar.com
88.73.185.105	pineleafboys.com
158.187.168.225	www.mountainlakeslodge.com
53.58.163.170	pvtc.org
217.77.240.129	bhsbees.com
206.110.141.236	baristamagazine.com
20.224.124.100	www.gokidding.com
103.95.119.46	defalcos.com
11.47.196.72	www.celticmerchant.com
0.79.97.111	www.hxproduction.com
70.193.80.231	www.wellgousa.com
153.132.76.177	blog.titanium-jewelry.com
129.84.152.203	www.brightoctober.com
118.117.54.242	hishomeforchildren.com
120.230.36.107	www.phoenixtrikeworks.com
15.101.32.52	www.professorbeyer.com
180.121.108.78	www.secondchanceboxer.com
169.154.10.118	www.residentphotography.com
83.112.92.150	woottonfootball.com
166.238.88.95	www.deborahshelton.net
142.190.165.53	bobbondart.com
131.223.66.161	www.authentium.com
133.81.237.25	asap.authentium.com
28.20.44.226	www.authentium.com.au
192.227.121.185	avast.com
181.4.22.36	www.avast.com
251.118.193.156	files.avast.com
78.245.1.102	download535.avast.com
242.9.77.128	avg.com
231.42.235.167	www.avg.com
45.155.149.32	grisoft.com
196.26.213.233	www.grisoft.com
104.234.33.3	antivirus-tools.com
93.79.191.43	archive.bitdefender.com
164.125.105.163	avx.rob-have.net
247.63.169.108	b-have.orgbitdefender-ar.com
155.15.246.134	bitdefender.com
144.48.147.174	bitdefender.org
214.162.62.106	bitdefenderchina.com
109.101.125.239	bitdefenderguatemala.com
17.52.202.10	bitdefendermalaysia.com
6.85.103.117	bitdefendertaiwan.com
76.199.18.237	bitdefenderuruguay.com
159.70.81.183	bitdefenderusa.com
67.90.158.141	buy.bitdefender-es.com
56.123.248.248	buy.bitdefender.com
126.168.230.113	buy.bitdefender.de
209.107.226.58	de.bitdefender.com
185.59.114.84	fr.bitdefender.com
174.92.204.124	futurenow.bitdefender.com
245.18.254.56	it.bitdefender.com
140.212.250.1	jobs.bitdefender.com
48.164.139.27	kb.bitdefender.com
37.197.228.67	kb.bitdefender.de
107.55.211.187	kb.bitdefender.us
190.182.206.132	latin.bitdefender.com
166.201.27.159	linux.bitdefender.com
155.234.184.198	malwarecity.com
157.24.167.62	malwarecity.netmalwarecity.org
52.219.162.8	malwarepedia.com
216.171.239.34	neunet.orgnews.bitdefender.com
205.204.141.141	nl.bitdefender.com
19.61.123.6	renewals.bitdefender.com
102.0.119.207	sales.bitdefender.com
10.208.195.165	square.bitdefender.com
255.241.97.17	store.bitdefender.com
70.99.79.137	store.de.bitdefender.com
221.225.75.82	us.bitdefender.com
129.245.152.40	virusscanonline.net
118.22.53.148	wedoantivirus.com
188.136.36.12	www.antivirus-tools.com
15.7.31.213	www.avx.ro
179.214.108.240	www.bit-defender.de
168.247.9.23	www.bitdefende.de
238.105.248.143	www.bitdefender-es.com
65.44.243.89	www.bitdefender.be
41.252.64.115	www.bitdefender.cl
30.29.222.154	www.bitdefender.co.uk
32.142.204.19	www.bitdefender.com
183.13.200.220	www.bitdefender.com.au
91.33.20.246	www.bitdefender.com.sg
148.134.246.98	www.bitdefender.com.tw
219.248.228.30	www.bitdefender.com.vn
46.118.224.231	www.bitdefender.de
22.70.45.189	www.bitdefender.es
11.103.202.41	www.bitdefender.fr
13.217.117.161	www.bitdefender.hk
164.156.180.106	www.bitdefender.us
72.107.1.65	www.bitdefenderme.com
61.140.158.172	www.malwarecity.com
131.254.73.36	www.malwarecity.fr
214.125.136.238	quickheal.com
122.145.213.8	www.quickheal.com
111.177.115.47	www.clamav.net
181.35.29.168	cgi.clamav.net
76.162.93.113	lurker.clamav.net
240.114.169.139	wwws.clamav.net
229.215.71.179	lists.clamav.net
