SPIdentifier_73554f3944
Behaviour:
The description has been automatically generated by Lavasoft program Analysis System and it may contain incomplete or inaccurate information.
MD5: 73554f3944811c0c4b393826943be2ca
SHA1: fda86cc2ffcbecaa996fb86a83772f5a4c79685e
SHA256: 98e45b97b0b87e6578b8c5930334fed34558fc0d3985dfd098669ce4f6c4923a
SSDeep: 1536:/M31cmV V3/XruLU9ltCE7yP3Q7y1C1n9YeSgaLsbE:kcmVWD5ltbmP3Q7y1C1n9ygRw
Size: 65424 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Conduit
Created at: 2011-07-06 17:31:20
Analyzed on: WindowsXP SP3 32-bit
Summary:
Payload
No specific payload has been found.
Process activity
The program creates the following process(es):
nss4.exe:120
wuauclt.exe:304
%original file name%.exe:1180
The program injects its code into the following process(es):
No processes have been created.
File activity
The process nss4.exe:120 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\SPtool.dll (49229 bytes)
The program deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp (0 bytes)
The process wuauclt.exe:304 makes changes in the file system.
The program creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The program deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1180 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9B3WIFK7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9B3WIFK7\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SHQJKTIV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WPAX1SV4\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss4.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SDENO5QV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\inetc.dll (784 bytes)
The program deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss4.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1.tmp (0 bytes)
Registry activity
The process nss4.exe:120 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 62 95 FA C0 2A 0B 60 F8 97 CB 70 B8 C4 CC A0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The program modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The program modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The program modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The program deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1180 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi3.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 6B 0D 9B AB D3 33 C2 41 9C 1E A7 98 1E A2 72"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The program modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The program modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The program modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The program deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| d96290ac80c0696023d8a2378bd89efa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\9B3WIFK7\SPIdentifierImpl[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Conduit
Product Name:
Product Version:
Legal Copyright: Conduit Ltd.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.1.1
