Skip to main content

Trojan.Win32.QHost_4b9a84bac2


Trojan.Generic.1635648 (BitDefender), Worm:Win32/Virauto.A (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Win32.HLLW.Autoruner.6389 (DrWeb), Trojan.Generic.1635648 (B) (Emsisoft), Artemis!4B9A84BAC2E7 (McAfee), Trojan.Gen (Symantec), Worm.Win32.AutoRun (Ikarus), Trojan.Generic.1635648 (FSecure), Generic15.BDDH (AVG), Win32:Trojan-gen (Avast)Behaviour: Trojan, Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 4b9a84bac2e79d32f9451c7e2b3f3236

SHA1: 9ccb1cbb65f4472a9f9894dce4774156cc4cded7

SHA256: 6ec50362e0acb586c3ac4738325bf044e8e081bca7306f635585e995f29e3856

SSDeep: 12288:iUqp1OeJwH2K1g3a5kLxkX6Z8DMP NU7KpEjQpKTMZu/IhiD8YvsF2HwNy7UN nq:iU 1kCyh

Size: 453120 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: BorlandDelphi3, UPolyXv05_v6

Company: WinterSoft

Created at: 2009-02-15 01:26:42

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

%original file name%.exe:1844
cmd32.exe:1652

File activity

The process %original file name%.exe:1844 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Program Files%\Windows NT\explorer.exe (2321 bytes)

The process cmd32.exe:1652 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\20131030(2).zip (222132 bytes)

Registry activity

The process %original file name%.exe:1844 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA F7 68 5C 58 3F E4 CC A0 0D 05 9B 0E 6A 35 45"

The process cmd32.exe:1652 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 72 F2 BB B1 E1 66 2C 1E 1D 0E 9D 4D E8 80 9A"

