Susp_Dropper_315c60e6c7

by malwarelabrobot on March 16th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 315c60e6c75efb32432b0aa7df2403b4
SHA1: 7eab1e8e9c75785bfa7803171fb36420f954c960
SHA256: b5f0ffacdd17db08f967a398b8401e775eca2c80309de71c6c2edbd93c3e2b93
SSDeep: 12288:IOoW7KfzTlR4DlYmTuuuEjzZExAvbqMsz8c0nhzXrRJGtbF48ahQd3dtKB:jPozcDlYUuuZExOb3uqh3GtB48ag3dtm
Size: 678550 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-07 10:46:10
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found. The recorded behaviour is nonetheless that of a browser-helper-object installer (Searchline_nc, a Korean-language Internet Explorer add-on that registers a BHO and an HKCU Run entry) plus a second component (4e645.exe) that is injected into, writes DLLs and drivers into %System%, and deletes other BHO registrations.

Process activity

The Trojan creates the following process(es):

searchlineu_nc.exe:1712
Reader_sl.exe:1064
Searchline_nc_update_20140312.exe:1332
wuauclt.exe:344
%original file name%.exe:452
%original file name%.exe:372
regsvr32.exe:664
4e367.tmp:1324
jusched.exe:1056

Three of these are not part of the sample: wuauclt.exe (Windows Update client), jusched.exe (Java Update Scheduler) and Reader_sl.exe (Adobe Reader Speed Launcher) are background processes that happened to run on the analysis machine, and the sandbox attributes their activity (the SoftwareDistribution DataStore writes, jusched.log) to the Trojan. The chain that matters is %original file name%.exe:452 dropping 4e367.tmp, which in turn writes 4e645.exe; %original file name%.exe:372 acting as the Searchline_nc installer; and searchlineu_nc.exe:1712 fetching Searchline_nc_update_20140312.exe, a second installer. No activity is attributed to regsvr32.exe:664 in the report.

The Trojan injects its code into the following process(es):

searchlineu_nc.exe:2004
4e645.exe:2004

Both entries carry PID 2004, and the registry sections below also list searchlineu_nc.exe:2004 and 4e645.exe:2004 separately: either one process was seen under two image names or the PID was reused; the report does not distinguish the two cases.

File activity

The byte counts in this section are the write volumes the sandbox recorded per path, not final file sizes: directories (C:\, %System%\drivers, %WinDir%) appear with a few bytes, and a file written by two processes (searchlineu_nc.exe, 12536 bytes under each installer) is listed under both.

The process searchlineu_nc.exe:1712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s) (the copy under Temporary Internet Files\Content.IE5 with the [1].exe suffix is a WinINet download-cache entry: the updater downloaded Searchline_nc_update_20140312.exe and copied it into Application Data before running it):

%Documents and Settings%\%current user%\Application Data\Searchline_nc_update_20140312.exe (73915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IGHBCWAH\Searchline_nc_update_20140312[1].exe (116900 bytes)

The process 4e645.exe:2004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\776GnsYY.dll (119 bytes)
C:\ (4 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K7QTK5OX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (38 bytes)
%System%\version.dll (119 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQN8T2Z\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IGHBCWAH\Searchline_nc_update_20140312[1].exe (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (39 bytes)
%Documents and Settings%\%current user%\Application Data\Searchline_nc_update_20140312.exe (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (728 bytes)
%System%\config\SOFTWARE.LOG (9862 bytes)
%System%\drivers\00b60331.sys (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (39 bytes)
%System%\godlion.dll (196 bytes)
%WinDir% (200 bytes)
%System%\drivers\7c1d36b7.sys (28 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Program Files%\Searchline_nc (4 bytes)
%System%\vorsion.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C90VGTKD\desktop.ini (67 bytes)
C:\PROGRAM FILES (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (13523 bytes)
C:\$Directory (1392 bytes)
%System%\config (96 bytes)
%System%\drivers (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\y8YHyHDhfw.dll (119 bytes)
%System%\config\software (3598 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (4830 bytes)
%System% (4512 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IGHBCWAH\desktop.ini (67 bytes)

Among these, the writes into %System% and %System%\drivers are the ones to hunt for on a host: godlion.dll, vorsion.dll (one letter away from the legitimate version.dll), the drivers 00b60331.sys and 7c1d36b7.sys (the latter deleted again below), and writes under the names of the genuine system DLLs version.dll and midimap.dll. The report records only that these paths were written, so whether the originals were replaced has to be checked against known-good hashes. ahnmove.bat, wireshark.txt and test.pml in Temp are also worth collecting from an infected machine.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%System%\drivers\7c1d36b7.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process Searchline_nc_update_20140312.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s) (the Temp\ns??.tmp directory with KillProcDLL.dll, a well-known NSIS plugin, is the layout of an NSIS installer, which extracts its plugins there for the run and deletes them afterwards; the same layout appears under %original file name%.exe:372 with nsk3.tmp):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\IEKill.dll (784 bytes)
%Program Files%\Searchline_nc\searchlineu_nc.exe (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp (4 bytes)
C:\DelUS.bat (220 bytes)
%Program Files%\Searchline_nc\searchline_gongik.dll (66088 bytes)
%Program Files%\Searchline_nc\searchline_nc.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\DLLWebCount.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\SelfDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\version.dll (784 bytes)
%Program Files%\Searchline_nc\uninstall.exe (2365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (67075 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\IEKill.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQN8T2Z\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\DLLWebCount.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\SelfDelete.dll (0 bytes)
%Program Files%\Searchline_nc\Temp.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\version.dll (0 bytes)

The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4e367.tmp (4545 bytes)

The process %original file name%.exe:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (4 bytes)
%Program Files%\Searchline_nc\searchlineu_nc.exe (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\SelfDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa2.tmp (17844 bytes)
C:\DelUS.bat (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\KillProcDLL.dll (784 bytes)
%Program Files%\Searchline_nc\searchline_nc.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\version.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\DLLWebCount.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\IEKill.dll (784 bytes)
%Program Files%\Searchline_nc\uninstall.exe (2365 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\SelfDelete.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\version.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\DLLWebCount.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\IEKill.dll (0 bytes)

The process 4e367.tmp:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\%original file name%.exe (1611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4e645.exe (1616 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

Registry activity

Most of what follows is housekeeping that WinINet and the shell write for any process that calls them (Internet Settings\Cache\Paths, Shell Folders, MountPoints2, Cryptography\RNG "Seed", SavedLegacySettings, MigrateProxy, ProxyEnable and the ZoneMap defaults) and is not evidence of anything. The entries that characterise this sample are the HKCU Run value for searchlineu_nc.exe, the BHO/COM/TypeLib registration of {5F930A63-011A-4796-A0FB-3A7C8F78E7CF} backed by searchline_nc.dll, the PendingFileRenameOperations entry, the non-GUID marker keys HKCR\CLSID\HOOK_ID and HKCR\CLSID\SYS_DLL, HKCU\Software\searchlinenc, and the deletion of three other Browser Helper Object registrations.

The process searchlineu_nc.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"Searchline_nc_update_20140312.exe" = "Searchline_nc_update_20140312"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 45 17 64 81 F8 CA 1E FA 69 06 47 86 37 07 33"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\searchlinenc]
"verup" = "20140312"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The following Local intranet zone-map values are set. They correspond to the three checkboxes of Internet Explorer's "Local intranet" zone dialog; in a Windows XP profile all three are 1 by default, so these entries alone are a weak indicator:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"  (Include all network paths (UNCs))
"ProxyBypass" = "1"  (Include all sites that bypass the proxy server)
"IntranetName" = "1"  (Include all local (intranet) sites not listed in other zones)

Proxy use is disabled (also the default state):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry (part of the proxy-settings migration recorded by "MigrateProxy" above):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process searchlineu_nc.exe:2004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 C7 4C 6E 62 EB 9E 55 2B C5 9B 82 CF D5 B2 16"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The following Local intranet zone-map values are set (the three checkboxes of IE's Local intranet dialog; all three are 1 by default on Windows XP):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"  (Include all network paths (UNCs))
"ProxyBypass" = "1"  (Include all sites that bypass the proxy server)
"IntranetName" = "1"  (Include all local (intranet) sites not listed in other zones)

Proxy use is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 4e645.exe:2004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4e367.tmp, , \??\%System%\tYlffpu, \??\%System%\tYlffpu"

This REG_MULTI_SZ value is processed by the session manager at the next boot as (source, destination) pairs; an empty destination deletes the source. The first pair therefore removes the dropped 4e367.tmp at reboot, the usual mechanism for getting rid of a file that is still in use. The second pair names %System%\tYlffpu as both source and destination, as recorded in the report; no write to that path appears in the file activity above.

[HKCR\CLSID\HOOK_ID]
"name" = "4e645.exe"

HOOK_ID is not a class identifier. A non-GUID subkey under HKCR\CLSID is bookkeeping the component keeps for itself (here the name of its own executable; SYS_DLL below records the dropped DLL) and is a good host-based indicator, because legitimate COM registration never creates non-GUID subkeys there.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 B4 AF E0 37 C1 D3 A4 F3 91 73 1A FE 38 AA 61"

[HKCR\CLSID\SYS_DLL]
"name" = "776GnsYY.dll"  (second non-GUID marker key under CLSID; 776GnsYY.dll is the DLL written to Temp above)

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The following Local intranet zone-map values are set (the three checkboxes of IE's Local intranet dialog; all three are 1 by default on Windows XP):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"  (Include all network paths (UNCs))
"ProxyBypass" = "1"  (Include all sites that bypass the proxy server)
"IntranetName" = "1"  (Include all local (intranet) sites not listed in other zones)

Proxy use is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s), removing the Browser Helper Objects container and three other BHO registrations (the sample's own BHO, {5F930A63-011A-4796-A0FB-3A7C8F78E7CF}, is registered separately by the Searchline_nc installer below):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

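How to read the PendingFileRenameOperations value recorded above, as an added example for this page (not code from the report or from the sample). The decoder takes the REG_MULTI_SZ elements in pairs, classifies each as a delete, rename or replace, and flags the pairs an analyst cares about; the report's comma-joined rendering of the value, with its user-name placeholder, is embedded as the sample input. read_live_value() shows the same decode against the real key with the standard-library winreg module and is only usable on Windows.

```python
"""Decode a PendingFileRenameOperations value into the boot-time file operations it schedules.

Example added for this page; it is not code from the report or from the sample.
The value is REG_MULTI_SZ and is consumed by the session manager in pairs
(source, destination). An empty destination means "delete source at boot";
a destination beginning with '!' means "replace an existing file" (what
MoveFileEx writes for MOVEFILE_DELAY_UNTIL_REBOOT | MOVEFILE_REPLACE_EXISTING).
Sandbox reports flatten the list into one comma-separated line; that form is
handled by decode_report_line().
"""
from dataclasses import dataclass
from typing import List

NT_PREFIX = "\\??\\"   # NT object-manager path prefix used in the value


@dataclass(frozen=True)
class RenameOp:
    action: str        # "delete", "rename" or "replace"
    source: str        # path with the \??\ prefix removed
    destination: str   # empty for a delete


def _strip_nt(path: str) -> str:
    path = path.strip()
    if path.startswith("!"):
        path = path[1:]
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_multi_sz(entries: List[str]) -> List[RenameOp]:
    """entries: the REG_MULTI_SZ elements as returned by winreg (one string each)."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must contain an even number of strings")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst.strip() == "":
            ops.append(RenameOp("delete", _strip_nt(src), ""))
        elif dst.lstrip().startswith("!"):
            ops.append(RenameOp("replace", _strip_nt(src), _strip_nt(dst)))
        else:
            ops.append(RenameOp("rename", _strip_nt(src), _strip_nt(dst)))
    return ops


def decode_report_line(line: str) -> List[RenameOp]:
    """Split the report's ', '-joined rendering back into elements.

    A path containing a comma would be split wrongly; use the live value for those.
    """
    return decode_multi_sz([part.strip() for part in line.split(",")])


def suspicious(ops: List[RenameOp]) -> List[RenameOp]:
    """Operations touching system directories, or deleting a dropped file from Temp."""
    flagged = []
    for op in ops:
        low = op.source.lower()
        if "%system%" in low or "\\system32\\" in low or "\\drivers\\" in low:
            flagged.append(op)
        elif op.action == "delete" and "\\temp\\" in low:
            flagged.append(op)
    return flagged


def read_live_value() -> List[RenameOp]:
    """Read the real value on a Windows host (winreg is Windows-only; not used offline)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    value, _kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    return decode_multi_sz(list(value))


# The value recorded in this report, as the sandbox printed it (user-name placeholder kept).
REPORT_VALUE = (r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4e367.tmp, , '
                r'\??\%System%\tYlffpu, \??\%System%\tYlffpu')

if __name__ == "__main__":
    for op in decode_report_line(REPORT_VALUE):
        arrow = f" -> {op.destination}" if op.destination else ""
        print(f"{op.action:8} {op.source}{arrow}")
```

On a live host the value is also worth checking in the forensic image's SYSTEM hive, since it only exists between the time the sample sets it and the next reboot.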
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Searchline_nc_update_20140312.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchline_nc uninstall]
"DisplayIcon" = "%Program Files%\Searchline_nc\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\searchline_nc.searchline_nc_Obj\CurVer]
"(Default)" = "searchline_nc.searchline_nc_Obj.1"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"(Default)" = "searchline_nc"

[HKCR\searchline_nc.searchline_nc_Obj.1\CLSID]
"(Default)" = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"

[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32]
"(Default)" = "%Program Files%\Searchline_nc\searchline_nc.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"(Default)" = "searchline_nc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID]
"(Default)" = "searchline_nc.searchline_nc_Obj"

[HKCR\searchline_nc.searchline_nc_Obj]
"(Default)" = "searchline_nc_Obj Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchline_nc uninstall]
"DisplayName" = "Searchline-nc"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib]
"(Default)" = "{DB89C58B-D295-4783-99AC-ABAADE306791}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID]
"(Default)" = "searchline_nc.searchline_nc_Obj.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchline_nc uninstall]
"UninstallString" = "%Program Files%\Searchline_nc\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\searchline_nc.searchline_nc_Obj.1]
"(Default)" = "searchline_nc_Obj Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32]
"(Default)" = "%Program Files%\Searchline_nc\searchline_nc.dll"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"AppID" = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib]
"(Default)" = "{DB89C58B-D295-4783-99AC-ABAADE306791}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}]
"(Default)" = "searchline_nc"

[HKCR\AppID\searchline_nc.DLL]
"AppID" = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 0D E0 48 88 B8 21 62 CC 24 82 D7 9C AE 4F F1"

[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCR\searchline_nc.searchline_nc_Obj\CLSID]
"(Default)" = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"NoExplorer" = "1"  (the BHO is loaded by Internet Explorer only, not by Windows Explorer)

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0]
"(Default)" = "searchline_nc 1.0 Type Library"  (the stored string is Korean, "searchline_nc 1.0 형식 라이브러리")

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}]
"(Default)" = "Isearchline_nc_Obj"

The Trojan modifies the IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Searchline_nc" = "%Program Files%\Searchline_nc\searchlineu_nc.exe Runcmd"

The Trojan deletes the following registry key(s):

[HKCR\searchline_nc.searchline_nc_Obj.1\CLSID]
[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
[HKCR\searchline_nc.searchline_nc_Obj\CurVer]
[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib]
[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\Programmable]
[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32]
[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0]
[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS]
[HKCR\searchline_nc.searchline_nc_Obj.1]
[HKCR\AppID\searchline_nc.DLL]
[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}]
[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32]
[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0]
[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid]
[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID]
[HKCR\searchline_nc.searchline_nc_Obj\CLSID]
[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR]
[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32]
[HKCR\searchline_nc.searchline_nc_Obj]
[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID]
[HKCR\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}]
[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib]

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"NoExplorer"

[HKCR\AppID\searchline_nc.DLL]
"AppID"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"AppID"

The process %original file name%.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchline_nc uninstall]
"DisplayIcon" = "%Program Files%\Searchline_nc\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\searchline_nc.searchline_nc_Obj\CurVer]
"(Default)" = "searchline_nc.searchline_nc_Obj.1"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"(Default)" = "searchline_nc"

[HKCR\searchline_nc.searchline_nc_Obj.1\CLSID]
"(Default)" = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"

[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\0\win32]
"(Default)" = "%Program Files%\Searchline_nc\searchline_nc.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"(Default)" = "searchline_nc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\VersionIndependentProgID]
"(Default)" = "searchline_nc.searchline_nc_Obj"

[HKCR\searchline_nc.searchline_nc_Obj]
"(Default)" = "searchline_nc_Obj Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchline_nc uninstall]
"DisplayName" = "Searchline-nc"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib]
"(Default)" = "{DB89C58B-D295-4783-99AC-ABAADE306791}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\ProgID]
"(Default)" = "searchline_nc.searchline_nc_Obj.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Searchline_nc uninstall]
"UninstallString" = "%Program Files%\Searchline_nc\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\searchline_nc.searchline_nc_Obj.1]
"(Default)" = "searchline_nc_Obj Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32]
"(Default)" = "%Program Files%\Searchline_nc\searchline_nc.dll"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"AppID" = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"

[HKCR\CLSID\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}\TypeLib]
"(Default)" = "{DB89C58B-D295-4783-99AC-ABAADE306791}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\HELPDIR]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\AppID\{3FE22CA2-D5CC-4961-9FA3-96140C724342}]
"(Default)" = "searchline_nc"

[HKCR\AppID\searchline_nc.DLL]
"AppID" = "{3FE22CA2-D5CC-4961-9FA3-96140C724342}"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 58 B9 F2 CB 5E 0C 45 AE 77 90 87 D8 92 0A 28"

[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCR\searchline_nc.searchline_nc_Obj\CLSID]
"(Default)" = "{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F930A63-011A-4796-A0FB-3A7C8F78E7CF}]
"NoExplorer" = "1"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{DB89C58B-D295-4783-99AC-ABAADE306791}\1.0]
"(Default)" = "searchline_nc 1.0 형식 라이브러리"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{BC5EC5A8-9A2B-4F4C-BF58-BBB179EB6850}]
"(Default)" = "Isearchline_nc_Obj"

The Trojan modifies the IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Searchline_nc" = "%Program Files%\Searchline_nc\searchlineu_nc.exe Runcmd"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32]
"(Default)" = "%System%\godlion.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\godlion.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 20 F4 2E CE B5 05 78 ED 27 C9 DA 24 95 D6 EB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}]
"(Default)" = "IIEHlprObj"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS]
"(Default)" = "0"

The process 4e367.tmp:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4e367.tmp,"

Network activity (URLs)

URL                                                                           IP
hxxp://search-lines.co.kr/cnt/index.php?pid=searchline&type=6                 121.78.93.165
hxxp://search-lines.co.kr/check/searchline/update/searchline.php              (not resolved)
hxxp://down.search-lines.co.kr/download/Searchline_nc_update_20140312.exe     121.78.93.23
t.openpotservice.com                                                          110.4.106.121


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\00b60331.sys", the Trojan controls the loading of executable images into memory by installing a load-image notify routine.

The Trojan installs the following kernel-mode hooks:

ZwCreateFile

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    searchlineu_nc.exe:1712
    Searchline_nc_update_20140312.exe:1332
    wuauclt.exe:344
    %original file name%.exe:452
    %original file name%.exe:372
    regsvr32.exe:664
    4e367.tmp:1324

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Searchline_nc_update_20140312.exe (73915 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IGHBCWAH\Searchline_nc_update_20140312[1].exe (116900 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\776GnsYY.dll (119 bytes)
    %System%\wbem\Logs (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\K7QTK5OX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (38 bytes)
    %System%\version.dll (119 bytes)
    %WinDir%\WinSxS (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQN8T2Z\desktop.ini (67 bytes)
    %WinDir%\SoftwareDistribution (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (728 bytes)
    %System%\config\SOFTWARE.LOG (9862 bytes)
    %System%\drivers\00b60331.sys (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (39 bytes)
    %System%\godlion.dll (196 bytes)
    %System%\drivers\7c1d36b7.sys (28 bytes)
    %Program Files%\Searchline_nc (4 bytes)
    %System%\vorsion.dll (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
    %System%\midimap.dll (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C90VGTKD\desktop.ini (67 bytes)
    C:\PROGRAM FILES (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (13523 bytes)
    C:\$Directory (1392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\y8YHyHDhfw.dll (119 bytes)
    %System%\config\software (3598 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %System%\wbem\Repository\FS\INDEX.BTR (4830 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IGHBCWAH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\KillProcDLL.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\IEKill.dll (784 bytes)
    %Program Files%\Searchline_nc\searchlineu_nc.exe (12536 bytes)
    C:\DelUS.bat (220 bytes)
    %Program Files%\Searchline_nc\searchline_gongik.dll (66088 bytes)
    %Program Files%\Searchline_nc\searchline_nc.dll (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\DLLWebCount.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\SelfDelete.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\version.dll (784 bytes)
    %Program Files%\Searchline_nc\uninstall.exe (2365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (67075 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4e367.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\SelfDelete.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa2.tmp (17844 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\KillProcDLL.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\version.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\DLLWebCount.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\IEKill.dll (784 bytes)
    C:\%original file name%.exe (1611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4e645.exe (1616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Searchline_nc" = "%Program Files%\Searchline_nc\searchlineu_nc.exe Runcmd"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
