Win32.Sality.3_9b52e41417
Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 9b52e41417b7fbf50b55de9b97c0248c
SHA1: 02a5e2091757b6c9e8a960dfab5ed0abc3ff2740
SHA256: 434108235ab5eab821a40912aa72bd518f5d11aa84c6632cc5d7ae3b1271acca
SSDeep: 393216:qER9zgBomLitU6HgQDrOeaJ /pMzxq8zhVyuuWEZ:7kDLi5AQGr0V8zlK
Size: 13903056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Super PC Tools Ltd
Created at: 2012-12-04 15:55:11
Analyzed on: WindowsXP SP3 32-bit
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
%original file name%.exe:1892
Itygfl.exe:1880
The Worm injects its code into the following process(es):
Explorer.EXE:884
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1892 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\Vdlwqgghdsy.tmp (453316 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\wtzbmfkyv.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winrtgh.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\yhrqnzfos.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\vngvva.dll (2011 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\Itygfl.exe (1943872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00125E35_Rar\%original file name%.exe (106095 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\Vdlwqgghdsy.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\yhrqnzfos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winrtgh.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\wtzbmfkyv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\vngvva.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\Itygfl.exe (0 bytes)
The process Itygfl.exe:1880 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\podhl.dll (5 bytes)
%Program Files%\CinemaPlus-4.5vV20.06\utils.exe (58376 bytes)
%WinDir%\Tasks\45108de3-03ce-4a70-a8ea-7e26a3593ea2-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\rvgiusr.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\54067 (38739 bytes)
%Program Files%\CinemaPlus-4.5vV20.06\45108de3-03ce-4a70-a8ea-7e26a3593ea2-5.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (667164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\qdqhsqfvc.dll (29608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\wtzbmfkyv.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\dppztnsv.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\yhrqnzfos.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\138976 (9120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\iyqqqtrql.dll (3616 bytes)
%Program Files%\CinemaPlus-4.5vV20.06\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\ipgeoapi[1] (40 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\podhl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\rvgiusr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\54067 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\138976 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\qdqhsqfvc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\wtzbmfkyv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\dppztnsv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\yhrqnzfos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\iyqqqtrql.dll (0 bytes)
Registry activity
The process %original file name%.exe:1892 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Aas]
"a4_116" = "831618036"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas]
"a3_78" = "542637991"
"a3_79" = "549622726"
"a3_72" = "533156193"
"a3_73" = "506656128"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas]
"a3_98" = "685967115"
"a3_99" = "726580138"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 A0 A9 5F 05 3C 21 1D B7 02 7B 1E 79 65 24 F0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The process Itygfl.exe:1880 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\ArenaHD]
"Value" = "1"
[HKLM\SOFTWARE\HighDefAction]
"Value" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-4.5vV20.06]
"DisplayName" = "CinemaPlus-4.5vV20.06"
[HKCU\Software\YorkNewCin]
"Value" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\InstalledBrowserExtensions\30935\Status]
"Installed" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Crossrider]
"Verifier" = "5f72e33dbd3b41320ca31c44bbee79db"
[HKCU\Software\ArenaHD]
"Value" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-4.5vV20.06]
"CrAppId" = "74261"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\InstalledBrowserExtensions\Cinema PlusV20.06]
"74261" = "CinemaPlus-4.5vV20.06"
[HKCU\Software\InstalledBrowserExtensions\30935\Status]
"Installed" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\InstalledBrowserExtensions\30935]
"74261" = "CinemaPlus-4.5vV20.06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\YorkNewCin]
"Value" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-4.5vV20.06]
"DisplayIcon" = "%Program Files%\CinemaPlus-4.5vV20.06\utils.exe"
[HKLM\SOFTWARE\Crossrider]
"Bic" = "489a8b790810d1f418e4baf98ee7a6f8IE"
[HKCU\Software\HighDefAction]
"Value" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-4.5vV20.06]
"DisplayVersion" = "1.36.01.22"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Crossrider]
"Bic" = "489a8b790810d1f418e4baf98ee7a6f8IE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 9E B4 9E A1 A0 B0 32 7C A7 A9 E1 66 3E C5 7F"
[HKLM\SOFTWARE\Crossrider]
"Verifier" = "5f72e33dbd3b41320ca31c44bbee79db"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-4.5vV20.06]
"UninstallString" = "%Program Files%\CinemaPlus-4.5vV20.06\Uninstall.exe /fcp=1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-4.5vV20.06]
"CrPublisherId" = "30935"
[HKLM\SOFTWARE\InstalledBrowserExtensions\30935]
"74261" = "CinemaPlus-4.5vV20.06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-4.5vV20.06]
"Publisher" = "Cinema PlusV20.06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| c04af2ae6d2894e66e3d93ef37ca3479 | c:\Program Files\CinemaPlus-4.5vV20.06\45108de3-03ce-4a70-a8ea-7e26a3593ea2-5.exe |
| 6c88a3b7be7a3063e9c51777e792b188 | c:\Program Files\CinemaPlus-4.5vV20.06\Uninstall.exe |
| 20e4ea1c49198636ce999b7dbac2bad2 | c:\Program Files\CinemaPlus-4.5vV20.06\utils.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Cinema PlusV20.06
Product Name: CinemaPlus-4.5vV20.06
Product Version:
Legal Copyright: Copyright Cinema PlusV20.06
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.36.01.22
File Description: CinemaPlus-4.5vV20.06 Installer
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 34108 | 34304 | 4.23174 | 7b5dfa9fbfc1a70133a7bdfa0066be17 |
| .data | 40960 | 144 | 512 | 0.831186 | 28f29d4150b83e7faae233a71c5cab15 |
| .rdata | 45056 | 9272 | 9728 | 3.95241 | f652035f54b3a74c89f7bb1cb907d4d2 |
| .bss | 57344 | 297092 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 356352 | 4868 | 5120 | 3.6057 | 0d5c3df1017a50cd5a6baab82c884d87 |
| .ndata | 364544 | 598016 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
| .rsrc | 962560 | 102400 | 99328 | 5.14445 | a0e1af5fa8f7e3ca681129f97454d516 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=600&n=deploy_omaha_start_funnel_step_name&rnd=1435628570 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=1435628573 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=400&n=deploy_verifier_start_funnel_step_name&rnd=1435628570 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=300&n=deploy_start_funnel_step_name&rnd=1435628568 | |
| hxxp://logs.neomaxsrv.com/monetization.gif?event=3&ibic=489a8b790810d1f418e4baf98ee7a6f8IE&verifier=5f72e33dbd3b41320ca31c44bbee79db&campaign=003044&country=ua&app=74261&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1435628555&asw=0_1073750528_-2147483648_0&browser=&rnd=1435628555 | |
| hxxp://stats.neomaxsrv.com/installer.gif?action=started&app=74261&appver=0&ver=1_36_01_22&version_date=15-06-20&bic=489a8b790810d1f418e4baf98ee7a6f8IE&verifier=5f72e33dbd3b41320ca31c44bbee79db&upi=489a8b790810d1f418e4baf98ee7a6f8&procid=E4190FE0152E4AFFABC02DA2DB033747PI&srcid=003044&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_57&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899358217&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=DigitNetwork&mdat=AVwJJNql/PbKhW0jLxP2pgYdRC8Adht035Oiv/VdBFOgH1lCSRYDzu1eiJRQRcekoAV4wQCv0/3FoAU6Nq4TyNSQ1/Xncv9B/aXZSLXHvoHFDg44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1435628555&procruntime=12&rnd=1435628567 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=200&n=init_end_funnel_step_name&rnd=1435628568 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=1435628571 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=10000&n=deploy_end_funnel_step_name&rnd=1435628573 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1435628572 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=100&n=init_start_funnel_step_name&rnd=1435628555 | |
| hxxp://errors.neomaxsrv.com/utility.gif?report=fdata&f=1&c=003044&i=900&n=deploy_ff_start_funnel_step_name&rnd=1435628571 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE Win32/Toolbar.CrossRider.A Checkin
Traffic
GET /utility.gif?report=fdata&f=1&c=003044&i=100&n=init_start_funnel_step_name&rnd=1435628555 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: NCPDwIGnCENRQfEL0il1JOeyEFFNwP29dssYEl6emyhrd4seg4udJ 5/YHrGAHWBi6sZ7wtX6LI=
x-amz-request-id: 2E9994C3424BCA94
Date: Tue, 30 Jun 2015 01:42:37 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /installer-error.gif?action=sesamy&app=74261&appver=0&ver=1_36_01_22&version_date=15-06-20&bic=489a8b790810d1f418e4baf98ee7a6f8IE&verifier=5f72e33dbd3b41320ca31c44bbee79db&upi=489a8b790810d1f418e4baf98ee7a6f8&procid=E4190FE0152E4AFFABC02DA2DB033747PI&srcid=003044&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&error=0&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899358217&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=DigitNetwork&procstarttime=1435628555&procruntime=12&rnd=1435628567 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: aK2JbjS9oiT36JkQoQRJNCZEyqpxqYNWxZgN02y4iW NEAe4OlqWC5KMopBoKNUfVXIyKw42uo8=
x-amz-request-id: D63344446F6CB4DE
Date: Tue, 30 Jun 2015 01:42:47 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:10 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=200&n=init_end_funnel_step_name&rnd=1435628568 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: NjuKZbrtH4PkLhCLwHdq1GMloulc1XfDqVm/EobPIjXwYJdi8MBFZjIZJsaXYWaM6vI 7ADHwFo=
x-amz-request-id: AECC2B7B384AD109
Date: Tue, 30 Jun 2015 01:42:48 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=300&n=deploy_start_funnel_step_name&rnd=1435628568 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: BZuiHgHgf2f8O5 XFSsNxQGGBepw4AR1uKfqaKrnEfeXt 9JAZ9yq/NihJrYl9 QQvYT7t8NKzc=
x-amz-request-id: 43CADC47B0387047
Date: Tue, 30 Jun 2015 01:42:48 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=400&n=deploy_verifier_start_funnel_step_name&rnd=1435628570 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: VXA9jhHDicufGNcjtcxeNgYUYVAXBP43AOu8c9814WxMT5vMw01Gte5VsF3jJZdkGjOa09Zl2O8=
x-amz-request-id: 6D08D9350654D6C0
Date: Tue, 30 Jun 2015 01:42:49 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=500&n=deploy_notification_start_funnel_step_name&rnd=1435628570 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: tbLKg1ib05jGWekMWJshcEEiDnoCVzVWOrTV0vQL4YLVWO8/TKwnP0cPM/Mh4EPSu5pJ0wy6t5I=
x-amz-request-id: AA2EB6FB036F8F23
Date: Tue, 30 Jun 2015 01:42:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=600&n=deploy_omaha_start_funnel_step_name&rnd=1435628570 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: Exo/nKS5NkGVtD2Cjd4n/hx1wDzrMzVd7E7Rcc33158AGeV6WylD7RKTF9tu WIh2upuQ3mAVuk=
x-amz-request-id: B5044553A7A6CC72
Date: Tue, 30 Jun 2015 01:42:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=700&n=deploy_ch_start_funnel_step_name&rnd=1435628571 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 6sOzzn sPRKMgv y1uGaQo9C7KqB2C1UaW4wTxeZbb p6386VWbZ5PRDhjp0hUvVtnOn2Rr435M=
x-amz-request-id: 22A312D414DF3DB3
Date: Tue, 30 Jun 2015 01:42:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=800&n=deploy_nova_start_funnel_step_name&rnd=1435628571 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: oeiGai/oJ847wORJEMbuwjU82vBrOva w0V21n qaeBCO2awItJwG79ApIhanpUCKKZPxxSJhvA=
x-amz-request-id: CB3446CD43E6E77D
Date: Tue, 30 Jun 2015 01:42:50 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=900&n=deploy_ff_start_funnel_step_name&rnd=1435628571 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: GOlYFSyi5YYpZmm7T0u6d1TaiRoT3HCYCJjP0R9oUvR 4wVCSkLTEcUmfOs4iI 3E3TiIiHryaY=
x-amz-request-id: 82067BB157671934
Date: Tue, 30 Jun 2015 01:42:51 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=1435628571 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: KN4xLad7c87UxbaONgwua8QA2MLHcL51Ycxmfx3pZmFojse6QTP7Xt02R0dBgVJCnjic AvjhbY=
x-amz-request-id: 741049F9AEA3E492
Date: Tue, 30 Jun 2015 01:42:51 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=1000&n=deploy_ie_start_funnel_step_name&rnd=1435628571 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: yiiJshyBQOjOdF UOh0U cXT/TmQzpK6T4INnZOensGotvJo0jbywdDtaQDYxQXfWIOv8qmVzxM=
x-amz-request-id: C718AA564585D738
Date: Tue, 30 Jun 2015 01:42:51 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1435628572 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: fUmIj8f3DDK3kf1c7W0BcSqxh5Loy94Xec5OHD5TNz2Wuebh 3rKenpZVMwV2Y9Ze4z6JxBS7 c=
x-amz-request-id: E8D5D6A7BAE27F2F
Date: Tue, 30 Jun 2015 01:42:51 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=1435628573 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: PHnbk7J3KySDFqMtEJmhD5Jkf4YZssVUMR0RxbKkBmqGJdkabhRbjMVbZiz6aAmvkolG8o/Mxpc=
x-amz-request-id: 221D8A6FC17A9425
Date: Tue, 30 Jun 2015 01:42:53 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=003044&i=10000&n=deploy_end_funnel_step_name&rnd=1435628573 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: VD3FjRbmVH0xTckY7gr2ia7hxGVtjqL11tBVknqKOc8axKh3vwT7RbgmnctPwMoi39HuS/94dXw=
x-amz-request-id: 85E49B6DD071332D
Date: Tue, 30 Jun 2015 01:42:53 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:31:15 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /installer.gif?action=started&app=74261&appver=0&ver=1_36_01_22&version_date=15-06-20&bic=489a8b790810d1f418e4baf98ee7a6f8IE&verifier=5f72e33dbd3b41320ca31c44bbee79db&upi=489a8b790810d1f418e4baf98ee7a6f8&procid=E4190FE0152E4AFFABC02DA2DB033747PI&srcid=003044&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_57&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899358217&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=DigitNetwork&mdat=AVwJJNql/PbKhW0jLxP2pgYdRC8Adht035Oiv/VdBFOgH1lCSRYDzu1eiJRQRcekoAV4wQCv0/3FoAU6Nq4TyNSQ1/Xncv9B/aXZSLXHvoHFDg44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1435628555&procruntime=12&rnd=1435628567 HTTP/1.1
Host: stats.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: u7emOEUwABJBZOk56mEqaLwsJdehjzRYlGL2fJngG2RnD6UB9FCX49LAwuL5YBlt5xdn84UqEt0=
x-amz-request-id: 4A08993417C5151D
Date: Tue, 30 Jun 2015 01:42:47 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Mon, 18 May 2015 15:28:28 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET / HTTP/1.1
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 30 Jun 2015 01:42:45 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":222,"country_name":"UA"}
GET /monetization.gif?event=3&ibic=489a8b790810d1f418e4baf98ee7a6f8IE&verifier=5f72e33dbd3b41320ca31c44bbee79db&campaign=003044&country=ua&app=74261&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1435628555&asw=0_1073750528_-2147483648_0&browser=&rnd=1435628555 HTTP/1.1
Host: logs.neomaxsrv.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 30 Jun 2015 01:42:46 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1435628566.dop011.fr7.t,1435628566.cds021.fr7.c
GIF89a.............,...........D..;
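The requests above are what the ET "Win32/Toolbar.CrossRider.A Checkin" rule fired on: every utility.gif hit reports one step of an install funnel (c= is the campaign id, i= the step index, n= the step name), installer.gif and installer-error.gif carry the host fingerprint, and monetization.gif ties the install to the campaign. None of this traffic goes to the kukutrustnet*.info or klkjwre9fqwieluoi.info URLs that the strings dump below attributes to the code injected into Explorer.EXE, so a network signature derived from this capture alone covers the bundled installer, not the Sality component. The Python script below is an added example, not part of the report or of any vendor tooling: it parses request blocks in the plain-text form shown above, keeps only requests to the beacon hosts and endpoints seen in the capture, and reconstructs the funnel. The sample capture inside it is constructed from the requests on this page with the long query strings shortened; the www.example.com request is an assumed benign line added for contrast.

```python
"""Reconstruct the CrossRider-style installer telemetry seen in the capture
above from plain-text HTTP requests.  Added example, not part of the report."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts and endpoints exactly as they appear in the captured traffic; the
# amazonaws/hwcdn hosts from the URL table would be added the same way.
BEACON_HOST_SUFFIXES = ("neomaxsrv.com",)
BEACON_PATHS = {"/utility.gif", "/installer.gif",
                "/installer-error.gif", "/monetization.gif"}
# The target is everything between the method and the trailing HTTP version,
# so a query containing spaces (osprod=Microsoft Windows XP above) stays whole.
REQUEST_LINE = re.compile(r"^(GET|POST)\s+(.+?)\s+HTTP/1\.[01]\s*$")


@dataclass
class Beacon:
    host: str
    path: str
    params: dict  # first value of each query parameter

    @property
    def campaign(self) -> Optional[str]:
        # utility.gif: c=, installer*.gif: srcid=, monetization.gif: campaign=
        return (self.params.get("c") or self.params.get("srcid")
                or self.params.get("campaign"))

    @property
    def funnel_step(self) -> Optional[tuple]:
        p = self.params
        if self.path == "/utility.gif" and p.get("report") == "fdata" and "i" in p:
            return int(p["i"]), p.get("n", "")
        return None


def iter_requests(capture: str):
    """Yield (target, request_headers) for each request in a text capture.
    Response lines that follow a request are harmless: 'HTTP/1.1 200 OK' has
    no colon and is skipped, and only the Host header is ever read."""
    target, headers = None, {}
    for line in capture.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            if target is not None:
                yield target, headers
            target, headers = m.group(2), {}
        elif target is not None and ":" in line:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), value.strip())
    if target is not None:
        yield target, headers


def is_beacon_host(host: str) -> bool:
    """Exact host or subdomain match; 'evilneomaxsrv.com' must not match."""
    host = host.lower().rsplit(":", 1)[0]  # drop an explicit port
    return any(host == s or host.endswith("." + s) for s in BEACON_HOST_SUFFIXES)


def extract_beacons(capture: str) -> list:
    found = []
    for target, headers in iter_requests(capture):
        host = headers.get("host", "")
        parts = urlsplit(target)
        if not is_beacon_host(host) or parts.path not in BEACON_PATHS:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        found.append(Beacon(host.lower(), parts.path,
                            {k: v[0] for k, v in query.items()}))
    return found


def funnel_steps(beacons) -> list:
    """Distinct (index, name) install-funnel steps, ordered by index."""
    return sorted({b.funnel_step for b in beacons if b.funnel_step})


def triage(capture: str) -> dict:
    beacons = extract_beacons(capture)
    steps = funnel_steps(beacons)
    return {
        "beacon_hosts": sorted({b.host for b in beacons}),
        "campaigns": sorted({b.campaign for b in beacons if b.campaign}),
        "funnel_steps": steps,
        "deploy_finished": any(n == "deploy_end_funnel_step_name" for _, n in steps),
    }


# Constructed from the requests on this page; long query strings shortened and
# an assumed benign www.example.com request added for contrast.
SAMPLE_CAPTURE = """\
GET /utility.gif?report=fdata&f=1&c=003044&i=100&n=init_start_funnel_step_name&rnd=1435628555 HTTP/1.1
Host: errors.neomaxsrv.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 35
GET /utility.gif?report=fdata&f=1&c=003044&i=300&n=deploy_start_funnel_step_name&rnd=1435628568 HTTP/1.1
Host: errors.neomaxsrv.com
GET /utility.gif?report=fdata&f=1&c=003044&i=10000&n=deploy_end_funnel_step_name&rnd=1435628573 HTTP/1.1
Host: errors.neomaxsrv.com
GET / HTTP/1.1
Host: ipgeoapi.com
GET /monetization.gif?event=3&campaign=003044&country=ua&app=74261&os=XP32&browser=&rnd=1435628555 HTTP/1.1
Host: logs.neomaxsrv.com
GET /images/logo.gif HTTP/1.1
Host: www.example.com
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CAPTURE), indent=2))
```

Matching on host suffix plus the four endpoint paths, rather than on whole URLs, survives the per-request rnd= and timing parameters; the step index is the useful pivot because it is stable across campaigns, and a funnel that reaches i=10000 (deploy_end) tells you the bundled software was fully deployed, not merely attempted. The ipgeoapi.com lookup that precedes the beacons is the installer's country check and is deliberately left out of the beacon set: it is a generic service, and the country value it returns shows up afterwards as country=ua in the beacons themselves.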
The Worm connects to the servers at the following location(s) (Host headers from the captured traffic above):
errors.neomaxsrv.com
stats.neomaxsrv.com
logs.neomaxsrv.com
ipgeoapi.com
Strings from dumps:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
Explorer.EXE_884_rwx_01CA0000_00001000:
|explorer.exeM_884_
Explorer.EXE_884_rwx_02340000_0108E000:
c:\windows
hXXp://VVV.eri.edu.pk/images/logo.gif
hXXp://fourline.com.tr/images/logo.gif
hXXp://eylenirik.biz/logo.gif
hXXp://fotbalbaska.yc.cz/images/fmain.gif
hXXp://eskimovie.com/images/logo.gif
hXXp://esteticaespacobemestar.com.br/logo.gif
hXXp://forceline.com.tr/images/logo.gif
hXXp://esource.co.in/images/logo2.gif
hXXp://ads.yuppads.com/logo.gif
hXXp://cart133.org/images/main.gif
hXXp://finepearl.com.hk/images/logo.gif
%System%\drivers\gggofn.sys
12032183118
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1892
Itygfl.exe:1880
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\Vdlwqgghdsy.tmp (453316 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\wtzbmfkyv.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winrtgh.exe (741 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\yhrqnzfos.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\vngvva.dll (2011 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp\Itygfl.exe (1943872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00125E35_Rar\%original file name%.exe (106095 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\podhl.dll (5 bytes)
%Program Files%\CinemaPlus-4.5vV20.06\utils.exe (58376 bytes)
%WinDir%\Tasks\45108de3-03ce-4a70-a8ea-7e26a3593ea2-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\rvgiusr.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\54067 (38739 bytes)
%Program Files%\CinemaPlus-4.5vV20.06\45108de3-03ce-4a70-a8ea-7e26a3593ea2-5.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (667164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\qdqhsqfvc.dll (29608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\wtzbmfkyv.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\dppztnsv.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\yhrqnzfos.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\138976 (9120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp\iyqqqtrql.dll (3616 bytes)
%Program Files%\CinemaPlus-4.5vV20.06\Uninstall.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\ipgeoapi[1] (40 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
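For the removable-drive step, the following Python script is an added example, not part of this report or of Ad-Aware: a tolerant autorun.inf parser that reports which files an autorun.inf would launch when the drive is opened, plus a scan over a list of drive roots. The sample autorun.inf embedded in it is constructed for illustration; the RECYCLER path and the launcher.exe name are placeholders, not file names taken from this sample. Run it from a clean machine with AutoRun disabled and the suspect drive mounted, and treat its output as a pointer only: the report also lists writes to existing executables (Reader_sl.exe, jusched.exe, utils.exe), so deleting autorun.inf and the file it names is not the whole cleanup.

```python
"""Autorun.inf triage for the removable-drive cleanup step.  Added example,
not part of the Lavasoft report.  The sample autorun.inf below is constructed;
the RECYCLER path and launcher.exe are placeholders, not names from this sample."""
import re
from pathlib import Path

# [autorun] keys that make Explorer execute something when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)
# First token of a command line: either a double-quoted path or a bare one.
FIRST_TOKEN = re.compile(r'^"([^"]+)"|^(\S+)')


def parse_autorun(text: str) -> list:
    """Launch commands declared under [autorun], in file order.

    Tolerant on purpose: section and key names are case-insensitive, blank and
    ';' comment lines are skipped, and lines outside [autorun] or without an
    '=' are ignored, so padding junk cannot hide the real entries."""
    commands, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if value and (key in LAUNCH_KEYS or SHELL_COMMAND.match(key)):
            commands.append(value)
    return commands


def referenced_file(command: str) -> str:
    """The executable part of a launch command, arguments stripped."""
    m = FIRST_TOKEN.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def triage_autorun_bytes(data: bytes) -> list:
    """Unique files an autorun.inf body would execute, in order of appearance.
    latin-1 decoding never raises, so binary junk in the file cannot abort
    triage; a UTF-8 BOM is stripped so the first line still parses."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    seen, files = set(), []
    for cmd in parse_autorun(data.decode("latin-1")):
        f = referenced_file(cmd)
        if f.lower() not in seen:
            seen.add(f.lower())
            files.append(f)
    return files


def scan_drives(roots) -> dict:
    """Map each root that carries an autorun.inf to the files it points at.
    Pass drive roots such as 'E:\\' on Windows or mount points elsewhere."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            report[str(root)] = triage_autorun_bytes(inf.read_bytes())
    return report


# Constructed sample: mixed key case, a quoted command with arguments, and a
# decoy section after [autorun], the kinds of variation a naive parser misses.
SAMPLE_INF = b"""\
;constructed sample, not the worm's real autorun.inf
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
OPEN=RECYCLER\\S-1-5-21\\launcher.exe
ShellExecute = "RECYCLER\\S-1-5-21\\launcher.exe" /auto
shell\\open\\command=launcher.exe
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    import sys
    # usage: python autorun_triage.py E:\ F:\
    for root, files in scan_drives(sys.argv[1:]).items():
        print(root, "->", files)
    print("sample ->", triage_autorun_bytes(SAMPLE_INF))
```

The parser reports the three ways an autorun.inf can start a program (open=, shellexecute=, and shell\<verb>\command=) and nothing else, so an icon= line that points at a DLL does not produce a false hit, while an entry hidden after a decoy section or written in odd case is still found.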