[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"
"ScreenSaveTimeOut" = "600"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Worm modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 19926 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1download7.avast.com
127.0.0.1download6.avast.com
127.0.0.1download5.avast.com
127.0.0.1download4.avast.com
127.0.0.1download3.avast.com
127.0.0.1download2.avast.com
127.0.0.1download1.avast.com
127.0.0.1download0.avast.com
127.0.0.1download72.avast.com
127.0.0.1download73.avast.com
127.0.0.1download74.avast.com
127.0.0.1download75.avast.com
127.0.0.1download76.avast.com
127.0.0.1download77.avast.com
127.0.0.1download78.avast.com
127.0.0.1download79.avast.com
127.0.0.1download80.avast.com
127.0.0.1download81.avast.com
127.0.0.1download82.avast.com
127.0.0.1download83.avast.com
127.0.0.1download84.avast.com
127.0.0.1download85.avast.com
127.0.0.1download91.avast.com
127.0.0.1download92.avast.com
127.0.0.1download93.avast.com
127.0.0.1download94.avast.com
127.0.0.1download95.avast.com
127.0.0.1download96.avast.com
127.0.0.1download97.avast.com
127.0.0.1download98.avast.com
127.0.0.1download99.avast.com
127.0.0.1download100.avast.com
127.0.0.1download200.avast.com
127.0.0.1download201.avast.com
127.0.0.1download202.avast.com
127.0.0.1download203.avast.com
127.0.0.1download204.avast.com
127.0.0.1download205.avast.com
127.0.0.1download206.avast.com
127.0.0.1download207.avast.com
127.0.0.1download208.avast.com
127.0.0.1download209.avast.com
127.0.0.1download210.avast.com
127.0.0.1download211.avast.com
127.0.0.1download212.avast.com
127.0.0.1download213.avast.com
127.0.0.1download214.avast.com
127.0.0.1download501.avast.com
127.0.0.1download502.avast.com
127.0.0.1download503.avast.com
127.0.0.1download504.avast.com
127.0.0.1download505.avast.com
127.0.0.1download511.avast.com
127.0.0.1download512.avast.com
127.0.0.1download513.avast.com
127.0.0.1download514.avast.com
127.0.0.1download515.avast.com
127.0.0.1download516.avast.com
127.0.0.1download600.avast.com
127.0.0.1download601.avast.com
127.0.0.1download602.avast.com
127.0.0.1download603.avast.com
127.0.0.1download604.avast.com
127.0.0.1download605.avast.com
127.0.0.1download606.avast.com
127.0.0.1download607.avast.com
127.0.0.1download608.avast.com
127.0.0.1download609.avast.com
127.0.0.1download617.avast.com
127.0.0.1download618.avast.com
127.0.0.1download619.avast.com
127.0.0.1download620.avast.com
127.0.0.1download621.avast.com
127.0.0.1download622.avast.com
127.0.0.1download623.avast.com
127.0.0.1download624.avast.com
127.0.0.1download625.avast.com
127.0.0.1download626.avast.com
127.0.0.1download627.avast.com
127.0.0.1download628.avast.com
127.0.0.1download629.avast.com
127.0.0.1download630.avast.com
127.0.0.1download631.avast.com
127.0.0.1download632.avast.com
127.0.0.1download633.avast.com
127.0.0.1download634.avast.com
127.0.0.1download635.avast.com
127.0.0.1download636.avast.com
127.0.0.1download637.avast.com
127.0.0.1download638.avast.com
