Gen.Trojan.Heur.ZGY.7_87f980260e

by malwarelabrobot on April 10th, 2015 in Malware Descriptions.

Trojan.Win32.VB.apqm (Kaspersky), Gen:Trojan.Heur.ZGY.7 (B) (Emsisoft), Gen:Trojan.Heur.ZGY.7 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 87f980260ecdfa68c3e8ef0fbdfde580
SHA1: f1d5574a856c21cfab0e0bd9f943066e95c42178
SHA256: cde23b579ffc3a6085783a8fe838de5e3330a0795f40ccbd19fbbe7e471c4821
SSDeep: 1536:8Df0SMYujd6 nOGOJvLg1lg1X0PvL skLKuF8nouy8M7:8w7YuQG4mg1k8L/CoutE
Size: 64512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2011-02-24 14:25:18
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which Windows consults to resolve host names to IP addresses before any DNS lookup. The modified file is 23465 bytes in size. The added entries map Peruvian and Ecuadorian online-banking domains (viabcp.com, produbanco.com, pichincha.com, bancoguayaquil.com, bn.com.pe) and a large number of antivirus vendor, online-scanner and security-forum domains to other IP addresses, so that requests for those names no longer reach their legitimate hosts. The following strings are added to the hosts file:



Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name: HD Player
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: 0.exe
Internal Name: 0
File Version: 1.00
File Description:
Comments:
Language: Language Neutral

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
Ù«     4096             172032        0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   176128           61440         60416     5.53185  758c88845e334fd70470254136861f10
       237568           4096          3072      2.12945  80963ea06c25c1003f24e4ad235c420c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
b99b73aeff04b1e5c6697f377fd2c533

URLs

URL IP
hxxp://ipaddress.com/ 148.251.128.237
hxxp://www.ipaddress.com/ 148.251.128.237
hxxp://widgets.amung.us/small/00/22.png 173.192.200.70
hxxp://whos.amung.us/swidget/d23r523t4id 67.202.94.93
hxxp://3fc8g27b19h.ipcheker.com/ 199.59.243.120


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Delete the original Trojan file.
  2. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  3. Clean the Temporary Internet Files folder, which may contain infected files.
  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
