Trojan.Generic.8048033_b8402b719d
Trojan.Generic.8048033 (BitDefender), Trojan:Win32/VB.AIX (Microsoft), Trojan.Win32.CCho.b (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Siggen4.18602 (DrWeb), Trojan.Generic.8048033 (B) (Emsisoft), Artemis!B8402B719D03 (McAfee), Trojan.Gen (Symantec), Win32.SuspectCrc (Ikarus), Gen:Variant.Symmi.13498 (FSecure), SHeur4.AJIJ (AVG), Win32:Malware-gen (Avast), TROJ_SPNR.30HL12 (TrendMicro), Trojan.Generic.8048033 (AdAware), Trojan-Spy.Win32.Keylogger.VB.2.FD, mzpefinder_pcap_file.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Spy, Keylogger, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b8402b719d03f467f3b833886810d2e6
SHA1: ea397132c07cb8865dde9d9d28682469afc51b9e
SHA256: 56b1e1666bc934e16fdf1126b91e94c93f3b2146d5ce2ca84d423c0c75ff6941
SSDeep: 49152:O EyFtjSpaXaarPcGwkRD6LDM2MfWnDV70efoLgFoJ9n4Uose ROX2umDv Ah6G1:O EyFtjSpaqAPGkZe4DI570IUgFqj/yu
Size: 2671616 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: House Of Soft
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
zcontrol.exe:1984
ADOBED~1.EXE:636
net1.exe:964
net1.exe:1952
NET.exe:964
NET.exe:1648
Install Adobe Download Assistant.exe:1784
RAVCpl32.exe:1856
AIRRuntimeInstaller.exe:1896
reg.exe:1908
%original file name%.exe:184
regedit.exe:460
The Trojan injects its code into the following process(es):
Adobe AIR Installer.exe:1876
Adobe AIR Application Installer.exe:244
File activity
The process Adobe AIR Installer.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (613 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (3058 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
The process zcontrol.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe (2391085 bytes)
The process ADOBED~1.EXE:636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_256.png (10296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\Adobe Download Assistant.exe (142336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\hash (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_512.png (23712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_16.png (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_32.png (1053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.exe (163840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_128.png (4672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install Adobe Download Assistant.exe (130432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_48.png (1720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.dll (1700864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\setup.msi (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\application.xml (8351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\DownloadAssistant.swf (3237435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\signatures.xml (77205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_24.png (898 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp (0 bytes)
The process Install Adobe Download Assistant.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (35951824 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (86 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (1340 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (96 bytes)
The process RAVCpl32.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Realtek\tools.zip (668 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\IMG_359485_4215.jpg (102 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (228 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\unzip.exe (177685 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (0 bytes)
The process AIRRuntimeInstaller.exe:1896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (3464755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (9845456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (53421776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (1261461 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (6916456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (43585232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (33792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130408 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp (0 bytes)
The process Adobe AIR Application Installer.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\pca3-g5[1].crl (533 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\DD0A55570E581C3EAE83066FA036FA6B98C26BF9.crl (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CSC3-2010[1].crl (127784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\ThawteTimestampingCA[1].crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pca3[1].crl (933 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\A567C68FE225A8176819878924C6ED2B83D9C4D5.crl (119592 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (538 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\217583007B475EB7A649AEBCFC4EC3D0EBA3F228.crl (533 bytes)
The process %original file name%.exe:184 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\zcontrol.exe (2359341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ADOBED~1.EXE (2599096 bytes)
Registry activity
The process Adobe AIR Installer.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 AD 11 44 CC 03 7C F1 A3 CC 23 10 74 3D 15 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process zcontrol.exe:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 94 F1 EB 45 A9 A0 36 8B 60 76 09 5E A9 89 D4"
The process ADOBED~1.EXE:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 F9 22 1E 17 71 0B 11 32 CF C1 3A 2B 89 F8 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR1.tmp]
"Install Adobe Download Assistant.exe" = "Adobe Bootstrapping Utility"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process net1.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 00 EF 4F 72 BF 9B 89 B1 D0 50 DB 02 F4 81 1D"
The process net1.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D D2 C4 60 60 7E 72 E7 27 3F 8B 1C E6 FD F8 BC"
The process NET.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 5D 4C 66 39 B5 74 E4 CE CB D1 F1 67 D8 6C F8"
The process NET.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 31 9E 14 C8 D0 37 14 AD E6 E6 1F 04 A0 23 B5"