44.5.241.43	bugs.clamav.net
127.199.49.244	system-cleaner.comodo.com
35.151.126.14	backup.comodo.com
24.184.27.54	www.comodoantispam.com
94.42.198.242	easy-vpn.comodo.com
245.237.5.119	www.trustlogo.com
153.188.82.146	ztl.comodo.com
210.33.51.65	www.livepcsupport.com
24.147.222.185	www.whichssl.com
107.18.29.131	www.trustix.com
15.38.106.89	disk-encryption.comodo.com
4.70.196.196	speedtest.comodo.com
74.116.178.61	www.contentverification.com
157.55.174.6	idauthority.com
133.7.62.32	www.comodo.tv
122.40.152.72	online-backup.comodo.com
125.154.134.192	www.testmypcsecurity.com
20.92.130.137	www.ccssforum.org
184.44.19.163	i-vault.comodo.com
173.77.108.203	internetsecurity.comodo.com
243.191.91.67	www.comodopartners.com
70.62.86.12	timestamp.comodoca.com
46.81.163.39	secure-email.comodo.com
35.114.64.78	timestamp.wosign.com
37.160.47.198	rover800.gaima.co.uk
188.99.42.144	www.nsclean.com
96.51.119.170	www.contentverification.com
85.83.21.21	new-estore.drweb.com
155.197.3.142	support.drweb.com
238.136.255.87	pda.drweb.com
146.88.75.45	updates.drweb.com
135.121.233.153	drweb.com
206.235.215.17	vms.drweb.com
101.105.211.218	solutions.drweb.com
9.125.32.176	news.drweb.com
254.158.189.28	my.drweb.com
68.16.172.148	buy.drweb.com
151.143.167.93	products.drweb.com
95.131.24.156	new-support.drweb.com
84.163.181.195	promotions.drweb.com
154.21.164.59	network.drweb.com
237.216.160.5	customers.drweb.com
213.168.236.31	store.drweb.com
202.201.138.70	company.drweb.com
204.58.120.191	training.drweb.com
99.185.116.136	license.drweb.com
7.205.192.162	cureit.ru
253.238.94.202	free.drweb.com
67.96.76.134	info.drweb.com
150.222.72.79	new-partners.drweb.com
126.174.149.38	drweb.net
115.207.50.145	new-company.drweb.com
117.65.221.9	new-beta.drweb.com
12.4.28.210	new-forum.drweb.com
176.212.105.169	secure.av-desk.com
165.244.6.20	www.av-desk.com
235.102.177.140	new-solutions.drweb.com
62.229.241.86	new-www.drweb.com
226.249.61.112	www.freedrweb.ru
215.26.219.151	daniloff.net
29.139.133.16	drweb-inside.com
180.10.197.217	drwebinside.com
88.218.17.243	aladdin.com
78.63.175.27	alladdin.ru
148.109.89.147	chickensroamfree.com
231.47.153.92	ealaddin.net
207.67.42.187	ealaddin.orgeshop.aladdin.com
196.100.199.226	secureme.com
10.214.114.158	www.aks.com
161.153.177.35	www.aladdin.com
69.104.254.62	www.ealaddin.com
58.137.155.169	www.ealaddin.com
128.251.70.33	auwww.ealaddin.nl
211.122.134.235	www.esafe.com
119.142.210.193	www.hasp.se
108.175.44.44	www.safenet-inc.com
178.220.26.165	www3.safenet-inc.com
5.159.22.110	www.ca.com
237.111.166.136	cacomvip.ca.com
227.144.0.244	www.netegrity.com
41.70.50.108	search.ca.com
192.8.46.53	cai.com
100.216.191.80	www.f-prot.com
89.249.24.119	frisk-software.com
159.107.7.239	www.frisk.is
242.234.2.184	www.frisk-software.com
218.253.79.211	f-secure.com
207.30.236.250	f-secure.frf-secure.hk
209.76.219.114	f-secure.nlfsecure.com
104.15.215.60	fsecure.nlwebyard.com
12.223.35.86	www.f-secure.com
1.0.193.193	www.fsecure.com
71.113.175.58	www.virus.fi
154.52.171.3	fortihero.com
62.4.247.217	fortilog.com
52.37.149.69	fortinet.co.at
122.151.131.189	fortinet.com
17.21.127.134	fortiprotect.com
181.41.204.161	fortiwifi.com
238.142.173.12	www.apsecure.com
52.0.156.132	www.fortifed.com
135.127.151.77	www.fortiid.com
43.78.228.104	www.fortimail.com
