Trojan.NSIS.StartPage_a1729f723a

by malwarelabrobot on March 14th, 2016 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: a1729f723a9d79381fec10743b0d28a9
SHA1: f70ccb474cb9256199ffbbae49198f15f9d3eac4
SHA256: e3f6ba336d5bab4c3a4ed7e46f2131833fc18f04689da2fa740dcddf92a31d1c
SSDeep: 1536:iCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzRp:iCaZ2Yrb0VTXJYWEsCGuiH
Size: 75696 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-25 07:01:29
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

InstGameInfoHelperMSN.exe:1928

The Trojan injects its code into the following process(es):

MSNGamesSetup.exe:668
%original file name%.exe:404

Mutexes

The following mutexes were created/opened:

ShimCacheMutex
Name

File activity

The process MSNGamesSetup.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\ns5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\version.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\modern-header.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\InstGameInfoHelperMSN.exe (10092 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\ns5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp (0 bytes)

The process InstGameInfoHelperMSN.exe:1928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\tn_feat.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8NUPBOC8\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DUFX0QM9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\tn_feat[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\6901722585967888125[1].txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\tn_feat.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IBX1SL4D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\gm-config[1].xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\gametitle.txt (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\6901722585967888125[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\gm-config[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DF765D.tmp (0 bytes)

The process %original file name%.exe:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\MSNGamesSetup.exe (275554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ftdownload.dat (512 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)

Registry activity

The process MSNGamesSetup.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 71 C8 4A BD 15 29 36 9F DD 5C D3 06 74 10 E9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process InstGameInfoHelperMSN.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 99 BA A8 61 4B AF 42 16 17 A8 82 63 01 BD A1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 3A 41 20 6E C9 A4 84 25 02 C9 FA 15 D3 A8 CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5                               File path
2963e74c4e6fc1424a23465ca8c141be  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\MSNGamesSetup.exe
960a5c48e25cf2bca332e74e11d825c9  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\System.dll
a5a4cee2eb89d2687c05ef74299f0dba  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\nsisdl.dll
0025cd88501fa44e826bc9ed4bdef2fb  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh4.tmp\InstGameInfoHelperMSN.exe
c17103ae9072a06da581dec998343fc1  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh4.tmp\System.dll
acc2b699edfea5bf5aae45aba3a41e96  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh4.tmp\nsExec.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             23146         23552     4.44842  8781c451557a4626018483faabe438d0
.rdata  28672            4558          4608      3.62903  640f709ec19b4ed0455a4c64e5934d5e
.data   36864            108472        1024      3.37017  c9a433d4fe67308d6a5942cfb667cbe7
.ndata  147456           32768         0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc   180224           17000         17408     2.69684  654ac01907b168453e2702f516512acd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 126
3d5af80433c098ec5a5279653d721ee6
ca018ed1395a5f4b3187d17d773f64e3
d016004fdd61a8dc31802e98e78f486d
fdd888ba00e902f5ca8609f5d5c21fad
962ffd960be802a2754b5321f3c2b31e
960fe821ac46581824470e46010f0cf9
2f80439bd3eadd6936faa64cb2f0fca6
b30f1a1383e1bef2052244fd45a83aa3
f9c1fca77b6df26cfb5ce8069ef9ebfa
da37947b17a4733c59690eb33576d1cf
226c49801bfd2a952e9dfc31eec2b1c0
3a1e99337440e3c4eee15d62ec470abf
bd3a8eb593f97cb393055f7ca5eb1c7c
6e0ad2cce681ad41e316a21d0e20ceba
b0b0a8c4d9722cca4d87197830a5e480
8de8b8a3ba76d0f2745b188380faa63e
6c42ece50107993a7613007752e54eff
aa8d9982fe88a7c25c18c7c20f1f762e
648812305283df15451d4e774c0c301c
d98cb7418587bf9dca413fda21c2a3f2
232d714169a6042cb34a51254bdc17a3
30834450db655ef0280dd35be11e5a7e
8e51a107ea4c6daf1cdf43ed6929e78a
50351979d2c8b93fb1c0c295b3f28977
edb82428dfd5858c9a6a052deb4609f0

URLs

URL IP
hxxp://stamp-vpc-aws-iwin-com-1981998893.us-east-1.elb.amazonaws.com/msngames/MSNGamesSetup.exe
hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/gm-config
hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/arcade/rawinfo/2459991736120122674/6901722585967888125
hxxp://cdn-vpc-aws-iwin-com-1060965153.us-east-1.elb.amazonaws.com/images/product/2459991736120122674/tn_feat.jpg
hxxp://gm-msn.iwin.com/gm-config 54.88.224.112
hxxp://gm-msn.iwin.com/arcade/rawinfo/2459991736120122674/6901722585967888125 54.88.224.112
hxxp://dl.iwin.com/msngames/MSNGamesSetup.exe 52.6.129.32
hxxp://img.iwin.com/images/product/2459991736120122674/tn_feat.jpg 52.87.32.237