127.0.0.1download639.avast.com
127.0.0.1download640.avast.com
127.0.0.1download641.avast.com
127.0.0.1download642.avast.com
127.0.0.1download643.avast.com
127.0.0.1download644.avast.com
127.0.0.1download645.avast.com
127.0.0.1download646.avast.com
127.0.0.1download647.avast.com
127.0.0.1download648.avast.com
127.0.0.1download649.avast.com
127.0.0.1download650.avast.com
127.0.0.1download651.avast.com
127.0.0.1download652.avast.com
127.0.0.1download653.avast.com
127.0.0.1download654.avast.com
127.0.0.1download655.avast.com
127.0.0.1download656.avast.com
127.0.0.1download657.avast.com
127.0.0.1download658.avast.com
127.0.0.1download659.avast.com
127.0.0.1download660.avast.com
127.0.0.1download661.avast.com
127.0.0.1download662.avast.com
127.0.0.1download663.avast.com
127.0.0.1download664.avast.com
127.0.0.1download665.avast.com
127.0.0.1download666.avast.com
127.0.0.1download667.avast.com
127.0.0.1download668.avast.com
127.0.0.1download669.avast.com
127.0.0.1download670.avast.com
127.0.0.1download671.avast.com
127.0.0.1download672.avast.com
127.0.0.1download673.avast.com
127.0.0.1download674.avast.com
127.0.0.1download675.avast.com
127.0.0.1download676.avast.com
127.0.0.1download677.avast.com
127.0.0.1download678.avast.com
127.0.0.1download679.avast.com
127.0.0.1download680.avast.com
127.0.0.1download681.avast.com
127.0.0.1download682.avast.com
127.0.0.1download683.avast.com
127.0.0.1download684.avast.com
127.0.0.1download685.avast.com
127.0.0.1download686.avast.com
127.0.0.1download687.avast.com
127.0.0.1download688.avast.com
127.0.0.1download689.avast.com
127.0.0.1download690.avast.com
127.0.0.1download691.avast.com
127.0.0.1download692.avast.com
127.0.0.1download693.avast.com
127.0.0.1download694.avast.com
127.0.0.1download695.avast.com
127.0.0.1download696.avast.com
127.0.0.1download697.avast.com
127.0.0.1download698.avast.com
127.0.0.1download699.avast.com
127.0.0.1download700.avast.com
127.0.0.1download701.avast.com
127.0.0.1download702.avast.com
127.0.0.1download703.avast.com
127.0.0.1download704.avast.com
127.0.0.1download705.avast.com
127.0.0.1download706.avast.com
127.0.0.1download707.avast.com
127.0.0.1download708.avast.com
127.0.0.1download709.avast.com
127.0.0.1download900.avast.com
127.0.0.1download901.avast.com
127.0.0.1download902.avast.com
127.0.0.1download903.avast.com
127.0.0.1download904.avast.com
127.0.0.1download905.avast.com
127.0.0.1download906.avast.com
127.0.0.1download907.avast.com
127.0.0.1download908.avast.com
127.0.0.1download909.avast.com
127.0.0.1download910.avast.com
127.0.0.1download911.avast.com
127.0.0.1download912.avast.com
127.0.0.1download913.avast.com
127.0.0.1download914.avast.com
127.0.0.1download915.avast.com
127.0.0.1download916.avast.com
127.0.0.1download917.avast.com
127.0.0.1download918.avast.com
127.0.0.1download919.avast.com
127.0.0.1download920.avast.com
127.0.0.1download921.avast.com
127.0.0.1download922.avast.com
127.0.0.1download923.avast.com
127.0.0.1download924.avast.com
