Virus: WORM/Palevo.jvq
Date discovered: 05/10/2009
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 116.736 Bytes
MD5 checksum: 48f1aeecb06e745a44eefc3c05b7156b
VDF version: 7.01.06.72

General Methods of propagation:
   • Autorun feature
   • Local network
   • Messenger
   • Peer to Peer


Aliases:
   •  Mcafee: W32/Rimecud
   •  Kaspersky: P2P-Worm.Win32.Palevo.jvq
   •  TrendMicro: WORM_RIMCUD.SM
   •  F-Secure: Worm.P2P.Palevo.O
   •  Sophos: W32/Rimecud-B
   •  Eset: Win32/Peerfrag.EJ
   •  Bitdefender: Worm.P2P.Palevo.O


Platforms / OS:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %drive%\restore.exe



The following file is created:
   • %drive%\autorun.inf

This is a plain, non-malicious text file; its content points Windows at the worm when the drive is opened with the Autorun feature:
   • %code that runs malware%

Registry
The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Taskman"=" %malware execution directory%\dllrun32.exe"
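The two persistence artefacts above, the autorun.inf in a drive root and the "Taskman" value under the Winlogon key, can be triaged offline from the text of an autorun.inf and a .reg export of the Winlogon key. The following Python is an added example written for this description, not Avira's code; both inputs are constructed, with only the file names restore.exe and dllrun32.exe taken from the description, and the "%malware execution directory%" placeholder is kept exactly as the page gives it.

```python
"""Offline triage of the two persistence artefacts named in this description:
an autorun.inf in a drive root and a "Taskman" value under the Winlogon key.
Added example (not Avira's tooling). Both inputs are CONSTRUCTED; only the
file names restore.exe and dllrun32.exe are taken from the description."""
import configparser
import re

# CONSTRUCTED autorun.inf: the description does not reproduce the real
# content, only that it runs the malware. The directives below are the
# launch keys Windows honours in this file.
SAMPLE_AUTORUN_INF = """[autorun]
open=restore.exe
shellexecute=restore.exe
shell\\open\\command=restore.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# CONSTRUCTED .reg export of the Winlogon key carrying the value the
# description lists; "%malware execution directory%" is the page's placeholder.
SAMPLE_WINLOGON_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Taskman"=" %malware execution directory%\\dllrun32.exe"
'''

# autorun.inf keys that name a program to launch when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")


def autorun_launch_targets(text):
    """Return the distinct programs an autorun.inf would launch."""
    # interpolation=None: "%SystemRoot%" must not be read as a format spec.
    # strict=False: real-world files often repeat keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []                      # no [section] header or otherwise malformed
    if not cp.has_section("autorun"):
        return []
    targets = []
    for key, value in cp.items("autorun"):
        # shell\<verb>\command entries are context-menu verbs that also run a program
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            targets.append(value.strip().lower())
    return list(dict.fromkeys(targets))  # de-duplicate, keep order


def winlogon_values(reg_text):
    """Parse the Winlogon section of a .reg export into {name: value}."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip().lower().endswith("\\winlogon]")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            # .reg files escape a backslash as "\\".
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def suspicious_winlogon(values):
    """Flag Winlogon values that would hand control to a non-default program.

    Taskman does not exist on a default installation, so any value is a
    finding. Shell and Userinit have well-known defaults to compare against.
    """
    findings = []
    taskman = values.get("Taskman", "").strip()
    if taskman:
        findings.append(("Taskman", taskman))
    shell = values.get("Shell", "").strip().lower()
    if shell and shell != "explorer.exe":
        findings.append(("Shell", values["Shell"]))
    userinit = values.get("Userinit", "").strip().lower()
    if userinit and not userinit.endswith("\\system32\\userinit.exe,"):
        findings.append(("Userinit", values["Userinit"]))
    return findings


def triage(autorun_text, reg_text):
    """Combine both checks into one report."""
    return {
        "autorun_targets": autorun_launch_targets(autorun_text),
        "winlogon": suspicious_winlogon(winlogon_values(reg_text)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUN_INF, SAMPLE_WINLOGON_REG))
```

The Winlogon check deliberately treats any Taskman value as a finding rather than matching the page's file name: the value is absent on a clean system, so its mere presence is the signal, and a renamed dropper would otherwise slip past.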

P2P
In order to infect other systems in the Peer to Peer network community, the following action is performed. It searches for the following locations:
   • %ALLUSERSPROFILE%\Local Settings\Application Data\Ares\My Shared Folder
   • %PROGRAM FILES%\LimeWire\LimeWire.props

It retrieves shared folders by querying the following registry keys:
   • Software\BearShare\General
   • Software\iMesh\General
   • Software\Shareaza\Shareaza\Downloads
   • Software\Kazaa\LocalContent
   • Software\DC++
   • Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1


Messenger
It is spreading via Messenger. The characteristics are described below:

MSN Messenger

To:
All entries in the contact list.


Propagation via URL
It sends the following link:
   • http://obamawebcam.com/load.php

At the time of analysis the file was not online anymore.

Hosts
The hosts file is modified as explained below:

Access to the following domains is effectively blocked:
   • 127.0.0.1 www.k-lite.tk; 127.0.0.1 litetk.com; 127.0.0.1
      kazaa.ishareit.com; 127.0.0.1 www.kazaagold.com; 127.0.0.1
      www.kazaa-gold.com; 127.0.0.1 kazaagold.com; 127.0.0.1 www.k-lite.com;
      127.0.0.1 www.kazaa-download.de; 127.0.0.1 www.mp3downloadhq.com;
      127.0.0.1 www.easymusicdownload.com; 127.0.0.1 easymusicdownload.com;
      127.0.0.1 www.mp3madeeasy.com; 127.0.0.1 www.monstershare.com;
      127.0.0.1 monstershare.com; 127.0.0.1 www.kazaa-plus.net; 127.0.0.1
      kazaa-plus.net; 127.0.0.1 www.kazaa-plus.com; 127.0.0.1
      www.edonkey.com; 127.0.0.1 www.kazaa-file-sharing-downloads.com;
      127.0.0.1 www.kazaaplatinum.com; 127.0.0.1 www.madeformusic.com;
      127.0.0.1 www.ikazaa.net; 127.0.0.1 ikazaa.net; 127.0.0.1
      www.ondemandmp3.com; 127.0.0.1 www.mp3u.com; 127.0.0.1
      www.mp3specialty.com; 127.0.0.1 music-download-world.com; 127.0.0.1
      song-download-world.com; 127.0.0.1 www.flixs.net; 127.0.0.1
      www.ishareit.net; 127.0.0.1 www.ishareit.com; 127.0.0.1
      www.download-doctor.com; 127.0.0.1 www.ezmp3download.com; 127.0.0.1
      www.freesoftusa.com; 127.0.0.1 www.kazaamedia.com; 127.0.0.1
      mp3-network.com; 127.0.0.1 www.mp3-network.com; 127.0.0.1
      www.mp3grandcentral.net; 127.0.0.1 www.mp333.com; 127.0.0.1
      www.kazaamate.com; 127.0.0.1 www.emule.biz; 127.0.0.1 www.kazaam8.tk;
      127.0.0.1 www.rippro.com; 127.0.0.1 www.kaaza.com; 127.0.0.1
      secure.Webstartz.com; 127.0.0.1 www.kazaalite.de; 127.0.0.1
      www.kazza.de; 127.0.0.1 kazza.com; 127.0.0.1 www.kazaalite.at;
      127.0.0.1 www.kazaalite.ch; 127.0.0.1 www.kazaa-hilfe.de; 127.0.0.1
      www.edonkey-2000.de; 127.0.0.1 www.edonkey-bot.de; 127.0.0.1
      www.edonkey-edonkey2000.de; 127.0.0.1 www.edonkey-hilfe.de; 127.0.0.1
      www.edonkey-morpheus-forum.de; 127.0.0.1 www.emule-hilfe.de; 127.0.0.1
      www.file-sharing-forum.de; 127.0.0.1 www.filesharing-forum.de;
      127.0.0.1 www.imesh-download.de; 127.0.0.1 www.kazaa-kaza.de;
      127.0.0.1 www.kazaa-lite.info; 127.0.0.1 www.kazaa-lite-download.de;
      127.0.0.1 www.1md.de; 127.0.0.1 www.mariodolzer.de; 127.0.0.1
      www.morpheus-forum.de; 127.0.0.1 www.overnet-download.de; 127.0.0.1
      www.overnet-hilfe.de; 127.0.0.1 www.winmx-download.de; 127.0.0.1
      www.winmx-hilfe.de; 127.0.0.1 www.download-und-hilfe.de; 127.0.0.1
      www.filesharing-hilfe-forum.de; 127.0.0.1 www.musik-download.biz;
      127.0.0.1 www.mp3downloads.ch; 127.0.0.1 www.songfly.com; 127.0.0.1
      www.kazaa.nl; 127.0.0.1 1stsoftwaredownloads.com; 127.0.0.1
      morpheus-download-morpheus.com; 127.0.0.1 www.icisnet.org; 127.0.0.1
      software.global-netcom.de; 127.0.0.1 www.filesharing-download.de;
      127.0.0.1 www.p2p.tm; 127.0.0.1 www.filesharing-center.de; 127.0.0.1
      www.filesharing-tools.de; 127.0.0.1 kazaa-download-kazaa.com;
      127.0.0.1 www.interscilsa.com; 127.0.0.1 www.dvd-download-free.com;
      127.0.0.1 www.howtominibooks.com; 127.0.0.1 www.internetmovies.com;
      127.0.0.1 www.rippro.net; 127.0.0.1 www.musicmoviesbooks.com;
      127.0.0.1 www.kazaalite.org; 127.0.0.1 www.getmp3music.com; 127.0.0.1
      www1.ishareit.com; 127.0.0.1 www.filesharing-software.de; 127.0.0.1
      www.firewarez.com; 127.0.0.1 www.k-lite.co.uk; 127.0.0.1 kazzaa.info;
      127.0.0.1 www.morpheusp2p.com; 127.0.0.1 www.mudima.com; 127.0.0.1
      www.download-central.com; 127.0.0.1 kazaaplatinum.com; 127.0.0.1
      www.dingosoft.net; 127.0.0.1 www.kazaa-advance.com; 127.0.0.1
      www.downloads-unlimited.com; 127.0.0.1 klserver.port5.com; 127.0.0.1
      rippro.net; 127.0.0.1 www.findkazaalite.com; 127.0.0.1
      www.freegoldkazaa.com; 127.0.0.1 www.freekazaalite.com; 127.0.0.1
      www.kazaalitekpp.com; 127.0.0.1 kazaa.filez.ws; 127.0.0.1
      www.kazaalite-download.com; 127.0.0.1 www.kazaavip.com; 127.0.0.1
      compgenie.host.sk; 127.0.0.1 www.musicdownloadcenter.com; 127.0.0.1
      www.kazza-lite.net; 127.0.0.1 www.every.biz; 127.0.0.1 123banners.com;
      127.0.0.1 ad.adsmart.net; 127.0.0.1 ad.ca.doubleclick.net; 127.0.0.1
      ad.de.doubleclick.net; 127.0.0.1 ad.doubleclick.net; 127.0.0.1
      ad.es.doubleclick.net; 127.0.0.1 ad.fr.doubleclick.net; 127.0.0.1
      ad.free6.com; 127.0.0.1 ad.it.doubleclick.net; 127.0.0.1 ad.iwin.com;
      127.0.0.1 ad.jp.doubleclick.net; 127.0.0.1 ad.kr.doubleclick.net;
      127.0.0.1 ad.linkexchange.com; 127.0.0.1 ad.linksynergy.com; 127.0.0.1
      ad.nl.doubleclick.net; 127.0.0.1 ad.no.doubleclick.net; 127.0.0.1
      ad.preferences.com; 127.0.0.1 ad.se.doubleclick.net; 127.0.0.1
      ad.sma.punto.net; 127.0.0.1 ad.trafficmp.com; 127.0.0.1
      ad.uk.doubleclick.net; 127.0.0.1 ad.webprovider.com; 127.0.0.1
      ad08.focalink.com; 127.0.0.1 ad1.adcept.net; 127.0.0.1 ad1.icorp.net;
      127.0.0.1 ad1.looksmart.com; 127.0.0.1 ad1.peel.com; 127.0.0.1
      ad2.adcept.net; 127.0.0.1 ad2.looksmart.com; 127.0.0.1 ad2.peel.com;
      127.0.0.1 ad3.adcept.net; 127.0.0.1 ad3.peel.com; 127.0.0.1
      ad4.peel.com; 127.0.0.1 ad-adex3.flycast.com; 127.0.0.1
      adcontroller.unicast.com; 127.0.0.1 adcreatives.imaginemedia.com;
      127.0.0.1 addb.looksmart.com; 127.0.0.1 adevents.msn.com; 127.0.0.1
      adex3.flycast.com; 127.0.0.1 adforce.ads.imgis.com; 127.0.0.1
      adforce.imgis.com; 127.0.0.1 adfu.blockstackers.com; 127.0.0.1
      adimage.blm.net; 127.0.0.1 adimages.earthweb.com; 127.0.0.1
      adimages.go.com; 127.0.0.1 adimages.imaginemedia.com; 127.0.0.1
      adimg.egroups.com; 127.0.0.1 admedia.xoom.com; 127.0.0.1
      admonitor.net; 127.0.0.1 adpick.switchboard.com; 127.0.0.1
      adproject.net; 127.0.0.1 adremote.pathfinder.com; 127.0.0.1
      adres.internet.com; 127.0.0.1 ads.adflight.com; 127.0.0.1
      ads.ad-flow.com; 127.0.0.1 ads.admaximize.com; 127.0.0.1
      ads.admonitor.net; 127.0.0.1 ads.adroar.com; 127.0.0.1
      ads.astalavista.us; 127.0.0.1 ads.bfast.com; 127.0.0.1 ads.box.sk;
      127.0.0.1 ads.burstnet.com; 127.0.0.1 ads.cdfreaks.com; 127.0.0.1
      ads.chrbanner.com; 127.0.0.1 ads.clickagents.com; 127.0.0.1
      ads.clickhouse.com; 127.0.0.1 ads.dai.net; 127.0.0.1 ads.datais.com;
      127.0.0.1 ads.enliven.com; 127.0.0.1 ads.eu.msn.com; 127.0.0.1
      ads.fairfax.com.au; 127.0.0.1 ads.fool.com; 127.0.0.1
      ads.fortunecity.com; 127.0.0.1 ads.fortunecity.fr; 127.0.0.1
      ads.freeze.com; 127.0.0.1 ads.freshmeat.net; 127.0.0.1 ads.god.co.uk;
      127.0.0.1 ads.guardianunlimited.co.uk; 127.0.0.1 ads.hitcents.com;
      127.0.0.1 ads.hollywood.com; 127.0.0.1 ads.i12.de; 127.0.0.1
      ads.i33.com; 127.0.0.1 ads.ign.com; 127.0.0.1 ads.imaginemedia.com;
      127.0.0.1 ads.indya.com; 127.0.0.1 ads.infi.net; 127.0.0.1
      ads.irover.com; 127.0.0.1 ads.ixo.com; 127.0.0.1 ads.jpost.com;
      127.0.0.1 ads.jwtt3.com; 127.0.0.1 ads.killerapp.com; 127.0.0.1
      ads.link4ads.com; 127.0.0.1 ads.linksponsor.com; 127.0.0.1
      ads.looksmart.com; 127.0.0.1 ads.lycos.com; 127.0.0.1 ads.lycos.de;
      127.0.0.1 ads.madison.com; 127.0.0.1 ads.mediaodyssey.com; 127.0.0.1
      ads.mediaturf.net; 127.0.0.1 ads.msn.com; 127.0.0.1 ads.musiccity.com;
      127.0.0.1 ads.netomia.com; 127.0.0.1 ads.netpumper.com; 127.0.0.1
      ads.newcity.com; 127.0.0.1 ads.newcitynet.com; 127.0.0.1
      ads.ninemsn.com.au; 127.0.0.1 ads.rediff.com; 127.0.0.1
      ads.satyamonline.com; 127.0.0.1 ads.seattletimes.com; 127.0.0.1
      ads.smartclicks.com; 127.0.0.1 ads.smartclicks.net; 127.0.0.1
      ads.sptimes.com; 127.0.0.1 ads.startpath.com; 127.0.0.1
      ads.station.sony.com; 127.0.0.1 ads.tiscali.fr; 127.0.0.1
      ads.tripod.com; 127.0.0.1 ads.tucows.com; 127.0.0.1
      ads.vcommunities.com; 127.0.0.1 ads.web.aol.com; 127.0.0.1
      ads.x10.com; 127.0.0.1 ads.xtra.co.nz; 127.0.0.1 ads.zdnet.com;
      127.0.0.1 ads01.focalink.com; 127.0.0.1 ads02.focalink.com; 127.0.0.1
      ads03.focalink.com; 127.0.0.1 ads04.focalink.com; 127.0.0.1
      ads05.focalink.com; 127.0.0.1 ads06.focalink.com; 127.0.0.1
      ads07.focalink.com; 127.0.0.1 ads08.focalink.com; 127.0.0.1
      ads09.focalink.com; 127.0.0.1 ads1.activeagent.at; 127.0.0.1
      ads1.ad-flow.com; 127.0.0.1 ads1.speedbit.com; 127.0.0.1
      ads10.focalink.com; 127.0.0.1 ads11.focalink.com; 127.0.0.1
      ads12.focalink.com; 127.0.0.1 ads13.focalink.com; 127.0.0.1
      ads14.focalink.com; 127.0.0.1 ads15.focalink.com; 127.0.0.1
      ads16.focalink.com; 127.0.0.1 ads17.focalink.com; 127.0.0.1
      ads18.focalink.com; 127.0.0.1 ads19.focalink.com; 127.0.0.1
      ads2.speedbit.com; 127.0.0.1 ads2.zdnet.com; 127.0.0.1
      ads20.focalink.com; 127.0.0.1 ads21.focalink.com; 127.0.0.1
      ads22.focalink.com; 127.0.0.1 ads23.focalink.com; 127.0.0.1
      ads24.focalink.com; 127.0.0.1 ads25.focalink.com; 127.0.0.1
      ads3.speedbit.com; 127.0.0.1 ads3.zdnet.com; 127.0.0.1
      ads4.speedbit.com; 127.0.0.1 ads5.gamecity.net; 127.0.0.1
      ads5.speedbit.com; 127.0.0.1 ads6.speedbit.com; 127.0.0.1
      ads7.speedbit.com; 127.0.0.1 ads8.speedbit.com; 127.0.0.1
      adserv.bravenet.com; 127.0.0.1 adserv.iafrica.com; 127.0.0.1
      adserv.internetfuel.com; 127.0.0.1 adserv.quality-channel.de;
      127.0.0.1 adserver.adtech.de; 127.0.0.1 adserver.affiliation.com;
      127.0.0.1 adserver.akqa.net; 127.0.0.1 adserver.dbusiness.com;
      127.0.0.1 adserver.directforce.net; 127.0.0.1 adserver.garden.com;
      127.0.0.1 adserver.gorillanation.com; 127.0.0.1 adserver.humanux.com;
      127.0.0.1 adserver.imaginemedia.com; 127.0.0.1 adserver.isonews.com;
      127.0.0.1 adserver.janes.com; 127.0.0.1 adserver.lunarpages.com;
      127.0.0.1 adserver.merc.com; 127.0.0.1 adserver.monster.com; 127.0.0.1
      adserver.track-star.com; 127.0.0.1 adserver.tweakers.net; 127.0.0.1
      adserver.ugo.com; 127.0.0.1 adserver.webads.nl; 127.0.0.1
      adserver1.ogilvy-interactive.de; 127.0.0.1 adserver2.imaginemedia.com;
      127.0.0.1 adsubstract; 127.0.0.1 ads-ussj1.focalink.com; 127.0.0.1
      adtegrity.spinbox.net; 127.0.0.1 adulttds.com; 127.0.0.1
      aglink.mircx.com; 127.0.0.1 antfarm-ad.flycast.com; 127.0.0.1
      asm3.z1.adserver.com; 127.0.0.1 au.ads.link4ads.com; 127.0.0.1
      bach.aureate.com; 127.0.0.1 badservant.guj.de; 127.0.0.1
      banner.50megs.com; 127.0.0.1 banner.adverity.com; 127.0.0.1
      banner.commissionpartner.com; 127.0.0.1 banner.de; 127.0.0.1
      banner.easyspace.com; 127.0.0.1 banner.free6.com; 127.0.0.1
      banner.i-3.de; 127.0.0.1 banner.media-system.de; 127.0.0.1
      banner.orb.net; 127.0.0.1 banner.relcom.ru; 127.0.0.1
      bannerad.ipgnet.com; 127.0.0.1 bannerads.de; 127.0.0.1
      bannerfarm.ace.advertising.com; 127.0.0.1 bannerimages.0catch.com;
      127.0.0.1 bannermaster.geektech.com; 127.0.0.1 banner-net.com;
      127.0.0.1 bannerpower.com; 127.0.0.1 banners.adultfriendfinder.com;
      127.0.0.1 banners.easydns.com; 127.0.0.1 banners.free6.com; 127.0.0.1
      banners.hotlinks.net; 127.0.0.1 banners.looksmart.com; 127.0.0.1
      banners.nextcard.com; 127.0.0.1 banners.pennyweb.com; 127.0.0.1
      banners.valuead.com; 127.0.0.1 banners.webmasterplan.com; 127.0.0.1
      banners.wunderground.com; 127.0.0.1 bannervip.webjump.com; 127.0.0.1
      banzai.moodlogic.com; 127.0.0.1 barnesandnoble.bfast.com; 127.0.0.1
      beseen.com; 127.0.0.1 beseen.looksmart.com; 127.0.0.1
      beseen5.looksmart.com; 127.0.0.1 beseenad.looksmart.com; 127.0.0.1
      beseenad1.looksmart.com; 127.0.0.1 beseenad2.looksmart.com; 127.0.0.1
      beseenad3.looksmart.com; 127.0.0.1 beseenadx.looksmart.com; 127.0.0.1
      bfast.com; 127.0.0.1 bins.lop.com; 127.0.0.1 bizad.nikkeibp.co.jp;
      127.0.0.1 bn.bfast.com; 127.0.0.1 botw.topbucks.com; 127.0.0.1
      bsads.looksmart.com; 127.0.0.1 by.advertising.com; 127.0.0.1
      c1.thecounter.com; 127.0.0.1 c2.thecounter.com; 127.0.0.1
      c3.xxxcounter.com; 127.0.0.1 califia.imaginemedia.com; 127.0.0.1
      cash4banner.com; 127.0.0.1 cash4banner.de; 127.0.0.1 cgi.sexlist.com;
      127.0.0.1 click.avenuea.com; 127.0.0.1 click.go2net.com; 127.0.0.1
      click.linksynergy.com; 127.0.0.1 clickagents.com; 127.0.0.1
      clicks.about.com; 127.0.0.1 clicks.nastydollars.com; 127.0.0.1
      clicks.oxcash.com; 127.0.0.1 clit5.sextracker.com; 127.0.0.1
      code02.pbtech.net; 127.0.0.1 commonwealth.riddler.com; 127.0.0.1
      connect.online-dialer.com; 127.0.0.1 cookies.cmpnet.com; 127.0.0.1
      cornflakes.pathfinder.com; 127.0.0.1 counter.hitbox.com; 127.0.0.1
      counter1.sextracker.com; 127.0.0.1 counter10.sextracker.com; 127.0.0.1
      counter11.sextracker.com; 127.0.0.1 counter12.sextracker.com;
      127.0.0.1 counter13.sextracker.com; 127.0.0.1
      counter14.sextracker.com; 127.0.0.1 counter15.sextracker.com;
      127.0.0.1 counter16.sextracker.com; 127.0.0.1 counter2.sextracker.com;
      127.0.0.1 counter3.sextracker.com; 127.0.0.1 counter4.sextracker.com;
      127.0.0.1 counter5.sextracker.com; 127.0.0.1 counter6.sextracker.com;
      127.0.0.1 counter7.sextracker.com; 127.0.0.1 counter8.sextracker.com;
      127.0.0.1 counter9.sextracker.com; 127.0.0.1 crs.akamai.com; 127.0.0.1
      crux.songline.com; 127.0.0.1 ct.iac-online.de; 127.0.0.1
      de.netstatpro.net; 127.0.0.1 desktop.grokster.com; 127.0.0.1
      dialer.offshoreclicks.com; 127.0.0.1 doubleclick.net; 127.0.0.1
      download1.0190-dialer.com; 127.0.0.1 download1.libereco.net; 127.0.0.1
      download2.0190-dialer.com; 127.0.0.1 econnect.libereco.net; 127.0.0.1
      ehg.hitbox.com; 127.0.0.1 ehg-commjun.hitbox.com; 127.0.0.1
      erie.smartage.com; 127.0.0.1 etad.telegraph.co.uk; 127.0.0.1
      everyone.net; 127.0.0.1 exchange-it.com; 127.0.0.1 exitfuel.com;
      127.0.0.1 exitmoney.com; 127.0.0.1 fast.mediacharger.com; 127.0.0.1
      focalink.com; 127.0.0.1 fp.valueclick.com; 127.0.0.1
      fragmentserv.iac-online.de; 127.0.0.1 free.fuck-portal.com; 127.0.0.1
      freeadultlottery.com; 127.0.0.1 freeasiahardcore.com; 127.0.0.1
      freebieclub.com; 127.0.0.1 freebigcocks.net; 127.0.0.1
      freecelebnudity.com; 127.0.0.1 freefarmpics.com; 127.0.0.1
      freegaybears.net; 127.0.0.1 freegaylottery.com; 127.0.0.1
      freenaughtyteens.com; 127.0.0.1 freepass.elitecities.com; 127.0.0.1
      fs.dai.net; 127.0.0.1 gadgeteer.pdamart.com; 127.0.0.1
      global.msads.net; 127.0.0.1 gm.preferences.com; 127.0.0.1
      go.ezgreen.com; 127.0.0.1 got2goshop.com; 127.0.0.1
      goto.trafficmultiplier.com; 127.0.0.1 gp.dejanews.com; 127.0.0.1
      hacker-spider.de; 127.0.0.1 hc2.humanclick.com; 127.0.0.1
      hg1.hitbox.com; 127.0.0.1 hit.hotlog.ru; 127.0.0.1 hitbox.com;
      127.0.0.1 hitmatic.com; 127.0.0.1 hitsfrom.popuprush.com; 127.0.0.1
      hotfreewebcams.com; 127.0.0.1 hypercount.com; 127.0.0.1
      ifcol.exitfuel.com; 127.0.0.1 image.click2net.com; 127.0.0.1
      image.eimg.com; 127.0.0.1 images.sexlist.com; 127.0.0.1
      images2.nytimes.com; 127.0.0.1 imageserv.adtech.de; 127.0.0.1
      img.lop.com; 127.0.0.1 impnl.tradedoubler.com; 127.0.0.1
      internetfuel.com; 127.0.0.1 itn.adbureau.net; 127.0.0.1
      jcms.cydoor.com; 127.0.0.1 jeeves.flycast.com; 127.0.0.1
      jobkeys.ngadcenter.net; 127.0.0.1 kansas.valueclick.com; 127.0.0.1
      leader.linkexchange.com; 127.0.0.1 linkbuddies.com; 127.0.0.1
      liquidad.narrowcastmedia.com; 127.0.0.1 liveadvert.com; 127.0.0.1
      ln.doubleclick.net; 127.0.0.1 looksmartclicks.com; 127.0.0.1 lop.com;
      127.0.0.1 lsads.looksmart.com.au; 127.0.0.1 m.doubleclick.net;
      127.0.0.1 macaddictads.snv.futurenet.com; 127.0.0.1
      marketing-internet.com; 127.0.0.1 maxexp.com; 127.0.0.1
      maximumcash.com; 127.0.0.1 maximumpcads.imaginemedia.com; 127.0.0.1
      media.carpediem.fr; 127.0.0.1 media.expedia.com; 127.0.0.1
      media.fastclick.net; 127.0.0.1 media.popuptraffic.com; 127.0.0.1
      media.preferences.com; 127.0.0.1 media20.fastclick.net; 127.0.0.1
      mediacharger.com; 127.0.0.1 mediamgr.ugo.com; 127.0.0.1 megacash.de;
      127.0.0.1 megawebcams.tv; 127.0.0.1 mercury.rmuk.co.uk; 127.0.0.1
      millenium-hitz.com; 127.0.0.1 mjxads.internet.com; 127.0.0.1
      monitor.looksmart.com; 127.0.0.1 monsterhitz.to; 127.0.0.1
      musiccity.streamcastnetwork.com; 127.0.0.1 n24.de; 127.0.0.1
      nbc.adbureau.net; 127.0.0.1 network.realmedia.com; 127.0.0.1
      newads.cmpnet.com; 127.0.0.1 newsticker.shortnews.de; 127.0.0.1
      ng3.ads.warnerbros.com; 127.0.0.1 ngads.smartage.com; 127.0.0.1
      nitrous.exitfuel.com; 127.0.0.1 nsads.hotwired.com; 127.0.0.1
      ntbanner.digitalriver.com; 127.0.0.1 oad.realmedia.com; 127.0.0.1
      oas.benchmark.fr; 127.0.0.1 onresponse.com; 127.0.0.1
      oz.valueclick.com; 127.0.0.1 p.wtlive.com; 127.0.0.1 paycounter.com;
      127.0.0.1 ph-ad04.focalink.com; 127.0.0.1 ph-ad05.focalink.com;
      127.0.0.1 ph-ad07.focalink.com; 127.0.0.1 ph-ad16.focalink.com;
      127.0.0.1 ph-ad17.focalink.com; 127.0.0.1 ph-ad18.focalink.com;
      127.0.0.1 php.offshoreclicks.com; 127.0.0.1 pluto.beseen.com;
      127.0.0.1 pop.mircx.com; 127.0.0.1 popup.found404.com; 127.0.0.1
      porn-attack.com; 127.0.0.1 portal.hostultra.com; 127.0.0.1
      proxy.ladot.com; 127.0.0.1 pub.epiknet.org; 127.0.0.1
      pub.infiniland.com; 127.0.0.1 pub.ketix.com; 127.0.0.1
      pub.telmedia.fr; 127.0.0.1 pub.weborama.fr; 127.0.0.1
      publish.hometown.aol.co.uk; 127.0.0.1 realads.realmedia.com; 127.0.0.1
      redherring.ngadcenter.net; 127.0.0.1 redirect.click2net.com; 127.0.0.1
      redirect.iac-online.de; 127.0.0.1 regio.adlink.de; 127.0.0.1
      ResponseMedia-ad.flycast.com; 127.0.0.1 retaildirect.realmedia.com;
      127.0.0.1 rmads.eu.msn.com; 127.0.0.1 rs.webmasterplan.com; 127.0.0.1
      s0.bluestreak.com; 127.0.0.1 s1.bluestreak.com; 127.0.0.1
      s2.bluestreak.com; 127.0.0.1 s2.focalink.com; 127.0.0.1
      s3.bluestreak.com; 127.0.0.1 s4.bluestreak.com; 127.0.0.1
      s5.bluestreak.com; 127.0.0.1 s6.bluestreak.com; 127.0.0.1
      s7.bluestreak.com; 127.0.0.1 s8.bluestreak.com; 127.0.0.1 sbee.com;
      127.0.0.1 script.weborama.fr; 127.0.0.1 search.kazaa.com; 127.0.0.1
      secserv.imgis.com; 127.0.0.1 servedby.advertising.com; 127.0.0.1
      servedby.advertwizard.com; 127.0.0.1 server.hamster.com; 127.0.0.1
      server-uk.imrworldwide.com; 127.0.0.1 sexpromote.com; 127.0.0.1
      sextracker.com; 127.0.0.1 sh4banner.de; 127.0.0.1
      sh4sure-images.adbureau.net; 127.0.0.1 shop.freepush.com; 127.0.0.1
      shortwin.de; 127.0.0.1 specialoffers.aol.com; 127.0.0.1
      spezialreporte.de; 127.0.0.1 spin.spinbox.net; 127.0.0.1
      sprinks-clicks.about.com; 127.0.0.1 spylog.com; 127.0.0.1
      srv1.bannercommunity.de; 127.0.0.1 srv2.bannercommunity.de; 127.0.0.1
      srv3.bannercommunity.de; 127.0.0.1 static.admaximize.com; 127.0.0.1
      stats.superstats.com; 127.0.0.1 stats3.porntrack.com; 127.0.0.1
      statse.webtrendslive.com; 127.0.0.1 Suissa-ad.flycast.com; 127.0.0.1
      survey.proactive.nl; 127.0.0.1 sview.avenuea.com; 127.0.0.1
      t0.extreme-dm.com; 127.0.0.1 thinknyc.eu-adcenter.net; 127.0.0.1
      tour01.bangbus.com; 127.0.0.1 tpl1.realtracker.com; 127.0.0.1
      tracker.clicktrade.com; 127.0.0.1 trinityacquisitions.com; 127.0.0.1
      tsms-ad.tsms.com; 127.0.0.1 tuerck.de.counted.com; 127.0.0.1
      twistedhumor.com; 127.0.0.1 ugo.eu-adcenter.net; 127.0.0.1
      uk1.linksynergy.com; 127.0.0.1 uk2.linksynergy.com; 127.0.0.1
      uk3.linksynergy.com; 127.0.0.1 uk4.linksynergy.com; 127.0.0.1
      uk5.linksynergy.com; 127.0.0.1 us.adserver.yahoo.com; 127.0.0.1
      v0.extreme-dm.com; 127.0.0.1 v1.extreme-dm.com; 127.0.0.1
      valueclick.com; 127.0.0.1 van.ads.link4ads.com; 127.0.0.1 vant.guj.de;
      127.0.0.1 venus.goclick.com; 127.0.0.1 view.accendo.com; 127.0.0.1
      view.avenuea.com; 127.0.0.1 vis1.sexlist.com; 127.0.0.1
      vis2.sexlist.com; 127.0.0.1 vis3.sexlist.com; 127.0.0.1
      vis4.sexlist.com; 127.0.0.1 vis5.sexlist.com; 127.0.0.1
      visit.referralware.com; 127.0.0.1 visite.weborama.fr; 127.0.0.1
      VNU.eu-adcenter.net; 127.0.0.1 w0.extreme-dm.com; 127.0.0.1
      w113.hitbox.com; 127.0.0.1 w117.hitbox.com; 127.0.0.1 w25.hitbox.com;
      127.0.0.1 web2.deja.com; 127.0.0.1 webads.bizservers.com; 127.0.0.1
      weblist.de; 127.0.0.1 webpdp.gator.com; 127.0.0.1
      webxprod.qualcomm.com; 127.0.0.1 www.0190-dialer.com; 127.0.0.1
      www.12traffic.de; 127.0.0.1 www.1for1.com; 127.0.0.1 www.3turtles.com;
      127.0.0.1 www.404errorpage.com; 127.0.0.1 www.7adpower.com; 127.0.0.1
      www.7host.com; 127.0.0.1 www.activeannonce.com; 127.0.0.1
      www.adbucks.com; 127.0.0.1 www.adexit.com; 127.0.0.1 www.adexit.de;
      127.0.0.1 www.adforce.com; 127.0.0.1 www.admex.com; 127.0.0.1
      www.adnetz.net; 127.0.0.1 www.adserver.com; 127.0.0.1
      www.adserver.net; 127.0.0.1 www.adsmart.com; 127.0.0.1
      www.adsmart.net; 127.0.0.1 www.adultbizvoice.com; 127.0.0.1
      www.adultclicks.com; 127.0.0.1 www.ad-up.com; 127.0.0.1
      www.adverity.com; 127.0.0.1 www.adverlead.com; 127.0.0.1
      www.adverline.com; 127.0.0.1 www.adverline.fr; 127.0.0.1
      www.advertising.com; 127.0.0.1 www.advertwizard.com; 127.0.0.1
      www.adviews-sponsor.de; 127.0.0.1 www.alexchiu.com; 127.0.0.1
      www.alladvantage.com; 127.0.0.1 www.allclicks.com; 127.0.0.1
      www.amateur-galleries.com; 127.0.0.1 www.amazingpops.com; 127.0.0.1
      www.at-nude-teens.net; 127.0.0.1 www.bannerads.de; 127.0.0.1
      www.beseen.com; 127.0.0.1 www.bfast.com; 127.0.0.1
      www.boonsolutions.com; 127.0.0.1 www.brutalextreme.com; 127.0.0.1
      www.burstnet.com; 127.0.0.1 www.cash1x1.de; 127.0.0.1 www.cash2002.de;
      127.0.0.1 www.cash4banner.com; 127.0.0.1 www.cash4banner.de; 127.0.0.1
      www.cashcount.com; 127.0.0.1 www.cashfiesta.com; 127.0.0.1
      www.cashradio.com; 127.0.0.1 www.cashsurfers.com; 127.0.0.1
      www.casinoglamour.com; 127.0.0.1 www.cellularphones.com; 127.0.0.1
      www.cibleclick.com; 127.0.0.1 www.cj.com; 127.0.0.1
      www.click2sexy.com; 127.0.0.1 www.click-fr.com; 127.0.0.1
      www.clickxchange.com; 127.0.0.1 www.clictrafic.com; 127.0.0.1
      www.coinpromo.com; 127.0.0.1 www.cometcursor.com; 127.0.0.1
      www.cometsystems.net; 127.0.0.1 www.commission-junction.com; 127.0.0.1
      www.cr4.com; 127.0.0.1 www.crazypopups.com; 127.0.0.1
      www.crxwarez.net; 127.0.0.1 www.cydoor.com; 127.0.0.1 www.daz.com;
      127.0.0.1 www.dgm2.com; 127.0.0.1 www.directvalue.nl; 127.0.0.1
      www.drawnsex.com; 127.0.0.1 www.eads.com; 127.0.0.1 www.e-bannerx.com;
      127.0.0.1 www.eclic.net; 127.0.0.1 www.fastclick.net; 127.0.0.1
      www.fastmetasearch.com; 127.0.0.1 www.flycast.co.uk; 127.0.0.1
      www.flycast.com; 127.0.0.1 www.found404.com; 127.0.0.1
      www.fpctraffic.com; 127.0.0.1 www.freeadultlottery.com; 127.0.0.1
      www.freeasiahardcore.com; 127.0.0.1 www.free-banners.com; 127.0.0.1
      www.freebigcocks.net; 127.0.0.1 www.freecelebnudity.com; 127.0.0.1
      www.freefarmpics.com; 127.0.0.1 www.freegaybears.net; 127.0.0.1
      www.freegaylottery.com; 127.0.0.1 www.freenaughtyteens.com; 127.0.0.1
      www.freestats.com; 127.0.0.1 www.frontpagecash.com; 127.0.0.1
      www.fuck-portal.com; 127.0.0.1 www.gamingclub.com; 127.0.0.1
      www.gator.co.uk; 127.0.0.1 www.gator.com; 127.0.0.1 www.gator.net;
      127.0.0.1 www.genhit.com; 127.0.0.1 www.getsearches.com; 127.0.0.1
      www.gopopup.com; 127.0.0.1 www.greetingwishes.com; 127.0.0.1
      www.grokster.com; 127.0.0.1 www.hardcorepornos.org; 127.0.0.1
      www.hightrafficads.com; 127.0.0.1 www.hit-parade.com; 127.0.0.1
      www.hitsme.com; 127.0.0.1 www.hotfreewebcams.com; 127.0.0.1
      www.imaginemedia.com; 127.0.0.1 www.lastconsole.com; 127.0.0.1
      www.linkshare.com; 127.0.0.1 www.liveadvert.com; 127.0.0.1
      www.lo-litas.com; 127.0.0.1 www.looksmartclicks.com; 127.0.0.1
      www.lop.com; 127.0.0.1 www.lottoforever.com; 127.0.0.1
      www.reiseservice-graw.de; 127.0.0.1 www.megacash.de; 127.0.0.1
      www.megawebcams.tv; 127.0.0.1 www.milfhunter.com; 127.0.0.1
      www.modchip.com; 127.0.0.1 www.mod-chip.com; 127.0.0.1
      www.money4exit.de; 127.0.0.1 www.my-stats.com; 127.0.0.1
      www.netbroadcaster.com; 127.0.0.1 www.netflip.com; 127.0.0.1
      www.netgravity.com; 127.0.0.1 www.newtopsites.com; 127.0.0.1
      www.nic.co.il; 127.0.0.1 www.nudelinkz.com; 127.0.0.1
      www.oneandonlynetwork.com; 127.0.0.1 www.onresponse.com; 127.0.0.1
      www.paidpopup.de; 127.0.0.1 www.piratos.de; 127.0.0.1 www.popdown.de;
      127.0.0.1 www.popupad.net; 127.0.0.1 www.popuptraffic.com; 127.0.0.1
      www.PostMasterBannerNet.com; 127.0.0.1 www.prepaidliving.com;
      127.0.0.1 www.qksrv.net; 127.0.0.1 www.qualityhitz.com; 127.0.0.1
      www.qualypromos.com; 127.0.0.1 www.radiate.com; 127.0.0.1
      www.radiofreecash.com; 127.0.0.1 www.rankyou.com; 127.0.0.1
      www.reference-sexe.com; 127.0.0.1 www.sbee.com; 127.0.0.1
      www.sbvr.com; 127.0.0.1 www.searchtraffic.com; 127.0.0.1
      www.service-url.de; 127.0.0.1 www.sexfranco.com; 127.0.0.1
      www.sexfreelist.com; 127.0.0.1 www.sexlist.com; 127.0.0.1
      www.sexpromote.com; 127.0.0.1 www.sexspy.com; 127.0.0.1
      www.sexstudio24.de; 127.0.0.1 www.sextracker.com; 127.0.0.1
      www.sextraffic.org; 127.0.0.1 www.sexyfreehost.com; 127.0.0.1
      www.sexyplugin.com; 127.0.0.1 www.simplecounter.net; 127.0.0.1
      www.slutzoo.com; 127.0.0.1 www.sonixwarez.com; 127.0.0.1
      www.sponsor2002.de; 127.0.0.1 www.targetshop.com; 127.0.0.1
      www.teknosurf.com; 127.0.0.1 www.teknosurf2.com; 127.0.0.1
      www.teknosurf3.com; 127.0.0.1 www.theadultwire.com; 127.0.0.1
      www.topwarez-fr.com; 127.0.0.1 www.toys-galleries.com; 127.0.0.1
      www.trafficbox.net; 127.0.0.1 www.trafficmonetizer.com; 127.0.0.1
      www.unionwarez.com; 127.0.0.1 www.valueclick.com; 127.0.0.1
      www.valuesponsor.com; 127.0.0.1 www.warez33.com; 127.0.0.1
      www.warezfield.com; 127.0.0.1 www.web3000.co.uk; 127.0.0.1
      www.web3000.com; 127.0.0.1 www.webads.nl; 127.0.0.1 www.webferret.com;
      127.0.0.1 www.webhancer.com; 127.0.0.1 www.webhancer.net; 127.0.0.1
      www.weblist.de; 127.0.0.1 www.websitefinancing.com; 127.0.0.1
      www.wedoo.com; 127.0.0.1 www.win24.de; 127.0.0.1 www.wingowin.com;
      127.0.0.1 www.wtlive.com; 127.0.0.1 www.xiti.com; 127.0.0.1
      www.xpostx.com; 127.0.0.1 www.xxxdisplay.com; 127.0.0.1
      www.xxxfreeamateurs.com; 127.0.0.1 www.xxxteenclub.de; 127.0.0.1
      www.youmakemoney.com; 127.0.0.1 www.zeloop.net; 127.0.0.1
      www2.burstnet.com; 127.0.0.1 www2.consumercreditusa.com; 127.0.0.1
      www3.netgravity.com; 127.0.0.1 www4.netgravity.com; 127.0.0.1
      www4.trix.net; 127.0.0.1 www80.valueclick.com; 127.0.0.1
      xads.infospace.com; 127.0.0.1 xads.zedo.com; 127.0.0.1
      xxxfreeamateurs.com; 127.0.0.1 z.extreme-dm.com; 127.0.0.1
      z0.extreme-dm.com; 127.0.0.1 z1.extreme-dm.com; 127.0.0.1
      zac.netgravity.com; 127.0.0.1 img.thebugs.ws; 127.0.0.1
      pet.thebugs.ws; 127.0.0.1 mt45.mtree.com; 127.0.0.1 www.porncow.com;
      127.0.0.1 download.alexa.com; 127.0.0.1 count.exit.exchange.com;
      127.0.0.1 www.classmates.com; 127.0.0.1 bidclix.net; 127.0.0.1
      www.media-ads.org; 127.0.0.1 www.aitsafe.com; 127.0.0.1
      service.bfast.com; 127.0.0.1 spweb.whenu.com; 127.0.0.1
      www.getweathercast.com; 127.0.0.1 www.clock-sync.com; 127.0.0.1
      secure.goodthinxx.com; 127.0.0.1 port.goodthinxx.com; 127.0.0.1
      chochux.offshoreclicks.com; 127.0.0.1 go.offshoreclicks.com; 127.0.0.1
      click.atdmt.com; 127.0.0.1 dropcharge.stardialer.de; 127.0.0.1
      download.stardialer.de; 127.0.0.1 www.outwar.com; 127.0.0.1
      outwar.com; 127.0.0.1 reiseservice-graw.de; 127.0.0.1
      www.pornstarguru.com; 127.0.0.1 www.popstarwar.com; 127.0.0.1
      www.monsterwar.net; 127.0.0.1 www.gangsterwar.com; 127.0.0.1
      srch.lop.com; 127.0.0.1 clickcash.webpower.com; 127.0.0.1
      install.serviceurl.de; 127.0.0.1 aim1.radiate.com; 127.0.0.1
      aim2.radiate.com; 127.0.0.1 aim3.radiate.com; 127.0.0.1
      www.flyswat.com; 127.0.0.1 www.flyswat.net; 127.0.0.1 www.flyswat.org;
      127.0.0.1 www.flyswat.co.uk; 127.0.0.1 www.cometsystems.com; 127.0.0.1
      www.cometzone.com; 127.0.0.1 www.livecursors.com; 127.0.0.1
      aim1.adsoftware.com; 127.0.0.1 aim2.adsoftware.com; 127.0.0.1
      aim3.adsoftware.com; 127.0.0.1 aim4.adsoftware.com; 127.0.0.1
      aim5.adsoftware.com; 127.0.0.1 www.conducent.com; 127.0.0.1
      www.conducent.co.uk; 127.0.0.1 www.mathlogic.com; 127.0.0.1
      www.adsoftware.com; 127.0.0.1 www.gohip.com; 127.0.0.1
      www.lolitafree.de; 127.0.0.1 www.exitblaze.com; 127.0.0.1
      hop.clickbank.net; 127.0.0.1 www.w3exit.com; 127.0.0.1 ads.flabber.nl;
      127.0.0.1 servlets.kliks.nl; 127.0.0.1 affiliates.kliks.nl; 127.0.0.1
      ads.revenue.net; 127.0.0.1 pops.freeze.com; 127.0.0.1 adlog.com.com;
      127.0.0.1 ads.techtv.com; 127.0.0.1 ads.tripod.lycos.co.uk; 127.0.0.1
      adserv.happypuppy.com; 127.0.0.1 ads.ipowerweb.com; 127.0.0.1
      www.hitboss.com; 127.0.0.1 dbbsrv.com; 127.0.0.1
      download.globaldialer.net; 127.0.0.1 www.passthison.com; 127.0.0.1
      tafmaster.com; 127.0.0.1 www.xtra.fm; 127.0.0.1 www.mp3bank.nl;
      127.0.0.1 www.paypopup.com; 127.0.0.1 download.online-dialer.com;
      127.0.0.1 p2p.tm; 127.0.0.1 bbbsearch.com; 127.0.0.1
      ads.free-banners.com; 127.0.0.1 www.popinads.com




The modified host file will look like this:
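An audit of such a modified hosts file can be done offline from its text. The following Python is an added example for this description, not Avira's tooling; the hosts content it works on is constructed: the two default loopback lines, four hijack lines using names from the list above, and one legitimate override on a documentation-range address, so that the check is seen to distinguish the two.

```python
"""Audit a Windows hosts file for sinkholing of the kind described above:
names pointed at a loopback address so the real sites cannot be reached.
Added example for this description (not Avira's tooling). The hosts text
below is CONSTRUCTED; the hijacked names are taken from the list above."""
import ipaddress

# CONSTRUCTED hosts file: two default loopback lines, four hijack lines,
# and one legitimate override on a documentation-range address.
SAMPLE_HOSTS = """# Windows hosts file (comment lines are ignored by the resolver)
#
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.k-lite.tk
127.0.0.1 kazaa.ishareit.com    # trailing comment
127.0.0.1   ad.doubleclick.net   doubleclick.net
127.0.0.1 search.kazaa.com
192.0.2.10 intranet.example   # CONSTRUCTED: a legitimate local override
"""

# Names that are expected to resolve to loopback on a clean system.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:                 # one address may map many names
            yield ip, name.lower(), line_no


def sinkholed_entries(text):
    """Return (line_no, name) for names mapped to loopback that are not local."""
    return [(line_no, name)
            for ip, name, line_no in parse_hosts(text)
            if ip.is_loopback and name not in LOOPBACK_NAMES]


def cleaned_hosts(text):
    """Return the file with the flagged lines removed and everything else verbatim."""
    bad = {line_no for line_no, _ in sinkholed_entries(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, name in sinkholed_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is sinkholed")
```

The parser keys on the address being loopback rather than on a fixed list of names, so it catches entries beyond the ones this variant writes, and it handles the `::1` form and several names per line. `cleaned_hosts` is the mitigation half: it drops exactly the flagged lines and keeps comments and legitimate overrides, which is safer than replacing the whole file.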


Backdoor
The following port is opened:

%WINDIR%\Explorer.exe on a random UDP port in order to provide backdoor capabilities.


Contact server:
All of the following:
   • lalundelau.**********.es
   • bf2back.**********.es
   • thejacks**********.mobi

As a result, remote control capability is provided. It also periodically repeats the connection.

Injection
It injects itself into a process.

Process name:
   • Explorer.exe
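Because the backdoor port is random, the useful handle for hunting it is the owning process, which the Backdoor and Injection sections above name as Explorer.exe. The following Python is an added example for this description, not Avira's tooling: it correlates the PID column of a `netstat -ano` capture with a `tasklist /fo csv` capture and reports UDP sockets owned by a watched image. Both captures are constructed in the layout those Windows commands print, and every PID and port in them is made up.

```python
"""Correlate `netstat -ano` with `tasklist /fo csv` to find a UDP socket
owned by Explorer.exe, the process this description names as the injected
backdoor host. Added example (not Avira's tooling); both captures below
are CONSTRUCTED in the layout the Windows commands print."""
import csv
import io

# CONSTRUCTED `netstat -ano` excerpt. UDP rows carry no State column, so
# the PID is always the last field.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.0.2.5:49210        198.51.100.7:80        ESTABLISHED     2468
  UDP    0.0.0.0:500            *:*                                    1100
  UDP    0.0.0.0:51337          *:*                                    2468
  UDP    127.0.0.1:1900         *:*                                    3120
"""

# CONSTRUCTED `tasklist /fo csv` excerpt.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","884","Services","0","7,512 K"
"lsass.exe","1100","Services","0","5,020 K"
"explorer.exe","2468","Console","1","45,812 K"
"svchost.exe","3120","Services","0","9,100 K"
'''


def parse_netstat(text):
    """Return (proto, local_ip, local_port, pid) for every socket row."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                                # banner, header or blank line
        ip, port = fields[1].rsplit(":", 1)         # rsplit copes with [::]:port
        sockets.append((fields[0], ip.strip("[]"), int(port), int(fields[-1])))
    return sockets


def parse_tasklist(csv_text):
    """Return {pid: image name (lower-cased)} from tasklist /fo csv output."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["PID"]): row["Image Name"].lower() for row in reader}


def unexpected_udp_binds(netstat_text, tasklist_text,
                         watched=frozenset({"explorer.exe"})):
    """Report UDP sockets whose owning process is in the watched set."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for proto, ip, port, pid in parse_netstat(netstat_text):
        image = names.get(pid, "<unknown>")
        if proto == "UDP" and image in watched:
            findings.append({"image": image, "pid": pid, "local": f"{ip}:{port}"})
    return findings


if __name__ == "__main__":
    for hit in unexpected_udp_binds(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{hit['image']} (PID {hit['pid']}) owns UDP {hit['local']}")
```

A hit is a lead rather than proof: shell extensions loaded into Explorer.exe can legitimately open sockets, so confirm it against the process's loaded modules and handles before acting. The watched set is a parameter so the same correlation can be pointed at other processes that should not own a UDP socket.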


File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Alexandru Dinu on Tuesday, November 24, 2009
Description updated by Alexandru Dinu on Wednesday, November 25, 2009