32.111.129.143	www.fortinet-apac.com
75.198.85.236	www.fortinet.ch
158.137.81.182	www.fortinet.co.il
134.89.157.208	www.fortinet.com
123.122.59.247	www.fortinet.com
125.235.41.112	arwww.fortinet.cz
20.106.37.57	www.fortinet.net
184.126.113.83	www.fortinet.nl
174.159.15.123	www.fortinet.sg
244.17.253.55	www.fortinetuk.com
71.143.249.0	www.secure-elements.com
47.95.70.215	gdata.es
104.196.39.134	www.gdata.es
106.54.210.254	ikarus.at
1.249.17.199	www.ikarus.at
165.200.94.158	global.jiangmin.com
154.233.251.9	jiangmin.com.cn
224.91.166.129	jiangmin.com
51.218.230.75	www.jiangmin.com.cn
215.238.50.101	www.kaspersky.com
204.15.208.140	forum.kaspersky.com
18.128.122.5	support.kaspersky.co
169.255.186.206	usa.kaspersky.com
77.207.6.232	brazil.kaspersky.com
134.120.232.84	latam.kaspersky.com
205.166.146.204	kaspersky.com
32.104.210.149	me.kaspersky.com
196.56.31.175	images.kaspersky.com
185.89.188.215	www.mcafee.com
255.203.103.147	support.mcafee.com
150.142.166.24	msr.mcafee.com
58.93.243.51	home.mcafee.com
47.126.144.158	networkassociates.com
185.52.127.90	us.mcafee.com
12.179.190.36	tr.mcafee.com
176.199.11.250	au.mcafee.com
165.232.101.101	mx.mcafee.com
235.21.83.222	networkassociates.nai.com
62.216.79.167	go.mcafee.com
38.168.223.193	fr.mcafee.com
27.201.57.233	uk.mcafee.com
30.59.39.97	de.mcafee.com
181.253.35.42	obscgi.mcafee.com
89.205.180.68	nai.com
78.238.13.212	www.entercept.com
252.200.100.76	jp.mcafee.com
79.71.95.21	mcafeeb2b.com
55.91.172.48	cn.mcafee.com
44.123.73.87	service.mcafee.com
46.169.56.207	br.mcafee.com
197.108.52.153	www.mcafee.at
105.60.128.179	mcafeeretail.com
94.93.30.30	it.mcafee.com
164.206.12.151	tw.mcafee.com
247.145.8.96	privacy.microsoft.com
155.97.84.54	tempuri.org
145.130.242.162	schemas.xmlsoap.org
215.244.225.26	www.microsoft.com
110.114.220.227	specs.xmlsoap.org
86.202.109.254	www.eugrantsadvisor.ie
75.235.10.105	schemas.microsoft.com
145.93.249.225	encarta.msn.com
228.220.244.170	www.sysinternals.com
136.172.65.197	grv.microsoft.com
125.204.222.236	www.xmlsoap.org
195.62.205.100	www.eugrantsadvisor.se
90.69.13.114	www.eugrantsadvisor.com
66.21.89.140	research.microsoft.com
55.54.247.179	www.engyro.com
57.167.229.44	www.exchangeyourcareer.com
208.38.225.245	www.eugrantsadvisor.de
116.58.45.15	exchangeyourcareer.net
106.91.203.55	eugrantsadvisor.de
176.205.185.243	eugrantsadvisor.cz
3.75.181.188	www.eset.es
235.27.2.147	demos.eset.es
224.60.159.254	descargas.eset.es
70.18.174.218	blogs.protegerse.com
221.213.237.163	eos.eset.es
129.164.58.122	pedidos.protegerse.com
186.9.27.41	reg-int.nod32-es.com
0.123.198.161	reg.eset.es
83.250.5.107	vicentevirtual.com
247.14.82.133	cou85.com
236.46.240.172	www.norman.com
50.160.154.37	fsc.norman.com
201.31.218.238	nprobeta.norman.com
109.239.38.8	register.norman.com
98.84.196.47	webadmin.norman.no
168.130.110.168	sandbox.norman.com
252.136.242.181	www.nprotect.com
228.88.62.207	global.nprotect.com
217.121.220.247	www.nprotect.co.kr
31.235.135.179	www.npin.co.kr
182.174.198.56	siren24.nprotect.com
90.125.19.83	15660808.co.kr
79.158.176.190	biz.nprotect.com
149.16.91.54	nprotect.net
232.143.154.0	www.nprotect.com.br
140.163.231.214	liveprotect.net
129.195.65.65	nprotect.seoul.go.kr
11.53.115.254	chollian.nprotect.co.kr
94.248.111.199	www.pandasecurity.com
70.200.255.225	research.pandasecurity.com