File Description: Search Protect Identifier Stub by conduit
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 25506 | 25600 | 4.49191 | 3291075913c14a1799655a261fb21cca |
| .rdata | 32768 | 6386 | 6656 | 3.3883 | 170563e94de7ebfd6e622a164ce38c8a |
| .data | 40960 | 419484 | 512 | 0.991115 | 23d69b1e3a55dee07701198b7650a06b |
| .ndata | 462848 | 1085440 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 1548288 | 3128 | 3584 | 2.75258 | 037023b0ffb9090178eba676ac3baaa5 |
Dropped from:
a3f3506c3c800c30c0d3f50ef1bcd47c
0bb6baf93131ae9d56d4a7523d44929d
1305db8c6fd141394b32c6a13fa79aad
d044e58f6dfc06ce6adf82c7a224769b
40f50a271cf4655fb1fcdd62340fd957
5f98360f313aa936a6a1c6ef75735573
70b20aa5f8d45973ae2e4a8ef6a2fe94
f1390b187d76848a0a11c7ff26beb96e
ae2925b3af705d775e2616e5e5c9af76
2c2d9f7304cd27eee6e4d5426c86c468
ef5806cfb720abca8143336fbc553131
29b403dd6c54c90a0ef9acc2c38afda9
ecfc68da96cd2ec6cc7ef049418a7473
3a14758439cd3f90fc420ea2a49ce40b
b86a14512a69da53f47bdb57ff540c58
f9cdd1ebbabc48ae9853d13c76f5bf37
d64574313e1b8d7db5214095f8d34134
d315c7b7230d0e52f4d81059adeb033e
78f5d8d0c9f199c699017a9921e3096c
8986979b3fb14d88c3e8b249ff3982e4
04ccaf1c8f8a8ce1b97a04cf02264d45
53f7afc865c33d4330d5344466d383f4
3cb46246ce51094aa4df3075b4166485
843594379a9ea5d224eef1ef287ce753
e3381c11101d705ebeaf932bf96c6ae4
0d0dee6be40fc95ed211a425e952e6e9
27489b37bd23b4c4ccc2940eec36bc5a
1a4266db2c61eb88452d8c2117193474
6d63aca3238c1b475265894519f33437
fdd03482d0541e44b773823ee883e19d
49c8fd954a9532d70bffb609bfc21db2
e1da22ef524d8b10aabcf5c5b45c7ddf
4e3c7635cca67abc214fb4e27454ac6a
06f94dfa3ce010c5ac5918e2ae94646f
3e90eead7d3566f9a66d79a78333a420
de52d74e78726cb1341ec45ba8c50137
0c4f95a8eaf33d321e3ffcee8f6b590d
1b73d3ccadfa1bdb4c68b2879d712dd9
960e6cade2477f02cf28795f24107b0d
4680cd2cf5b3e583804a530f16f753f0
f7c1f80520a57e78898558b0348ccbdc
19e0ae4d18c07ede5619af55e06ddcc8
2d52a1aeeb06b6accb467c5095ad7b6a
7ac485dd8d7f39d0919756fe009d3002
660500f4143966a98944d29380eb9e94
7c6245dfcd223e008053ab6bf78cc74d
dee103cbbf5ad318998250ad1f9c8840
a191a6ab7c01d62bcc417d4cfa37d686
d5c39376c1aaa33b398b55fffe7a5383
810cf70d9d81ce9cc859fe9d171a9218
692d8447efa14255a248bf2994d57ce2
0ad88663289f6acf6df9555bb82610b9
004522c65a7b3601b204fef0b675bdac
bd11cd2d599fda6d73e6afcb4d2894f0
35b44795e5ee1ee90f403eb33c6f1519
10eae05ca901e856a349989a3e8648fb
0db2cfab9708b97e5f8cb384070404c4
8e876b349ca06185afa71fe0da53f1c6
d6e566453f5d73ab0baede34ec0656b4
acbc930508fadec8df5cdcfac6fdf252
a86ed089aa6dedfffaaebc8424d29e57
c5e93bbbc77119dc0648445e0653cbea
4957001be01c11be8a423f52f0adef80
01f86f89473579154596fa857c12b05b
5b9d9498da10fb6f3ff8aaf8796557ba
b6f4bbd8d19c30b7e250a2db71042cb3
889dcecfa2c0ee2c8619585d9be27509
770d309616dbd0df6df9f614ccaedbf8
0611017131a3e3172d25161613f6a7dc
b5c5a6a46be9820cec7d512c8c419ce3
3376fe935fe1b9f2aec6fbd21cca450d
b7a812db63d7ab9013afb1daa6b982b0
573abac7cefe83960573543f159692b1
685156c8416161d5534cd03ae9a99c7b
3b14ac6d0c63712e78efd17bf7ec36bd
7c0a5073d2c0b82510cdd9ebf7797316
dc3d29b35dae3f76651b5e8e875095b0