127.0.0.1download925.avast.com
127.0.0.1download926.avast.com
127.0.0.1download927.avast.com
127.0.0.1download928.avast.com
127.0.0.1download929.avast.com
127.0.0.1download930.avast.com
127.0.0.1download931.avast.com
127.0.0.1download932.avast.com
127.0.0.1download933.avast.com
127.0.0.1download934.avast.com
127.0.0.1download935.avast.com
127.0.0.1download936.avast.com
127.0.0.1download937.avast.com
127.0.0.1download938.avast.com
127.0.0.1download939.avast.com
127.0.0.1download940.avast.com
127.0.0.1download941.avast.com
127.0.0.1download942.avast.com
127.0.0.1download943.avast.com
127.0.0.1download944.avast.com
127.0.0.1download945.avast.com
127.0.0.1download946.avast.com
127.0.0.1download947.avast.com
127.0.0.1download948.avast.com
127.0.0.1download949.avast.com
127.0.0.1download950.avast.com
127.0.0.1download951.avast.com
127.0.0.1download952.avast.com
127.0.0.1download953.avast.com
127.0.0.1download954.avast.com
127.0.0.1download955.avast.com
127.0.0.1download956.avast.com
127.0.0.1download957.avast.com
127.0.0.1download958.avast.com
127.0.0.1download959.avast.com
127.0.0.1download960.avast.com
127.0.0.1download961.avast.com
127.0.0.1download962.avast.com
127.0.0.1download963.avast.com
127.0.0.1download964.avast.com
127.0.0.1download965.avast.com
127.0.0.1download966.avast.com
127.0.0.1download967.avast.com
127.0.0.1download968.avast.com
127.0.0.1download969.avast.com
127.0.0.1download970.avast.com
127.0.0.1download971.avast.com
127.0.0.1download972.avast.com
127.0.0.1download973.avast.com
127.0.0.1download974.avast.com
127.0.0.1download975.avast.com
127.0.0.1download976.avast.com
127.0.0.1download977.avast.com
127.0.0.1download978.avast.com
127.0.0.1download979.avast.com
127.0.0.1download980.avast.com
127.0.0.1update.avgfrance.com
127.0.0.1update.avg.com
127.0.0.1shadow.grisoft.cz
127.0.0.1update.grisoft.com
127.0.0.1free.grisoft.cz
127.0.0.1update.grisoft.cz
127.0.0.1free.grisoft.com
127.0.0.1guru.avg.com
127.0.0.1dl1.avgate.net
127.0.0.1dl2.avgate.net
127.0.0.1dl3.avgate.net
127.0.0.1dl4.avgate.net
127.0.0.1dl5.avgate.net
127.0.0.1dl6.avgate.net
127.0.0.1dl7.avgate.net
127.0.0.1dl8.freeav.net
127.0.0.1dl9.freeav.net
127.0.0.1dl10.freeav.net
127.0.0.1dl1.antivir-pe.de
127.0.0.1dl2.antivir-pe.de
127.0.0.1dl3.antivir-pe.de
127.0.0.1dl4.antivir-pe.de
127.0.0.1dl1.antivir-pe.com
127.0.0.1dl2.antivir-pe.com
127.0.0.1dl3.antivir-pe.com
127.0.0.1dl4.antivir-pe.com
127.0.0.1dl1.antivir.de
127.0.0.1dl2.antivir.de
127.0.0.1dl3.antivir.de
127.0.0.1dl4.antivir.de
127.0.0.1notifier.antivir-pe.de
127.0.0.1update.bitdefender.com
127.0.0.1buddy.bitdefender.com
127.0.0.1upgrade.bitdefender.com
127.0.0.1upgrade1.bitdefender.com
127.0.0.1upgrade2.bitdefender.com
127.0.0.1upgrade3.bitdefender.com
127.0.0.1upgrade4.bitdefender.com
127.0.0.1kb.bitdefender.com
127.0.0.1ftp.bitdefender.com
127.0.0.1updates.drweb.com
127.0.0.1update.drweb.com
127.0.0.1msk.drweb.com
127.0.0.1msk1.drweb.com
127.0.0.1msk2.drweb.com
127.0.0.1msk3.drweb.com
127.0.0.1msk4.drweb.com
127.0.0.1msk5.drweb.com
