Trojan.Win32.Alureon_862f59b68b

by malwarelabrobot on June 13th, 2014 in Malware Descriptions.

Win32.Expiro.CK (B) (Emsisoft), Win32.Expiro.CK (AdAware), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 862f59b68b11df3c6d9b663b8d81cf61
SHA1: edbf85f2cad7c700dc561bfdcde51b2cb5d705b5
SHA256: 006fa50a88c7f293436d3a94b2bb7993da3ed5fff9cc6d3823e04d1ba750d147
SSDeep: 12288:9M/E8Z7GFcVOmrM4vHlmLTh1BWK/wxDIXgLAtmvzJgmMOPWbq3oKaljQa3pq3:217bOWMygBJ/xXgLAtmvzJgmMOObq3or
Size: 656896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-02 08:10:24
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Two points a reader should weigh against that verdict. First, the vendor names at the top disagree (Alureon here, Expiro elsewhere), and everything recorded below (fetching and installing the Microsoft Web Platform Installer MSI, CRL checks, feed requests) is the ordinary behaviour of the WPI launcher whose VersionInfo this file carries, so the dynamic trace mostly shows the host program. Second, Expiro is a file infector that appends its body to a host executable's last section and redirects the entry point into it; the .reloc section in the PE table below is far larger than the code section, which is consistent with that. The report itself does not isolate an infecting component, so the static section layout, not the behaviour list, is where to look for it.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:464
MsiExec.exe:372
MsiExec.exe:1968

The Trojan injects its code into the following process(es):

WebPlatformInstaller.exe:292

File activity

The process WebPlatformInstaller.exe:292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\-230948881.xml.temp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\1343597488.xml.temp (111948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\-97141593.xml.temp (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\-1877981721.xml (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\-1135381691.xml (8844 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\-97141593.xml (55924 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\1343597488.xml (1001578 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\1055370499.xml.temp (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\logs\webpi\webpi.txt (18869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\-1877981721.xml.temp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\-230948881.xml (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\-1135381691.xml.temp (2104 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (0 bytes)

The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WebPlatformInstaller_x86_en-US[1].msi (13454 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpi.msi (13454 bytes)

Registry activity

The process WebPlatformInstaller.exe:292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 94 9E 71 8F E8 05 FB D0 37 3D 13 25 EA 33 F8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The following Intranet-zone map values are the defaults that WinInet/urlmon write the first time a process initialises Internet Explorer settings in a fresh profile; the sandbox attributes them to whichever process triggered that, and on their own they are not evidence of zone tampering.

Include all network paths (UNCs) in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Include all sites that bypass the proxy server in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Include all local (intranet) sites not listed in other zones in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy use is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Read together with "MigrateProxy" = "1" and the SavedLegacySettings blob under Connections set above, the ProxyEnable write and these three deletions are WinInet's one-time migration of legacy proxy values into its per-connection format, performed in a sandbox with no proxy configured; they do not show the sample disabling a proxy.

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 15 F6 F7 54 78 E9 1E 46 E9 08 27 EF F6 E8 F8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

As for the WebPlatformInstaller.exe process above, the following Intranet-zone map values are WinInet/urlmon first-use defaults attributed to the process that triggered them, not evidence of zone tampering.

Include all network paths (UNCs) in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Include all sites that bypass the proxy server in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Include all local (intranet) sites not listed in other zones in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy use is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Together with "MigrateProxy" = "1" and the SavedLegacySettings blob under Connections set above, this is the same one-time WinInet proxy-settings migration, here triggered by the launcher process itself.

The process MsiExec.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 E1 C0 69 FE 58 E9 3B A5 D3 28 96 33 4D AE F9"

(The RNG Seed value is rewritten by CryptoAPI whenever a process uses the system random number generator; the four differing seeds in this report are side effects of that, not indicators.)

The process MsiExec.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 7C 66 A4 BB 25 60 3E 25 21 3A E4 56 39 0B 3E"

The process deletes the following autorun value in the system registry. No process in this report is recorded creating it, so the deletion belongs to the Windows Installer transaction for the Web Platform Installer product rather than to the sample removing persistence of its own:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebPlatformInstaller"

Dropped PE files

MD5 File path
7e44bfa1e2393d903c7c97b8e2186b26 c:\Program Files\Microsoft\Web Platform Installer\Microsoft.Web.PlatformInstaller.UI.dll
c440645f8fe8df15e2d539f4f176b326 c:\Program Files\Microsoft\Web Platform Installer\Microsoft.Web.PlatformInstaller.dll
ae68983dc8bbd9a0c510fb9bcac65b9d c:\Program Files\Microsoft\Web Platform Installer\WebPlatformInstaller.exe
1ca8d924eb33a1f0a49b2929f265ffb9 c:\Program Files\Microsoft\Web Platform Installer\WebpiCmd.exe
827c424f77ebd9b61ba6a6c5f0c88fc3 c:\Program Files\Microsoft\Web Platform Installer\cs\Microsoft.Web.PlatformInstaller.UI.resources.dll
0f3600db5c7de1ce92ebf32b12575024 c:\Program Files\Microsoft\Web Platform Installer\cs\WebPlatformInstaller.resources.dll
6278d09bd4bebd37ba942e3cef337dd3 c:\Program Files\Microsoft\Web Platform Installer\cs\WebpiCmd.resources.dll
8265ae671a10ac1607c474a61a8f9098 c:\Program Files\Microsoft\Web Platform Installer\de\Microsoft.Web.PlatformInstaller.UI.resources.dll
1b6315a1ef11925de0e1a25add1c1897 c:\Program Files\Microsoft\Web Platform Installer\de\WebPlatformInstaller.resources.dll
89794a12e1aad848cc497e12317ded89 c:\Program Files\Microsoft\Web Platform Installer\de\WebpiCmd.resources.dll
c685c5b06f5424f1a2f320646384eb41 c:\Program Files\Microsoft\Web Platform Installer\es\Microsoft.Web.PlatformInstaller.UI.resources.dll
469a75c6819755037b3aa0a8feef6040 c:\Program Files\Microsoft\Web Platform Installer\es\WebPlatformInstaller.resources.dll
e947893aae0489c66d7799d76cf23f09 c:\Program Files\Microsoft\Web Platform Installer\es\WebpiCmd.resources.dll
5cfe1ea50cd8e8ec2e39a70bcd8ab87f c:\Program Files\Microsoft\Web Platform Installer\fr\Microsoft.Web.PlatformInstaller.UI.resources.dll
18220e96ed9debae05e0fe1762acff7f c:\Program Files\Microsoft\Web Platform Installer\fr\WebPlatformInstaller.resources.dll
672a6cf4e6d110d0c70daf8ec8cb980f c:\Program Files\Microsoft\Web Platform Installer\fr\WebpiCmd.resources.dll
bbc79a7dd4fa1807c4fce158c71f38db c:\Program Files\Microsoft\Web Platform Installer\it\Microsoft.Web.PlatformInstaller.UI.resources.dll
8d90e6d36ee2df2d7702e47d05a1a9b1 c:\Program Files\Microsoft\Web Platform Installer\it\WebPlatformInstaller.resources.dll
1bdbd2fddecce4c77354466525f201ca c:\Program Files\Microsoft\Web Platform Installer\it\WebpiCmd.resources.dll
a52df54503067856b53247ed87a4a220 c:\Program Files\Microsoft\Web Platform Installer\ja\Microsoft.Web.PlatformInstaller.UI.resources.dll
dd6dd2789a8c0a0d407035e7a3ae5f29 c:\Program Files\Microsoft\Web Platform Installer\ja\WebPlatformInstaller.resources.dll
36f26136f79e89e0face740aff5c195a c:\Program Files\Microsoft\Web Platform Installer\ja\WebpiCmd.resources.dll
448f284d2901c4dddb1f529907428f5d c:\Program Files\Microsoft\Web Platform Installer\ko\Microsoft.Web.PlatformInstaller.UI.resources.dll
8438df9023281d8be8b0ac06a9efd47e c:\Program Files\Microsoft\Web Platform Installer\ko\WebPlatformInstaller.resources.dll
95fb1c909a73806cc9500f4c63de2c54 c:\Program Files\Microsoft\Web Platform Installer\ko\WebpiCmd.resources.dll
7556ffed1746d2ba530349ba58b6470b c:\Program Files\Microsoft\Web Platform Installer\pl\Microsoft.Web.PlatformInstaller.UI.resources.dll
bdf370e7e63598b5bd4348970496dd85 c:\Program Files\Microsoft\Web Platform Installer\pl\WebPlatformInstaller.resources.dll
cba5deac4655a856c75f61b2c23f1128 c:\Program Files\Microsoft\Web Platform Installer\pl\WebpiCmd.resources.dll
d795fe25871b10a17ae79bd990300588 c:\Program Files\Microsoft\Web Platform Installer\pt\Microsoft.Web.PlatformInstaller.UI.resources.dll
a577e80f732e00003447d4df6a290af8 c:\Program Files\Microsoft\Web Platform Installer\pt\WebPlatformInstaller.resources.dll
3e68063bf3b3d8e186722b5d5b3d5316 c:\Program Files\Microsoft\Web Platform Installer\pt\WebpiCmd.resources.dll
c9b410aae284d06193eec5618ed147e3 c:\Program Files\Microsoft\Web Platform Installer\ru\Microsoft.Web.PlatformInstaller.UI.resources.dll
07afb2c5b2a1ca94e998185fb19170a4 c:\Program Files\Microsoft\Web Platform Installer\ru\WebPlatformInstaller.resources.dll
e6f97ede18387cfb7325cadedecca1db c:\Program Files\Microsoft\Web Platform Installer\ru\WebpiCmd.resources.dll
6404765deb80c2d8986f60dce505915b c:\Program Files\Microsoft\Web Platform Installer\sqmapi.dll
e7b84fefd861ff32270458336921d72c c:\Program Files\Microsoft\Web Platform Installer\tr\Microsoft.Web.PlatformInstaller.UI.resources.dll
d63056aab8f17d72ee29c55671851e2f c:\Program Files\Microsoft\Web Platform Installer\tr\WebPlatformInstaller.resources.dll
85f96012dc76f9f8c12f03ea77625756 c:\Program Files\Microsoft\Web Platform Installer\tr\WebpiCmd.resources.dll
6ca7800b282af006dcd046a43892678f c:\Program Files\Microsoft\Web Platform Installer\zh-CHS\Microsoft.Web.PlatformInstaller.UI.resources.dll
a47ca9ec6a5f3b4d6cd20093adeb0a30 c:\Program Files\Microsoft\Web Platform Installer\zh-CHS\WebPlatformInstaller.resources.dll
776cf5b26b948f9d5089a78d3992cee9 c:\Program Files\Microsoft\Web Platform Installer\zh-CHS\WebpiCmd.resources.dll
50156ac73526d130918ac6dcd46c1070 c:\Program Files\Microsoft\Web Platform Installer\zh-CHT\Microsoft.Web.PlatformInstaller.UI.resources.dll
8f40583a3b81f0f96a08bb262fb2a614 c:\Program Files\Microsoft\Web Platform Installer\zh-CHT\WebPlatformInstaller.resources.dll
e6c2e8ca5595acafe32d1f908130c351 c:\Program Files\Microsoft\Web Platform Installer\zh-CHT\WebpiCmd.resources.dll
6d2283bdfa242dd7945e48999168b6de c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.WebDeployShim\5.0.0.0__31bf3856ad364e35\Microsoft.Web.PlatformInstaller.WebDeployShim.dll
8737213c421fbc52468bcfc0ed4ef424 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_cs_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
b1a1b94889b77747ac38dbd2521fd711 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_de_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
c0439faccf9abcc9247ab4a152336ed5 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_es_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
d209024dc96dd629bda7b2af5fcfbb6e c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_fr_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
497d8469582986155661e0f82b794453 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_it_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
8cfd53038aef6794d47bd6cb9f0368ee c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_ja_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
5f282540b22c72c802f49fb1e9d9cf0a c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_ko_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
5afbf88196859f7de93207a8a0f5f86f c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_pl_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
d3dfd9427c655854a55c817782cd178a c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_pt-BR_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
87bee8f7f763fe2bd2d5ac6ac28b79dd c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_ru_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
bed8adfd7594817267df8d02631db2e4 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_tr_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
4e10a9b9d34aca4784bb38b84e4666a3 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_zh-CHS_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
6f1f42fd56d16b504c21bca96f4a58a3 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller.resources\5.0.0.0_zh-CHT_31bf3856ad364e35\Microsoft.Web.PlatformInstaller.resources.dll
c440645f8fe8df15e2d539f4f176b326 c:\WINDOWS\assembly\GAC_MSIL\Microsoft.Web.PlatformInstaller\5.0.0.0__31bf3856ad364e35\Microsoft.Web.PlatformInstaller.dll
d9a19bae0be50614ff0d62281579b130 c:\WINDOWS\assembly\GAC_MSIL\policy.2.1.Microsoft.Web.PlatformInstaller\0.0.0.0__31bf3856ad364e35\policy.2.1.Microsoft.Web.PlatformInstaller.dll
02529a1fa4cee8a4fc402eebc5fa3633 c:\WINDOWS\assembly\GAC_MSIL\policy.3.0.Microsoft.Web.PlatformInstaller\0.0.0.0__31bf3856ad364e35\policy.3.0.Microsoft.Web.PlatformInstaller.dll
ffd9317e9ade4c6c6134ab703e1cf9d7 c:\WINDOWS\assembly\GAC_MSIL\policy.4.0.Microsoft.Web.PlatformInstaller\0.0.0.0__31bf3856ad364e35\policy.4.0.Microsoft.Web.PlatformInstaller.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 7.1.1070.01
Legal Copyright: Copyright (c) 2010 Microsoft Corporation
Legal Trademarks: Microsoft(R) is a registered trademark of Microsoft Corporation.
Original Filename: wpilauncher.exe
Internal Name: wpilauncher
File Version: 7.1.1070.01
File Description: WPI launcher
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 75738 75776 4.4044 d3802c015236a2b959d4d7679fe2210e
.data 81920 76796 4096 1.48531 8f4e6e0899dc8ed6b600dbc2a3ae65e1
.rsrc 159744 2384 2560 2.97228 f3b11a78f6dfb9f34b896846cfd35404
.reloc 163840 1826816 573440 4.9919 06d0855fa4a9951ae40c64a10857b54f
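Worth reading off the table above: .reloc starts at RVA 163840 with a VirtualSize of 1826816 bytes against 573440 bytes on disk and an entropy of 4.99, while .text, the real code section, is only 75738 bytes. A relocation table is normally a few kilobytes, so a last section that dwarfs the code section is the classic shape of an appended-code file infector, which matches the Expiro alias at the top of this report. The report does not give the entry point or the section characteristics, and the Entropy/PEiD lines are no substitute for them, so those two fields are the first thing to check on the actual sample. The following script is an added example, not part of the Lavasoft report: it parses a PE section table with nothing but struct, then applies the checks a triage analyst would run. The header it parses is constructed from the sizes in the table; the entry point, raw-data offsets and section flags in it are assumed values (an entry point inside .reloc, which is marked executable and writable) so that the checks have something to fire on.

```python
import struct
from typing import Dict, List, Optional

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DATA_SECTION_NAMES = (".reloc", ".rsrc", ".data", ".rdata", ".idata")


def build_sample_pe() -> bytes:
    """Construct a minimal PE32 header carrying the section table reported
    for this sample (name, VirtualAddress, VirtualSize, SizeOfRawData).
    Entry point, raw offsets and section flags are not in the report; the
    values used here are ASSUMED so the header parses (constructed data)."""
    sections = [  # (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
        (b".text", 4096, 75738, 75776, 0x60000020),        # typical: code|exec|read
        (b".data", 81920, 76796, 4096, 0xC0000040),        # typical: data|read|write
        (b".rsrc", 159744, 2384, 2560, 0x40000040),        # typical: data|read
        (b".reloc", 163840, 1826816, 573440, 0xE0000040),  # ASSUMED: exec|read|write
    ]
    entry_point = 163840 + 0x10  # ASSUMED: entry redirected into .reloc
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 75776, 0, 0, entry_point)
    opt += b"\0" * (224 - len(opt))
    raw_ptr, shdrs = 0x400, b""
    for name, va, vs, rs, flags in sections:
        shdrs += struct.pack("<8sIIIIIIHHI", name, vs, va, rs, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += rs
    return dos + b"PE\0\0" + coff + opt + shdrs


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk the section table of a PE file (no third-party parser needed)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    out = []
    for i in range(nsec):
        name, vs, va, rs, praw, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vaddr": va, "vsize": vs, "rawsize": rs, "rawptr": praw, "flags": flags})
    return out


def entry_point(pe: bytes) -> int:
    """AddressOfEntryPoint sits 16 bytes into the optional header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]


def section_for_rva(sections: List[Dict], rva: int) -> Optional[Dict]:
    """Map an RVA to its section; either size field may be the larger one."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(pe: bytes) -> List[str]:
    """Heuristics for appended-code infection: execution starting in the last
    section, an executable last section under a data-section name, a
    writable+executable section, and an executable last section whose
    in-memory size far exceeds its on-disk size."""
    secs = parse_sections(pe)
    last, ep = secs[-1], entry_point(pe)
    findings = []
    if len(secs) > 1 and section_for_rva(secs, ep) is last:
        findings.append(f"entry point 0x{ep:x} lies in last section {last['name']}")
    if last["flags"] & IMAGE_SCN_MEM_EXECUTE and last["name"] in DATA_SECTION_NAMES:
        findings.append(f"last section {last['name']} is executable")
    for s in secs:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
    if last["flags"] & IMAGE_SCN_MEM_EXECUTE and last["vsize"] > 2 * last["rawsize"]:
        findings.append(f"executable last section {last['name']}: VirtualSize "
                        f"{last['vsize']} vs SizeOfRawData {last['rawsize']}")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(). An entry point inside a section that is both writable and executable is a finding whatever the section is called; the name list only sharpens the second check.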

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.go.microsoft.akadns.net/?linkid=9737455
hxxp://a767.dscms.akamai.net/download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904/WebPlatformInstaller_x86_en-US.msi
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://www.go.microsoft.akadns.net/?linkid=9752395
hxxp://lb1.www.ms.akadns.net/web/handlers/WebPI.ashx?command=getatomfeedwithavgratingquery
hxxp://www.go.microsoft.akadns.net/?linkid=9813800
hxxp://a767.dscms.akamai.net/download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png
hxxp://go.microsoft.com/?linkid=9737455 134.170.189.4
hxxp://go.microsoft.com/?linkid=9813800 134.170.189.4
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 205.237.69.88
hxxp://download.microsoft.com/download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png 205.237.69.81
hxxp://download.microsoft.com/download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904/WebPlatformInstaller_x86_en-US.msi 205.237.69.81
hxxp://www.microsoft.com/web/handlers/WebPI.ashx?command=getatomfeedwithavgratingquery 1.103.192.54
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 205.237.69.88
hxxp://go.microsoft.com/?linkid=9752395 134.170.189.4


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (Launcher) (a policy-class rule keyed on a "Launcher" User-Agent string; here that is the WPILauncher/1.0 header in the first request below, so the alert records a downloader client, not a malware signature match)
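The URL table, the policy hit above and the Traffic captures below describe one chain: go.microsoft.com answers the WPILauncher/1.0 request with a 302 to download.microsoft.com, the MSI comes back over plain HTTP with Content-Length 1757184, the CryptoAPI client then fetches the Microsoft Root and Code Signing PCA CRLs (the Authenticode check that protects a cleartext download), and the installed WebPlatformInstaller.exe fetches its feed with its own Platform-Installer/5.0.0.0 User-Agent. Note that the File activity section records only 13454 bytes for wpi.msi and the cached WebPlatformInstaller_x86_en-US[1].msi, which does not match the advertised Content-Length; the report does not establish whether that is a truncated sandbox snapshot or a partial download. The script below is an added example and not part of the Lavasoft report: it replays a transcript constructed from those captures (bodies dropped, hxxp/VVV defanging reversed), reconstructs the redirect chain, lists the distinct User-Agent strings a policy rule keys on, and flags both the cleartext fetch of executable content and the size mismatch.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed transcript: request/response header pairs condensed from the
# Traffic section of this report, bodies dropped, defanging reversed.
EXCHANGES: List[Tuple[str, str]] = [
    ("GET /?linkid=9737455 HTTP/1.1\nUser-Agent: WPILauncher/1.0\nHost: go.microsoft.com",
     "HTTP/1.1 302 Found\nContent-Length: 233\nContent-Type: text/html; charset=utf-8\n"
     "Location: http://download.microsoft.com/download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904/WebPlatformInstaller_x86_en-US.msi"),
    ("GET /download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904/WebPlatformInstaller_x86_en-US.msi HTTP/1.1\n"
     "User-Agent: WPILauncher/1.0\nHost: download.microsoft.com",
     "HTTP/1.1 200 OK\nContent-Type: application/octet-stream\nContent-Disposition: attachment\nContent-Length: 1757184"),
    ("GET /?linkid=9752395 HTTP/1.1\nUser-Agent: Platform-Installer/5.0.0.0(Microsoft Windows NT 5.1.2600 Service Pack 3)\n"
     "Host: go.microsoft.com",
     "HTTP/1.1 302 Found\nContent-Length: 203\n"
     "Location: http://www.microsoft.com/web/handlers/WebPI.ashx?command=getatomfeedwithavgratingquery"),
    ("GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\nUser-Agent: Microsoft-CryptoAPI/5.131.2600.5512\n"
     "Host: crl.microsoft.com",
     "HTTP/1.1 200 OK\nContent-Type: application/pkix-crl\nContent-Length: 813"),
]

# Size the sandbox recorded on disk for the fetched MSI (File activity section).
ON_DISK_SIZES = {"WebPlatformInstaller_x86_en-US.msi": 13454}

REDIRECT_CODES = {301, 302, 303, 307, 308}
EXECUTABLE_EXTS = {"msi", "exe", "dll", "cab"}


def parse_message(text: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP header block into its start line and a lower-cased header map."""
    lines = text.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def index_exchanges(exchanges: List[Tuple[str, str]]) -> Dict[str, Dict]:
    """Key each exchange by its absolute request URL so redirects can be followed."""
    index = {}
    for req, resp in exchanges:
        start, rh = parse_message(req)
        method, path, _version = start.split()
        status_line, sh = parse_message(resp)
        url = "http://" + rh.get("host", "") + path  # no TLS anywhere in this capture
        index[url] = {"method": method, "user_agent": rh.get("user-agent", ""),
                      "status": int(status_line.split()[1]), "headers": sh}
    return index


def redirect_chain(index: Dict[str, Dict], url: str) -> List[str]:
    """Follow Location headers through the captured exchanges, stopping on loops."""
    chain, seen = [url], {url}
    while url in index and index[url]["status"] in REDIRECT_CODES:
        url = index[url]["headers"].get("location", "")
        if not url or url in seen:
            break
        chain.append(url)
        seen.add(url)
    return chain


def review_downloads(index: Dict[str, Dict], on_disk: Dict[str, int]) -> List[str]:
    """Flag executable content fetched over cleartext HTTP and compare the
    advertised Content-Length with what was written to disk."""
    findings = []
    for url, e in index.items():
        if e["status"] != 200:
            continue
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        if name.rsplit(".", 1)[-1].lower() not in EXECUTABLE_EXTS:
            continue
        if urlsplit(url).scheme == "http":
            findings.append(f"{name}: executable content over cleartext HTTP "
                            f"(integrity rests on the Authenticode check, hence the CRL fetches)")
        advertised = int(e["headers"].get("content-length", "0"))
        if name in on_disk and on_disk[name] != advertised:
            findings.append(f"{name}: Content-Length {advertised} but {on_disk[name]} bytes on disk")
    return findings


def user_agents(index: Dict[str, Dict]) -> List[str]:
    """Distinct client strings; a policy IDS rule like the one above keys on these."""
    return sorted({e["user_agent"] for e in index.values() if e["user_agent"]})


if __name__ == "__main__":
    idx = index_exchanges(EXCHANGES)
    print(" -> ".join(redirect_chain(idx, "http://go.microsoft.com/?linkid=9737455")))
    for finding in review_downloads(idx, ON_DISK_SIZES):
        print(finding)
    print(user_agents(idx))
```

To use it on real traffic, build EXCHANGES from a pcap export of request/response header blocks; everything is keyed on absolute URLs, so redirects across hosts resolve as long as the follow-up request was captured.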

Traffic

GET /?linkid=9737455 HTTP/1.1
User-Agent: WPILauncher/1.0
Host: go.microsoft.com


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 233
Content-Type: text/html; charset=utf-8
Expires: Thu, 12 Jun 2014 10:06:39 GMT
Location: hXXp://download.microsoft.com/download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904/WebPlatformInstaller_x86_en-US.msi
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: MC1=GUID=46b0638694c8d049b7759682927e30c1&HASH=8663&LV=20146&V=3; domain=microsoft.com; expires=Sun, 03-Oct-2010 07:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 12 Jun 2014 10:07:38 GMT
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://downl
oad.microsoft.com/download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904/
WebPlatformInstaller_x86_en-US.msi">here</a>.</h2>..<
;/body></html>..HTTP/1.1 302 Found..Cache-Control: private..C
ontent-Length: 233..Content-Type: text/html; charset=utf-8..Expires: T
hu, 12 Jun 2014 10:06:39 GMT..Location: hXXp://download.microsoft.com/
download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904/WebPlatformInstall
er_x86_en-US.msi..Server: Microsoft-IIS/7.5..X-AspNet-Version: 2.0.507
27..Set-Cookie: MC1=GUID=46b0638694c8d049b7759682927e30c1&HASH=8663&LV
=20146&V=3; domain=microsoft.com; expires=Sun, 03-Oct-2010 07:00:00 GM
T; path=/..X-Powered-By: ASP.NET..Date: Thu, 12 Jun 2014 10:07:38 GMT.
.<html><head><title>Object moved</title></h
ead><body>..<h2>Object moved to <a href="hXXp://down
load.microsoft.com/download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904
/WebPlatformInstaller_x86_en-US.msi">here</a>.</h2>..&l
t;/body></html>....

<<< skipped >>>

GET /download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png HTTP/1.1
User-Agent: Platform-Installer/5.0.0.0(Microsoft Windows NT 5.1.2600 Service Pack 3)
Referer: wpi://2.1.0.0/Microsoft Windows NT 5.1.2600 Service Pack 3
Accept-Encoding: gzip, deflate,gzip, deflate
Host: download.microsoft.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Sat, 06 Oct 2012 03:06:21 GMT
Accept-Ranges: bytes
ETag: "57b9ca8f6fa3cd1:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Content-Length: 978
Date: Thu, 12 Jun 2014 10:08:20 GMT
Connection: keep-alive
.PNG........IHDR.............!C......sBIT....|.d.....pHYs...t...t.k$..
....tEXtSoftware.Adobe Fireworks [email protected].
N..*..(f;pN\S.KH...%^...8..1<?)2..h.=.._..B..........`.}..`....K.I:
4.{I....*N}?O\[email protected].(...$ .\..........
.5....!.....y.UM...D@.. b.-|*6.W ..P........[....l..g.......


GET /download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png HTTP/1.1
User-Agent: Platform-Installer/5.0.0.0(Microsoft Windows NT 5.1.2600 Service Pack 3)
Referer: wpi://2.1.0.0/Microsoft Windows NT 5.1.2600 Service Pack 3
Accept-Encoding: gzip, deflate,gzip, deflate
Host: download.microsoft.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Sat, 06 Oct 2012 03:06:21 GMT
Accept-Ranges: bytes
ETag: "57b9ca8f6fa3cd1:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Content-Length: 978
Date: Thu, 12 Jun 2014 10:08:20 GMT
Connection: keep-alive
.PNG........IHDR.............!C......sBIT....|.d.....pHYs...t...t.k$..
....tEXtSoftware.Adobe Fireworks [email protected].
N..*..(f;pN\S.KH...%^...8..1<?)2..h.=.._..B..........`.}..`....K.I:
4.{I....*N}?O\[email protected].(...$ .\..........
.5....!.....y.UM...D@.. b.-|*6.W ..P........[....l..g......K[.q.q.....
...^"..ZT\[..m..q....P.,q1........r.....j.?..1..3.;3...4`C\.!....l..6.
.....q...`C\.!....l..6......q...`C\.!....l..6......q...`C\.!....l..6..
....q...`C\.!....l..6......q...`C\[email protected]...`3.f.)_C..*N.....
[....*.3.l..6......q...`C\.!....l..6......q...`C\.!....l..6......q...`
C\.!....l..6......q...`C\.!....l..6......q...`C\.!....l..6........N.&g
t;[email protected]..,T...8 .WI;I{Iy..o.........9..}..^[email protected]......$. .K.%..P....[
..Nx.u.X.............%=.... .[.E.....,..a....LV.W.......Iz..;..D...$..
.U..?...w.ta.....^.b1........M...&<i.#.Aq%.Yti...F*[...........pY\.
...x...Vx...... %k..q.J\ ..9R...~....,.....5.g........l~.*..,l.......I
END.B`...


GET /download/C/F/F/CFF3A0B8-99D4-41A2-AE1A-496C08BEB904/WebPlatformInstaller_x86_en-US.msi HTTP/1.1
User-Agent: WPILauncher/1.0
Host: download.microsoft.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 30 Apr 2014 09:29:21 GMT
Accept-Ranges: bytes
ETag: "c0c15ab5664cf1:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Content-Length: 1757184
Date: Thu, 12 Jun 2014 10:07:40 GMT
Connection: keep-alive
........................>..........................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>

GET /?linkid=9752395 HTTP/1.1
Referer: wpi://2.1.0.0/Microsoft Windows NT 5.1.2600 Service Pack 3
Accept-Encoding: gzip
User-Agent: Platform-Installer/5.0.0.0(Microsoft Windows NT 5.1.2600 Service Pack 3)
Host: go.microsoft.com


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 203
Content-Type: text/html; charset=utf-8
Expires: Thu, 12 Jun 2014 10:07:15 GMT
Location: hXXp://VVV.microsoft.com/web/handlers/WebPI.ashx?command=getatomfeedwithavgratingquery
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: MC1=GUID=b6e8b05f24cd6c4084b4fba1599f12c7&HASH=5fb0&LV=20146&V=3; domain=microsoft.com; expires=Sun, 03-Oct-2010 07:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 12 Jun 2014 10:08:15 GMT
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://VVV.m
icrosoft.com/web/handlers/WebPI.ashx?command=getatomfeedwithavgratingq
uery">here</a>.</h2>..</body></html>..HTTP/
1.1 302 Found..Cache-Control: private..Content-Length: 203..Content-Ty
pe: text/html; charset=utf-8..Expires: Thu, 12 Jun 2014 10:07:15 GMT..
Location: hXXp://VVV.microsoft.com/web/handlers/WebPI.ashx?command=get
atomfeedwithavgratingquery..Server: Microsoft-IIS/7.5..X-AspNet-Versio
n: 2.0.50727..Set-Cookie: MC1=GUID=b6e8b05f24cd6c4084b4fba1599f12c7&HA
SH=5fb0&LV=20146&V=3; domain=microsoft.com; expires=Sun, 03-Oct-2010 0
7:00:00 GMT; path=/..X-Powered-By: ASP.NET..Date: Thu, 12 Jun 2014 10:
08:15 GMT..<html><head><title>Object moved</title
></head><body>..<h2>Object moved to <a href="h
ttp://VVV.microsoft.com/web/handlers/WebPI.ashx?command=getatomfeedwit
havgratingquery">here</a>.</h2>..</body></html
>....

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 24 May 2014 05:04:51 GMT
Accept-Ranges: bytes
ETag: "96bfbfb1d77cf1:0"
Server: Microsoft-IIS/8.0
VTag: 438391042600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Thu, 12 Jun 2014 10:07:46 GMT
Connection: keep-alive
[813-byte DER-encoded CRL, binary not shown. Readable fields in the dump: issuer DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority; thisUpdate 140523204817Z; nextUpdate 140822090816Z; a revocation date of 100208014912Z and a further timestamp 140821205816Z also appear.]



GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 29 Apr 2014 05:04:18 GMT
Accept-Ranges: bytes
ETag: "5c09f796863cf1:0"
Server: Microsoft-IIS/8.5
VTag: 438260927500000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 12 Jun 2014 10:07:46 GMT
Connection: keep-alive
[554-byte DER-encoded CRL, binary not shown. Readable fields in the dump: issuer C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA; thisUpdate 140428200830Z; nextUpdate 140729082830Z; a further timestamp 140728201830Z also appears.]

<<< skipped >>>

GET /?linkid=9813800 HTTP/1.1
User-Agent: Platform-Installer/5.0.0.0(Microsoft Windows NT 5.1.2600 Service Pack 3)
Referer: wpi://2.1.0.0/Microsoft Windows NT 5.1.2600 Service Pack 3
Host: go.microsoft.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 216
Content-Type: text/html; charset=utf-8
Expires: Thu, 12 Jun 2014 10:07:19 GMT
Location: hXXp://download.microsoft.com/download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: MC1=GUID=1b06d225caac894e954367eb3269926a&HASH=25d2&LV=20146&V=3; domain=microsoft.com; expires=Sun, 03-Oct-2010 07:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 12 Jun 2014 10:08:19 GMT
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXp://download.microsoft.com/download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png">here</a>.</h2>
</body></html>
....



GET /?linkid=9813800 HTTP/1.1
User-Agent: Platform-Installer/5.0.0.0(Microsoft Windows NT 5.1.2600 Service Pack 3)
Referer: wpi://2.1.0.0/Microsoft Windows NT 5.1.2600 Service Pack 3
Host: go.microsoft.com
Accept-Encoding: gzip, deflate


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 216
Content-Type: text/html; charset=utf-8
Expires: Thu, 12 Jun 2014 10:07:20 GMT
Location: hXXp://download.microsoft.com/download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: MC1=GUID=5723c31f250c154bb6ef71a8cd5d0aea&HASH=1fc3&LV=20146&V=3; domain=microsoft.com; expires=Sun, 03-Oct-2010 07:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 12 Jun 2014 10:08:20 GMT
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXp://download.microsoft.com/download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png">here</a>.</h2>
</body></html>

<<< skipped >>>

GET /web/handlers/WebPI.ashx?command=getatomfeedwithavgratingquery HTTP/1.1
Referer: wpi://2.1.0.0/Microsoft Windows NT 5.1.2600 Service Pack 3
Accept-Encoding: gzip
User-Agent: Platform-Installer/5.0.0.0(Microsoft Windows NT 5.1.2600 Service Pack 3)
Host: VVV.microsoft.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-AspNet-Version: 4.0.30319
VTag: 79181426200000000
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Date: Thu, 12 Jun 2014 10:08:17 GMT
Content-Length: 22599
[22599-byte gzip-compressed text/xml body (the Atom feed returned by the WebPI.ashx handler), binary not shown.]

<<< skipped >>>

The Trojan connects to the servers at the following location(s). Every session shown in the capture above goes to a Microsoft host and is issued either by the injected WebPlatformInstaller.exe process (User-Agent Platform-Installer/5.0.0.0, Referer wpi://2.1.0.0/...) or by Windows CryptoAPI (User-Agent Microsoft-CryptoAPI/5.131.2600.5512) fetching the Microsoft Root Certificate Authority and Microsoft Code Signing PCA CRLs, which is consistent with an Authenticode signature check on the downloaded MSI. No command-and-control traffic appears in the captured sessions.

crl.microsoft.com
go.microsoft.com
VVV.microsoft.com
download.microsoft.com (302 redirect target of go.microsoft.com; no session to it is shown)
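When triaging a report like this one, the first question is whether any captured session leaves the vendor's own infrastructure. The following Python script is an added example, not code from the original report or from Lavasoft: it parses request/response sessions in the layout used by the Network Activity section above (request line, headers, blank lines, status line, headers, then body residue, with `<<< skipped >>>` between sessions), undoes the report's `hXXp://` and `VVV.` defanging, and lists hosts outside an expected set. The embedded capture is an abbreviated copy of two of the sessions above; the `.microsoft.com` trusted-suffix list is an assumption appropriate for this report and must be set per case.

```python
"""Parse the request/response sessions of a Lavasoft-style Network Activity
capture and summarise hosts, user agents and redirect targets.
Added example; not code from the original report or from Lavasoft."""
import re
from typing import Dict, List

# Constructed sample: two sessions abbreviated from the capture above, with the
# report's defanging ('hXXp://', 'VVV.') and '<<< skipped >>>' markers kept.
SAMPLE_CAPTURE = """\
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Server: Microsoft-IIS/8.0
Content-Length: 813

<<< skipped >>>

GET /?linkid=9813800 HTTP/1.1

User-Agent: Platform-Installer/5.0.0.0(Microsoft Windows NT 5.1.2600 Service Pack 3)
Referer: wpi://2.1.0.0/Microsoft Windows NT 5.1.2600 Service Pack 3
Host: go.microsoft.com
Accept-Encoding: gzip, deflate


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 216
Location: hXXp://download.microsoft.com/download/1/9/8/198468DE-FC13-4265-80C5-C04C3AAC059C/logo_RTM_2012.png
Server: Microsoft-IIS/7.5
<html><head><title>Object moved</title></head><body>
"""

REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

# Assumption for this report: everything under microsoft.com is expected
# infrastructure for Web Platform Installer and CryptoAPI; adjust per case.
TRUSTED_SUFFIXES = (".microsoft.com",)


def refang(value: str) -> str:
    """Undo the report's URL defanging so values can be compared or looked up."""
    return (value.replace("hXXps://", "https://")
                 .replace("hXXp://", "http://")
                 .replace("VVV.", "www."))


def parse_sessions(capture: str) -> List[Dict]:
    """Return one dict per request with its headers and, if captured, the
    response status and headers.  Stray blank lines inside a header block,
    as in the report, are tolerated; a non-header (body) line ends a response."""
    sessions: List[Dict] = []
    for chunk in capture.split("<<< skipped >>>"):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        i = 0
        while i < len(lines):
            req = REQUEST_RE.match(lines[i])
            if not req:
                i += 1                      # body residue or unparsable line
                continue
            sess = {"method": req.group(1), "path": req.group(2),
                    "req": {}, "status": None, "resp": {}}
            i += 1
            while i < len(lines) and not STATUS_RE.match(lines[i]):
                if REQUEST_RE.match(lines[i]):
                    break                   # request with no captured response
                hdr = HEADER_RE.match(lines[i])
                if hdr:
                    sess["req"][hdr.group(1).lower()] = hdr.group(2)
                i += 1
            if i < len(lines) and STATUS_RE.match(lines[i]):
                sess["status"] = int(STATUS_RE.match(lines[i]).group(1))
                i += 1
                while i < len(lines) and HEADER_RE.match(lines[i]):
                    hdr = HEADER_RE.match(lines[i])
                    sess["resp"][hdr.group(1).lower()] = hdr.group(2)
                    i += 1
            sessions.append(sess)
    return sessions


def is_trusted(host: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def summarize(sessions: List[Dict], suffixes=TRUSTED_SUFFIXES) -> List[Dict]:
    """One row per session: host, whether it is expected, UA, status, redirect."""
    rows = []
    for s in sessions:
        host = s["req"].get("host", "?")
        loc = s["resp"].get("location")
        rows.append({"host": host, "trusted": is_trusted(host, suffixes),
                     "method": s["method"], "path": s["path"],
                     "user_agent": s["req"].get("user-agent", ""),
                     "status": s["status"],
                     "location": refang(loc) if loc else None})
    return rows


def untrusted_hosts(sessions: List[Dict], suffixes=TRUSTED_SUFFIXES) -> List[str]:
    """Hosts outside the expected infrastructure: the ones worth a closer look."""
    return sorted({r["host"] for r in summarize(sessions, suffixes) if not r["trusted"]})


if __name__ == "__main__":
    for row in summarize(parse_sessions(SAMPLE_CAPTURE)):
        print(row)
    print("unexpected hosts:", untrusted_hosts(parse_sessions(SAMPLE_CAPTURE)))
```

Feed the whole Network Activity section to `parse_sessions` to get the full table; for this sample `untrusted_hosts` is empty, which is the point: the activity recorded here is Web Platform Installer and CryptoAPI traffic, and a non-empty result on another report is where to start looking.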

WebPlatformInstaller.exe_292_rwx_00B30000_0000C000:

?#{ ?#{4-
{08.{@8.{
{05%{@5%{


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). The process IDs below are those of the analysis run and will differ on another system. MsiExec.exe is the Windows Installer service process, here apparently installing the dropped wpi.msi package, so check what each instance is installing before ending it:

    %original file name%.exe:464
    MsiExec.exe:372
    MsiExec.exe:1968

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan. Most of them are written by the injected WebPlatformInstaller.exe:292 process and are Web Platform Installer feed cache (*.xml.temp, preprocessor\*.xml), log (logs\webpi\webpi.txt) and Internet Explorer cache entries; wpi.msi and WebPlatformInstaller_x86_en-US[1].msi (13454 bytes each) are the installer package the sample fetched:

    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\-230948881.xml.temp (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\1343597488.xml.temp (111948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\-97141593.xml.temp (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\-1877981721.xml (5572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\-1135381691.xml (8844 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\-97141593.xml (55924 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\1343597488.xml (1001578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\1055370499.xml.temp (2104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\logs\webpi\webpi.txt (18869 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (978 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (978 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\-1877981721.xml.temp (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\preprocessor\-230948881.xml (7772 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Web Platform Installer\-1135381691.xml.temp (2104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WebPlatformInstaller_x86_en-US[1].msi (13454 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wpi.msi (13454 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
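The removal list gives each artifact with a placeholder path and a byte size, which is enough to sweep another machine (or a mounted image) for the same files before deleting anything. The following Python script is an added example, not code from the original report or from Lavasoft: it parses lines in the report's `path (N bytes)` form, maps the `%Documents and Settings%\%current user%` placeholder onto a profile directory you supply, and reports presence and size match per file. The three embedded lines are copied from the list above; `self_check`, its temporary profile directory and the zero-filled decoy `wpi.msi` are constructed for demonstration.

```python
"""Sweep a user profile for the files the removal list above names, comparing
on-disk size with the size the report gives.  Added example; not code from the
original report or from Lavasoft."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

ARTIFACT_RE = re.compile(r"^(?P<path>.+?)\s+\((?P<size>\d+) bytes\)$")
PROFILE_PLACEHOLDER = r"%Documents and Settings%\%current user%"

# Constructed: three entries copied from the removal list above.
REPORT_LINES = [
    r"%Documents and Settings%\%current user%\Local Settings\Temp\wpi.msi (13454 bytes)",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (978 bytes)",
    r"%Documents and Settings%\%current user%\Local Settings\Application Data"
    r"\Microsoft\Web Platform Installer\logs\webpi\webpi.txt (18869 bytes)",
]


def parse_artifact(line: str) -> Tuple[str, int]:
    """Split 'path (N bytes)' into (path, N)."""
    m = ARTIFACT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an artifact line: {line!r}")
    return m.group("path"), int(m.group("size"))


def expand(report_path: str, profile_root) -> Path:
    """Replace the report's per-user placeholder with profile_root, e.g.
    C:\\Documents and Settings\\<user> on the live XP host or the same
    directory on a mounted image; backslashes are converted so the sweep
    also runs from a Linux forensic workstation."""
    if not report_path.startswith(PROFILE_PLACEHOLDER):
        raise ValueError(f"no per-user placeholder in {report_path!r}")
    rel = report_path[len(PROFILE_PLACEHOLDER):].lstrip("\\")
    return Path(profile_root).joinpath(*rel.split("\\"))


def sweep(lines: List[str], profile_root) -> List[Dict]:
    """For each listed artifact: is it present, and does its size match?
    A size mismatch on a log or cache file is normal (they keep growing);
    a match on wpi.msi is a strong sign the same package is on disk."""
    results = []
    for line in lines:
        report_path, expected = parse_artifact(line)
        p = expand(report_path, profile_root)
        present = p.is_file()
        actual = p.stat().st_size if present else None
        results.append({"path": p.as_posix(), "present": present,
                        "expected_size": expected, "actual_size": actual,
                        "size_matches": present and actual == expected})
    return results


def self_check() -> List[Dict]:
    """Plant one constructed decoy (wpi.msi, 13454 zero bytes) in a temporary
    profile directory and sweep it; the other two entries come back absent."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    decoy = expand(parse_artifact(REPORT_LINES[0])[0], root)
    decoy.parent.mkdir(parents=True, exist_ok=True)
    decoy.write_bytes(b"\x00" * 13454)
    return sweep(REPORT_LINES, root)


if __name__ == "__main__":
    for r in self_check():
        print(r)
```

Run `sweep` with the full list from step 3 and the real profile directory; treat a present `wpi.msi` or `WebPlatformInstaller_x86_en-US[1].msi` of matching size as the file to quarantine, and expect the log and cache entries to differ in size or be absent, since Web Platform Installer rewrites them on every run.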