f93baf6557e104cc2520e63e51beeed9
4742ce83904ab79ed83fa4b912d92977
9d7b0b6cb9d5e39bdfebc818ffc5ef4a
ae746eb5a62dad6a01fa4010a2435a17
72661a1d40ea4af9bb842abc8da9488a
8ec5880282e91541b1bdc464a1be59af
285154ebc0e2acc15fc71d10da4ad709
f599a4ef0890deb9b41cfbf317a34ae1
ea38adbf8080234b739ccb0a31ff69ce
1e84d3f915801d08dcf639be4699c6a8
b0dbbae5df0460efea71fb2205b352a9
3c8972ea4cc326c8dc5ea2e448a57edf
afda8db7cacedf10aa834565e5ba5aa2
e7dd3c64f5828875897a76db47fbf7e0
02b106e7e524e25b0aaaafd131a71c6a
81b96b56b4ca8f7089b408b13acc4eff
daa47e84b912341ce515a99b1591d1ce
d54ea37f13e8f7229d4a43bfeeb4d5a2
9d73ba98c9637bf41d69bd511ca2220b
a2058e409185fbdc62181f62732a051b
ae6bf9001c4377674fece5c14972148a
f4d9b6124c7313d15d7d42bde4138ec7
926a605889d31cad1919ed3314ab9931
0783231a2febd3480e703cee31f692ec
aa6286ccd3a4b922d238473aa9d90681
4db06f998e4960bad74fa41f4b50bdda
5de683d7c1d5291022aa942975ebe821
998150862ad6c6b5b6afa53b88d9ec02
515774233cb7542c045dc1ebd2233d2e
30757e3c43c75a17f9af2c19464235ed
c6f30ed8ed8e4511a1455cf25da458ac
c4963ae493e4e8a15c6f636bd8448b4f
bc32dd560692a28e68b332fb76f94c25
8335f650184e57788f6cb8b098d57738
e4b54fbddcf503083e269d204414cc3b
5c8adb0adf6248455d998ca46e303a20
e78aff197c00900a5559044a54b870e5
0be33f25f9d25002a091ca49f952f1b0
ec05595cf13867ea70d8fb9a84aabd95
774cd1dbd6a8e2bf26a095dce7dcae0a
e2d350a7d3fc2d9f13f3b618cd4135b4
0ca9afb406b127c02a42b9e12f4e26c6
4f42cab3166cd09320f4bf7b3a6ea9a1
54aac7fd3862dce9320bd4ec8d0c76b7
d8d1ac878ca54f166d2882bf1b5cd812
6b6e0c6648906efc7700a77b6378fe55
abc22af701fb21fe5ebd5345995f53b3
394a847341286721dc691962649ab4d0
18d9a9e3bd61fb08fd6c8b5df78cd4f9
ea26afb2cb9969bd605090614140f458
4df07ab38bf17333c0c738a3c25a4462
38b8b12477faa4aad64d3fd5be006232
3c29f04066835d574a6f4faa2df0b087
45edb90cf03d30392326fbb843a9daa2
a9139b1f611ea473345731fb268b2c4d
05ce1bb08c0e7c129a75d0cef03f4ff0
e2852671314a8a56bff9cea8f5743852
3e3882688dbbe7ae7f73a70ea148efcf
d29f898451c5252f328cecf4f80739dc
8d9287b1ff337b4f475677ebd0561206
8f5442b0cab5d54157d5c678fdd7cd05
e7fc719122dd770cbd6e30a9b821c3ea
a41ca706e47aa50d9d895713cd062506
28c300fddc893676b5e6fc92e114ffef
25e4ba92f5a86a62c701acc2e5d3adc3
2e4ecdb5077c886f6bca70fe44f25ffd
65498049c08e2ebafc768ab74c70ced1
5d4a6f7bc0853da76823891aa6e60deb
2db1c66e64e9bfcbf86ad1533d944bcd
6b8ea9c45005ff46c6d530468b9e6cad
92abf003e7302ffc7c243a9cae9577ea
fd4fec9ac6fa0ef2b0e0aebf8d0b4f76
154ad3be5425fa54d40e1edaa79218ff
a7f8fe6581e47e7ded95150dfa5e6bc5
8165be8dad23d21d621f3ed17d4ef8e9
938207fed583a23f62a4544e888ab48f
ac49ae1e05eec4fc8a7221d601f7b1f5
a556bbf4f985058b7224b3a83b0c832c
cbb393693c6523d40cdc54713bb420d3
600195814f9abe6846b41d7e3bd82e16
551f66787e650d3b58463f29916ca26d
b9b0c17da15a389fbd48a31c3fb087d6
7090d3270bbf58fd033b7e480e94c9ff
237b3d379a8f04451b234a07b53bf465
1a869b575bba18a5c3df0f3aaaed7b3d
c04efcbc5a3678a8efae9343caaf8ecf
1a51e42ad320ddfb228a39ed595f7610
3aec7683cf5453ea80fbab69630e049f
d44b1a399a9f739f96ac523d69f3ce5c
e891a331a99ac29a5aad41a09e6130ba
a26a0bccbe931416366bab1f814c783a
fd3a2fde8b9ba40b02a61b74ddeab41e
