Gen.Variant.Application.InstallCore.1_5906f31932
not-a-virus:HEUR:Tool.Win32.InstallCore.12563492.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.Application.InstallCore.1 (AdAware), Trojan.Win32.Sasfis.FD, WebToolbar.Win32.InstallCore.FD, WebToolbarInstallCore.YR (Lavasoft MAS)
Behaviour: Trojan, WebToolbar
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5906f3193220c5ad5d618e8f4c5cc407
SHA1: cf0bebeb5519f3c8963fdd2d80447e5f5147de83
SHA256: dabfce951d800c646f0b42aad76e02a405e7f39da8e1e287825a8c9a1699cfee
SSDeep: 12288:zGVEPcPZgv3saFLoSQLAd08auf71uwGxI2M35VnOECtXMMzD:zGVy6Zy3say7ALau2xIV35VnOEqMMzD
Size: 570376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1992
File activity
The process %original file name%.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\skip-button.png (1342 bytes)
%Program Files%\is922703.log (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\back-button.png (1322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\offer_html.dat (3072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\finish_button.jpg (1145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\4380116.cfg (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\US\offer_html.dat (9361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\blank.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\next-button-over.png (1767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\images\progress-bg.png (2845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\Software.png (30599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\license.txt (18520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\sdk\exceptlist.txt (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\US\offer_code.dat (7706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\673479180.cfg (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\progress-bar.css (501 bytes)
%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû\Continue FoxTab PDF Creator Installation.lnk (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\offer_code.dat (1958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\loader.gif (22379 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\Bg.jpg (14232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\browse.css (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\close_button.png (1170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E0395.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E16CF.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (832520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\icon.png (6707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\ie6_main.css (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\next-button.png (1768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\progress-bg.png (2845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\finish-button.png (1812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\buttons.css (1151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\main.css (3797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\bootstrap_24744.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E14DB.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\locale\EN.locale (1948 bytes)
The Trojan deletes the following file(s):
%Program Files%\is922703.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E16CF.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\bootstrap_24744.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E14DB.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E0395.log (0 bytes)
Registry activity
The process %original file name%.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Óûðòýþõ üõýю"
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Ãâ€Ã¸Ã°Ã³Ã½Ã¾ÑÂтøúð ÿрþñûõü ÿþôúûючõýøÑÂ..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹\ÃœþѠüу÷ыúð"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты\Ãœþø рøÑÂуýúø"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Óûðòýþõ üõýю"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹\Ãœþø òøôõþ÷ðÿøÑÂø"
"CommonPictures" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹\Ãœþø рøÑÂуýúø"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 1C 4D 4B E9 29 E2 5F 8D 83 40 BA B6 10 4B 62"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://os.solvefile.com/fx/v1.0.1/?v=2.0&c=868612504 |  207.189.109.121 |
| hxxp://os.solvefile.com/Prod/PDFCreator-v2.cis | |
| cdneu.solvefile.com | 207.189.109.121 |
| cdnus.solvefile.com | 207.189.109.121 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 610304 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 614400 | 540672 | 538112 | 5.50065 | 2ea4f0df94f187b7abf167ba5a28d7ed |
| .rsrc | 1155072 | 32768 | 29184 | 3.86347 | bb746afeda6394a6af9782c16f99aef9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 37
c8b66fe9089f6bfe159059161782f2b7
1a5d25d6ff01291285c4e2e4f4d2b425
838754c9efbd5182e953dceae8c41b2c
7cae20b6a947550a19ff62d3c67ee30f
7aa69c3af34aa64869a5bc4185ee4761
c575400782de3812a827bbb8a0af6511
25de3682dd9b493f923e1ef78339842c
61ef01510c789e9a043292bee922f5ec
357cdaf5fe2436c1dcc5da8b7f852bff
d948939920e4405627b421b1c62e177a
905c97e4e1ace19c9e4d8608dd0b660b
e0599514701672d934cd2c38242f024a
f1eab853c4935b041300227033bbfa09
491a112b7995bc46ddb29d0205151ede
c9505ba55ed62ead97cd0f97b8f55aee
e6b3c7c0adc9c4a8629b309a54007f0e
3ac3e0bbee49b22d4074f09c40668d6d
4ccd5420d928f9b541e6a8898e912c3f
b990574765f9e30321b4a4ff60d7e7c7
b87b6e1981f25922d276b599dd9e33c5
73275045113583c92db1a4ec4b995cb6
b82971e60a34ffe112b305be38e3ffa0
19a75175907437d2d8bde989696d0d99
4502f61bb80c28bdfdb023a05f987538
574af5119297959b30fddb763d955685
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\skip-button.png (1342 bytes)
%Program Files%\is922703.log (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\back-button.png (1322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\offer_html.dat (3072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\finish_button.jpg (1145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\4380116.cfg (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\US\offer_html.dat (9361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\blank.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\next-button-over.png (1767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\images\progress-bg.png (2845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\Software.png (30599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\license.txt (18520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\sdk\exceptlist.txt (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\US\offer_code.dat (7706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\673479180.cfg (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\progress-bar.css (501 bytes)
%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû\Continue FoxTab PDF Creator Installation.lnk (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\offer_code.dat (1958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\loader.gif (22379 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\Bg.jpg (14232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\browse.css (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\close_button.png (1170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E0395.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E16CF.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (832520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\icon.png (6707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\ie6_main.css (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\next-button.png (1768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\progress-bg.png (2845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\finish-button.png (1812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\buttons.css (1151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\main.css (3797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\bootstrap_24744.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E14DB.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\locale\EN.locale (1948 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