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)

Traffic

GET /images/product/2459991736120122674/tn_feat.jpg HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: img.iwin.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 15505
Cache-Control: max-age=86400, s-maxage=2592000
Content-Type: image/jpeg
Date: Sun, 13 Mar 2016 00:10:15 GMT
ETag: "2623100cb36fbc1cda1dea0646c8a576"
Last-Modified: Thu, 01 May 2014 17:05:59 GMT
Server: AmazonS3
Via: 1.1 img.iwin.com
Via: 1.1 varnish
x-amz-id-2: sk9yRw3rjj6 ozUgumlQXFAntM4poilsNA04DSFZSq3fEwyl1m94ASXuURUx68e8Wlj3csnF qw=
x-amz-request-id: C9C08EFAE21B65B8
X-Varnish: 1710686642 1710503619
Content-Length: 1977
Connection: keep-alive
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................(.(.........
......................................................................
.......!.1".A.Qa.2.q..BR.....................!..1AQ.a...."2q..BRr.#...
....3C............?.`|...vi@v}.&..4fX.Ely..9.#*......6V;..>n......x
B..........G..W!..ayo.u`c..M1..1.9.9v......m9:...>.x..A..6}-.DT~W..
S.J5...>Vj..Y.....z.z..h.9...!. .(.H........E...dGs.^.Df.6I1..b....
..=3..W..hs^...\U5:@.L....O.o................,/..Y`,p.<........{y`
..'.......a;.aj9........tL.......B..f..z.H..0a.2.X..{.v.};.OI....?...c
9.......-..c2e....rl......!s..].1.6hi.$..EC1.]x. .\.g).....t.....c.0d{
x..


GET /gm-config HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: max-age=7200
Content-Type: application/xml;charset=utf-8
Date: Sun, 13 Mar 2016 00:10:14 GMT
Last-Modified: Sun, 17 Aug 292278994 07:12:55 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.1.19
Vary: iWin-App
Via: 1.1 varnish
X-Varnish: 1074461404
Content-Length: 4699
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?><gm-url-config xmlns="h
ttp://VVV.iwin.com/schemas/catalog" xmlns:xsi="hXXp://VVV.w3.org/2001/
XMLSchema-instance"><site-host>msn.iwin.com</site-host>
<gm-host>gm-msn.iwin.com</gm-host><url-signin>https:
//gm-msn.iwin.com/Login.do</url-signin><url-about-icoins>h
ttp://gm-msn.iwin.com/membership</url-about-icoins><url-my-ac
count>hXXps://gm-msn.iwin.com/account/icoins</url-my-account>
<url-signout>hXXps://gm-msn.iwin.com/Logout.do</url-signout&g
t;<url-search>hXXp://gm-msn.iwin.com/search?q=</url-search>
;<url-part-rawInfo>/arcade/rawinfo/</url-part-rawInfo><
url-update-arcade>hXXp://gm-msn.iwin.com/dgu?game=ARCD&ver=<
/url-update-arcade><url-update-game>hXXp://gm-msn.iwin.com/dg
u?game=</url-update-game><url-ws-services-slog>hXXp://ws-m
sn.iwin.com/services/slog?</url-ws-services-slog><url-ws-serv
ices-dlog>hXXp://ws-msn.iwin.com/services/dlog?act=</url-ws-serv
ices-dlog><url-ws-services-ulog>hXXp://ws-msn.iwin.com/servic
es/ulog?lid=</url-ws-services-ulog><url-ws-icoins>hXXp://g
m-msn.iwin.com/account/icoins-safe.xml;jsessionid=%s</url-ws-icoins
><url-part-more-game>/calendar/games/new</url-part-more-ga
me><url-part-top-game>hXXp://gm-msn.iwin.com/arcade/home</
url-part-top-game><url-part-ad1>/arcade/panel/bottom</url-
part-ad1><url-part-ad2>/arcade/panel/right</url-part-a