2cabae1de9845b472a6fa46b4475e512
87e6ceb17b7f2f6481b49aa4603eb965
fb07311aff46949941b1c73e4b900f98
a95e40748a5879e0c917a60b0ad4d17e
7d321be1f10b9ebcd4fce1349981e0d4
9ac4d1d2b079a99732510e91c4a8df96
14872e55439e57338564ad81a622ebb5
9f853dc4f04d6499b0ee7421abec372b
089826cc17faab6a1345ba15b09af448
1fe62b86fe65dc6dcdef3e6c3bf7c4f8
15eb8a24ef0c606889665fb3cbbe503c
33b83708220d9e7b2f862d152af1e84f
d136d271bc31b59e897b67b286a66d23
1935a20c6e15edc522cac59492f895ad
b0a8911d0b037bd078a1a0dc7b0a0f02
728fa219772849ddbc9ed787eb4a1c91
848a6561509d5185b14cb48e0a805115
0c935347c767954dd7fff6ac602fb30a
ba14bbaa7b29b05086708eb521b57b80
befecb872db62a9e9d8ffc2ad0c1f838
b5c25c27578fa6f070992d43e8a2badb
c90f46500b587e17706c5eded1f8c6ff
9fdbe17ffb391a28a5c0078b9c08a987
604efd83ddeea429ab9a7d3d7c10475c
e96131359894638b2f385f5a46888d09
a61971d853c5c54c8c0e8a32e9d8a5be
c3245a4462e273b44120c47c189eb9ad
b329c4562b6af2f9a61e61e5bd44fdf6
f867e2a9b7314ad1aab30c1543c23d24
Downloaded by:
df1d0c36f1709194db2c704069ee9fa2
1306910279a111866e46577e5ae65b92
80436fa774de880c208103c167cee69a
40ebc00aaa304665551019bbba8d3d16
b8b9b043c472e076441e6eda7f8b651c
b8a9c05e0a7a28bd898f9fb1849db94d
Similar by SSDeep:
5469cb1b24df31f5639a7cdd134f9e7e
Similar by Lavasoft Polymorphic Checker:
Total found: 14
121727637ad52010a09b0d9efbd64abb
b20a896c5474ce3ec7d0a4a47b6f8989
71275d8067b1b70e3e1b018aa9793678
64e02fe10219615a56888c3b85ca583a
c88195c688246ea7a9acb67d5bd8840a
b5d607f42787306adafe3995f9b0d2d9
eda2d9cb2d463116de20c9b655163c8b
7dc64bb9521fe6bbdf117e8d71e089f9
2e45ef1d00a69b05ab5153fa73c31e46
aa70b66d7a78cc8da274d5ab4ac07ffd
150c531a09b103797dcfa4f5f5596969
549cb96717dbd55e022e7fbbea57ea19
f4092bfc61e0555b3556324341127189
80e856e3fc1409efd62bfb2d421cb984
URLs
| URL | IP |
|---|---|
| hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
| hxxp://sp-installer.conduit-data.com/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
Traffic
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"ZJRJCZACPP86RWSEVX8GFL AMAKAC4SSR9BLLZSMMDQNC6VVPQAR3SIEJHJ6K/DKZBYXQYKKQBYUF8ETVHDB W", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Wed, 14 May 2014 15:07:05 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
The program connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nss4.exe:120
wuauclt.exe:304
%original file name%.exe:1180
- Delete the original program file.
- Delete or disinfect the following files created/modified by the program:
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\SPtool.dll (49229 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9B3WIFK7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9B3WIFK7\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SHQJKTIV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WPAX1SV4\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss4.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (2820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SDENO5QV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\inetc.dll (784 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.