Susp_Dropper_4b0e38203e

by malwarelabrobot on March 17th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 4b0e38203ee88e8dd996fe60942d764c
SHA1: b00cb1a44d584cae1f460d9fa3406fb93e673170
SHA256: 3c06b74024b5e6bb90e24577607e7ff9acf8b60e749ba49143920048e302b50a
SSDeep: 24576:f7D0WepVUSyq SXCYC1a1oyE7rfnzJhh7f6CBzjo8g6ne5vebFmHQGth3GtB48ap:f7D0prUS8mE8cnnzJh9DnrMvPHZJI4pp
Size: 1427357 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-07 10:46:10
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

4f912.exe:460
Reader_sl.exe:1064
wuauclt.exe:344
regsvr32.exe:1132
4f52a.tmp:1948
%original file name%.exe:1848
%original file name%.exe:2012
addendum_gtu.exe:1060
jusched.exe:1056

The Trojan injects its code into the following process(es):
No code injection into other processes has been detected.

File activity

The process 4f912.exe:460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OGZVET3R\desktop.ini (67 bytes)
C:\ (4 bytes)
%WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udErhHgjuH.dll (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XPWXY790\addendum_gt2_update_20140311[1].exe (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (38 bytes)
%System%\version.dll (119 bytes)
%WinDir%\WinSxS (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8uysfqf.dll (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XPWXY790\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (1216 bytes)
%System%\config\SOFTWARE.LOG (9862 bytes)
%System%\drivers\00b60331.sys (72 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (39 bytes)
%System%\godlion.dll (196 bytes)
%Documents and Settings%\%current user%\Application Data\addendum_gt2_update_20140311.exe (320 bytes)
%WinDir% (288 bytes)
%System%\drivers\7c1d36b7.sys (28 bytes)
%Program Files%\addendum\addendumgt (4 bytes)
%System%\vorsion.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (38 bytes)
%Program Files% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (15619 bytes)
C:\$Directory (1384 bytes)
%System%\config (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\27SDWXYF\desktop.ini (67 bytes)
%System%\drivers (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IY7YGLMZ\desktop.ini (67 bytes)
%System%\config\software (3598 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%System% (6244 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%System%\drivers\7c1d36b7.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process 4f52a.tmp:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4f912.exe (1616 bytes)
C:\%original file name%.exe (5442 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process %original file name%.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4f52a.tmp (8657 bytes)

The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (47727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\IEKill.dll (784 bytes)
C:\DelUS.bat (138 bytes)
%Program Files%\addendum\addendumgt\uninstall.exe (2365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\SelfDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\version.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\DLLWebCount.dll (784 bytes)
%Program Files%\addendum\addendumgt\addendum_gt.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\UnProtectMode.dll (7192 bytes)
%Program Files%\addendum\addendumgt\addendum_gtu.exe (12536 bytes)
%Program Files%\addendum\addendumgt\addendum_chartclub.dll (23296 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\IEKill.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\SelfDelete.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\version.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\DLLWebCount.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\UnProtectMode.dll (0 bytes)

The process addendum_gtu.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XPWXY790\addendum_gt2_update_20140311[1].exe (170208 bytes)
%Documents and Settings%\%current user%\Application Data\addendum_gt2_update_20140311.exe (143820 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
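The process and file lists above are flat, but together they are enough to reconstruct the dropper chain: a file one process writes later shows up as the image name of another process, and regsvr32.exe's registry section references the DLL that 4f912.exe dropped. The following Python is an added example, not part of the Lavasoft report; WRITES, REFERENCES and PROCESSES are a constructed subset of the page's own entries, and the choice of PID 1848 as the first instance of the sample is an assumption (it writes 4f52a.tmp, which in turn re-writes the sample's own name; the report itself does not state process parentage).

```python
"""Reconstruct the dropper chain from the flat process and file lists.

Added example (not part of the Lavasoft report). WRITES, REFERENCES and
PROCESSES are a constructed subset of the entries printed on this page.
Placeholders such as %System% are kept exactly as the report prints them.
"""
from collections import defaultdict, deque

# (writing process, path written) from the "creates and/or writes" lists
WRITES = [
    ("%original file name%.exe:1848", r"%Documents and Settings%\%current user%\Local Settings\Temp\4f52a.tmp"),
    ("4f52a.tmp:1948", r"%Documents and Settings%\%current user%\Local Settings\Temp\4f912.exe"),
    ("4f52a.tmp:1948", r"C:\%original file name%.exe"),
    ("4f912.exe:460", r"%System%\godlion.dll"),
    ("4f912.exe:460", r"%System%\drivers\00b60331.sys"),
    ("%original file name%.exe:2012", r"%Program Files%\addendum\addendumgt\addendum_gtu.exe"),
    ("%original file name%.exe:2012", r"%Program Files%\addendum\addendumgt\addendum_gt.dll"),
    ("addendum_gtu.exe:1060", r"%Documents and Settings%\%current user%\Application Data\addendum_gt2_update_20140311.exe"),
]

# (process, path it referenced): regsvr32.exe wrote godlion.dll's path into
# InprocServer32, which ties it to the process that dropped the DLL
REFERENCES = [
    ("regsvr32.exe:1132", r"%System%\godlion.dll"),
]

PROCESSES = [
    "4f912.exe:460", "Reader_sl.exe:1064", "wuauclt.exe:344", "regsvr32.exe:1132",
    "4f52a.tmp:1948", "%original file name%.exe:1848", "%original file name%.exe:2012",
    "addendum_gtu.exe:1060", "jusched.exe:1056",
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def image_name(proc):
    return proc.rsplit(":", 1)[0].lower()


def build_drop_chain(writes, references, processes, entry):
    """Breadth-first walk from `entry` over two link types.

    exec link: a process ran under the basename of a file the parent wrote.
    load link: a process referenced a file the parent wrote (REFERENCES).
    Returns (edges, unreached, dropped_not_run): edges as
    (parent, child, via_file); unreached = processes no link explains
    (sandbox noise, or links the report does not expose); dropped_not_run =
    executables written but never seen as a process.
    """
    by_image = defaultdict(list)
    for p in processes:
        by_image[image_name(p)].append(p)
    written_by = defaultdict(list)
    for writer, path in writes:
        written_by[writer].append(path)
    refs_by_path = defaultdict(list)
    for proc, path in references:
        refs_by_path[path.lower()].append(proc)

    edges, seen, queue = [], {entry}, deque([entry])
    while queue:
        cur = queue.popleft()
        for path in written_by.get(cur, []):
            children = by_image.get(basename(path), []) + refs_by_path.get(path.lower(), [])
            for child in children:
                if child not in seen:          # the visited set breaks the cycle
                    seen.add(child)            # created by the sample relaunching
                    edges.append((cur, child, basename(path)))
                    queue.append(child)
    unreached = [p for p in processes if p not in seen]
    dropped_not_run = sorted(
        path for paths in written_by.values() for path in paths
        if basename(path).endswith(".exe") and basename(path) not in by_image
    )
    return edges, unreached, dropped_not_run


if __name__ == "__main__":
    # assumption: PID 1848 is the first instance of the submitted sample
    edges, noise, unrun = build_drop_chain(WRITES, REFERENCES, PROCESSES,
                                           "%original file name%.exe:1848")
    for parent, child, via in edges:
        print(f"{parent} --[{via}]--> {child}")
    print("unexplained by any link:", noise)
    print("dropped but never executed:", unrun)
```

Run against the page's data this yields a five-edge chain (sample → 4f52a.tmp → 4f912.exe → regsvr32.exe, and 4f52a.tmp → relaunched sample → addendum_gtu.exe), leaves Reader_sl.exe, wuauclt.exe and jusched.exe unexplained (Adobe and Java updaters plus Windows Update, ordinary sandbox background activity), and shows that the downloaded addendum_gt2_update_20140311.exe was written but never run during the analysis.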

Registry activity

The process 4f912.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4f52a.tmp, , \??\%System%\1wHf2y, \??\%System%\1wHf2y"

[HKCR\CLSID\HOOK_ID]
"name" = "4f912.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 58 74 82 3B 47 FE 88 A8 6C 75 7C 87 0B A7 FC"

[HKCR\CLSID\SYS_DLL]
"name" = "8uysfqf.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE Local intranet zone so that all network paths (UNCs) are treated as intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

It also includes all sites that bypass the proxy server in the Local intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It also includes all local (intranet) sites not listed in other zones in the Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

These three ZoneMap values match IE's default Local intranet settings on Windows XP and are written when WinInet first initializes the zone map for a profile, just as the Cache\Paths values above are created on first use of the WinInet cache; that is why the same values recur under every process below that used WinInet. On their own they are weak evidence of tampering. The deletion of AutoConfigURL, ProxyServer and ProxyOverride (below), which strips any configured proxy or PAC script, is the more meaningful change.

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

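The PendingFileRenameOperations value set by 4f912.exe (and again by 4f52a.tmp, below) is how the dropper cleans up after itself: Windows stores it as a REG_MULTI_SZ of source/destination pairs that the Session Manager processes at the next boot, an empty destination meaning "delete", and a destination beginning with "!" meaning "overwrite an existing file" (the registry form of MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT). The Python below is an added example, not part of the Lavasoft report; it decodes the two values as printed on this page, and the triage heuristics (temp-dir self-cleanup, system-directory targets, source equal to destination) are this example's own, not the report's.

```python
"""Decode PendingFileRenameOperations (REG_MULTI_SZ) into boot-time actions.

Added example, not part of the Lavasoft report. The sample data is the two
values printed on this page, split back into list form. On a live system
the value arrives as a list already (e.g. winreg.QueryValueEx returns a
list of str for REG_MULTI_SZ), so split_report_rendering is not needed.
"""
import re

NT_PREFIX = "\\??\\"          # object-manager prefix on every entry

# the report joins the multi-string with commas; keep that rendering here
REPORT_VALUES = [
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4f52a.tmp, , \??\%System%\1wHf2y, \??\%System%\1wHf2y',
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4f52a.tmp,',
]

TEMP_RE = re.compile(r"\\temp\\", re.I)
SYSTEM_RE = re.compile(r"(^|\\)(system32|%system%)\\", re.I)


def split_report_rendering(line):
    """Turn the report's 'a, b, c' rendering back into the multi-sz list.
    (Paths containing commas would need the real REG_MULTI_SZ instead.)"""
    return [part.strip() for part in line.split(",")]


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def triage_notes(src, dst, action):
    """Heuristics (this example's own) a responder applies to each entry."""
    notes = []
    if action == "delete" and TEMP_RE.search(src):
        notes.append("self-cleanup of a temp-dir stage")
    if SYSTEM_RE.search(dst) or SYSTEM_RE.search(src):
        notes.append("touches the system directory")
    if action == "noop-rename":
        notes.append("source equals destination")
    return notes


def decode_pending_renames(entries):
    """Return one dict per (source, destination) pair, tolerating an odd tail."""
    ops = []
    for i in range(0, len(entries), 2):
        src = strip_nt_prefix(entries[i])
        dst_raw = entries[i + 1] if i + 1 < len(entries) else ""
        replace = dst_raw.startswith("!")           # MOVEFILE_REPLACE_EXISTING
        dst = strip_nt_prefix(dst_raw[1:] if replace else dst_raw)
        if dst == "":
            action = "delete"
        elif dst.lower() == src.lower():
            action = "noop-rename"                  # unusual; worth a second look
        else:
            action = "replace" if replace else "rename"
        ops.append({"src": src, "dst": dst, "action": action,
                    "notes": triage_notes(src, dst, action)})
    return ops


if __name__ == "__main__":
    for line in REPORT_VALUES:
        for op in decode_pending_renames(split_report_rendering(line)):
            print(f"{op['action']:12} {op['src']} -> {op['dst'] or '(none)'}  {op['notes']}")
```

On this page's data the first value decodes to a delete of the Temp\4f52a.tmp stage plus a rename of %System%\1wHf2y onto itself, and the second to a delete of the same temp file. Because the operations run before any user-mode process during the next boot, a responder who only looks at the file system after a reboot will find 4f52a.tmp gone; the registry value itself is the surviving evidence.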
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process regsvr32.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32]
"(Default)" = "%System%\godlion.dll"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\godlion.dll"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"

[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E F6 E1 4B C5 2E 74 66 DC 9B 11 FC 7F 60 2D 9A"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}]
"(Default)" = "IIEHlprObj"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS]
"(Default)" = "0"

The process 4f52a.tmp:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4f52a.tmp,"

The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{18858B77-2B8B-4f74-A2FB-4D6BCEB47DC5}]
"Policy" = "3"

[HKCR\addendum_gt.addendum_gtObject\CLSID]
"(Default)" = "{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{18858B77-2B8B-4f74-A2FB-4D6BCEB47DC5}]
"AppName" = "addendum_gtu.exe"

[HKCR\addendum_gt.addendum_gtObject]
"(Default)" = "addendum_gtObject Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Addendum_gt uninstall]
"UninstallString" = "%Program Files%\addendum\addendumgt\uninstall.exe"

[HKCR\CLSID\{2C157059-4438-4C01-996C-579324A2FBAB}\TypeLib]
"(Default)" = "{4317D3F0-660F-4B81-B209-483F29289000}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\addendum_gt.addendum_gtObject.1\CLSID]
"(Default)" = "{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}"

[HKCR\CLSID\{2C157059-4438-4C01-996C-579324A2FBAB}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{2C157059-4438-4C01-996C-579324A2FBAB}\ProgID]
"(Default)" = "addendum_gt.addendum_gtBho.1"

[HKCR\CLSID\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}]
"(Default)" = "Addendum-gt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}\TypeLib]
"(Default)" = "{4317D3F0-660F-4B81-B209-483F29289000}"

[HKCR\addendum_gt.addendum_gtObject.1]
"(Default)" = "addendum_gtObject Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\addendum_gt.addendum_gtObject\CurVer]
"(Default)" = "addendum_gt.addendum_gtObject.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\AppID\addendum_gt.DLL]
"AppID" = "{DFA646EA-F30B-41B4-94B6-D743E92C44C3}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{18858B77-2B8B-4f74-A2FB-4D6BCEB47DC5}]
"AppPath" = "%Program Files%\addendum\addendumgt\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Addendum_gt uninstall]
"DisplayName" = "Windows Addendum"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\addendum_gt]
"stver" = "20140107"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{2C157059-4438-4C01-996C-579324A2FBAB}\InprocServer32]
"(Default)" = "%Program Files%\addendum\addendumgt\addendum_gt.dll"

[HKCR\CLSID\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}]
"AppID" = "{DFA646EA-F30B-41B4-94B6-D743E92C44C3}"

[HKCR\CLSID\{2C157059-4438-4C01-996C-579324A2FBAB}]
"(Default)" = "Addendum-gt"

[HKCR\addendum_gt.addendum_gtBho.1\CLSID]
"(Default)" = "{2C157059-4438-4C01-996C-579324A2FBAB}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C157059-4438-4C01-996C-579324A2FBAB}]
"NoExplorer" = "1"

[HKCR\addendum_gt.addendum_gtBho\CLSID]
"(Default)" = "{2C157059-4438-4C01-996C-579324A2FBAB}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\addendum_gt.addendum_gtBho]
"(Default)" = "addendum_gtBho Class"

[HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}]
"(Default)" = "Addendum"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{2C157059-4438-4C01-996C-579324A2FBAB}]
"AppID" = "{DFA646EA-F30B-41B4-94B6-D743E92C44C3}"

[HKCR\CLSID\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}\VersionIndependentProgID]
"(Default)" = "addendum_gt.addendum_gtObject"

[HKCR\CLSID\{2C157059-4438-4C01-996C-579324A2FBAB}\VersionIndependentProgID]
"(Default)" = "addendum_gt.addendum_gtBho"

[HKCR\addendum_gt.addendum_gtBho\CurVer]
"(Default)" = "addendum_gt.addendum_gtBho.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\addendum_gt.addendum_gtBho.1]
"(Default)" = "addendum_gtBho Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 3A 03 34 46 CB 92 58 F0 2C 41 22 3B 96 BB C5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCR\CLSID\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}\InprocServer32]
"(Default)" = "%Program Files%\addendum\addendumgt\addendum_gt.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C157059-4438-4C01-996C-579324A2FBAB}]
"(Default)" = "Addendum-gt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Addendum_gt uninstall]
"DisplayIcon" = "%Program Files%\addendum\addendumgt\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\addendum_gt]
"TB_0" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\addendum_gt]
"nid" = "addendum_gt2"

[HKCU\Software\AppDataLow\Software\addendum_gt]
"TB_0" = "1"

[HKCR\AppID\{DFA646EA-F30B-41B4-94B6-D743E92C44C3}]
"(Default)" = "addendum_gt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}\ProgID]
"(Default)" = "addendum_gt.addendum_gtObject.1"

The Trojan modifies the IE Local intranet zone so that all network paths (UNCs) are treated as intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To run at each logon of the current user, the Trojan adds the following autorun value, which starts its updater with the Runcmd argument:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Addendum_gt" = "%Program Files%\addendum\addendumgt\addendum_gtu.exe Runcmd"

It also includes all sites that bypass the proxy server in the Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

and all local (intranet) sites not listed in other zones:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}]
"BarSize"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The Trojan also deletes the following autorun value, so that only the Addendum_gt entry above remains:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Addendum_gtst"

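The COM registrations performed by regsvr32.exe (godlion.dll, above) and by the installer instance (addendum_gt.dll, this section) are scattered across HKCR\CLSID, the Browser Helper Objects list, Explorer Bars, the Low Rights ElevationPolicy and the Run key. The Python below is an added example, not part of the Lavasoft report, that joins them back together: it resolves every IE extension entry to the DLL that will be loaded, spells out what the ElevationPolicy value means, and flags COM servers that are registered but not wired into IE by any of those keys. REG is a constructed snapshot containing only this page's entries, and all function names are this example's own.

```python
"""Resolve the IE extension registrations printed in this report.

Added example, not part of the Lavasoft report. REG is a constructed
snapshot of the page's own entries as {key: {value_name: data}}, where ""
is the (Default) value. Keys are matched case-insensitively.
"""
BHO_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
ELEV_KEY = "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy"
BARS_KEY = "HKCU\\Software\\Microsoft\\Internet Explorer\\Explorer Bars"
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Meaning of the "Policy" value in IE's Low Rights ElevationPolicy (Vista+;
# the XP sandbox has no Protected Mode, so the entry only matters elsewhere)
ELEVATION_POLICY = {
    0: "Protected Mode blocks the launch",
    1: "prompt the user; if allowed, launch at medium integrity",
    2: "launch silently at low integrity",
    3: "launch silently at medium integrity (no prompt)",
}

REG = {
    "HKCR\\CLSID\\{DAF9F01C-30F0-4A52-AF52-E236961977F4}": {"": "IEHlprObj Class"},
    "HKCR\\CLSID\\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\\InprocServer32":
        {"": "%System%\\godlion.dll", "ThreadingModel": "Apartment"},
    "HKCR\\CLSID\\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\\ProgID": {"": "IEHelper.IEHlprObj.1"},
    "HKCR\\CLSID\\{2C157059-4438-4C01-996C-579324A2FBAB}":
        {"": "Addendum-gt", "AppID": "{DFA646EA-F30B-41B4-94B6-D743E92C44C3}"},
    "HKCR\\CLSID\\{2C157059-4438-4C01-996C-579324A2FBAB}\\InprocServer32":
        {"": "%Program Files%\\addendum\\addendumgt\\addendum_gt.dll", "ThreadingModel": "Apartment"},
    "HKCR\\CLSID\\{2C157059-4438-4C01-996C-579324A2FBAB}\\ProgID": {"": "addendum_gt.addendum_gtBho.1"},
    "HKCR\\CLSID\\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}": {"": "Addendum-gt"},
    "HKCR\\CLSID\\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}\\InprocServer32":
        {"": "%Program Files%\\addendum\\addendumgt\\addendum_gt.dll", "ThreadingModel": "Apartment"},
    "HKCR\\CLSID\\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}\\ProgID": {"": "addendum_gt.addendum_gtObject.1"},
    BHO_KEY + "\\{2C157059-4438-4C01-996C-579324A2FBAB}": {"": "Addendum-gt", "NoExplorer": "1"},
    # the page later shows this Explorer Bars key deleted again; it is kept
    # here as it was set
    BARS_KEY + "\\{E5084B48-28C6-45D6-A5E0-A897C67EBB3A}": {"": "Addendum"},
    ELEV_KEY + "\\{18858B77-2B8B-4f74-A2FB-4D6BCEB47DC5}":
        {"Policy": "3", "AppName": "addendum_gtu.exe", "AppPath": "%Program Files%\\addendum\\addendumgt\\"},
    RUN_KEY: {"Addendum_gt": "%Program Files%\\addendum\\addendumgt\\addendum_gtu.exe Runcmd"},
}


def _values(reg, key):
    for k, vals in reg.items():
        if k.lower() == key.lower():
            return vals
    return {}


def _get(reg, key, name=""):
    return _values(reg, key).get(name)


def _subkeys(reg, parent):
    prefix = parent.lower() + "\\"
    return [k for k in reg if k.lower().startswith(prefix) and "\\" not in k[len(prefix):]]


def describe_clsid(reg, clsid):
    base = "HKCR\\CLSID\\" + clsid
    return {"clsid": clsid, "name": _get(reg, base),
            "server": _get(reg, base + "\\InprocServer32"),
            "threading": _get(reg, base + "\\InprocServer32", "ThreadingModel"),
            "progid": _get(reg, base + "\\ProgID")}


def triage_ie_extensions(reg):
    findings, wired = [], set()
    for k in _subkeys(reg, BHO_KEY):                       # BHOs load into every IE/Explorer
        clsid = k.rsplit("\\", 1)[-1]; wired.add(clsid.upper())
        d = describe_clsid(reg, clsid)
        d.update(kind="BHO", noexplorer=_get(reg, k, "NoExplorer") == "1")
        findings.append(d)
    for k in _subkeys(reg, BARS_KEY):                      # explorer bars (side panes)
        clsid = k.rsplit("\\", 1)[-1]; wired.add(clsid.upper())
        d = describe_clsid(reg, clsid); d.update(kind="ExplorerBar", title=_get(reg, k))
        findings.append(d)
    for k in _subkeys(reg, ELEV_KEY):                      # Protected Mode launch policy
        policy = int(_get(reg, k, "Policy") or 0)
        findings.append({"kind": "ElevationPolicy", "policy": policy,
                         "app": (_get(reg, k, "AppPath") or "") + (_get(reg, k, "AppName") or ""),
                         "meaning": ELEVATION_POLICY.get(policy, "unknown")})
    for name, cmd in _values(reg, RUN_KEY).items():
        findings.append({"kind": "Run", "name": name, "command": cmd})
    for k in _subkeys(reg, "HKCR\\CLSID"):                # servers not wired into IE above
        clsid = k.rsplit("\\", 1)[-1]
        if clsid.upper() not in wired and _get(reg, k + "\\InprocServer32"):
            d = describe_clsid(reg, clsid); d.update(kind="unlisted-COM-server")
            findings.append(d)
    return findings


if __name__ == "__main__":
    for f in triage_ie_extensions(REG):
        print(f)
```

The result separates the two halves of this sample: addendum_gt.dll is registered as a BHO with NoExplorer=1 (loaded by Internet Explorer only, not by Windows Explorer) and its updater is whitelisted by ElevationPolicy 3, so on Vista or later Protected Mode IE would launch it at medium integrity without prompting; godlion.dll, by contrast, has a full CLSID/ProgID/TypeLib registration under the name IEHelper.IEHlprObj but no Browser Helper Objects entry on this page, which is worth checking against the three BHO keys that 4f912.exe deleted.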
The process addendum_gtu.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 60 24 56 1D 97 4A 29 B9 2B C4 6A C8 88 E6 7B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE Local intranet zone so that all network paths (UNCs) are treated as intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

It also includes all sites that bypass the proxy server in the Local intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It also includes all local (intranet) sites not listed in other zones in the Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

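The proxy-related changes recur under 4f912.exe, the installer instance and addendum_gtu.exe: ProxyEnable set to 0, ProxyServer/AutoConfigURL/ProxyOverride deleted, the three ZoneMap flags set, and a binary SavedLegacySettings value whose second DWORD climbs from 0x16 to 0x17 to 0x18. That value is WinInet's connection-settings structure (DWORD version, DWORD change counter, DWORD flags, then length-prefixed proxy server, bypass list and auto-config URL strings). The Python below is an added example, not part of the Lavasoft report; the three 16-byte blobs are the ones printed on this page, the longer blob in the test is constructed, and the function names are this example's own.

```python
"""Decode WinInet SavedLegacySettings and summarise the proxy posture.

Added example, not part of the Lavasoft report. The three blobs are the
hex values printed on this page for the three processes; the report shows
16 bytes, so only the fixed header and the first (empty) string length are
present. A full value continues with the remaining length-prefixed strings,
which the decoder reads when they are there.
"""
import struct

FLAGS = {1: "DIRECT", 2: "PROXY", 4: "AUTO_PROXY_URL", 8: "AUTO_DETECT"}

SAVED_LEGACY = {                       # constructed from the page, per process
    "4f912.exe:460": bytes.fromhex("3C000000160000000100000000000000"),
    "%original file name%.exe:2012": bytes.fromhex("3C000000170000000100000000000000"),
    "addendum_gtu.exe:1060": bytes.fromhex("3C000000180000000100000000000000"),
}
# HKCU\...\Internet Settings after the run: ProxyServer, AutoConfigURL and
# ProxyOverride are absent because the report lists them as deleted
HKCU_INTERNET_SETTINGS = {"ProxyEnable": 0, "MigrateProxy": 1}
ZONEMAP = {"UNCAsIntranet": 1, "ProxyBypass": 1, "IntranetName": 1}

ZONEMAP_MEANING = {
    "UNCAsIntranet": "Include all network paths (UNCs) in the Local intranet zone",
    "IntranetName": "Include all local (intranet) sites not listed in other zones",
    "ProxyBypass": "Include all sites that bypass the proxy server",
}


def decode_saved_legacy_settings(blob):
    """Parse the fixed header, then as many of the three strings as exist."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the fixed 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    out = {"version": version, "counter": counter,
           "flags": [name for bit, name in FLAGS.items() if flags & bit]}
    pos = 12
    for field in ("proxy_server", "bypass_list", "autoconfig_url"):
        if pos + 4 > len(blob):
            out[field] = None                  # value truncated before this field
            continue
        (length,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        out[field] = blob[pos:pos + length].decode("latin-1")
        pos += length
    return out


def rewrite_sequence(blobs_by_process):
    """Change counters in order: each rewrite of the settings bumps it by one."""
    return sorted(decode_saved_legacy_settings(b)["counter"] for b in blobs_by_process.values())


def proxy_posture(settings, zonemap, saved_legacy):
    """Cross-check the plain values against the decoded blob."""
    decoded = decode_saved_legacy_settings(saved_legacy)
    findings = []
    if settings.get("ProxyEnable") == 0 and "DIRECT" in decoded["flags"]:
        findings.append("direct connection: ProxyEnable=0 agrees with the DIRECT flag")
    for name in ("ProxyServer", "AutoConfigURL", "ProxyOverride"):
        if name not in settings:
            findings.append(f"{name} absent (report lists it as deleted)")
    for name, meaning in ZONEMAP_MEANING.items():
        if zonemap.get(name) == 1:
            findings.append(f"{name}=1: {meaning}")
    return decoded, findings


if __name__ == "__main__":
    print("rewrite counters:", rewrite_sequence(SAVED_LEGACY))
    decoded, findings = proxy_posture(HKCU_INTERNET_SETTINGS, ZONEMAP,
                                      SAVED_LEGACY["addendum_gtu.exe:1060"])
    print(decoded)
    for line in findings:
        print(" -", line)
```

The counters 22, 23, 24 show the settings being rewritten once by each of the three processes, and every blob carries only the DIRECT flag with an empty proxy-server string, consistent with ProxyEnable=0 and the deleted ProxyServer/AutoConfigURL. Whether that is an attack on a proxy or PAC configuration or just WinInet re-saving a profile that never had one cannot be decided from the sandbox run alone: on a fresh XP profile the same DIRECT blob and the same three ZoneMap flags are the defaults, so on a real host compare against the proxy settings the user or GPO actually configured.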
Network activity (URLs)

URL IP
hxxp://www.addendam.co.kr/cnt/index.php?pid=addendum_gt2&type=6 121.78.182.82
hxxp://www.addendam.co.kr/check/addendum_gt2/update/gt.php
hxxp://down.addendam.co.kr/download/addendum_gt2_update_20140311.exe 121.78.93.23
addendam.co.kr 121.78.182.82


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\00b60331.sys", the Trojan registers a load-image notify routine (the kernel callback set up through PsSetLoadImageNotifyRoutine), so it is called in kernel mode every time an executable image or DLL is mapped into any process.

The Trojan installs the following kernel-mode hook:

ZwCreateFile

A ZwCreateFile hook is commonly used to hide or protect a driver's own files on disk, which is why the manual removal steps below start with an anti-rootkit scan: file deletions attempted while the driver is loaded may silently fail or be reverted.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    4f912.exe:460
    wuauclt.exe:344
    regsvr32.exe:1132
    4f52a.tmp:1948
    %original file name%.exe:1848
    %original file name%.exe:2012
    addendum_gtu.exe:1060

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OGZVET3R\desktop.ini (67 bytes)
    %WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\udErhHgjuH.dll (119 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XPWXY790\addendum_gt2_update_20140311[1].exe (184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (38 bytes)
    %System%\version.dll (119 bytes)
    %WinDir%\WinSxS (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8uysfqf.dll (119 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XPWXY790\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (1216 bytes)
    %System%\config\SOFTWARE.LOG (9862 bytes)
    %System%\drivers\00b60331.sys (72 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (39 bytes)
    %System%\godlion.dll (196 bytes)
    %Documents and Settings%\%current user%\Application Data\addendum_gt2_update_20140311.exe (320 bytes)
    %System%\drivers\7c1d36b7.sys (28 bytes)
    %Program Files%\addendum\addendumgt (4 bytes)
    %System%\vorsion.dll (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
    %System%\midimap.dll (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (15619 bytes)
    C:\$Directory (1384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\27SDWXYF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IY7YGLMZ\desktop.ini (67 bytes)
    %System%\config\software (3598 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4f912.exe (1616 bytes)
    C:\%original file name%.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4f52a.tmp (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (47727 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\IEKill.dll (784 bytes)
    C:\DelUS.bat (138 bytes)
    %Program Files%\addendum\addendumgt\uninstall.exe (2365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\SelfDelete.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\version.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\DLLWebCount.dll (784 bytes)
    %Program Files%\addendum\addendumgt\addendum_gt.dll (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\KillProcDLL.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\UnProtectMode.dll (7192 bytes)
    %Program Files%\addendum\addendumgt\addendum_gtu.exe (12536 bytes)
    %Program Files%\addendum\addendumgt\addendum_chartclub.dll (23296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Addendum_gt" = "%Program Files%\addendum\addendumgt\addendum_gtu.exe Runcmd"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