<<< skipped >>>

GET /arcade/rawinfo/2459991736120122674/6901722585967888125 HTTP/1.1

User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: no-cache, private, max-age=0, s-max-age=0, must-revalidate
Content-Type: text/plain;charset=utf-8
Date: Sun, 13 Mar 2016 00:10:14 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.1.19
Vary: MSN-App
Via: 1.1 varnish
X-Varnish: 415400501
Content-Length: 1026
Connection: keep-alive
gameid|2459991736120122674|skuid|6901722585967888125|title|Zuma's Reve
nge|tryLink|hXXp://download.iwincdn.com/gg/pf/iwin/2459991736120122674
/acd_60m_pogoiwin/iwin/ZumasRevengeSetup.exe|desc|Are you ready for Zu
ma's Revenge? It's the ribbeting sequel to the worlds #1 ball-blasting
action game! An irresistible force has taken our fearless frog to an
island where the puzzle-action of Zuma has evolved in amazing ways - b
ut evil spirits and tenacious tiki bosses rule the land! Survive the i
re of the island by firing stone spheres to destroy the deadly stream
of balls. Conquer over 60 levels by staying sharp and avoiding hidden
traps. Slide and hop for smarter shots; hit targets for exotic bonuses
; detonate new power-up balls; battle six imposing tiki bosses and gui
de your agile amphibian to victory in four all-new game modes! Will yo
u succumb to the perilous pitfalls, or can you tame the jungle in Zuma
's Revenge, an exciting ballblasting challenge?|activation_code||pid||
email||price|999|trial_time|60|allaccess|falseHTTP/1.1 200 OK..Accept-
Ranges: bytes..Age: 0..Cache-Control: no-cache, private, max-age=0, s-
max-age=0, must-revalidate..Content-Type: text/plain;charset=utf-8..Da
te: Sun, 13 Mar 2016 00:10:14 GMT..P3P: CP="NOI CURo ADMo DEVo TAIo OU
R NOR IND COM NAV"..Server: nginx/1.1.19..Vary: MSN-App..Via: 1.1 varn
ish..X-Varnish: 415400501..Content-Length: 1026..Connection: keep-aliv
e..gameid|2459991736120122674|skuid|6901722585967888125|title|Zuma's R
evenge|tryLink|hXXp://download.iwincdn.com/gg/pf/iwin/245999173612

<<< skipped >>>

GET /msngames/MSNGamesSetup.exe HTTP/1.0
Host: dl.iwin.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=14400
Content-Type: application/x-msdos-program
Date: Sun, 13 Mar 2016 00:10:02 GMT
Expires: Sun, 13 Mar 2016 04:10:02 GMT
Last-Modified: Tue, 16 Feb 2016 08:50:08 GMT
Server: Apache/2.2.22 (Ubuntu) mod_perl/2.0.5 Perl/v5.14.2
Content-Length: 3556392
Connection: Close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................Z...........0.......p....@.........
.................P........6......................................s....
.......Y..........8.6..0..............................................
.............p...............................text....X.......Z........
.......... ..`.rdata.......p.......^..............@[email protected].......
[email protected][email protected].
...Y.......Z...t..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..>[email protected].>[email protected]
...Pr@..}[email protected]... M.......M....3.....FQ.....NU..
M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...
[email protected]}[email protected].}.j.W.E......E.......Pp@.
[email protected]@.W...E..E.h [email protected]...\r
@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.
......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_404:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\MSNGamesSetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\nsisdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\nsisdl.dll
.%U~O<2y
.reloc
WSOCK32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
Execute: C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\MSNGamesSetup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
MSNGamesSetup.exe
MSNGAM~1.EXE
1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\MSNGamesSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0a2</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>

%original file name%.exe_404_rwx_10004000_00001000:

callback%d

MSNGamesSetup.exe_668:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh4.tmp\tn_feat.bmp
r.bmp
.msn.com.
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh4.tmp\version.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh4.tmp
sh4.tmp\ftdownload.dat
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh4.tmp\modern-header.bmp
=yt.gN!(
Z%S,4
A/%sW
ftdownload.dat
FTDOWN~1.DAT
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\MSNGamesSetup.exe
%Program Files%\MSN Games
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
MSNGamesSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
MSN Games Manager powered by iWin is required to launch and play Zuma's Revenge and other games from games.msn.com.
1560937422
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

MSNGamesSetup.exe_668_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    InstGameInfoHelperMSN.exe:1928

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\ns5.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\version.txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\modern-header.bmp (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\ftdownload.dat (512 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\InstGameInfoHelperMSN.exe (10092 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\tn_feat.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8NUPBOC8\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DUFX0QM9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\tn_feat[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\6901722585967888125[1].txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\tn_feat.bmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IBX1SL4D\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\gm-config[1].xml (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp\gametitle.txt (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3WMRFKWV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsisdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\MSNGamesSetup.exe (275554 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ftdownload.dat (512 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