59.233.89.8	support.pandasecurity.com
61.90.71.129	pandalabs.pandasecurity.com
249.65.103.110	pandasecurity.com
157.17.248.136	mop.pandasecurity.com
146.50.81.176	timeforyourbusi.pandasecurity.com
216.164.64.40	cybercrime.pandasecurity.com
43.35.59.241	free.pandasecurity.com
19.54.136.12	cloudprotection.pandasecurity.com
8.87.37.51	shop.pandasecurity.com
10.133.20.171	soporte.pandasecurity.com
161.72.15.117	together.pctools.com
69.24.92.143	www.prevx.com
58.57.250.250	info.prevx.com
128.170.232.115	free.prevx.com
211.109.228.60	spywarefiles.prevx.com
119.61.48.18	spywaredlls.prevx.com
108.94.206.126	shield.prevx.com
179.208.188.246	www.prevx1.com
74.78.184.191	howsafeismypc.com
50.166.73.217	www.retento.com
39.199.230.69	www.freerav.com
109.57.213.189	www.rising-global.com
192.184.208.134	www.risingav.com.au
100.135.29.161	support.rising-global.com
89.168.186.200	superboy2010.com.au
159.26.169.64	www.sophos.com
242.221.164.10	feeds.sophos.com
218.173.241.36	esp.sophos.com
207.205.143.75	cn.sophos.com
209.63.125.196	tw.sophos.com
104.190.121.141	kr.sophos.com
12.210.197.167	sophos.com
1.243.99.207	podcasts.sophos.com
72.101.81.139	www.sunbeltsoftware.com
155.227.77.84	go.sunbeltsoftware.com
131.179.154.42	oem.sunbeltsoftware.com
120.212.55.150	antispam.sunbeltsoftware.com
122.70.226.14	antispyware.sunbeltsoftware.com
17.9.33.215	antivirus.sunbeltsoftware.com
181.216.110.174	sunbeltsoftware.com
170.249.11.25	shop.sunbeltsoftware.com
240.107.182.145	live.sunbeltsoftware.com
67.234.245.91	firewall.sunbeltsoftware.com
231.254.66.117	www.symantec.com
220.30.224.156	security.symantec.com
34.144.138.21	securityrespons.symantec.com
185.15.202.222	service1.symantec.com
93.223.22.248	enterprisesecur.symantec.com
82.68.180.32	eval.symantec.com
153.114.94.152	symantec.com
48.120.226.165	definitions.symantec.com
212.72.47.191	investor.symantec.com
201.105.204.231	et.symantec.com
15.219.119.163	sfdoccentral.symantec.com
166.158.182.40	servicenews.symantec.com
74.109.3.67	securityrespons.symantec.com
63.142.160.174	sea.symantec.com
133.0.75.38	go.symantec.com
216.127.138.240	dell.symantec.com
124.147.215.198	sun.symantec.com
113.179.49.49	marian.symantec.com
183.225.31.170	tms.symantec.com
10.164.27.115	securitycheck.symantec.com
242.116.171.141	smallbiz.symantec.com
231.149.5.181	www.symantec.com
234.7.243.45	visualtracking.symantec.com
129.201.239.246	search.symantec.com
37.153.128.16	liveupdate.symantec.com
26.186.217.56	sitedirector.symantec.com
96.44.200.176	edm.symantec.com
179.171.195.121	hostedmailsecur.symantec.com
155.190.16.148	www4.symantec.com
144.223.173.187	education.symantec.com
146.13.156.51	vos.symantec.com
41.208.151.65	www.hacksoft.com.pe
17.228.40.91	hacksoft.pe
6.4.198.198	www.hacksoft.pe
76.118.180.63	housecall.trendmicro.com
159.57.176.8	www.trendmicro.com
67.9.252.222	housecall65.trendmicro.com
56.42.154.73	us.trendmicro.com
126.156.136.194	blog.trendmicro.com
22.26.132.139	emea.trendmicro.com
186.46.209.97	housecall60.trendmicro.com
175.79.110.205	jp.trendmicro.com
245.193.93.69	de.trendmicro.com
72.64.88.14	it.trendmicro.com
236.15.165.41	itw.trendmicro.com
225.48.66.80	esupport.trendmicro.com
39.162.49.200	es.trendmicro.com
122.101.44.146	br.trendmicro.com
98.53.121.172	tw.trendmicro.com
59.58.251.184	la.trendmicro.com
62.172.233.48	uk.trendmicro.com
