Gen.Variant.Zusy.Elzob.22474_fbace3e2dc

by malwarelabrobot on April 19th, 2015 in Malware Descriptions.

Trojan.Win32.VBKrypt.xiz (Kaspersky), Gen:Variant.Zusy.Elzob.22474 (B) (Emsisoft), Gen:Variant.Zusy.Elzob.22474 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: fbace3e2dc45c3c30ae9cb4773740a9b
SHA1: f2107f06ed9e7334e9ba9381f7dcd47cc2b719d3
SHA256: c0ff91b05ae51c5c69269ddced822d345a6a4dec9f44ae7206e0597882790ee1
SSDeep: 1536:Zcjd75QPYyM haVCpR/orFNbXV8l0ByhuhgpHFr3 nouy8o0X6Pufu:ejdiPYydUVCptoZJC6pilr3eoutoJQu
Size: 73728 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPX (Compresor Gratuito, www.upx.sourceforge.net), UPolyX v0.5
Company: no certificate found
Created at: 1983-01-15 13:23:20 (PE header timestamp; it predates the PE format itself, so the value is forged or meaningless)
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
No code injection was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies %System%\drivers\etc\hosts, the static name-to-address table that the Windows resolver consults before it queries DNS: a name listed there resolves to the listed address and no DNS query is ever sent. The modified file is 22836 bytes. The entries below are appended to it.

Two patterns are worth noting. The first three entries send viabcp.com, www.viabcp.com and bcpzonasegura.viabcp.com (the online-banking domains of Banco de Crédito del Perú) to a single routable address, 208.109.220.95, which is a pharming setup: a user who types the bank's address lands on whatever is hosted there. Almost every other name belongs to an antivirus vendor, an online file scanner (virustotal.com, virusscan.jotti.org, anubis.iseclab.org, threatexpert.com) or a help forum, largely Spanish-language, and most of them are pinned to addresses in multicast, reserved or private space (224.0.0.0/4, 240.0.0.0/4, 0.0.0.0/8, 10.0.0.0/8) or to unrelated hosts, so signature updates, support pages and second-opinion scans simply fail. The same block of 64 addresses repeats in order through the first few hundred entries, so the values were generated rather than chosen per name. Several names appear more than once with different addresses (www.emsisoft.com, www.antivir.es, www.authentium.com, avast.com); the resolver takes the first match, so the later lines have no effect. A few names are run together or cut short (b-have.orgbitdefender-ar.com, f-secure.frf-secure.hk, support.kaspersky.co), apparently an artifact of how the binary stores its list; they are reproduced here as written.

208.109.220.95 viabcp.com
208.109.220.95 www.viabcp.com
208.109.220.95 bcpzonasegura.viabcp.com
17.30.245.112 iniciorapido.info
187.151.72.239 www.iniciorapido.info
251.96.237.3 buscalo.in
71.122.226.36 www.buscalo.in
229.162.40.150 buscafacil.com
144.26.191.21 www.buscafacil.com
207.227.99.228 emsisoft.com
28.254.88.73 ahnlab.com
185.37.158.119 antivir.es
100.157.241.58 antiy.net
163.103.149.10 authentium.com
240.129.138.42 avast.com
141.168.208.156 avg.com
56.100.103.95 bitdefender.com
120.234.11.47 quickheal.com
196.4.0.80 clamav.net
98.111.70.193 comodo.com
12.232.153.64 drweb.com
76.177.62.84 aladdin.com
152.135.51.117 ca.com
242.243.121.163 f-prot.com
225.107.204.102 f-secure.com
220.52.180.53 fortinet.com
109.79.169.86 gdata.es
198.118.171.200 ikarus.at
181.238.66.139 jiangmin.com
176.184.230.91 kaspersky.com
65.210.219.123 mcafee.com
155.249.33.237 microsoft.com
137.113.116.108 eset.es
133.59.92.128 norman.com
209.85.81.161 nprotect.com
111.124.83.206 pandasecurity.com
93.245.234.145 pctools.com
89.190.143.97 prevx.com
165.216.132.130 rising-global.com
67.68.202.244 sophos.com
50.188.29.183 sunbeltsoftware.com
45.133.193.134 symantec.com
122.92.182.167 hacksoft.com.pe
23.199.252.25 trendmicro.com
6.63.147.152 anti-virus.by
1.9.55.172 hauri.net
78.223.44.204 virusbuster.hu
236.74.114.62 www.emsisoft.com
218.194.197.189 www.ahnlab.com
214.140.105.141 www.antivir.es
34.166.94.174 www.antiy.net
192.205.164.31 www.authentium.com
174.70.247.226 www.avast.com
170.15.224.178 www.avg.com
246.41.213.211 www.bitdefender.com
148.81.215.69 www.quickheal.com
131.201.110.196 www.clamav.net
126.146.18.215 www.comodo.com
203.173.7.248 www.drweb.com
104.212.77.106 www.aladdin.com
87.144.160.233 www.ca.com
82.90.136.185 www.f-prot.com
159.48.125.217 www.f-secure.com
60.155.127.75 www.fortinet.com
231.19.22.14 www.gdata.es
39.221.186.222 www.ikarus.at
115.179.175.255 www.jiangmin.com
17.30.245.112 www.kaspersky.com
187.151.72.239 www.mcafee.com
251.96.237.3 www.microsoft.com
71.122.226.36 www.eset.es
229.162.40.150 www.norman.com
144.26.191.21 www.nprotect.com
207.227.99.228 www.pandasecurity.com
28.254.88.73 www.pctools.com
185.37.158.119 www.prevx.com
100.157.241.58 www.rising-global.com
163.103.149.10 www.sophos.com
240.129.138.42 www.sunbeltsoftware.com
141.168.208.156 www.symantec.com
56.100.103.95 www.hacksoft.com.pe
120.234.11.47 www.trendmicro.com
196.4.0.80 www.anti-virus.by
98.111.70.193 www.hauri.net
12.232.153.64 www.virusbuster.hu
76.177.62.84 www.emsisoft.com
152.135.51.117 www.anti-trojan.net
242.243.121.163 malwarescan.emsisoft.com
225.107.204.102 forum.emsisoft.com
220.52.180.53 www.emsisoft.net
109.79.169.86 www.emsisoft.it
198.118.171.200 www.emsisoft.de
181.238.66.139 www.anti-trojan-software.net
176.184.230.91 mamutu.com
65.210.219.123 www.emsisoft.es
155.249.33.237 malwarescan.emsisoft.de
137.113.116.108 ww.emsisoft.com
133.59.92.128 www.emsisoft.fr
209.85.81.161 www.emsisoft.nl
111.124.83.206 onlinecheck.emsisoft.com
93.245.234.145 onlinecheck.emsisoft.de
89.190.143.97 www.emsisoft.org
165.216.132.130 scan.anti-trojan.net
67.68.202.244 www.trojaner.info
50.188.29.183 onlinecheck.emsisoft.org
45.133.193.134 onlinecheck.emsisoft.net
122.92.182.167 blitzblank.com
23.199.252.25 www.emsisoft.at
6.63.147.152 www.emsisoft.jp
1.9.55.172 www.mamutu.com
78.223.44.204 malwarescan.emsisoft.es
236.74.114.62 www.mamutu.de
218.194.197.189 download5.emsisoft.com
214.140.105.141 download1.emsisoft.com
34.166.94.174 download4.emsisoft.com
192.205.164.31 global.ahnlab.com
174.70.247.226 www.hackshields.com
170.15.224.178 www.internationalservicecheck.com
246.41.213.211 www.irangoals.com
148.81.215.69 ixomodels.com
131.201.110.196 www.indielisboa.com
126.146.18.215 www.latin-mass-society.org
203.173.7.248 www.arpia.be
104.212.77.106 www.owen.org
87.144.160.233 www.prdouglas.co.uk
82.90.136.185 www.zarya.info
159.48.125.217 www.willsee.com
60.155.127.75 halmapr.com
231.19.22.14 karuna-shechen.org
39.221.186.222 www.barder.com
115.179.175.255 www.antivir.es
17.30.245.112 www.buraka.tv
187.151.72.239 www.dr-bull.com
251.96.237.3 www.manchester-offices.co.uk
71.122.226.36 saverssite.com
229.162.40.150 canada.karuna-shechen.org
144.26.191.21 developmentdrums.org
207.227.99.228 www.imddomains.co.uk
28.254.88.73 cutlines.org
185.37.158.119 elblogdemanu.com
100.157.241.58 ruben.bzin.net
163.103.149.10 welkam.co.jp
240.129.138.42 www.cambridge-steiner-school.co.uk
141.168.208.156 naturesimages.net
56.100.103.95 www.1stavenuelimousines.co.uk
120.234.11.47 www.mtr-design.com
196.4.0.80 dev.depeuter.org
98.111.70.193 www.emeraldclassic.co.uk
12.232.153.64 www.peterhearnwaste.co.uk
76.177.62.84 etrr.co.uk
152.135.51.117 www.avoncourt.com
242.243.121.163 sarahmcconnellphotography.net
225.107.204.102 www.ixomodels.com
220.52.180.53 natsko.com
109.79.169.86 www.nottinghampoetryseries.com
198.118.171.200 www.sheffieldmind.co.uk
181.238.66.139 ixostore.ixomodels.com
176.184.230.91 www.flairweddings.co.uk
65.210.219.123 www.fimasys.com
155.249.33.237 cohartuk.com
137.113.116.108 qqjkw.net
133.59.92.128 vivo-austin.com
209.85.81.161 www.freeality.com
111.124.83.206 bestofewan.com
93.245.234.145 www.handwritingforkids.com
89.190.143.97 cowsmo.com
165.216.132.130 www.2xlgames.com
67.68.202.244 kimzimmer.net
50.188.29.183 basetendencies.com
45.133.193.134 trackingtheworld.com
122.92.182.167 www.reviewsofbooks.com
23.199.252.25 www.collectedcurios.com
6.63.147.152 www.renningers.com
1.9.55.172 ccslaughterspdx.com
78.223.44.204 www.briarhurst.com
236.74.114.62 www.smf.org
218.194.197.189 ribbonwarehouse.com
214.140.105.141 www.garryowen.com
34.166.94.174 45pounds.com
192.205.164.31 isotopecomics.com
174.70.247.226 roysephotos.com
170.15.224.178 www.stadiumpage.com
246.41.213.211 www.elvis-express.com
148.81.215.69 www.tomorrowsedge.net
131.201.110.196 www.beautybar.com
126.146.18.215 pineleafboys.com
203.173.7.248 www.mountainlakeslodge.com
104.212.77.106 pvtc.org
87.144.160.233 bhsbees.com
82.90.136.185 baristamagazine.com
159.48.125.217 www.gokidding.com
60.155.127.75 defalcos.com
231.19.22.14 www.celticmerchant.com
39.221.186.222 www.hxproduction.com
115.179.175.255 www.wellgousa.com
17.30.245.112 blog.titanium-jewelry.com
187.151.72.239 www.brightoctober.com
251.96.237.3 hishomeforchildren.com
71.122.226.36 www.phoenixtrikeworks.com
229.162.40.150 www.professorbeyer.com
144.26.191.21 www.secondchanceboxer.com
207.227.99.228 www.residentphotography.com
28.254.88.73 woottonfootball.com
185.37.158.119 www.deborahshelton.net
100.157.241.58 bobbondart.com
163.103.149.10 www.authentium.com
240.129.138.42 asap.authentium.com
141.168.208.156 www.authentium.com.au
56.100.103.95 avast.com
120.234.11.47 www.avast.com
196.4.0.80 files.avast.com
98.111.70.193 download535.avast.com
12.232.153.64 avg.com
76.177.62.84 www.avg.com
152.135.51.117 grisoft.com
242.243.121.163 www.grisoft.com
225.107.204.102 antivirus-tools.com
220.52.180.53 archive.bitdefender.com
109.79.169.86 avx.rob-have.net
198.118.171.200 b-have.orgbitdefender-ar.com
181.238.66.139 bitdefender.com
176.184.230.91 bitdefender.org
65.210.219.123 bitdefenderchina.com
155.249.33.237 bitdefenderguatemala.com
137.113.116.108 bitdefendermalaysia.com
133.59.92.128 bitdefendertaiwan.com
209.85.81.161 bitdefenderuruguay.com
111.124.83.206 bitdefenderusa.com
93.245.234.145 buy.bitdefender-es.com
89.190.143.97 buy.bitdefender.com
165.216.132.130 buy.bitdefender.de
67.68.202.244 de.bitdefender.com
50.188.29.183 fr.bitdefender.com
45.133.193.134 futurenow.bitdefender.com
122.92.182.167 it.bitdefender.com
23.199.252.25 jobs.bitdefender.com
6.63.147.152 kb.bitdefender.com
1.9.55.172 kb.bitdefender.de
78.223.44.204 kb.bitdefender.us
236.74.114.62 latin.bitdefender.com
218.194.197.189 linux.bitdefender.com
214.140.105.141 malwarecity.com
34.166.94.174 malwarecity.netmalwarecity.org
192.205.164.31 malwarepedia.com
174.70.247.226 neunet.orgnews.bitdefender.com
170.15.224.178 nl.bitdefender.com
246.41.213.211 renewals.bitdefender.com
148.81.215.69 sales.bitdefender.com
131.201.110.196 square.bitdefender.com
126.146.18.215 store.bitdefender.com
203.173.7.248 store.de.bitdefender.com
104.212.77.106 us.bitdefender.com
87.144.160.233 virusscanonline.net
82.90.136.185 wedoantivirus.com
159.48.125.217 www.antivirus-tools.com
60.155.127.75 www.avx.ro
231.19.22.14 www.bit-defender.de
39.221.186.222 www.bitdefende.de
115.179.175.255 www.bitdefender-es.com
17.30.245.112 www.bitdefender.be
187.151.72.239 www.bitdefender.cl
251.96.237.3 www.bitdefender.co.uk
71.122.226.36 www.bitdefender.com
229.162.40.150 www.bitdefender.com.au
144.26.191.21 www.bitdefender.com.sg
207.227.99.228 www.bitdefender.com.tw
216.186.20.5 www.bitdefender.com.vn
117.225.90.51 www.bitdefender.de
32.89.173.246 www.bitdefender.es
95.35.81.198 www.bitdefender.fr
172.61.70.230 www.bitdefender.hk
74.100.140.88 www.bitdefender.us
244.32.35.27 www.bitdefenderme.com
52.166.199.235 www.malwarecity.com
128.192.188.12 www.malwarecity.fr
30.43.2.125 quickheal.com
200.164.85.252 www.quickheal.com
8.109.250.16 www.clamav.net
84.67.239.49 cgi.clamav.net
174.175.53.95 lurker.clamav.net
157.39.136.34 wwws.clamav.net
152.240.112.241 lists.clamav.net
41.11.101.18 bugs.clamav.net
130.50.103.132 system-cleaner.comodo.com
113.170.254.71 backup.comodo.com
108.116.162.23 www.comodoantispam.com
253.142.151.55 easy-vpn.comodo.com
87.181.221.169 www.trustlogo.com
69.46.48.40 ztl.comodo.com
65.247.24.60 www.livepcsupport.com
141.17.13.93 www.whichssl.com
43.56.15.138 www.trustix.com
25.177.166.77 disk-encryption.comodo.com
21.122.75.29 speedtest.comodo.com
97.148.64.62 www.contentverification.com
255.0.134.176 idauthority.com
238.120.217.115 www.comodo.tv
233.65.125.66 online-backup.comodo.com
54.24.114.99 www.testmypcsecurity.com
211.131.184.213 www.ccssforum.org
194.251.79.84 i-vault.comodo.com
189.197.243.104 internetsecurity.comodo.com
10.155.232.136 www.comodopartners.com
168.6.46.250 timestamp.comodoca.com
150.126.129.121 secure-email.comodo.com
146.72.37.73 timestamp.wosign.com
222.98.26.106 rover800.gaima.co.uk
124.137.96.219 www.nsclean.com
106.2.179.158 www.contentverification.com
102.203.156.110 new-estore.drweb.com
178.229.145.143 support.drweb.com
80.13.147.1 pda.drweb.com
63.133.42.128 updates.drweb.com
58.78.206.147 drweb.com
135.105.195.180 vms.drweb.com
36.144.9.38 solutions.drweb.com
19.76.92.165 news.drweb.com
14.22.68.117 my.drweb.com
91.236.57.149 buy.drweb.com
249.87.59.7 products.drweb.com
163.207.210.202 new-support.drweb.com
227.153.118.154 promotions.drweb.com
47.111.107.187 network.drweb.com
205.218.177.44 customers.drweb.com
119.83.4.171 store.drweb.com
183.28.169.191 company.drweb.com
3.54.158.224 training.drweb.com
161.94.228.82 license.drweb.com
76.214.123.209 cureit.ru
139.159.31.160 free.drweb.com
216.186.20.5 info.drweb.com
117.225.90.51 new-partners.drweb.com
32.89.173.246 drweb.net
95.35.81.198 new-company.drweb.com
172.61.70.230 new-beta.drweb.com
74.100.140.88 new-forum.drweb.com
244.32.35.27 secure.av-desk.com
52.166.199.235 www.av-desk.com
128.192.188.12 new-solutions.drweb.com
30.43.2.125 new-www.drweb.com
200.164.85.252 www.freedrweb.ru
8.109.250.16 daniloff.net
84.67.239.49 drweb-inside.com
174.175.53.95 drwebinside.com
157.39.136.34 aladdin.com
152.240.112.241 alladdin.ru
41.11.101.18 chickensroamfree.com
130.50.103.132 ealaddin.net
113.170.254.71 ealaddin.orgeshop.aladdin.com
108.116.162.23 secureme.com
253.142.151.55 www.aks.com
87.181.221.169 www.aladdin.com
69.46.48.40 www.ealaddin.com
65.247.24.60 www.ealaddin.com
141.17.13.93 auwww.ealaddin.nl
43.56.15.138 www.esafe.com
25.177.166.77 www.hasp.se
21.122.75.29 www.safenet-inc.com
97.148.64.62 www3.safenet-inc.com
255.0.134.176 www.ca.com
186.68.165.62 cacomvip.ca.com
181.13.73.14 www.netegrity.com
2.228.62.47 search.ca.com
159.79.132.161 cai.com
142.199.27.32 www.f-prot.com
137.145.191.52 frisk-software.com
214.103.180.84 www.frisk.is
115.210.250.198 www.frisk-software.com
98.74.77.69 f-secure.com
94.20.241.21 f-secure.frf-secure.hk
170.46.230.54 f-secure.nlfsecure.com
72.85.44.167 fsecure.nlwebyard.com
54.206.127.106 www.f-secure.com
50.151.104.58 www.fsecure.com
126.177.93.91 www.virus.fi
28.217.95.205 fortihero.com
11.81.246.75 fortilog.com
6.26.154.95 fortinet.co.at
83.53.143.128 fortinet.com
240.92.213.242 fortiprotect.com
223.24.40.113 fortiwifi.com
218.226.16.65 www.apsecure.com
39.184.5.97 www.fortifed.com
196.35.7.211 www.fortiid.com
111.155.158.150 www.fortimail.com
175.101.66.102 www.fortinet-apac.com
251.59.55.135 www.fortinet.ch
153.166.125.248 www.fortinet.co.il
67.31.208.119 www.fortinet.com
131.232.117.139 www.fortinet.com
207.2.106.172 arwww.fortinet.cz
109.42.176.30 www.fortinet.net
24.162.71.156 www.fortinet.nl
87.107.235.108 www.fortinet.sg
164.134.224.209 www.fortinetuk.com
65.173.38.255 www.secure-elements.com
236.37.121.194 gdata.es
43.239.29.146 www.gdata.es
120.9.18.178 ikarus.at
21.48.88.36 www.ikarus.at
192.236.239.231 global.jiangmin.com
0.114.147.183 jiangmin.com.cn
76.140.136.216 jiangmin.com
234.247.206.73 www.jiangmin.com.cn
148.112.33.200 www.kaspersky.com
212.57.198.220 forum.kaspersky.com
32.15.187.253 support.kaspersky.co
122.123.1.43 usa.kaspersky.com
105.243.84.237 brazil.kaspersky.com
100.188.60.189 latam.kaspersky.com
245.215.49.222 kaspersky.com
78.254.51.80 me.kaspersky.com
61.118.202.19 images.kaspersky.com
56.64.110.227 www.mcafee.com
201.90.99.3 support.mcafee.com
34.129.169.117 msr.mcafee.com
17.249.252.244 home.mcafee.com
13.195.228.8 networkassociates.com
89.221.217.41 us.mcafee.com
247.4.219.86 tr.mcafee.com
229.125.114.25 au.mcafee.com
225.70.23.233 mx.mcafee.com
45.96.12.198 networkassociates.nai.com
135.136.14.56 go.mcafee.com
118.0.97.251 fr.mcafee.com
113.201.5.202 uk.mcafee.com
190.160.250.235 de.mcafee.com
91.11.64.93 obscgi.mcafee.com
74.131.215.220 nai.com
69.77.123.240 www.entercept.com
146.35.112.16 jp.mcafee.com
47.142.182.130 mcafeeb2b.com
30.6.9.1 cn.mcafee.com
26.208.173.209 service.mcafee.com
102.234.162.242 br.mcafee.com
4.17.232.99 www.mcafee.at
242.138.59.38 mcafeeretail.com
238.83.36.246 it.mcafee.com
58.109.25.23 tw.mcafee.com
216.149.27.137 privacy.microsoft.com
199.13.178.8 tempuri.org
194.214.86.27 schemas.xmlsoap.org
15.241.75.60 www.microsoft.com
172.24.145.174 specs.xmlsoap.org
155.212.228.45 www.eugrantsadvisor.ie
150.158.204.253 schemas.microsoft.com
227.116.193.29 encarta.msn.com
128.223.195.143 www.sysinternals.com
43.87.90.82 grv.microsoft.com
107.33.254.34 www.xmlsoap.org
183.247.243.67 www.eugrantsadvisor.se
85.98.57.180 www.eugrantsadvisor.com
255.219.140.51 research.microsoft.com
63.164.49.71 www.engyro.com
139.190.38.104 www.exchangeyourcareer.com
41.230.108.218 www.eugrantsadvisor.de
212.94.3.89 exchangeyourcareer.net
19.39.167.40 eugrantsadvisor.de
96.66.156.141 eugrantsadvisor.cz
253.105.226.187 www.eset.es
168.225.53.126 demos.eset.es
231.171.217.78 descargas.eset.es
52.197.206.110 blogs.protegerse.com
209.236.20.224 eos.eset.es
124.168.171.163 pedidos.protegerse.com
188.46.79.115 reg-int.nod32-es.com
8.72.68.148 reg.eset.es
166.179.138.5 vicentevirtual.com
80.44.221.132 cou85.com
144.245.130.152 www.norman.com
220.203.119.185 fsc.norman.com
54.55.189.231 nprobeta.norman.com
37.175.16.170 register.norman.com
32.120.248.121 webadmin.norman.no
177.147.237.154 sandbox.norman.com
10.186.239.12 www.nprotect.com
249.50.134.207 global.nprotect.com
244.252.42.159 www.nprotect.co.kr
133.22.31.191 www.npin.co.kr
222.61.101.49 siren24.nprotect.com
205.181.184.176 15660808.co.kr
201.127.160.196 biz.nprotect.com
21.153.149.229 nprotect.net
179.192.151.18 www.nprotect.com.br
161.57.46.213 liveprotect.net
105.206.158.113 nprotect.seoul.go.kr
181.232.148.146 chollian.nprotect.co.kr
83.84.218.4 www.pandasecurity.com
66.204.45.198 research.pandasecurity.com
61.149.209.150 support.pandasecurity.com
138.108.198.183 pandalabs.pandasecurity.com
39.215.12.41 pandasecurity.com
22.79.163.168 mop.pandasecurity.com
17.24.71.188 timeforyourbusi.pandasecurity.com
94.239.60.220 cybercrime.pandasecurity.com
251.90.130.78 free.pandasecurity.com
234.210.213.205 cloudprotection.pandasecurity.com
230.156.121.157 shop.pandasecurity.com
50.182.110.190 soporte.pandasecurity.com
208.221.180.47 together.pctools.com
190.86.7.242 www.prevx.com
186.31.239.194 info.prevx.com
6.57.229.227 free.prevx.com
164.97.231.85 spywarefiles.prevx.com
147.217.126.211 spywaredlls.prevx.com
142.162.34.231 shield.prevx.com
219.189.23.8 www.prevx1.com
120.228.93.122 howsafeismypc.com
103.160.176.249 www.retento.com
98.105.152.201 www.freerav.com
175.64.141.233 www.rising-global.com
76.171.143.91 www.risingav.com.au
247.35.38.30 support.rising-global.com
55.237.202.238 superboy2010.com.au
131.195.191.15 www.sophos.com
33.46.5.128 feeds.sophos.com
203.167.88.255 esp.sophos.com
11.112.252.19 cn.sophos.com
87.138.242.52 tw.sophos.com
245.178.56.166 kr.sophos.com
160.42.207.36 sophos.com
223.243.115.244 podcasts.sophos.com
44.14.104.89 www.sunbeltsoftware.com
201.53.174.135 go.sunbeltsoftware.com
116.173.1.74 oem.sunbeltsoftware.com
179.119.165.26 antispam.sunbeltsoftware.com
0.145.154.58 antispyware.sunbeltsoftware.com
157.184.224.172 antivirus.sunbeltsoftware.com
72.116.119.111 sunbeltsoftware.com
136.250.27.63 shop.sunbeltsoftware.com
212.20.16.96 live.sunbeltsoftware.com
114.127.86.209 firewall.sunbeltsoftware.com
28.248.169.80 www.symantec.com
92.193.77.100 security.symantec.com
168.151.67.133 securityrespons.symantec.com
2.3.137.179 service1.symantec.com
241.123.220.117 enterprisesecur.symantec.com
236.68.196.69 eval.symantec.com
125.95.185.102 symantec.com
214.134.187.216 definitions.symantec.com
129.186.14.87 investor.symantec.com
124.132.178.39 et.symantec.com
13.158.167.71 sfdoccentral.symantec.com
102.197.237.185 servicenews.symantec.com
85.61.64.56 securityrespons.symantec.com
81.7.40.76 sea.symantec.com
157.33.29.109 go.symantec.com
59.72.31.154 dell.symantec.com
41.193.182.93 sun.symantec.com
37.138.90.45 marian.symantec.com
113.164.80.78 tms.symantec.com
15.16.150.192 securitycheck.symantec.com
254.136.233.130 smallbiz.symantec.com
249.81.141.82 www.symantec.com
70.40.130.115 visualtracking.symantec.com
227.147.200.229 search.symantec.com
210.11.95.100 liveupdate.symantec.com
205.213.3.120 sitedirector.symantec.com
26.171.248.152 edm.symantec.com
183.22.62.10 hostedmailsecur.symantec.com
166.142.145.137 www4.symantec.com
162.88.53.89 education.symantec.com
238.114.42.122 vos.symantec.com
140.153.112.235 www.hacksoft.com.pe
122.18.195.174 hacksoft.pe
118.219.171.126 www.hacksoft.pe
194.245.161.159 housecall.trendmicro.com
96.29.163.17 www.trendmicro.com
79.149.58.143 housecall65.trendmicro.com
74.94.222.163 us.trendmicro.com
151.121.211.196 blog.trendmicro.com
52.160.25.54 emea.trendmicro.com
35.92.108.181 housecall60.trendmicro.com
30.38.84.133 jp.trendmicro.com
107.252.73.165 de.trendmicro.com
8.103.75.23 it.trendmicro.com
179.223.226.218 itw.trendmicro.com
243.169.134.170 esupport.trendmicro.com
63.127.123.203 es.trendmicro.com
221.234.193.60 br.trendmicro.com
135.99.20.187 tw.trendmicro.com
199.44.185.207 la.trendmicro.com
19.70.174.240 uk.trendmicro.com
177.110.244.98 ru.trendmicro.com
92.230.139.224 smbstore.trendmicro.com
155.175.47.176 apac.trendmicro.com
232.202.36.21 store.trendmicro.com
133.241.106.67 training.trendmicro.com
48.105.137.210 trial.trendmicro.com
59.254.45.162 ushousecall02.trendmicro.com
136.25.34.194 subwiz.trendmicro.com
37.64.104.52 go.trendmicro.com
208.252.255.247 feeds.trendmicro.com
16.130.163.199 channelpartner.trendmicro.com
92.156.152.232 wtc.trendmicro.com
250.7.222.89 shop.trendmicro.com
164.128.49.216 fr.trendmicro.com
228.73.213.236 threatinfo.trendmicro.com
48.31.203.13 newsletters.trendmicro.com
138.139.17.59 www.anti-virus.by
120.3.100.253 bg.virusblokada.com
116.204.76.205 www.vba.com.by
5.231.65.238 beta.anti-virus.by
94.14.67.96 www.bg.virusblokada.com
77.134.218.35 www.hauri.net
72.79.126.243 www.hauri.co.kr
217.106.115.19 company.hauri.net
50.145.185.133 www.globalhauri.com
33.9.12.4 shop.hauri.co.kr
29.211.244.24 hauri.co.kr
105.237.233.57 pg.hauri.net
7.20.235.102 esecurity.livecall.co.kr
245.141.130.41 mall.hauri.co.kr
241.86.38.249 company.hauri.co.kr
61.112.28.26 haurijapan.com
219.220.98.140 virobot.co.kr
201.84.181.78 www.virusbuster.hu
197.29.89.30 virusbuster.hu
18.244.78.63 scanner.novirusthanks.org
175.95.148.177 scanner2.novirusthanks.or
158.215.43.48 novirusthanks.org
85.92.139.0 www.novirusthanks.org
162.51.128.32 virustotal.com
63.158.198.146 www.virustotal.com
46.22.25.17 virscan.org
42.224.189.225 www.virscan.org
118.250.178.2 virusscan.jotti.org
20.33.248.115 jotti.org
2.154.75.54 www.jotti.org
254.99.51.6 viruschief.com
74.125.41.39 www.viruschief.com
232.165.43.153 scanner.virus.org
215.29.194.23 virus.org
210.230.102.43 www.virus.org
31.1.91.76 scan4you.net
188.40.161.190 www.scan4you.net
171.228.244.61 avhide.com
166.173.220.13 www.avhide.com
243.132.209.45 anubis.iseclab.org
144.239.211.159 iseclab.org
59.103.106.98 www.iseclab.org
123.49.14.50 threatexpert.com
199.7.3.83 www.threatexpert.com
101.114.73.196 forospyware.com
15.235.156.67 www.forospyware.com
27.128.12.35 in.answers.yahoo.com
103.154.2.68 es.answers.yahoo.com
5.194.72.182 kioskea.net
175.58.223.52 www.kioskea.net
239.3.131.4 es.kioskea.net
60.30.120.105 mygeekside.com
217.69.190.151 www.mygeekside.com
132.189.17.90 www.tecniservicioslys.com
195.134.181.41 tecniservicioslys.com
16.161.170.74 virusfreezone.info
173.200.240.188 www.virusfreezone.info
88.132.135.127 intranet.cidiroax.ipn.mx
152.10.43.79 spycheck.es
228.36.32.112 www.spycheck.es
130.143.102.225 antivirus.hispavista.com
44.8.185.96 computing.net
108.209.93.116 www.computing.net
184.167.83.149 spycheck.co.uk
18.19.153.195 www.spycheck.co.uk
0.139.236.133 midescargas.com
252.84.212.85 www.midescargas.com
141.111.201.118 static.yoreparo.com
230.150.203.232 softfaq.com
213.202.30.103 www.softfaq.com
140.147.194.54 configurarequipos.com
29.174.183.87 www.configurarequipos.com
118.213.253.201 seasonsecurity.com
101.77.80.72 www.seasonsecurity.com
97.23.56.92 removetrojanvirus.org
173.49.45.125 www.removetrojanvirus.org
75.88.47.170 ibusca.me
57.209.198.109 www.ibusca.me
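To triage a hosts file for this kind of tampering, the following Python script (an added example, not part of the Lavasoft report) parses Windows hosts-file syntax and reports entries that point at unroutable addresses, entries for security-vendor or scanner names, names listed twice with different addresses, and the routable addresses that several names share; it also produces the cleaned file that manual-removal step 2 asks for. The sample hosts content is constructed from a handful of the entries above plus a default XP header; the vendor-name list and the set of unroutable ranges are my own choices for the example.

```python
"""Audit a Windows hosts file for the tampering pattern in this report.

Added example; not code from the report. The vendor-token list and the
unroutable ranges are assumptions chosen for illustration."""
import ipaddress
from collections import defaultdict

# Ranges that can never reach a public web server (assumed bogon list).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Name fragments of AV vendors and online scanners that appear in the report's list.
VENDOR_TOKENS = ("kaspersky", "symantec", "mcafee", "emsisoft", "avast", "avg.com",
                 "bitdefender", "trendmicro", "sophos", "eset", "virustotal",
                 "jotti", "threatexpert", "clamav", "drweb", "pandasecurity")

# Constructed sample: a default XP header plus a few lines copied from the report.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
208.109.220.95 viabcp.com
208.109.220.95 www.viabcp.com
208.109.220.95 bcpzonasegura.viabcp.com
229.162.40.150 buscafacil.com
240.129.138.42 avast.com
176.184.230.91 kaspersky.com
236.74.114.62 www.emsisoft.com
76.177.62.84 www.emsisoft.com
0.114.147.183 jiangmin.com.cn
162.51.128.32 virustotal.com
"""


def parse_hosts(text):
    """Return [(ip, name), ...] in file order; one line may map several names."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()    # drop comments, split on any whitespace
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not an address; the resolver skips it too
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries


def is_unroutable(ip):
    return any(ip in net for net in UNROUTABLE)


def audit_hosts(text):
    """Classify every non-localhost entry. The resolver uses the first match for a
    name, so a later duplicate is shadowed and never takes effect."""
    findings = {"unroutable": [], "vendor": [], "shadowed": []}
    shared = defaultdict(list)                  # routable address -> names pinned to it
    first_seen = {}
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue                            # the one entry a clean file should have
        if is_unroutable(ip):
            findings["unroutable"].append((str(ip), name))
        else:
            shared[str(ip)].append(name)
        if any(tok in name for tok in VENDOR_TOKENS):
            findings["vendor"].append((str(ip), name))
        if name in first_seen and first_seen[name] != ip:
            findings["shadowed"].append((name, str(first_seen[name]), str(ip)))
        first_seen.setdefault(name, ip)
    findings["routable_targets"] = dict(shared)
    return findings


def cleaned_hosts(text):
    """Keep comments, blank lines and loopback->localhost; drop everything else
    (manual-removal step 2). Follow up with `ipconfig /flushdns`, because the
    DNS Client service caches hosts entries."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        entries = parse_hosts(raw)
        if entries and all(ip.is_loopback and name == "localhost" for ip, name in entries):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for key in ("unroutable", "vendor", "shadowed"):
        print(key, report[key])
    print("routable_targets", report["routable_targets"])
    print(cleaned_hosts(SAMPLE_HOSTS))
```

On the constructed sample the audit flags four unroutable pins, five vendor names, one shadowed duplicate of www.emsisoft.com, and a single routable address shared by all three bank names, which is the pharming target a responder should pull first. Run it against a real hosts file with `audit_hosts(open(path).read())`; the vendor list is deliberately short and should be extended with the products in use at the site.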


Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives: it writes its executable to every removable drive and creates an autorun.inf beside it that points Explorer's open and explore actions at that executable, so the file runs when the user opens the drive from Windows Explorer. Note that this sandbox run recorded no file creation (see File activity), so the propagation behaviour here comes from the family classification rather than from anything observed in this run. Windows XP and Vista with update KB971029 applied, and Windows 7 and later, do not honor autorun.inf on USB removable drives, so on a patched host the worm still needs the user to run the file by hand.
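The hook the paragraph describes is an [autorun] section whose shell\open\command (and usually shell\explore\command) keys name the worm's file, so the Explorer actions a user would take on the drive run it instead of opening the folder, while open= covers the AutoPlay path. The script below, an added example rather than anything from this report, pulls those launch targets out of an autorun.inf so a responder can locate the dropped executable without double-clicking the drive. The sample autorun.inf is constructed and its file name is a placeholder; the default drive letter in `launch_paths` is an assumption.

```python
"""Extract the launch targets from an autorun.inf.

Added example, not code from the report. Windows reads the [autorun]
section as INI text: open= and shellexecute= fire on AutoPlay,
shell\\<verb>\\command= rewrites what Explorer's context-menu verbs run
(shell\\open\\command is what a double-click on the drive executes) and
shell= selects the default verb. The Windows INI reader tolerates lines
without '=', a tolerance autorun worms use to pad the file with junk and
break signature matching, so this parser skips such lines rather than
failing like a strict INI reader would."""
import re

SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)

# Constructed sample. The path is a placeholder, not the worm's real file name;
# the action= text copies Explorer's own "Open folder" wording so the malicious
# AutoPlay choice looks like the normal one.
SAMPLE_AUTORUN = """\
[autorun]
;comment line
kjhsdf987 junk that a strict parser would reject
open=hidden\\sample.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=hidden\\sample.exe
shell\\explore\\command=hidden\\sample.exe
shell=open
"""


def parse_autorun(text):
    """Return {'targets': [(key, value), ...], 'default_verb': ..., 'action': ...}
    for the [autorun] section; keys are lower-cased, values kept verbatim."""
    in_section = False
    result = {"targets": [], "default_verb": None, "action": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue                                    # junk line, ignored like Windows does
        key, value = (part.strip() for part in line.split("=", 1))
        lkey = key.lower()
        if lkey in ("open", "shellexecute"):
            result["targets"].append((lkey, value))
        elif lkey == "shell":
            result["default_verb"] = value.lower()
        elif lkey == "action":
            result["action"] = value
        else:
            m = SHELL_CMD.match(key)
            if m:
                result["targets"].append(("shell\\%s\\command" % m.group(1).lower(), value))
    return result


def launch_paths(text, drive="E:\\"):
    """Distinct executables the file would start, resolved against the drive root
    (a relative path in autorun.inf is relative to the root of that volume)."""
    paths = []
    for _, value in parse_autorun(text)["targets"]:
        if value.startswith('"') and value.count('"') >= 2:
            exe = value.split('"')[1]                   # quoted path, may contain spaces
        else:
            exe = value.split(None, 1)[0] if value.split() else ""
        if not exe:
            continue
        if not re.match(r"^[A-Za-z]:\\|^\\\\", exe):   # neither drive-absolute nor UNC
            exe = drive + exe.lstrip("\\")
        if exe.lower() not in [p.lower() for p in paths]:
            paths.append(exe)
    return paths


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for key, value in parsed["targets"]:
        print("%-22s -> %s" % (key, value))
    print("default verb:", parsed["default_verb"], "| action label:", parsed["action"])
    print("files to collect:", launch_paths(SAMPLE_AUTORUN))
```

All three hooks in the sample point at one file, so `launch_paths` reduces them to a single path to collect and hash. When running this against a real drive, read autorun.inf from a command prompt or the Explorer address bar rather than by double-clicking the drive icon, since that click is exactly what shell\open\command redirects.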

VersionInfo

No information is available.

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             172032        0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   176128           61440         61440     5.5336   585425e899c82a7721b9961afd417da4
.rsrc  237568           24576         11264     4.60291  c58ca94a63088c8e563d496bdbb08fab

The layout is standard UPX: UPX0 has no raw data at all (its MD5 is the MD5 of empty input) and is the 168 KB region into which the compressed code in UPX1 is unpacked at run time. String searches on the file as it sits on disk will therefore miss most of the payload, which is consistent with the empty "Strings from Dumps" result below; unpack it with `upx -d` or dump the process after the stub has run before looking for the hosts-file contents or the URLs.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.ip-adress.com/ 64.34.169.244
hxxp://whos.amung.us/swidget/cpbyzvl1vh6r 67.202.94.94
hxxp://widgets.amung.us/small/00/1.png 173.192.170.82

The first request fetches the infected host's public address from a lookup site; the other two load a free whos.amung.us visitor-counter widget, which is consistent with using a third-party hit counter to tally infections without running any command-and-control infrastructure. None of the three hosts is under the operator's control, so they are weak indicators on their own; the widget identifier in the second URL is the only operator-specific value.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Delete the original Trojan file.
  2. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts), which on a default install has a single active entry:
    127.0.0.1 localhost
    Then run `ipconfig /flushdns`: the DNS Client service caches hosts-file entries and keeps serving the old mappings until the cache is flushed or the service is restarted.
  3. Clean the Temporary Internet Files folder, which may contain infected files.
  4. Find and delete all copies of the worm's file together with the "autorun.inf" scripts on removable drives. Do not double-click the drive icon in Explorer to get there, since that is the action the autorun.inf hijacks; open the drive from the address bar or a command prompt, show hidden and system files (autorun worms commonly mark both files hidden), and delete autorun.inf first.
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
