Gen.Variant.Delf.46_325b3c3183

by malwarelabrobot on August 4th, 2015 in Malware Descriptions.

Gen:Variant.Delf.46 (B) (Emsisoft), Gen:Variant.Delf.46 (AdAware), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 325b3c3183c271e07740049318aa1cf5
SHA1: 1db8ae6e9f66eafb71c5c3ab964d44105cac9b59
SHA256: d9c8a4bb9df8586c304a7f708dec2c2260d888bc2f1c58ff3e1673d2e9bc8b3c
SSDeep: 12288:AjjjDB mpViHsiHxhb4drgVSGZlUntVH5kRGV7pzhP9C:Aj31RiTHfy0VdInDKotL
Size: 637952 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

unpack200.exe:620
unpack200.exe:1656
unpack200.exe:464
unpack200.exe:1844
unpack200.exe:240
unpack200.exe:1100
unpack200.exe:348
jrewin.exe:1724
%original file name%.exe:188
zipper.exe:1492
zipper.exe:1648
zipper.exe:276
zipper.exe:1844
MsiExec.exe:644
MsiExec.exe:1888

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process unpack200.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process unpack200.exe:1656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process unpack200.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process unpack200.exe:1844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process unpack200.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process unpack200.exe:1100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process unpack200.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process jrewin.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AU70VGSF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZAC1W5FL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0\jre1.6.0.msi (841444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FH28BNV1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3B6CLKER\desktop.ini (67 bytes)

The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jrewin.exe (96837 bytes)

The process zipper.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process zipper.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process zipper.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process zipper.exe:1844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process MsiExec.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\java_install_reg.log (521 bytes)
%System%\javacpl.cpl (601 bytes)
%System%\javaws.exe (673 bytes)
%System%\javaw.exe (673 bytes)
%System%\java.exe (673 bytes)

Registry activity

The process jrewin.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\JavaSoft\Java Update\Policy]
"PostStatusUrl" = "https://sjremetrics.java.com/b/ss//6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\JavaSoft\Java Update\Policy]
"Country" = "UA"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 8A 4E 9B E4 12 A9 7E F6 6A F3 DD 8C 3C E9 6F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\JavaSoft]
"InstallStatus"

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 A0 E7 A2 8A C4 C7 2A 11 EE 72 19 57 B8 8C DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"jrewin.exe" = "jrewin"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process MsiExec.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}]
"(Default)" = "Java Plug-in 1.6.0"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
"Installer" = "MSICD"

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in 1.6.0"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InstalledVersion]
"(Default)" = "1.6.0.0"

[HKLM\SOFTWARE\JavaSoft\Java Update\Policy]
"EnableJavaUpdate" = "1"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"Installer" = "MSICD"

[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0]
"RuntimeLib" = "%Program Files%\Java\jre1.6.0\bin\client\jvm.dll"

[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\ssv.dll"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}]
"(Default)" = "Java Runtime Environment 1.6.0"

[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in 1.6.0_18"

[HKLM\SOFTWARE\JavaSoft\Java Web Start\1.6.0]
"home" = "%Program Files%\Java\jre6\bin"

[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6]
"MicroVersion" = "0"

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre1.6.0\bin\npjpi160.dll"

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre1.6.0\bin\npjpi160.dll"

[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\npjpi160_18.dll"

[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in"

[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0]
"MicroVersion" = "0"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
"CodeBase" = "http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab"

[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in"

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\jarfile\shell\open\command]
"(Default)" = "%Program Files%\Java\jre6\bin\javaw.exe -jar %1 %*"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Runtime Environment 1.6.0"

[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"(Default)" = "Java Runtime Environment 1.6.0"

[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus]
"(Default)" = "0"

[HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0]
"UseJava2IExplorer" = "0"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}]
"Installer" = "MSICD"

[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\npjpi160_18.dll"

[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
"(Default)" = "SSVHelper Class"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\DownloadInformation]
"INF" = ""

[HKCR\JavaPlugin.FamilyVersionSupport\CLSID]
"(Default)" = "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"

[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
"(Default)" = "2449"

[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\ssv.dll"

[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
"(Default)" = "2449"

[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre1.6.0\bin\npjpi160.dll"

[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"(Default)" = "Java Plug-in 1.6.0_18"

[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
"(Default)" = "2449"

[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1]
"(Default)" = "2449"

[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\DownloadInformation]
"CodeBase" = "http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
"INF" = ""

[HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0]
"JavaHome" = "%Program Files%\Java\jre1.6.0"

[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
"(Default)" = "2449"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D A2 C2 B6 DD 41 71 D3 78 68 AB BD BA CD B9 4B"

[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in"

[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment]
"currentVersion" = "1.6"

[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\ssv.dll"

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6]
"JavaHome" = "%Program Files%\Java\jre6"

[HKCR\.jar]
"(Default)" = "jarfile"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InstalledVersion]
"(Default)" = "1.6.0.18"

[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0]
"JavaHome" = "%Program Files%\Java\jre1.6.0"

[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6]
"RuntimeLib" = "%Program Files%\Java\jre6\bin\client\jvm.dll"

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}]
"(Default)" = "Java Plug-in 1.6.0"

[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InstalledVersion]
"(Default)" = "1.6.0.18"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
"INF" = ""

[HKCR\JavaPlugin.160\CLSID]
"(Default)" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}"

[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\jarfile]
"(Default)" = "Executable Jar File"

[HKCR\JavaPlugin\CLSID]
"(Default)" = "{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}"

[HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\ssv.dll"

[HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0]
"HideSystemTrayIcon" = "0"

[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_18]
"JavaHome" = "%Program Files%\Java\jre6"

[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
"CodeBase" = "http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files%\Java\jre6\bin\jusched.exe"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
"NoExplorer" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32]
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus]
[HKCR\JavaPlugin\CLSID]
[HKCR\jarfile\shell]
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus]
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32]
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
[HKCR\JavaPlugin.FamilyVersionSupport]
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6]
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[HKCR\.jar]
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus]
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InstalledVersion]
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\Contains]
[HKCR\jarfile\shell\open\command]
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InstalledVersion]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\Contains]
[HKCR\JavaPlugin.FamilyVersionSupport\CLSID]
[HKCR\jarfile]
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
[HKCR\jarfile\shell\open]
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32]
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}]
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}]
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
[HKCR\JavaPlugin]
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\JavaSoft\Java Update\Policy]
"EnableAutoUpdateCheck"

The process MsiExec.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 C2 A8 3A 7A 28 70 FD 2C 24 90 4A 80 3A CA E2"

Dropped PE files

MD5 File path
d5ce41326e6d3676951a9401f8321123 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\jrewin.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 535664 536064 4.52621 0a6ebfa5c2591935bd137387c263954e
DATA 540672 9704 9728 3.39505 7db792f66e1903cf80f2941380ad4ae5
BSS 552960 3901 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 557056 8952 9216 3.44595 3db7d5e85eb5d2cf9fde46ab9853401b
.tls 569344 16 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 573440 24 512 0.139033 c0a809db29b08ac69f1358b16f30b57f
.reloc 577536 37576 37888 4.5978 f53fd06129c39d129bafb2624c72679b
.rsrc 618496 43520 43520 3.9201 64b3a634f87e04b411d90ae9353d920a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www-legacy.oraclegha.com/update/1.6.0/1.6.0-b105.xml
hxxp://a1799.d.akamai.net/update/1.6.0/1.6.0-b105.xml
hxxp://javadl-esd.sun.com/update/1.6.0/1.6.0-b105.xml 194.146.191.107
hxxp://java.sun.com/update/1.6.0/1.6.0-b105.xml 156.151.59.19
hxxp://sistemas.anatel.gov.br/Downloads/jrewin.bin 187.32.41.70


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA HTTP response header invalid
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /update/1.6.0/1.6.0-b105.xml HTTP/1.1
User-Agent: jupdate
Host: java.sun.com
Connection: Keep-Alive


HTTP/1.0 301 Moved Permanently
Location: hXXp://javadl-esd.sun.com/update/1.6.0/1.6.0-b105.xml
Server: BigIP
Connection: close
Content-Length: 0


GET /update/1.6.0/1.6.0-b105.xml HTTP/1.1
User-Agent: jupdate
Connection: Keep-Alive
Host: javadl-esd.sun.com


HTTP/1.1 200 OK
Server: Apache
ETag: "8ca1bb3f5a1862ddace6feade35b1fa6:1433102659"
Last-Modified: Sun, 31 May 2015 19:58:57 GMT
Accept-Ranges: bytes
Content-Length: 1295
Content-Typ


GET /Downloads/jrewin.bin HTTP/1.1
Content-Type: text/html
Host: sistemas.anatel.gov.br
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Content-Length: 13170312
Content-Type: application/octet-stream
Last-Modified: Tue, 16 Jan 2007 12:16:24 GMT
Accept-Ranges: bytes
ETag: "09c99236839c71:522b"
No cache: <meta http-equiv="pragma"content="no-cache">
X-Powered-By: ASP.NET
Date: Mon, 03 Aug 2015 00:36:05 GMT
Set-Cookie: BIGipServerpool_sistemas_anatel_http=4076867756.20480.0000; path=/
Set-Cookie: bbbbbbbbbbbbbbb=HDHMNMADAAAAAAAAJLOFFBAAAAAAAAAAEADAMHOFDIOFAAAADAAAELLFMLLFAAAA; HttpOnly
Set-Cookie: TS012c9f63=01dfc394f04beb2fb58041dac041e9ca4641d7b179a1649c4a536f3b36b465efe0cbcbd0f1203a7d2eb52a9b965295d04ee5f0c25a5b1caaff626a50a02651713c75ab28b0; Path=/
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
............................G...............G...........V...........(.
..............Rich....................PE..L...`vmE....................
[email protected].............
..........................([email protected]...............................
................................H.....................................
.......text...R........................... ..`.rdata...,.......0......
............@[email protected]...|........ [email protected]....@
.......0..............@..@............................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>

The Trojan connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    unpack200.exe:620
    unpack200.exe:1656
    unpack200.exe:464
    unpack200.exe:1844
    unpack200.exe:240
    unpack200.exe:1100
    unpack200.exe:348
    jrewin.exe:1724
    %original file name%.exe:188
    zipper.exe:1492
    zipper.exe:1648
    zipper.exe:276
    zipper.exe:1844
    MsiExec.exe:644
    MsiExec.exe:1888

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AU70VGSF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZAC1W5FL\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0\jre1.6.0.msi (841444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FH28BNV1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3B6CLKER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrewin.exe (96837 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\java_install_reg.log (521 bytes)
    %System%\javacpl.cpl (601 bytes)
    %System%\javaws.exe (673 bytes)
    %System%\javaw.exe (673 bytes)
    %System%\java.exe (673 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched" = "%Program Files%\Java\jre6\bin\jusched.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