The process Install Adobe Download Assistant.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 C8 36 FA 8D C8 74 24 C7 58 CA 7E A6 86 A0 56"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process RAVCpl32.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 04 2C EB C7 A3 6E 1A 80 69 AC 3D 73 DF F3 C2"
The process AIRRuntimeInstaller.exe:1896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB EA 3F 4D 01 C2 2F 97 0C 40 AB 4A 90 DD 9A 3A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp]
"Adobe AIR Installer.exe" = "Adobe AIR Installer"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process Adobe AIR Application Installer.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 23 86 88 69 93 04 B2 92 38 0A 8B BD 51 1B F2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process reg.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"
The process %original file name%.exe:184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 6E AA F6 BF D2 70 95 D4 CF 32 8A 23 90 47 12"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process regedit.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 60 1A C1 A3 45 C2 1E 53 B1 69 78 37 ED 82 45"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HD Audio Driver" = "%WinDir%\explorer.exe %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://a1396.b.akamai.net/air/3/nai/windows5.1/x86/installer |  |
| hxxp://pastebin.com/PF4F1NNN |  141.101.112.16 |
| hxxp://dl-balancer.x.dropbox.com/s/qh9jjar5l0zxwu2/unzip.exe?dl=1 | |
| hxxp://duc-balancer.x.dropbox.com/s/qh9jjar5l0zxwu2/unzip.exe?dl=1 | |
| hxxp://dl-balancer.x.dropbox.com/s/f5gcg6shw7we4e6/tools.zip?dl=1 | |
| hxxp://duc-balancer.x.dropbox.com/s/f5gcg6shw7we4e6/tools.zip?dl=1 | |
| hxxp://a1396.b.akamai.net/air/3/nai/windows5.1/x86/installer.p7 | |
| hxxp://a1180.g.akamai.net/prodSvce.crl | |
| hxxp://a1180.g.akamai.net/cds.crl | |
| hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl | |
| hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
| hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl | |
| hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl | |
| crl.verisign.com | 23.60.133.163 |
| airdownload.adobe.com | 204.93.47.196 |
| csc3-2010-crl.verisign.com | 23.60.133.163 |
| tss-geotrust-crl.thawte.com | 23.61.181.163 |
| dl.dropboxusercontent.com | 50.19.234.162 |
| crl.adobe.com | 157.238.74.137 |
| dl.dropbox.com | 23.21.126.209 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Screenshot
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 43748 | 44032 | 4.53606 | 3aeb6fb8fe8ab95f2462e3afb8b8acd3 |
| .data | 49152 | 8796 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
| .rsrc | 61440 | 2621388 | 2621440 | 5.53826 | b84d3627e0386f424aaa050bd2a8c192 |
| .reloc | 2682880 | 3480 | 3584 | 3.33168 | bc74eb2a181cf1029262828db6ac5b5d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
zcontrol.exe:1984
ADOBED~1.EXE:636
net1.exe:964
net1.exe:1952
NET.exe:964
NET.exe:1648
Install Adobe Download Assistant.exe:1784
RAVCpl32.exe:1856
AIRRuntimeInstaller.exe:1896
reg.exe:1908
%original file name%.exe:184
regedit.exe:460 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (613 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (3058 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe (2391085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_256.png (10296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\Adobe Download Assistant.exe (142336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\hash (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_512.png (23712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_16.png (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_32.png (1053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.exe (163840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_128.png (4672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install Adobe Download Assistant.exe (130432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_48.png (1720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.dll (1700864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\setup.msi (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\application.xml (8351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\DownloadAssistant.swf (3237435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\signatures.xml (77205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_24.png (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (35951824 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (86 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (96 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\tools.zip (668 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\IMG_359485_4215.jpg (102 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (228 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\unzip.exe (177685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (3464755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (9845456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (53421776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (1261461 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (6916456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (43585232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (33792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\pca3-g5[1].crl (533 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\DD0A55570E581C3EAE83066FA036FA6B98C26BF9.crl (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CSC3-2010[1].crl (127784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\ThawteTimestampingCA[1].crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pca3[1].crl (933 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\A567C68FE225A8176819878924C6ED2B83D9C4D5.crl (119592 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\217583007B475EB7A649AEBCFC4EC3D0EBA3F228.crl (533 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\zcontrol.exe (2359341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ADOBED~1.EXE (2599096 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HD Audio Driver" = "%WinDir%\explorer.exe %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
