Trojan.NSIS.StartPage_3f07e801a5
Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3f07e801a58a5cfa2f25cfd05a8b9a90
SHA1: 7039b5ca80270b7e9bb87dca6d1833a8684913e6
SHA256: f4ddd9ad2f29a1ab8912af85e5949c0335f722b4b787ce23f6e43ff33ebed4f9
SSDeep: 1536:iCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzRd:iCaZ2Yrb0VTXJYWEsCGuiX
Size: 75696 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-25 07:01:29
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
InstGameInfoHelperMSN.exe:1132
The Trojan injects its code into the following process(es):
MSNGamesSetup.exe:360
%original file name%.exe:856
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process MSNGamesSetup.exe:360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\modern-header.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ns5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\InstGameInfoHelperMSN.exe (10092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\version.txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsExec.dll (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ns5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (0 bytes)
The process InstGameInfoHelperMSN.exe:1132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HO0TMNCE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFK0GLOT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\5496759050793581312[1].txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\tn_feat.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\gametitle.txt (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\tn_feat.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\tn_feat[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\gm-config[1].xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7B9G7JMX\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\5496759050793581312[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\gm-config[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFF05E.tmp (0 bytes)
The process %original file name%.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\MSNGamesSetup.exe (269389 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ftdownload.dat (512 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)
Registry activity
The process MSNGamesSetup.exe:360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 21 2B 5E 46 C4 23 47 93 15 38 44 ED D6 08 56"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process InstGameInfoHelperMSN.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 7E EC 29 5C 87 CE 56 97 FF 4A F6 9B 91 F7 A6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 11 27 A7 F2 6E 4E 7D D4 8C 50 16 15 76 F8 2D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| d06ec234ead38f6cbd0b401fb506a71f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\MSNGamesSetup.exe |
| 960a5c48e25cf2bca332e74e11d825c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\System.dll |
| a5a4cee2eb89d2687c05ef74299f0dba | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi2.tmp\nsisdl.dll |
| 0025cd88501fa44e826bc9ed4bdef2fb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\InstGameInfoHelperMSN.exe |
| 960a5c48e25cf2bca332e74e11d825c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\System.dll |
| 51e63a9c5d6d230ef1c421b2eccd45dc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\nsExec.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23146 | 23552 | 4.44842 | 8781c451557a4626018483faabe438d0 |
| .rdata | 28672 | 4558 | 4608 | 3.62903 | 640f709ec19b4ed0455a4c64e5934d5e |
| .data | 36864 | 108472 | 1024 | 3.37017 | c9a433d4fe67308d6a5942cfb667cbe7 |
| .ndata | 147456 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 180224 | 17000 | 17408 | 2.69684 | 654ac01907b168453e2702f516512acd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 126
URLs
| URL | IP |
|---|---|
| hxxp://stamp-vpc-aws-iwin-com-1981998893.us-east-1.elb.amazonaws.com/msngames/MSNGamesSetup.exe | |
| hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/gm-config | |
| hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/arcade/rawinfo/6577540223622285160/5496759050793581312 | |
| hxxp://cdn-vpc-aws-iwin-com-1060965153.us-east-1.elb.amazonaws.com/images/product/6577540223622285160/tn_feat.jpg | |
| hxxp://gm-msn.iwin.com/gm-config | |
| hxxp://img.iwin.com/images/product/6577540223622285160/tn_feat.jpg | |
| hxxp://gm-msn.iwin.com/arcade/rawinfo/6577540223622285160/5496759050793581312 | |
| hxxp://dl.iwin.com/msngames/MSNGamesSetup.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)
Traffic
GET /msngames/MSNGamesSetup.exe HTTP/1.0
Host: dl.iwin.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=14400
Content-Type: application/x-msdos-program
Date: Sun, 14 Feb 2016 01:59:25 GMT
Expires: Sun, 14 Feb 2016 05:59:25 GMT
Last-Modified: Tue, 06 Oct 2015 15:44:54 GMT
Server: Apache/2.2.22 (Ubuntu) mod_perl/2.0.5 Perl/v5.14.2
Content-Length: 3532840
Connection: Close
GET /images/product/6577540223622285160/tn_feat.jpg HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: img.iwin.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: max-age=86400, s-maxage=2592000
Content-Type: image/jpeg
Date: Sun, 14 Feb 2016 01:59:36 GMT
ETag: "c62bb046bec8a44f1b559d5011cc06b8"
Last-Modified: Fri, 29 Aug 2014 09:52:51 GMT
Server: AmazonS3
Via: 1.1 img.iwin.com
Via: 1.1 varnish
x-amz-id-2: aTbfNlXDXx1PPpgfgLiL3ceBikE9sSej4t2dE3 lwpKz4s35FZxf78ipNJNwZQcDLOs7cPYYIGI=
x-amz-request-id: 07EFD08E892C0A47
X-Varnish: 1551828762
Content-Length: 1355
Connection: keep-alive
GET /gm-config HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: max-age=7200
Content-Type: application/xml;charset=utf-8
Date: Sun, 14 Feb 2016 01:59:35 GMT