127.0.0.1msk6.drweb.com
127.0.0.1msk7.drweb.com
127.0.0.1fr.drweb.com
127.0.0.1fr1.drweb.com
127.0.0.1fr2.drweb.com
127.0.0.1fr3.drweb.com
127.0.0.1fr4.drweb.com
127.0.0.1fr5.drweb.com
127.0.0.1fr6.drweb.com
127.0.0.1fr7.drweb.com
127.0.0.1dnl-cd1.kaspersky-labs.com
127.0.0.1dnl-cd10.kaspersky-labs.com
127.0.0.1dnl-cd11.kaspersky-labs.com
127.0.0.1dnl-cd12.kaspersky-labs.com
127.0.0.1dnl-cd13.kaspersky-labs.com
127.0.0.1dnl-cd14.kaspersky-labs.com
127.0.0.1dnl-cd2.kaspersky-labs.com
127.0.0.1dnl-cd3.kaspersky-labs.com
127.0.0.1dnl-cd4.kaspersky-labs.com
127.0.0.1dnl-cd5.kaspersky-labs.com
127.0.0.1dnl-cd6.kaspersky-labs.com
127.0.0.1dnl-cd7.kaspersky-labs.com
127.0.0.1dnl-cd8.kaspersky-labs.com
127.0.0.1dnl-cd9.kaspersky-labs.com
127.0.0.1dnl-cn1.kaspersky-labs.com
127.0.0.1dnl-cn10.kaspersky-labs.com
127.0.0.1dnl-cn11.kaspersky-labs.com
127.0.0.1dnl-cn12.kaspersky-labs.com
127.0.0.1dnl-cn13.kaspersky-labs.com
127.0.0.1dnl-cn14.kaspersky-labs.com
127.0.0.1dnl-cn15.kaspersky-labs.com
127.0.0.1dnl-cn2.kaspersky-labs.com
127.0.0.1dnl-cn3.kaspersky-labs.com
127.0.0.1dnl-cn4.kaspersky-labs.com
127.0.0.1dnl-cn5.kaspersky-labs.com
127.0.0.1dnl-cn6.kaspersky-labs.com
127.0.0.1dnl-cn7.kaspersky-labs.com
127.0.0.1dnl-cn8.kaspersky-labs.com
127.0.0.1dnl-cn9.kaspersky-labs.com
127.0.0.1dnl-eu1.kaspersky-labs.com
127.0.0.1dnl-eu10.kaspersky-labs.com
127.0.0.1dnl-eu11.kaspersky-labs.com
127.0.0.1dnl-eu12.kaspersky-labs.com
127.0.0.1dnl-eu13.kaspersky-labs.com
127.0.0.1dnl-eu14.kaspersky-labs.com
127.0.0.1dnl-eu15.kaspersky-labs.com
127.0.0.1dnl-eu2.kaspersky-labs.com
127.0.0.1dnl-eu3.kaspersky-labs.com
127.0.0.1dnl-eu4.kaspersky-labs.com
127.0.0.1dnl-eu5.kaspersky-labs.com
127.0.0.1dnl-eu6.kaspersky-labs.com
127.0.0.1dnl-eu7.kaspersky-labs.com
127.0.0.1dnl-eu8.kaspersky-labs.com
127.0.0.1dnl-eu9.kaspersky-labs.com
127.0.0.1dnl-jp1.kaspersky-labs.com
127.0.0.1dnl-jp10.kaspersky-labs.com
127.0.0.1dnl-jp11.kaspersky-labs.com
127.0.0.1dnl-jp12.kaspersky-labs.com
127.0.0.1dnl-jp13.kaspersky-labs.com
127.0.0.1dnl-jp14.kaspersky-labs.com
127.0.0.1dnl-jp15.kaspersky-labs.com
127.0.0.1dnl-jp2.kaspersky-labs.com
127.0.0.1dnl-jp3.kaspersky-labs.com
127.0.0.1dnl-jp4.kaspersky-labs.com
127.0.0.1dnl-jp5.kaspersky-labs.com
127.0.0.1dnl-jp6.kaspersky-labs.com
127.0.0.1dnl-jp7.kaspersky-labs.com
127.0.0.1dnl-jp8.kaspersky-labs.com
127.0.0.1dnl-jp9.kaspersky-labs.com
127.0.0.1dnl-kr1.kaspersky-labs.com
127.0.0.1dnl-kr10.kaspersky-labs.com
127.0.0.1dnl-kr11.kaspersky-labs.com
127.0.0.1dnl-kr12.kaspersky-labs.com
127.0.0.1dnl-kr13.kaspersky-labs.com
127.0.0.1dnl-kr14.kaspersky-labs.com
127.0.0.1dnl-kr15.kaspersky-labs.com
127.0.0.1dnl-kr2.kaspersky-labs.com
127.0.0.1dnl-kr3.kaspersky-labs.com
127.0.0.1dnl-kr4.kaspersky-labs.com
127.0.0.1dnl-kr5.kaspersky-labs.com
127.0.0.1dnl-kr6.kaspersky-labs.com
127.0.0.1dnl-kr7.kaspersky-labs.com
127.0.0.1dnl-kr8.kaspersky-labs.com
127.0.0.1dnl-kr9.kaspersky-labs.com
127.0.0.1dnl-ru1.kaspersky-labs.com
127.0.0.1dnl-ru10.kaspersky-labs.com
