Trojan.Win32.Swrort.3_6a559f4f4f
not-a-virus:AdWare.Win32.BrainInst.o (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 6a559f4f4f017a804767c2fb10eb9e7b
SHA1: 08da13563d96a4204c20ea481f9ad0525d00b303
SHA256: 683810ef5274ac71325eb6c68611120dd30dc49c0aca1d67451991f853274770
SSDeep: 24576:mTh0TSTDC4UGHLMPE7QHMpOt3BUOhjjJL: h0TL4Ug4Muy0t5
Size: 827328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-09-13 17:25:37
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ctfmon.exe:1224
The Trojan injects its code into the following process(es):
%original file name%.exe:500
File activity
The process %original file name%.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3330_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_656.part (61382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3384_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3330.html (8664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_358.part (8251333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3384_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (168844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2972.html (16864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2979_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3940_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2978.html (3848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2973.html (5894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2973_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2998.html (6942 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3143.html (7987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg.gif (5373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_514.part (98121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3389.html (20291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_625.part (88598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2998_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3598.html (8248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2978_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\smart.js (24801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3878_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2979_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3940.html (20290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Video Performer63872.exe (827328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3330_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3878.html (19761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_613.part (4590295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3878_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_640.part (4115674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3143_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3143_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ajax-loader2.gif (6820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2978_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_feature_.png (7862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_feature_646.png (2700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2976.html (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\events\events.js (24689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\conditions\conditions.js (1730 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3363_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2998_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3384.html (5709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\old_smart.js (23124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2979.html (2886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2973_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\check.jpg (1039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3940_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3231.html (6179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3598_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3598_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ajax-loader.gif (3208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\48.tmp (13804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3363.html (5780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_369.part (29056876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_feature_405.png (5608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2977.html (5570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3389_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Рабочий Ñтол\Continue Video Performer installation.lnk (719 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013111320131114\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3363_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\arrow.gif (207 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\seesimilar.ico (99678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\speedanalysis.ico (30894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\jquery-1.7.min.js (94020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\config.js (1037 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg-bottom.gif (9289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_15.png (13027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3597.html (19832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg-top.gif (13909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\main.css (8524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3389_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_15.png (13027 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (0 bytes)
Registry activity
The process %original file name%.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111320131114]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111320131114]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013111320131114\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111320131114]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Документы\ÐœÐ¾Ñ Ð¼ÑƒÐ·Ñ‹ÐºÐ°"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий Ñтол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои риÑунки"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111320131114]
"CachePrefix" = ":2013111320131114:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозапиÑи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои риÑунки"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 5A 03 5F 61 2A 64 79 43 AD E1 BF 65 CD 95 21"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий Ñтол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111320131114]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Video Performer63872.exe" = "C:\DOCUME~1\test\LOCALS~1\Temp\Video Performer63872.exe /XML=C:\DOCUME~1\test\LOCALS~1\Temp\48.tmp /ROS /STP=0:2"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013093020131001]
The process ctfmon.exe:1224 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://api.ibario.com/utils/dns?cid=3872 |  50.22.175.81 |
| hxxp://www.namnamtech.com/ | 174.37.181.30 |
| hxxp://www.namnamtech.com/installer/603/start.cf?cmp=6&sub=3872&rkey={36208CC7-6DA4-4091-9B07-2DC4BD194340} (Malicious) | |
| hxxp://www.namnamtech.com/installer/603/startgui.cf?rkey={D831A3AA-CB0D-4FF6-9B65-C3848883328E} (Malicious) | |
| hxxp://stats1-1013604270.us-east-1.elb.amazonaws.com/service/stats.php?sv=1 | 107.20.137.62 |
| hxxp://api.ibario.com/track/ib-start?cid=3872 | |
| hxxp://api.ibario.com/track/ib-show?cid=3872&componentid=656 | |
| hxxp://api.ibario.com/track/ib-show?cid=3872&componentid=514 | |
| hxxp://www.namnamtech.com/files/components/TikaTB.cf (Malicious) | |
| hxxp://api.ibario.com/track/ib-show?cid=3872&componentid=369 | |
| hxxp://www.namnamtech.com/files/components/conduit_checker.exe (Malicious) | |
| hxxp://www.namnamtech.com/files/components/conduitinstaller.exe (Malicious) | |
| hxxp://www.namnamtech.com/files/products/seesimilarSetupv2.exe (Malicious) | |
| hxxp://www.namnamtech.com/files/components/SpeedanAlysisSetup.exe (Malicious) | |
| hxxp://www.namnamtech.com/files/products/VideoPerformerSetup.exe (Malicious) | |
| hxxp://www.namnamtech.com/files/components/yandex_downloader_v3.exe (Malicious) | |
| hxxp://www.namnamtech.com/files/components/MyBabylonTB3.cf (Malicious) | |
| hxxp://www.namnamtech.com/files/components/Cloud_Backup_Setup.exe (Malicious) | |
| hxxp://www.namnamtech.com/files/components/LizardLink_rh.exe (Malicious) | |
| hxxp://www.namnamtech.com/files/products/PCPerformerSetup_genericv3.cf (Malicious) | |
| hxxp://www.namnamtech.com/files/components/ZulaGamesSetup.exe (Malicious) | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the original Trojan's process (How to End a Process With the Task Manager).
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3330_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_656.part (61382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3384_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3330.html (8664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_358.part (8251333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3384_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (168844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2972.html (16864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2979_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3940_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2978.html (3848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2973.html (5894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2973_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2998.html (6942 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3143.html (7987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg.gif (5373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_514.part (98121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3389.html (20291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_625.part (88598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2998_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3598.html (8248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2978_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\smart.js (24801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3878_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2979_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3940.html (20290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Video Performer63872.exe (827328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3330_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3878.html (19761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_613.part (4590295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3878_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_640.part (4115674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3143_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3143_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ajax-loader2.gif (6820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2978_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_feature_.png (7862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_feature_646.png (2700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2976.html (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\events\events.js (24689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\conditions\conditions.js (1730 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3363_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2998_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3384.html (5709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\old_smart.js (23124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2979.html (2886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2973_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\check.jpg (1039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3940_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3231.html (6179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3598_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3598_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ajax-loader.gif (3208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\48.tmp (13804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3363.html (5780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_369.part (29056876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_feature_405.png (5608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2977.html (5570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3389_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Рабочий Ñтол\Continue Video Performer installation.lnk (719 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013111320131114\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3363_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\arrow.gif (207 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\seesimilar.ico (99678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\speedanalysis.ico (30894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\jquery-1.7.min.js (94020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\config.js (1037 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg-bottom.gif (9289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_15.png (13027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3597.html (19832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg-top.gif (13909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\main.css (8524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3389_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_15.png (13027 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Video Performer63872.exe" = "C:\DOCUME~1\test\LOCALS~1\Temp\Video Performer63872.exe /XML=C:\DOCUME~1\test\LOCALS~1\Temp\48.tmp /ROS /STP=0:2" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