Last-Modified: Sun, 17 Aug 292278994 07:12:55 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.1.19
Vary: iWin-App
Via: 1.1 varnish
X-Varnish: 2150204898
Content-Length: 4697
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?><gm-url-config xmlns="http://VVV.iwin.com/schemas/catalog" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance"><site-host>msn.iwin.com</site-host><gm-host>gm-msn.iwin.com</gm-host><url-signin>https://gm-msn.iwin.com/Login.do</url-signin><url-about-icoins>http://gm-msn.iwin.com/membership</url-about-icoins><url-my-account>hXXps://gm-msn.iwin.com/account/icoins</url-my-account><url-signout>hXXps://gm-msn.iwin.com/Logout.do</url-signout><url-search>hXXp://gm-msn.iwin.com/search?q=</url-search><url-part-rawInfo>/arcade/rawinfo/</url-part-rawInfo><url-update-arcade>hXXp://gm-msn.iwin.com/dgu?game=ARCD&ver=</url-update-arcade><url-update-game>hXXp://gm-msn.iwin.com/dgu?game=</url-update-game><url-ws-services-slog>hXXp://ws-msn.iwin.com/services/slog?</url-ws-services-slog><url-ws-services-dlog>hXXp://ws-msn.iwin.com/services/dlog?act=</url-ws-services-dlog><url-ws-services-ulog>hXXp://ws-msn.iwin.com/services/ulog?lid=</url-ws-services-ulog><url-ws-icoins>hXXp://gm-msn.iwin.com/account/icoins-safe.xml;jsessionid=%s</url-ws-icoins><url-part-more-game>/calendar/games/new</url-part-more-game><url-part-top-game>hXXp://gm-msn.iwin.com/arcade/home</url-part-top-game><url-part-ad1>/arcade/panel/bottom</url-part-ad1><url-part-ad2>/arcade/panel/right</url-part-a<<< skipped >>>
GET /arcade/rawinfo/6577540223622285160/5496759050793581312 HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: no-cache, private, max-age=0, s-max-age=0, must-revalidate
Content-Type: text/plain;charset=utf-8
Date: Sun, 14 Feb 2016 01:59:36 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.1.19
Vary: MSN-App
Via: 1.1 varnish
X-Varnish: 1323199687
Content-Length: 1028
Connection: keep-alive
gameid|6577540223622285160|skuid|5496759050793581312|title|Home Makeover 2|tryLink|hXXp://download.iwincdn.com/gg/pf/iwin/6577540223622285160/acd_60m_pogoiwin/iwin/HomeMakeover2Setup.exe|desc|Help Emma save his Uncle's house and decorate it! Home Makeover is back, bigger and much better than before! This amazing Hidden Object game is very easy to follow, gets your attention fast and very addicting! It combines 3 of the most favorite game mechanics: Hidden Object, Time Management and Match 3!Features:-Unlimited Game: Unlimited levels which spans around 15 gorgeous scenes!-Achievements: 9 challenging achievements for you to pursue!-Extra Content: Play 4 different quick-session Hidden Object games!-Decorate: Help Emma save her uncle's house and at the same time, earn money from jumble sale to re-decorate the living room!-Postcard: When you are pleased with your brand new living room, you can take a snapshot and send it as a postcard to your friends!|activation_code||pid||email||price|999|trial_time|60|allaccess|true
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\MSNGamesSetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\nsisdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\nsisdl.dll
.%U~O<2y
.reloc
WSOCK32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
Execute: C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\MSNGamesSetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
MSNGamesSetup.exe
MSNGAM~1.EXE
1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\MSNGamesSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0a2</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
%original file name%.exe_856_rwx_10004000_00001000:
callback%d
MSNGamesSetup.exe_360:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp\tn_feat.bmp
r.bmp
.msn.com.
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp\version.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp
sy4.tmp\ftdownload.dat
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp\modern-header.bmp
=yt.gN!(
Z%S,4
A/%sW
ftdownload.dat
FTDOWN~1.DAT
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp\MSNGamesSetup.exe
%Program Files%\MSN Games
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi2.tmp
MSNGamesSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
MSN Games Manager powered by iWin is required to launch and play Home Makeover 2 and other games from games.msn.com.
1007289340
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0a2</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
MSNGamesSetup.exe_360_rwx_10004000_00001000:
callback%d
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
InstGameInfoHelperMSN.exe:1132
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\modern-header.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\ns5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\InstGameInfoHelperMSN.exe (10092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\version.txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HO0TMNCE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WFK0GLOT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\5496759050793581312[1].txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\tn_feat.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\gametitle.txt (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\tn_feat.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\tn_feat[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WA8JEMAX\gm-config[1].xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7B9G7JMX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\MSNGamesSetup.exe (269389 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\ftdownload.dat (512 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.