127.0.0.1dnl-ru11.kaspersky-labs.com
127.0.0.1dnl-ru12.kaspersky-labs.com
127.0.0.1dnl-ru13.kaspersky-labs.com
127.0.0.1dnl-ru14.kaspersky-labs.com
127.0.0.1dnl-ru15.kaspersky-labs.com
127.0.0.1dnl-ru2.kaspersky-labs.com
127.0.0.1dnl-ru3.kaspersky-labs.com
127.0.0.1dnl-ru4.kaspersky-labs.com
127.0.0.1dnl-ru5.kaspersky-labs.com
127.0.0.1dnl-ru6.kaspersky-labs.com
127.0.0.1dnl-ru7.kaspersky-labs.com
127.0.0.1dnl-ru8.kaspersky-labs.com
127.0.0.1dnl-ru9.kaspersky-labs.com
127.0.0.1dnl-us1.kaspersky-labs.com
127.0.0.1dnl-us10.kaspersky-labs.com
127.0.0.1dnl-us11.kaspersky-labs.com
127.0.0.1dnl-us12.kaspersky-labs.com
127.0.0.1dnl-us13.kaspersky-labs.com
127.0.0.1dnl-us14.kaspersky-labs.com
127.0.0.1dnl-us15.kaspersky-labs.com
127.0.0.1dnl-us2.kaspersky-labs.com
127.0.0.1dnl-us3.kaspersky-labs.com
127.0.0.1dnl-us4.kaspersky-labs.com
127.0.0.1dnl-us5.kaspersky-labs.com
127.0.0.1dnl-us6.kaspersky-labs.com
127.0.0.1dnl-us7.kaspersky-labs.com
127.0.0.1dnl-us8.kaspersky-labs.com
127.0.0.1dnl-us9.kaspersky-labs.com
127.0.0.1u0.eset.com
127.0.0.1u1.eset.com
127.0.0.1u2.eset.com
127.0.0.1u3.eset.com
127.0.0.1u4.eset.com
127.0.0.1u5.eset.com
127.0.0.1u6.eset.com
127.0.0.1u7.eset.com
127.0.0.1u8.eset.com
127.0.0.1u9.eset.com
127.0.0.1u10.eset.com
127.0.0.1u11.eset.com
127.0.0.1u12.eset.com
127.0.0.1u13.eset.com
127.0.0.1u14.eset.com
127.0.0.1u15.eset.com
127.0.0.1u16.eset.com
127.0.0.1u17.eset.com
127.0.0.1u18.eset.com
127.0.0.1u19.eset.com
127.0.0.1u20.eset.com
127.0.0.1u21.eset.com
127.0.0.1u22.eset.com
127.0.0.1u23.eset.com
127.0.0.1u24.eset.com
127.0.0.1u25.eset.com
127.0.0.1u26.eset.com
127.0.0.1u27.eset.com
127.0.0.1u28.eset.com
127.0.0.1u29.eset.com
127.0.0.1u30.eset.com
127.0.0.1u31.eset.com
127.0.0.1u32.eset.com
127.0.0.1u33.eset.com
127.0.0.1u34.eset.com
127.0.0.1u35.eset.com
127.0.0.1u36.eset.com
127.0.0.1u37.eset.com
127.0.0.1u38.eset.com
127.0.0.1u39.eset.com
127.0.0.1u40.eset.com
127.0.0.1u41.eset.com
127.0.0.1u42.eset.com
127.0.0.1u43.eset.com
127.0.0.1u44.eset.com
127.0.0.1u45.eset.com
127.0.0.1u46.eset.com
127.0.0.1u47.eset.com
127.0.0.1u48.eset.com
127.0.0.1u49.eset.com
127.0.0.1u50.eset.com
127.0.0.1u51.eset.com
127.0.0.1u52.eset.com
127.0.0.1u53.eset.com
127.0.0.1u54.eset.com
127.0.0.1u55.eset.com
127.0.0.1u56.eset.com
127.0.0.1u57.eset.com
127.0.0.1u58.eset.com
127.0.0.1u59.eset.com
127.0.0.1u60.eset.com
127.0.0.1u61.eset.com
127.0.0.1u62.eset.com
127.0.0.1u63.eset.com
127.0.0.1u64.eset.com
127.0.0.1u65.eset.com
127.0.0.1u66.eset.com
127.0.0.1u67.eset.com
127.0.0.1u68.eset.com
127.0.0.1u69.eset.com
127.0.0.1u70.eset.com
127.0.0.1u71.eset.com
127.0.0.1u72.eset.com
127.0.0.1u73.eset.com
127.0.0.1u74.eset.com
127.0.0.1u75.eset.com
127.0.0.1u76.eset.com
127.0.0.1u77.eset.com
127.0.0.1u78.eset.com
127.0.0.1u79.eset.com
127.0.0.1u80.eset.com
127.0.0.1u81.eset.com
127.0.0.1u82.eset.com
127.0.0.1u83.eset.com
127.0.0.1u84.eset.com
127.0.0.1u85.eset.com
127.0.0.1u86.eset.com
127.0.0.1u87.eset.com
127.0.0.1u88.eset.com
127.0.0.1u89.eset.com