213.42.229.249	ru.trendmicro.com
121.62.50.19	smbstore.trendmicro.com
110.95.207.59	apac.trendmicro.com
180.209.190.247	store.trendmicro.com
7.80.185.192	training.trendmicro.com
239.31.6.151	trial.trendmicro.com
228.64.163.2	ushousecall02.trendmicro.com
230.178.78.122	subwiz.trendmicro.com
125.117.141.68	go.trendmicro.com
33.69.218.26	feeds.trendmicro.com
22.101.120.133	channelpartner.trendmicro.com
92.215.34.254	wtc.trendmicro.com
175.86.98.199	shop.trendmicro.com
83.106.174.225	fr.trendmicro.com
72.139.76.9	threatinfo.trendmicro.com
143.253.246.129	newsletters.trendmicro.com
38.123.54.74	www.anti-virus.by
202.75.131.100	bg.virusblokada.com
191.176.32.140	www.vba.com.by
5.222.203.4	beta.anti-virus.by
88.161.10.205	www.bg.virusblokada.com
252.112.87.232	www.hauri.net
241.145.244.15	www.hauri.co.kr
55.3.159.203	company.hauri.net
206.198.222.81	www.globalhauri.com
114.150.43.107	shop.hauri.co.kr
171.250.13.26	hauri.co.kr
241.108.183.147	pg.hauri.net
68.235.247.92	esecurity.livecall.co.kr
232.255.67.50	mall.hauri.co.kr
221.32.157.158	company.hauri.co.kr
35.78.139.22	haurijapan.com
119.16.135.223	virobot.co.kr
95.224.24.249	www.virusbuster.hu
84.1.113.33	virusbuster.hu
86.115.96.153	scanner.novirusthanks.org
237.54.91.98	scanner2.novirusthanks.or
145.5.236.125	novirusthanks.org
134.38.69.164	www.novirusthanks.org
204.152.52.28	virustotal.com
99.91.115.42	www.virustotal.com
75.111.192.68	virscan.org
64.143.94.107	www.virscan.org
66.189.76.228	virusscan.jotti.org
217.128.72.173	jotti.org
125.80.148.199	www.jotti.org
114.113.50.50	viruschief.com
184.227.32.171	www.viruschief.com
12.165.28.116	scanner.virus.org
244.185.173.142	virus.org
233.218.74.250	www.virus.org
47.76.57.114	scan4you.net
198.203.52.59	www.scan4you.net
106.222.129.18	avhide.com
131.35.66.161	www.avhide.com
201.149.49.25	anubis.iseclab.org
28.20.45.227	iseclab.org
192.228.121.253	www.iseclab.org
181.5.23.36	threatexpert.com
251.118.5.157	www.threatexpert.com
78.57.1.102	forospyware.com
54.9.77.128	www.forospyware.com
43.42.235.168	in.answers.yahoo.com
114.224.29.100	es.answers.yahoo.com
9.94.25.45	kioskea.net
173.114.102.71	www.kioskea.net
162.147.3.111	es.kioskea.net
232.5.242.43	mygeekside.com
59.132.237.244	www.mygeekside.com
35.83.58.203	www.tecniservicioslys.com
92.184.27.122	tecniservicioslys.com
94.42.198.242	virusfreezone.info
245.237.5.188	www.virusfreezone.info
153.189.82.146	intranet.cidiroax.ipn.mx
142.222.240.253	spycheck.es
212.79.154.118	www.spycheck.es
39.206.218.63	antivirus.hispavista.com
203.226.38.89	computing.net
192.3.196.129	www.computing.net
7.117.110.249	spycheck.co.uk
158.243.174.194	www.spycheck.co.uk
66.195.251.220	midescargas.com
55.40.152.4	www.midescargas.com
193.154.135.192	static.yoreparo.com
20.93.198.137	softfaq.com
184.44.19.164	www.softfaq.com
173.77.176.203	configurarequipos.com
243.191.91.135	www.configurarequipos.com
138.130.154.13	seasonsecurity.com
46.82.231.39	www.seasonsecurity.com
135.214.232.246	removetrojanvirus.org
205.72.147.110	www.removetrojanvirus.org
32.199.211.56	ibusca.me
196.219.31.14	www.ibusca.me
185.252.121.121	busco.in
255.41.103.242	www.busco.in
82.236.99.187	inicioid.com
59.188.243.213	www.inicioid.com

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Delete the original Trojan file.
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps