Gen.Variant.Barys.7448_a1c9c1d096

by malwarelabrobot on April 2nd, 2015 in Malware Descriptions.

Trojan.MSIL.Crypt.zbt (Kaspersky), Gen:Variant.Barys.7448 (B) (Emsisoft), Gen:Variant.Barys.7448 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a1c9c1d09627949680e1bb6241c3afd6
SHA1: abf76bdbfb8be79a428103de06447c039b7a769b
SHA256: 61f796efd0bcba2dde60f2b1cce5fa44a314fa3fff4962f7f5c296a866ba588d
SSDeep: 24576:YlJPI/toUuO13OMOIwgAmeuRpXAvnpLvgYq7ES:EwGIOMZTeuRpwfG
Size: 1789952 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: ArcadeYum
Created at: 2012-09-12 20:06:39
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

a1c9c1d09627949:120
notepad.exe:480
System.exe:752
8BALLRULER 1.1 (WIN).EXE:1448
vbc.exe:552
Install 8BallRuler.exe:812
AIRRuntimeInstaller.exe:388

The Trojan injects its code into the following process(es):

Adobe AIR Installer.exe:1036
Adobe AIR Application Installer.exe:1320

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process notepad.exe:480 makes changes in the file system.
The Trojan deletes the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe (0 bytes)

The process Adobe AIR Installer.exe:1036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (6204 bytes)

The process 8BALLRULER 1.1 (WIN).EXE:1448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\signatures.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\8BallRuler.exe (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\test2.swf (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\setup.msi (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\AIR\application.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\16.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\48.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install 8BallRuler.exe (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\32.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\128.png (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\AIR\hash (32 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp (0 bytes)

The process vbc.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\8BALLRULER 1.1 (WIN).EXE (1652 bytes)
%System%\8BallRuler\System.exe (7547 bytes)

The process Adobe AIR Application Installer.exe:1320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (6258 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)

The process Install 8BallRuler.exe:812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (132160 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (1843 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (168 bytes)

The process AIRRuntimeInstaller.exe:388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (1706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (32275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (141488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (3810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (123239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp (0 bytes)

Registry activity

The process a1c9c1d09627949:120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 F2 AE DE F6 78 21 21 49 DA 88 39 00 05 B7 7A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process notepad.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 AB 58 36 D0 98 1D 66 48 00 1F 25 B2 88 49 4C"

The process System.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 59 A0 F8 7F E6 2C 69 A8 9E 4F 82 46 8A 2A 80"

The process Adobe AIR Installer.exe:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 D7 71 2B B5 E1 EB 46 81 DB 8B 25 20 93 06 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process 8BALLRULER 1.1 (WIN).EXE:1448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 87 92 56 C3 58 87 4A 26 E3 B4 1A 33 AF 02 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR1.tmp]
"Install 8BallRuler.exe" = "Adobe Bootstrapping Utility"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process vbc.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 65 7F C4 D2 82 D8 9F A5 83 3A 04 0D C2 02 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%\8BallRuler]
"system.exe" = "Visual Basic Command Line Compiler"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"8BallRuler 1.1 (WIN).exe" = "8BALLRULER 1.1 (WIN)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan adds a reference to itself so that it is executed whenever a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%System%\8BallRuler\System.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"8BallRuler" = "%System%\8BallRuler\System.exe"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process Adobe AIR Application Installer.exe:1320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 E8 7E 2A 04 6A AA 97 67 5B 25 DF B7 F1 79 BC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Install 8BallRuler.exe:812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 31 6C 6C 2A CD 67 FF 6A F1 4C DC 1B F5 A6 23"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process AIRRuntimeInstaller.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 16 4C 8E 69 16 31 78 B7 31 2B 29 8C 2D 91 2D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp]
"Adobe AIR Installer.exe" = "Adobe AIR Installer"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
4b0fe4b36e5ed0f224bf6f2108ba9e9e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\8BALLRULER 1.1 (WIN).EXE
b03aab94e18308f2d98335205c14096a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR1.tmp\8BallRuler\8BallRuler.exe
5b6bc0f14712a4ccbf59fba43b7be42a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR1.tmp\Install 8BallRuler.exe
c20bc7101d27a7a8a683f1fb90112f90 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe
49f3df5f4ded35ed40dcc8b97018155c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
c0e93f3f5e14da5e9c71a64379f2afe8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll
0f8485c6cf126c41fd8af1d75fc2dc08 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
7c2813bc3663c9e4795002b25d0a9395 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll
42a9be218f076d756863789e3d5e8e95 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll
862bdd6acc35602f7a0bc9d2f1d20670 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll
e41c4b2066cf1b2b07d90d13bb7b193a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe
67f3e1cf291fd03d8f7b4e87015a8ab8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe
0d5fa353b229b3c0dc6dfac152c38437 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AIRRuntimeInstaller.exe
67f5238229333c061092f5a32e8c2ee1 c:\WINDOWS\system32\8BallRuler\System.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: mBLtsgg
Product Name: IQcFYEc
Product Version: 3.6.9.9
Legal Copyright: 2012 tGtrlEB
Legal Trademarks:
Original Filename: 8BallRuler.exe
Internal Name: 8BallRuler.exe
File Version: 3.6.9.9
File Description: kjzprjJ
Comments: lQOwkFv
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 1711108 1712128 4.56853 7e6995bd3ab5d814a8290c7502d5dcf0
.rsrc 1720320 68644 69632 2.75487 caa5355367297447b9a0ffdd519d353c
.reloc 1794048 12 4096 0.009099 2620980cdb7a188f88d05c1c104c8c8a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1396.d.akamai.net/air/3/nai/windows5.1/x86/installer
hxxp://a1396.d.akamai.net/air/3/nai/windows5.1/x86/installer.p7
hxxp://a1180.g.akamai.net/prodSvce.crl
hxxp://a1180.g.akamai.net/cds.crl
hxxp://crl.adobe.com/prodSvce.crl 87.245.221.107
hxxp://crl.adobe.com/cds.crl 87.245.221.107
hxxp://airdownload.adobe.com/air/3/nai/windows5.1/x86/installer 87.245.221.97
hxxp://airdownload.adobe.com/air/3/nai/windows5.1/x86/installer.p7 87.245.221.97
tss-geotrust-crl.thawte.com 23.43.133.163


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /air/3/nai/windows5.1/x86/installer HTTP/1.1
User-Agent: Adobe AIR Bootstrapper2.0.0.11920
Host: airdownload.adobe.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 03 Mar 2015 15:13:47 GMT
ETag: "10e66d0-51063c80300c0"
Accept-Ranges: bytes
Content-Length: 17721040
Date: Wed, 01 Apr 2015 06:18:39 GMT
Connection: keep-alive

<<< skipped >>>

GET /air/3/nai/windows5.1/x86/installer.p7 HTTP/1.1

User-Agent: Adobe AIR Bootstrapper2.0.0.11920
Host: airdownload.adobe.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 03 Mar 2015 15:13:38 GMT
ETag: "f14-51063c779ac80"
Accept-Ranges: bytes
Content-Length: 3860
Date: Wed, 01 Apr 2015 06:18:51 GMT
Connection: keep-alive

<<< skipped >>>

GET /prodSvce.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 19 Sep 2014 07:02:54 GMT
ETag: "10b28a7-1a9-50365b0a90380"
Accept-Ranges: bytes
Content-Length: 425
Content-Type: text/plain
Date: Wed, 01 Apr 2015 06:18:52 GMT
Connection: keep-alive
[binary response body (DER X.509 CRL, 425 bytes), rendered as raw bytes in the original. Legible fields: issuer name values US / GeoTrust Inc. / Adobe Trust Services / Product Services; thisUpdate 2014-09-19 06:43:00Z; nextUpdate 2015-09-19 06:43:00Z; no revokedCertificates list (the signature algorithm follows nextUpdate directly), so on the analysis date this CRL was both current and empty]



GET /cds.crl HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Fri, 17 Sep 2010 22:42:29 GMT
ETag: "1deb03-27d-4907c47099f40"
Accept-Ranges: bytes
Content-Length: 637
Content-Type: text/plain
Date: Wed, 01 Apr 2015 06:18:52 GMT
Connection: keep-alive
[binary response body (DER X.509 CRL, 637 bytes), rendered as raw bytes in the original, where the whole response including its headers was also printed a second time. Legible fields: issuer name values US / Adobe Systems Incorporated / Adobe Trust Services / Adobe Root CA; thisUpdate 2010-09-17 00:00:00Z; nextUpdate 2015-09-16 23:59:59Z; four revoked entries with revocation dates 2010-09-17 20:32:46Z, 2004-01-17 01:39:29Z, 2004-01-17 01:09:05Z and 2010-01-07 18:34:37Z (serial numbers are not legible in this rendering), followed by CRL extensions. Like prodSvce.crl above, this CRL was within its validity window on the analysis date]

<<< skipped >>>
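
Both CRL fetches above were made by CryptoAPI (User-Agent Microsoft-CryptoAPI/5.131.2600.5512) on behalf of the Adobe AIR bootstrapper's certificate-chain check, and CryptoAPI kept both responses in the per-user CryptnetUrlCache: the 637-byte and 425-byte Content entries in the removal list further down match the Content-Length of cds.crl and prodSvce.crl. The Python below is an added example, not code from the report or from Lavasoft. It parses the two response heads as printed, pairs them with the cache entries by size, and checks the commonly reported naming rule that a CryptnetUrlCache file is named after the MD5 of its URL; the report does not settle whether that digest covers the ASCII or the UTF-16LE bytes of the URL, so the helper tries both and reports which one, if either, reproduces the observed names. The header text and cache names are copied from the page; the dictionaries and function names are constructed for the example.

```python
"""Tie the CRL fetches in the capture to CryptoAPI's on-disk cache.

Added example; not code from the Lavasoft report. The response heads and the
cache entries are copied from the report, everything else is constructed.
"""
import hashlib

# The two crl.adobe.com responses as printed in the capture (bodies omitted).
CAPTURED = {
    "http://crl.adobe.com/prodSvce.crl":
        "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
        "Last-Modified: Fri, 19 Sep 2014 07:02:54 GMT\r\n"
        'ETag: "10b28a7-1a9-50365b0a90380"\r\nAccept-Ranges: bytes\r\n'
        "Content-Length: 425\r\nContent-Type: text/plain\r\n"
        "Date: Wed, 01 Apr 2015 06:18:52 GMT\r\nConnection: keep-alive\r\n\r\n",
    "http://crl.adobe.com/cds.crl":
        "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
        "Last-Modified: Fri, 17 Sep 2010 22:42:29 GMT\r\n"
        'ETag: "1deb03-27d-4907c47099f40"\r\nAccept-Ranges: bytes\r\n'
        "Content-Length: 637\r\nContent-Type: text/plain\r\n"
        "Date: Wed, 01 Apr 2015 06:18:52 GMT\r\nConnection: keep-alive\r\n\r\n",
}

# CryptnetUrlCache\Content entries from the removal list: name -> size in bytes.
CACHE = {
    "9C07FA4C8533A07B5EDE782A6F5AFA6A": 637,
    "EF87FE2FBAF08DA89A8C148EF56C40E0": 425,
}


def parse_head(raw):
    """Split a raw HTTP response head into (status line, {lower-name: value})."""
    status, _, rest = raw.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:            # the blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def pair_by_size(captured, cache):
    """Map each fetched URL to the cache entry whose Content file is exactly
    Content-Length bytes long. Size is a weak key, so a URL is paired only
    when a single entry has that size; otherwise it maps to None."""
    pairs = {}
    for url, raw in captured.items():
        _, headers = parse_head(raw)
        size = int(headers.get("content-length", -1))
        hits = [name for name, n in cache.items() if n == size]
        pairs[url] = hits[0] if len(hits) == 1 else None
    return pairs


def md5_name_candidates(url):
    """Assumed naming rule: cache file name == MD5(url). Return the digest for
    both byte encodings the rule might use, so it can be checked against the
    size-based pairs before being trusted on entries with no other evidence."""
    return {enc: hashlib.md5(url.encode(enc)).hexdigest().upper()
            for enc in ("ascii", "utf-16-le")}


def check_naming_rule(captured, cache):
    """Return the encoding under which MD5(url) reproduces every paired cache
    name, or None if the rule does not hold for this data."""
    pairs = pair_by_size(captured, cache)
    for enc in ("ascii", "utf-16-le"):
        if all(name and md5_name_candidates(url)[enc] == name
               for url, name in pairs.items()):
            return enc
    return None


if __name__ == "__main__":
    for url, name in pair_by_size(CAPTURED, CACHE).items():
        print(f"{url} -> CryptnetUrlCache\\Content\\{name}")
    print("MD5 naming rule holds for encoding:", check_naming_rule(CAPTURED, CACHE))
```

On a live system the MetaData file of the same name stores the URL itself, so the hash rule is only a shortcut for cases like this one, where nothing but a directory listing survives; the size pairing is the part that the report alone supports.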

The Trojan connects to the servers at the following location(s):

Strings from Dumps:

8BALLRULER 1.1 (WIN).EXE_1448:

.text
`.rdata
@.data
.rsrc
@.reloc
FTPQ
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
1.2.3
g:\Acro_root_apams\Main\code\build\win\results\Release\info\sea.pdb
SHLWAPI.dll
SHFileOperationW
ShellExecuteExW
SHELL32.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
USER32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\8BALLRULER 1.1 (WIN).EXE
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
KERNEL32.DLL
kernel32.dll
Adobe AIR Installer.exe
.launch

Install 8BallRuler.exe_812:

.text
`.rdata
@.data
.rsrc
@.reloc
SSSSh
PWSSSh
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
hXXp://airdownload.adobe.com/air/3/nai/%s%d.%d/%s/%s
windows
\Versions\1.0\Adobe AIR.dll
[M-d-d:d:d:d]
2.0.0.11920
1.2.840.113583.1.1.12
Begin runtime download ("%s%s")
Begin signature download ("%s%s")
Adobe AIR Bootstrapper2.0.0.11920
HTTP/1.0
Begin cert chain validation
Cert revocation found
Cert chain validation succeeded
Cert chain validation failed
Begin CRL download ("%s")
2.5.4.6
2.5.4.3
2.5.4.10
2.5.4.11
2.5.29.37
Launching runtime installer: %s
Runtime installer failure (%d)
Bootstrapper begin (%s:version %s)
Could not locate native install directory ("%s")
Installed runtime located (%d.%d.%d.%d)
Bootstrapper failure (%d)
Launching application installer: %s
Application installer failure (%d)
g:\Acro_root_apams\Main\code\build\win\results\Release\info\naib.pdb
GetProcessHeap
KERNEL32.dll
ShellExecuteW
SHELL32.dll
VERSION.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
UrlGetPartA
SHLWAPI.dll
msi.dll
USER32.dll
HttpQueryInfoW
HttpOpenRequestA
HttpSendRequestA
WININET.dll
CryptGetMessageCertificates
CertCreateCertificateContext
CertGetNameStringW
CertVerifyCRLRevocation
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CertVerifySubjectCertificateContext
CertDuplicateCertificateContext
CRYPT32.dll
CryptGetObjectUrl
CryptRetrieveObjectByUrlW
CRYPTNET.dll
GetCPInfo
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
KERNEL32.DLL
n{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}
\Versions\1.0\Adobe AIR Application Installer.exe
${@{language}.LABEL_INSTALLING}
in <a href='hXXp://VVV.adobe.com/go/air_sysreqs_tr/'>sistem gereksinimlerini</a> inceleyip sisteminizde gerekli g
hXXp://VVV.adobe.com/go/getair_tr
hXXp://VVV.adobe.com/go/getair_tr adresinden en son Adobe AIR s
hXXp://VVV.adobe.com/go/getair_tr adresinden
s <a href='hXXp://VVV.adobe.com/go/air_sysreqs_se/'>systemkraven</a> f
hXXp://VVV.adobe.com/go/getair_se
hXXp://VVV.adobe.com/go/getair_se och f
pna dla tego systemu. Przejrzyj <a href='hXXp://VVV.adobe.com/go/air_sysreqs_pl/'>wymagania systemowe</a>
hXXp://VVV.adobe.com/go/getair_pl
hXXp://VVV.adobe.com/go/getair_pl i pon
Deze toepassing vereist een update van Adobe AIR, maar het downloaden van deze update naar uw systeem wordt niet toegestaan door uw beheerder. Neem contact op met de beheerder.
Deze toepassing vereist een update van Adobe AIR die niet beschikbaar is voor uw systeem. Bekijk de <a href='hXXp://VVV.adobe.com/go/air_sysreqs/'>systeemvereisten</a> voor Adobe AIR en werk uw systeem bij.
hXXp://VVV.adobe.com/go/getair_nl
en probeer deze toepassing opnieuw te installeren.
Er is iets misgegaan tijdens een poging deze toepassing te installeren.
hXXp://VVV.adobe.com/go/getair_nl en probeer het opnieuw.
Deze toepassing vereist een versie van Adobe AIR die niet is gevonden.
hXXp://VVV.adobe.com/go/getair_nl
of neem contact op met de schrijver van de toepassing voor een bijgewerkte versie.
m <a href='hXXp://VVV.adobe.com/go/air_sysreqs_cz/'>syst
Nainstalujte z webu
hXXp://VVV.adobe.com/go/getair_cz
hXXp://VVV.adobe.com/go/getair_cz a potom opakujte akci.
<a href='hXXp://VVV.adobe.com/go/air_sysreqs_tw/'>
hXXp://VVV.adobe.com/go/getair_tw
hXXp://VVV.adobe.com/go/getair_tw)
hXXp://VVV.adobe.com/go/getair
<a href='hXXp://VVV.adobe.com/go/air_sysreqs_cn/'>
hXXp://VVV.adobe.com/go/getair_cn
hXXp://VVV.adobe.com/go/getair_cn
<a href='hXXp://VVV.adobe.com/go/air_sysreqs_ru/'>
hXXp://VVV.adobe.com/go/getair_ru,
hXXp://VVV.adobe.com/go/getair_ru ,
hXXp://VVV.adobe.com/go/getair_ru
vel para o seu sistema. Consulte os <a href='hXXp://VVV.adobe.com/go/air_sysreqs_br/'>requisitos de sistema</a> do Adobe AIR e atualize seu sistema de acordo.
hXXp://VVV.adobe.com/go/getair_br
hXXp://VVV.adobe.com/go/getair_br e tente novamente.
o mais recente do tempo de execu
<a href='hXXp://VVV.adobe.com/go/air_sysreqs_kr/'>
hXXp://VVV.adobe.com/go/getair_kr
<a href='hXXp://VVV.adobe.com/go/air_sysreqs_jp/'>
hXXp://VVV.adobe.com/go/getair_jp
disponibile per il sistema in uso. Consultate i <a href='hXXp://VVV.adobe.com/go/air_sysreqs_it/'>requisiti di sistema</a> per Adobe AIR e aggiornate il sistema di conseguenza.
hXXp://VVV.adobe.com/go/getair_it,
hXXp://VVV.adobe.com/go/getair_it, quindi riprovate.
hXXp://VVV.adobe.com/go/getair_it
me. Veuillez consulter la <a href='hXXp://VVV.adobe.com/go/air_sysreqs_fr/'>configuration syst
hXXp://VVV.adobe.com/go/getair_fr,
hXXp://VVV.adobe.com/go/getair_fr, puis essayez
hXXp://VVV.adobe.com/go/getair_fr
n de Adobe AIR que no se encuentra disponible para el sistema. Consulte los <a href='hXXp://VVV.adobe.com/go/air_sysreqs_es/'>requisitos del sistema</a> para Adobe AIR y actualice el sistema seg
hXXp://VVV.adobe.com/go/getair_es
hXXp://VVV.adobe.com/go/getair_es y vuelva a intentarlo.
hXXp://VVV.adobe.com/go/getair_es,
This application requires an update to Adobe AIR that is not available for your system. Please view the <a href='hXXp://VVV.adobe.com/go/air_sysreqs/'>system requirements</a> for Adobe AIR and update your system accordingly.
hXXp://VVV.adobe.com/go/getair,
hXXp://VVV.adobe.com/go/getair and then try again.
ber die <a href='hXXp://VVV.adobe.com/go/air_sysreqs_de/'>Systemanforderungen</a> f
hXXp://VVV.adobe.com/go/getair_de
hXXp://VVV.adobe.com/go/getair_de zur Verf
AIRRuntimeInstaller.exe
.launch
"Adobe AIR Application Installer.exe"
@riched20.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR1.tmp\Install 8BallRuler.exe
naib.exe

AIRRuntimeInstaller.exe_388:

.text
`.rdata
@.data
.rsrc
@.reloc
FTPQ
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
1.2.5
E:\r\ws\St_Make\code\build\win\int\SelfExtractor.build\Release\info\sea.pdb
SHLWAPI.dll
SHFileOperationW
ShellExecuteExW
SHELL32.dll
GetProcessHeap
GetCPInfo
KERNEL32.dll
USER32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIRRuntimeInstaller.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
KERNEL32.DLL
kernel32.dll
.launch
Adobe AIR Installer.exe
17.0.0.124

Adobe AIR Installer.exe_1036:

.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
E:\r\ws\St_Make\code\build\win\results\Release\info\Adobe AIR Installer.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
SHLWAPI.dll
SHELL32.dll
GetCPInfo
msi.dll
GetConsoleOutputCP
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp\Adobe AIR Installer.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
KERNEL32.DLL
{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}
hXXp://VVV.adobe.com/go/getair_tr adresinden
hXXp://VVV.adobe.com/go/getair_se
hXXp://VVV.adobe.com/go/getair_pl
Deze toepassing vereist een versie van Adobe AIR die niet is gevonden.
hXXp://VVV.adobe.com/go/getair_nl
of neem contact op met de schrijver van de toepassing voor een bijgewerkte versie.
hXXp://VVV.adobe.com/go/getair_cz
hXXp://VVV.adobe.com/go/getair
hXXp://VVV.adobe.com/go/getair_cn
hXXp://VVV.adobe.com/go/getair_ru
o mais recente do tempo de execu
hXXp://VVV.adobe.com/go/getair_br
hXXp://VVV.adobe.com/go/getair_kr
hXXp://VVV.adobe.com/go/getair_jp
hXXp://VVV.adobe.com/go/getair_it
hXXp://VVV.adobe.com/go/getair_fr
hXXp://VVV.adobe.com/go/getair_es,
hXXp://VVV.adobe.com/go/getair,
hXXp://VVV.adobe.com/go/getair_de
\Adobe AIR\Versions\1.0\Adobe AIR.dll
from hXXp://VVV.adobe.com/go/getair.
\Versions\1.0\Adobe AIR.dll
kernel32.dll
17.0.0.124
setup.exe

Adobe AIR Application Installer.exe_1320:

.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
E:\r\ws\St_Make\code\build\win\results\Release\info\Adobe AIR Application Installer.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
SHLWAPI.dll
SHELL32.dll
GetCPInfo
msi.dll
GetConsoleOutputCP
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
hXXp://VVV.adobe.com/go/getair_tr adresinden
hXXp://VVV.adobe.com/go/getair_se
hXXp://VVV.adobe.com/go/getair_pl
Deze toepassing vereist een versie van Adobe AIR die niet is gevonden.
hXXp://VVV.adobe.com/go/getair_nl
of neem contact op met de schrijver van de toepassing voor een bijgewerkte versie.
hXXp://VVV.adobe.com/go/getair_cz
hXXp://VVV.adobe.com/go/getair
hXXp://VVV.adobe.com/go/getair_cn
hXXp://VVV.adobe.com/go/getair_ru
o mais recente do tempo de execu
hXXp://VVV.adobe.com/go/getair_br
hXXp://VVV.adobe.com/go/getair_kr
hXXp://VVV.adobe.com/go/getair_jp
hXXp://VVV.adobe.com/go/getair_it
hXXp://VVV.adobe.com/go/getair_fr
hXXp://VVV.adobe.com/go/getair_es,
hXXp://VVV.adobe.com/go/getair,
hXXp://VVV.adobe.com/go/getair_de
from hXXp://VVV.adobe.com/go/getair.
\Versions\1.0\Adobe AIR.dll
runtimes\air\win\Adobe AIR\Versions\1.0\Adobe AIR.dll
runtimeSDK\Adobe AIR\Versions\1.0\Adobe AIR.dll
\Adobe AIR\Versions\1.0\Adobe AIR.dll
kernel32.dll
mscoree.dll
KERNEL32.DLL
{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}
17.0.0.124
Adobe AIR Application Installer.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    a1c9c1d09627949:120
    notepad.exe:480
    System.exe:752
    8BALLRULER 1.1 (WIN).EXE:1448
    vbc.exe:552
    Install 8BallRuler.exe:812
    AIRRuntimeInstaller.exe:388

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan. Most of the AIR1.tmp and AIR2.tmp entries are the Adobe AIR runtime and the 8BallRuler application installer that the dropper unpacks (their Adobe build paths and certificate chain appear in the dumps above), and the CRLCache and CryptnetUrlCache entries are revocation-check caches written while the installer validated its signature; the file that the persistence entries in steps 4 and 5 point to is %System%\8BallRuler\System.exe:

    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (6204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\signatures.xml (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\8BallRuler.exe (142 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\test2.swf (85 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\setup.msi (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\AIR\application.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\16.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\48.png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install 8BallRuler.exe (128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\32.png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\Icon\128.png (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\mimetype (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\8BallRuler\META-INF\AIR\hash (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8BALLRULER 1.1 (WIN).EXE (1652 bytes)
    %System%\8BallRuler\System.exe (7547 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (132160 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (148 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (1706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (32275 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (141488 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (3810 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (3831 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (23407 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (3831 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (123239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "8BallRuler" = "%System%\8BallRuler\System.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry). Restore UserInit to its stock content ("%System%\userinit.exe," including the trailing comma) rather than deleting the value: Winlogon launches every comma-separated entry listed there at logon, and a missing or broken UserInit leaves the user logged straight back off after signing in.

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%System%\8BallRuler\System.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
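
Steps 4 and 5 are the two logon persistence points this sample sets: a Run value and an extra entry appended to Winlogon's UserInit list. The Python below is an added example, not part of the report, that audits both the way a responder would before rebooting: it splits UserInit into its entries, keeps only the stock userinit.exe (restoring it if it is gone), flags Run values that point into the drop folder or launch a System.exe (Windows ships no executable of that name), and on Windows can read the live registry and write the cleaned UserInit back. The sample values are copied from steps 4 and 5; the key constants, function names and the --fix switch are constructed for the example, and winreg is only used where it exists.

```python
"""Audit the two logon persistence points from the removal steps.

Added example, not code from the Lavasoft report. The sample values are the
ones the report lists for the Run key and for Winlogon\\UserInit; on Windows
the script also reads the live registry (winreg), elsewhere only the pure
checks run.
"""
import ntpath

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROP_DIR = "\\8ballruler\\"          # report: %System%\8BallRuler\System.exe

# Constructed from steps 4 and 5 of the removal procedure.
SAMPLE_RUN = {"8BallRuler": r"%System%\8BallRuler\System.exe"}
SAMPLE_USERINIT = r"%System%\userinit.exe,%System%\8BallRuler\System.exe"


def split_commands(value):
    """UserInit is a comma-separated list; Winlogon launches every entry."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_userinit(value, system_dir=r"C:\WINDOWS\system32"):
    """Return (clean_value, extras). Only the stock userinit.exe belongs in
    UserInit; every other entry is reported and dropped. The clean value keeps
    the trailing comma Windows itself writes, and the stock entry is put back
    if the value lost it entirely, so logon keeps working after the fix."""
    stock = ntpath.join(system_dir, "userinit.exe")
    keep, extras = [], []
    for entry in split_commands(value):
        name = entry.strip('"')
        if name.lower() in (stock.lower(), "userinit.exe"):
            keep.append(entry)
        else:
            extras.append(entry)
    if not keep:
        keep = [stock]
    return ",".join(keep) + ",", extras


def executable_of(command):
    """First token of a Run command: the quoted path, or the text up to the
    first space for an unquoted one."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit_run(values):
    """values: {value name: command}. Flag commands that point into the
    report's drop folder or run a System.exe (no Windows component has that
    file name; the kernel's System process has no image file at all)."""
    flagged = []
    for name, command in values.items():
        exe = executable_of(command).lower()
        if DROP_DIR in exe or ntpath.basename(exe) == "system.exe":
            flagged.append(name)
    return flagged


def live_audit():
    """Read the live UserInit and HKCU Run values on Windows; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "UserInit")
    run, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:         # no more values
                break
            run[name] = str(data)
            i += 1
    return userinit, run


def fix(clean_userinit, run_names):
    """Apply the cleanup from an elevated shell: rewrite UserInit and delete
    the flagged Run values. Do this before the reboot in step 7."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "UserInit", 0, winreg.REG_SZ, clean_userinit)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name in run_names:
            winreg.DeleteValue(key, name)


if __name__ == "__main__":
    import os
    import sys
    live = live_audit()
    userinit, run = live if live else (SAMPLE_USERINIT, SAMPLE_RUN)
    system_dir = (ntpath.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
                  if live else "%System%")
    clean, extras = audit_userinit(userinit, system_dir)
    bad_run = audit_run(run)
    print("UserInit extras:", extras or "none", "-> clean value:", clean)
    print("Run values to delete:", bad_run or "none")
    if live and (extras or bad_run) and "--fix" in sys.argv:
        fix(clean, bad_run)
        print("Registry cleaned; reboot to confirm logon still works.")
```

Run without arguments it only reports; pass --fix from an elevated prompt on the infected host to apply the change. The executable_of() heuristic takes an unquoted command up to its first space, which is the same ambiguity Windows itself has with unquoted paths containing spaces, so check those entries by hand.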
