Virus Profile: Generic Downloader.g

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/31/2005
Date Added: 10/6/2004
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 7273
Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Nod32 - Win32/Spy.Zbot.AAO trojan
  • Symantec - Trojan.Gen
  • Microsoft - PWS:Win32/Zbot
  • Norman - W32/ZBot.BJKJ (trojan)
  • Avira - TR/Spy.ZBot.EB.107

Indication of Infection

    • Presence of the above-mentioned files and registry keys.
    • Presence of the above-mentioned activities.
    • It connects to the following sites and downloads malicious files:
      • [removed]eaarc.com/down/update10h.rar
      • [removed]eaard.com/down/hou.rar
      • [removed]eaarb.com/down/hou.rar

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Virus Characteristics

------------------------Updated on June 6th 2014-------------------------------

Aliases –

  • Baidu-International - Adware.Win32.Download.108
  • Kaspersky - Trojan-Downloader.Win32.Genome.hhzm


Characteristics:

“Generic Downloader.g” is a detection for a potentially unwanted program that is not a virus or Trojan. It downloads and installs Radsteroids, which displays pop-up ads, advertisement banners and sponsored links within Internet Explorer, Firefox and Google Chrome.

During installation the file encountered a problem and crashed, but it still attempted to install Radsteroids.

Upon execution the program connects to the following URLs:


Upon execution the following files have been added to the system.

  • %temp%\nsn2B4.tmp\Helper.dll
  • %temp%\nsn2B4.tmp\RadsteroidsInstall.exe
  • %temp%\nso2B2.tmp\registry.dll
  • %temp%\nsx2AF.tmp
  • %allusersprofile%\Application Data\Radsteroids\app.dat
  • %allusersprofile%\Application Data\Radsteroids\data.dat
  • %allusersprofile%\Application Data\Radsteroids\info.dat
  • %allusersprofile%\Application Data\Radsteroids\Radsteroids.ico
  • %allusersprofile%\Application Data\Radsteroids\RadsteroidsService.exe
  • %allusersprofile%\Application Data\Radsteroids\RadsteroidsService.exe.config
  • %allusersprofile%\Application Data\Radsteroids\Uninstall.exe

Upon execution the following folders have been added to the system.

  • %temp%\nsn2B4.tmp
  • %temp%\nso2B2.tmp
  • %allusersprofile%\Application Data\Radsteroids

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32c64e20-dbdb-2827-2993-da7806f211dc}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5ee1282c-6511-2f28-194d-554b8f88583d}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\Enum

The following registry values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}\id: "fb32ea2331d94017b675a0d9fe9986b4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}\vp: "2.7.12131259"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}\p: "131259"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}\ip: "131259"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}\ad: "radsteroids.com"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}\ns: "RDST"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}\v: "2.7.12"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32c64e20-dbdb-2827-2993-da7806f211dc}\ik: "{8f787b0e-f3e8-3e8a-6c41-d52c8ce60389}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5ee1282c-6511-2f28-194d-554b8f88583d}\p: "131259"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5ee1282c-6511-2f28-194d-554b8f88583d}\id: "fb32ea2331d94017b675a0d9fe9986b4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}\: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\id: "fb32ea2331d94017b675a0d9fe9986b4"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids\DisplayIcon: "%allusersprofile%\Application Data\Radsteroids\Radsteroids.ico"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids\DisplayName: "Radsteroids"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids\Publisher: "Deals Interactive Media, LLC"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids\HelpLink: "http://www.radsteroids.com/about.html"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids\DisplayVersion: "2.7.12"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids\UninstallString: "%allusersprofile%\Application Data\Radsteroids\uninstall.exe /kb=y /ic=9"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids\EstimatedSize: 0x00000568
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radsteroids\InstallDate: "20140604"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000\Control\*NewlyCreated*: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000\Service: "Radsteroids"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000\ConfigFlags: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\0000\DeviceDesc: "Radsteroids"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RADSTEROIDS\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\Enum\0: "Root\LEGACY_RADSTEROIDS\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\ErrorControl: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\ImagePath: "%allusersprofile%\Application Data\Radsteroids\RadsteroidsService.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\DisplayName: "Radsteroids"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Radsteroids\ObjectName: "LocalSystem"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RADSTEROIDS\0000\Control\*NewlyCreated*: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RADSTEROIDS\0000\Service: "Radsteroids"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RADSTEROIDS\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RADSTEROIDS\0000\ConfigFlags: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RADSTEROIDS\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RADSTEROIDS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RADSTEROIDS\0000\DeviceDesc: "Radsteroids"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RADSTEROIDS\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\Enum\0: "Root\LEGACY_RADSTEROIDS\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\ErrorControl: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\ImagePath: "%allusersprofile%\Application Data\Radsteroids\RadsteroidsService.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\DisplayName: "Radsteroids"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Radsteroids\ObjectName: "LocalSystem"
  • HKEY_USER\S-1-5-21-[VARIES]\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{2670000A-7350-4f3c-8081-5663EE0C6C49}: 0x00002002
  • HKEY_USER\S-1-5-21-[VARIES]\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{92780B25-18CC-41C8-B9BE-3C9C571A8263}: 0x00002003
  • HKEY_USER\S-1-5-21-[VARIES]\Software\DynConIE\id: "fb32ea2331d94017b675a0d9fe9986b4"

The following registry values have been modified on the system:

  • HKEY_USER\S-1-5-21-[VARIES]\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\NextId: 0x00002002
  • HKEY_USER\S-1-5-21-[VARIES]\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\NextId: 0x00002004
  • HKEY_USER\S-1-5-21-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: binary data
  • HKEY_USER\S-1-5-21-[VARIES]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: binary data

------------------------Updated on April 17th 2014-------------------------------

Aliases –

  • Kaspersky - Trojan.Win32.Agent.icbs
  • Fortinet - W32/Dloader.G!tr
  • Sunbelt - Trojan.Win32.Generic!BT


Characteristics:

“Generic Downloader.g” is a detection for a Trojan that downloads other malicious files.

Upon execution the Trojan connects to the following IP address:

  • 37.[removed].127

Upon execution the following files have been added to the system.

  • %temp%\ABF54AE500247FF4B4909FF295A1AC9C44F08D65
  • %temp%\nse9.tmp\file1.exe
  • %temp%\nse9.tmp\file2.exe
  • %WINDIR%\System32\dfrg\mst.exe
  • %WINDIR%\System32\dfrg\stub.exe
  • %WINDIR%\System32\dfrg\reg_util.exe
  • %WINDIR%\System32\dfrg\svc.exe
  • %temp%\nsc11.tmp\Processes.dll
  • %temp%\nsmE.tmp
  • %temp%\nsc11.tmp
  • %temp%\nsd8.tmp
  • %temp%\nse9.tmp
  • %temp%\nsw1E.tmp
  • %temp%\nsh1F.tmp
  • %temp%\pack.tmp
  • %temp%\nsc11.tmp\utils_plugin.dll
  • %temp%\nsh1F.tmp\System.dll
  • %temp%\nsh1F.tmp\SimpleSC.dll
  • %appdata%\Updater\updater.dll
  • %temp%\nsc11.tmp\NSISdl.dll

------------------------Updated on Feb 20th 2014-------------------------------

Aliases –

  • ESET-NOD32 - Win32/Delf.OGJ
  • Kaspersky - Trojan.Win32.Boht.acl
  • Microsoft - TrojanDownloader:Win32/Umbald.A


“Generic Downloader.g” is a worm that may propagate via removable drives or network shares. It is also designed to download other malicious files.

Upon execution, the worm creates the following file in the location below:

  • [Removable drive]:\starter.exe

It also drops an autorun.inf file into the root of all removable and mapped drives, in an attempt to have an executable run automatically when the drive is accessed.

The AutoRun.inf file points to the malware executable; when the removable or network drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the worm file via the following command syntax:

[AUTORUN]
open=starter.exe
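
As an added example (not code from the McAfee profile), the following Python parser triages an autorun.inf of the kind described above: it reads the INI-style file, collects every directive under [autorun] that can start a program (open, shellexecute and shell\...\command), and flags the file when one of them points at an executable. The icon, action and shell\explore\command lines in the constructed sample are assumptions added to exercise the other launch paths; only the [AUTORUN]/open=starter.exe directive comes from the profile.

```python
"""Triage an autorun.inf from a removable drive (added example, not McAfee's code)."""
from __future__ import annotations
import re

# Directives under [autorun] through which Windows Autorun could start a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js")

# Constructed sample built around the directive quoted in the profile; the icon,
# action and shell\explore\command lines are assumptions added for illustration.
SAMPLE_AUTORUN_INF = """\
[AUTORUN]
open=starter.exe
icon=starter.exe,0
action=Open folder to view files
shell\\explore\\command=starter.exe
"""


def parse_autorun_inf(text: str) -> dict[str, dict[str, str]]:
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lower-cased because Windows treats them
    case-insensitively; values keep their original case.
    """
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def launch_targets(text: str) -> list[tuple[str, str]]:
    """Return (directive, command) pairs from [autorun] that would run something."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(key, value) for key, value in autorun.items()
            if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)]


def program_of(command: str) -> str:
    """Extract the program path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_suspicious(text: str) -> bool:
    """True when a launch directive points at an executable-like file.

    Software CDs also use open=, so treat this as a triage flag: an autorun.inf
    on a USB stick that launches a root-level .exe is what the profile describes.
    """
    return any(program_of(command).lower().endswith(EXECUTABLE_EXTS)
               for _, command in launch_targets(text))


if __name__ == "__main__":
    for directive, command in launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{directive} -> {command}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
```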

Upon execution the Trojan connects to the following URLs:

  • hxxp://199.7.[Removed].190/pca3.crl
  • hxxp://199.7.[Removed].190/CSC3-2009-2.crl
  • to[Removed]g.ru

The following registry key has been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\#xP#J4DG

The following registry key value has been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe: "" %userprofile%\Desktop\1360675196.exe""

The above registry entry ensures that the worm is executed on every system boot.

The worm creates a mutex with the following name:

  • #xP#J4DG

------------------------Updated on December 12th 2013--------------------

Aliases

  • Microsoft - TrojanDownloader:Win32/Upatre.J
  • Kaspersky - Trojan.Win32.Agent.ibgu
  • Symantec - Trojan.Zbot

“Generic Downloader.g” is a detection for a Trojan that downloads a malicious file from a remote server and executes it on the user's system. It also steals sensitive information from the compromised machine and sends it to the remote attacker. It spreads via spam mail as an attachment. The Trojan may delete itself after execution.


“Generic Downloader.g” steals stored passwords, cache and cookies from the following applications:

  • E-mail client
  • Browser
  • FTP client

Upon execution, the Trojan drops files into the following locations:

  • %AppData%\Microsoft\Address Book\username.wab
  • %AppData%\Eceg\ryraaf.exe [Detected as pwszbot-fln!30b785b93eea]
  • %temp%\supdater.exe [Detected as downloader-fxr!9ebc342110dc]
  • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\FJ6SRVGY\pdf[1].exe [Detected as pwszbot-fln!e77e5c42c51a]

The following folders are created by the Trojan:

  • %AppData%\Microsoft\Address Book
  • %AppData%\Eceg


Upon execution the Trojan injects code into explorer.exe and tries to connect to the following URLs:


The following registry keys have been added to the system:

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Uthouwn
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List


The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000

The above registry value ensures that the Trojan disables the firewall's “disable notification message” setting.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7303:UDP: "7303:UDP:*:Enabled:UDP 7303"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7070:TCP: "7070:TCP:*:Enabled:TCP 7070"

The two GloballyOpenPorts entries add Windows Firewall exceptions for UDP port 7303 and TCP port 7070.

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Upmiw: ""%AppData%\Eceg\ryraaf.exe""

The above registry entry ensures that the malware is executed every time the system starts up.
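
As an added example (not code from the McAfee profile), the following Python snippet shows how a responder can triage registry values of the two kinds listed above: it parses the GloballyOpenPorts\List value format (port:protocol:scope:state:name) and flags exceptions that are enabled for any remote host, and it flags Run values that launch a program from a user-writable path such as %AppData%. The 7303/7070 firewall entries and the Upmiw Run value are the ones quoted in the profile; the 3389 and OneDrive rows, the S-1-5-21-PLACEHOLDER SID and the value-triple layout are constructed assumptions for contrast.

```python
"""Triage firewall-exception and Run-key values (added example, not McAfee's code)."""
from __future__ import annotations
from dataclasses import dataclass

# Key suffixes as quoted in the profile; compared case-insensitively below.
OPEN_PORTS_LIST = r"\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
# Path fragments that mean "user-writable location", where an autostart entry is unusual.
USER_WRITABLE_HINTS = ("%appdata%", "%temp%", "%userprofile%", "\\application data\\", "\\appdata\\")

# Constructed sample of (key, value name, data) triples, as a registry export tool
# would list them. The 7303/7070 and Upmiw rows come from the profile; the 3389 and
# OneDrive rows are benign-looking assumptions added for contrast.
SAMPLE_VALUES = [
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet" + OPEN_PORTS_LIST, "7303:UDP", "7303:UDP:*:Enabled:UDP 7303"),
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet" + OPEN_PORTS_LIST, "7070:TCP", "7070:TCP:*:Enabled:TCP 7070"),
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet" + OPEN_PORTS_LIST, "3389:TCP", "3389:TCP:LocalSubNet:Enabled:Remote Desktop"),
    ("HKEY_USERS\\S-1-5-21-PLACEHOLDER" + RUN_KEY, "Upmiw", '"%AppData%\\Eceg\\ryraaf.exe"'),
    ("HKEY_USERS\\S-1-5-21-PLACEHOLDER" + RUN_KEY, "OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
]


@dataclass
class OpenPort:
    port: int
    protocol: str
    scope: str      # "*" = any remote address, "LocalSubNet", or an address list
    enabled: bool
    name: str


def parse_open_port(data: str) -> OpenPort:
    """Parse a GloballyOpenPorts\\List value of the form port:protocol:scope:state:name."""
    fields = data.split(":", 4)  # the display name may itself contain colons
    if len(fields) != 5:
        raise ValueError(f"unexpected GloballyOpenPorts value: {data!r}")
    port, protocol, scope, state, name = fields
    return OpenPort(int(port), protocol.upper(), scope, state.lower() == "enabled", name)


def triage(values) -> list[str]:
    """Return one finding per value that matches the behaviour the profile describes."""
    findings = []
    for key, name, data in values:
        upper_key = key.upper()
        if upper_key.endswith(OPEN_PORTS_LIST.upper()):
            entry = parse_open_port(data)
            if entry.enabled and entry.scope == "*":
                findings.append(f"firewall exception open to any remote host: {entry.port}/{entry.protocol} ({entry.name})")
        elif upper_key.endswith(RUN_KEY.upper()):
            if any(hint in data.lower() for hint in USER_WRITABLE_HINTS):
                findings.append(f"Run value {name!r} starts a program from a user-writable path: {data}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_VALUES):
        print(finding)
```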

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\
    • LDAP Server ID: 0x00000003
    • Account Name: "WhoWhere Internet Directory Service"
    • LDAP Server: "ldap.whowhere.com"
    • LDAP URL: "http://www.whowhere.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\
    • LDAP Server ID: 0x00000002
    • Account Name: "VeriSign Internet Directory Service"
    • LDAP Server: "directory.verisign.com"
    • LDAP URL: "ht

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

   