127.0.0.1u90.eset.com
127.0.0.1u91.eset.com
127.0.0.1u92.eset.com
127.0.0.1u93.eset.com
127.0.0.1u94.eset.com
127.0.0.1u95.eset.com
127.0.0.1u96.eset.com
127.0.0.1u97.eset.com
127.0.0.1u98.eset.com
127.0.0.1u99.eset.com
127.0.0.1u100.eset.com
127.0.0.1up1.nod123.cn
127.0.0.1nod32.datsec.de
127.0.0.1niufour.norman.no
127.0.0.1download.norman.no
127.0.0.1niuone.norman.no
127.0.0.1niusix.norman.no
127.0.0.1niutwo.norman.no
127.0.0.1niuseven.norman.no
127.0.0.1niuthree.norman.no
127.0.0.1niunine.norman.no
127.0.0.1niufive.norman.no
127.0.0.1niueight.norman.no
127.0.0.1sandbox.norman.com
127.0.0.1liveupdate.symantec.com
127.0.0.1update.symantec.com
127.0.0.1updates.symantec.com
127.0.0.1symantec-ese.baynote.net
127.0.0.1stats.norton.com
127.0.0.1customer.symantec.com
127.0.0.1renewalcenter.symantec.com
127.0.0.1security.symantec.com
127.0.0.1shop.symantec.com
127.0.0.1securityresponse.symantec.com
127.0.0.1ftp.symantec.com
127.0.0.1rads.mcafee.com
127.0.0.1fr.mcafee.com
127.0.0.1mast.mcafee.com
127.0.0.1us.mcafee.com
127.0.0.1ftp.nai.com
127.0.0.1download.mcafee.com
127.0.0.1dispatch.mcafee.com
127.0.0.1secure.nai.com
127.0.0.1download1.quickheal.com
127.0.0.1download2.quickheal.com
127.0.0.1download3.quickheal.com
127.0.0.1download4.quickheal.com
127.0.0.1download5.quickheal.com
127.0.0.1download6.quickheal.com
127.0.0.1download7.quickheal.com
127.0.0.1download8.quickheal.com
127.0.0.1download9.quickheal.com
127.0.0.1download10.quickheal.com
127.0.0.1update.quickheal.com
127.0.0.1sophos1.ucd.ie
127.0.0.1sophos2.ucd.ie
127.0.0.1sophos3.ucd.ie
127.0.0.1sophos4.ucd.ie
127.0.0.1sophos5.ucd.ie
127.0.0.1sophos6.ucd.ie
127.0.0.1sophos7.ucd.ie
127.0.0.1sophos8.ucd.ie
127.0.0.1sophos9.ucd.ie
127.0.0.1sophos10.ucd.ie
127.0.0.1update.sophos.com
127.0.0.1pccreg.trendmicro.com
127.0.0.1pccreg.antivirus.com
127.0.0.1housecall.trendmicro.com
127.0.0.1cn.trendmicro.com
127.0.0.1files.trendmicro-europe.com
127.0.0.1fr.bitdefender.com
127.0.0.1update.trendmicro.com
127.0.0.1ieupdate.gdata.de
127.0.0.1ieupdate6.gdata.de
127.0.0.1ieupdate5.gdata.de
127.0.0.1ieupdate4.gdata.de
127.0.0.1ieupdate3.gdata.de
127.0.0.1ieupdate2.gdata.de
127.0.0.1ieupdate1.gdata.de
127.0.0.1acs.pandasoftware.com
127.0.0.1downloads.My-eTrust.com
127.0.0.1antivirus.cai.com
127.0.0.1ftp.ca.co
127.0.0.1ftp.esafe.com
127.0.0.1updates.f-prot.com
127.0.0.1ftp.f-prot.com
127.0.0.1update.ikarus-software.at
127.0.0.1avu.zonelabs.com
127.0.0.1windowsupdate.microsoft.com
127.0.0.1ftp.microworldsystems.com
127.0.0.1update.aladdin.com
127.0.0.1update.authentium.com
127.0.0.1update.bitdefender.com
127.0.0.1update.ewido.com
127.0.0.1update.hispasec.com
127.0.0.1up.duba.net
127.0.0.1update.ikaka.com


Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1844
    cmd32.exe:1652

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Program Files%\Windows NT\explorer.exe (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20131030(2).zip (222132 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps