Virus: TR/Buzus.cbkm
Date discovered: 28/09/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 79.360 Bytes
MD5 checksum: abd7030fbb20d99f2e9426ffa2def43d
IVDF version: 7.01.06.44 - Monday, September 28, 2009

General
Method of propagation:
   • Autorun feature


Aliases:
   •  Panda: W32/Slenfbot.AH
   •  Eset: Win32/AutoRun.Qhost.M
   •  Bitdefender: Worm.Generic.90210


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %SYSDIR%\avgvsk.exe
   • %drive%\CACHE-49450483\file.sys



It overwrites a file:
   • %SYSDIR%\drivers\etc\hosts



The following files are created:

– %drive%\autorun.inf: a non-malicious text file with the following content:
   • %code that runs malware%

%drive%\CACHE-49450483\Desktop.ini

Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"



The following registry keys including all values and subkeys are removed:
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]



The following registry keys are added:

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="avgvsk.exe"

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   • "DoNotAllowXPSP2"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\avgvsk.exe"="DisableNXShowUI"



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\avg8wd]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:0x00000004

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002

– [HKLM\SYSTEM\CurrentControlSet\Services\avg8emc]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   New value:
   • "%SYSDIR%\avgvsk.exe"="%SYSDIR%\avgvsk.exe:*:Enabled:Windows Live"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "CheckedValue"=dword:0x00000001

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   New value:
   • "restrictanonymous"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Ole]
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   New value:
   • "%SYSDIR%\avgvsk.exe"="%SYSDIR%\avgvsk.exe:*:Enabled:Windows Live"

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: unas.u**********.info
Server password: su1c1d3
Channel: #te3pe3
Nickname: \00\USA\%random character string%

Server: p3x-888.u**********.info

Server: goauld.u**********.info

Server: stargate.f**********.info

Server: recoil.f**********.info

Server: sector9.f**********.info

Server: gateaddr.d**********.info

Server: wormhle.d**********.info

Server: scattr.d**********.info

Server: evthorz.d**********.info

Server: scorch.s**********.info

Server: zapniki.s**********.info

Server: zateck.s**********.info

Server: wow.d**********.info

Server: com.d**********.info

Server: dat.d**********.info

Server: sup.d**********.info

Server: especial.s**********.info

Server: rewrite.s**********.info

Server: comp.s**********.info

Server: statics.s**********.info


– Furthermore it has the ability to perform actions such as:
   • Execute a file
   • Update itself

Hosts
The hosts file is modified as follows:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • 127.0.0.1 msnfix.changelog.fr; 127.0.0.1 www.incodesolutions.com;
      127.0.0.1 virusinfo.prevx.com;
      127.0.0.1 download.bleepingcomputer.com; 127.0.0.1 www.dazhizhu.cn;
      127.0.0.1 foro.noticias3d.com; 127.0.0.1 www.nabble.com;
      127.0.0.1 lurker.clamav.net; 127.0.0.1 lexikon.ikarus.at;
      127.0.0.1 research.sunbelt-software.com; 127.0.0.1 www.virusdoctor.jp;
      127.0.0.1 www.elitepvpers.de; 127.0.0.1 guru.avg.com;
      127.0.0.1 www.superuser.co.kr; 127.0.0.1 ntfaq.co.kr;
      127.0.0.1 v.dreamwiz.com; 127.0.0.1 cit.kookmin.ac.kr;
      127.0.0.1 forums.whatthetech.com; 127.0.0.1 forum.hijackthis.de;
      127.0.0.1 avg.vo.llnwd.net; 127.0.0.1 www.huaifai.go.th;
      127.0.0.1 www.mostz.com; 127.0.0.1 www.krupunmai.com;
      127.0.0.1 www.cddchiangmai.net; 127.0.0.1 forum.malekal.com;
      127.0.0.1 tech.pantip.com; 127.0.0.1 sapcupgrades.com;
      127.0.0.1 www.247fixes.com; 127.0.0.1 forum.sysinternals.com;
      127.0.0.1 forum.telecharger.01net.com; 127.0.0.1 sophos.com;
      127.0.0.1 foros.softonic.com; 127.0.0.1 avast-home.uptodown.com;
      127.0.0.1 dr-web-cureit.softonic.com; 127.0.0.1 www.f-secure.com;
      127.0.0.1 www.chkrootkit.org; 127.0.0.1 diamondcs.com.au;
      127.0.0.1 www.rootkit.nl; 127.0.0.1 www.sysinternals.com;
      127.0.0.1 z-oleg.com; 127.0.0.1 espanol.dir.groups.yahoo.com;
      127.0.0.1 www.castlecrops.com; 127.0.0.1 www.misec.net;
      127.0.0.1 safecomputing.umn.edu; 127.0.0.1 www.antirootkit.com;
      127.0.0.1 www.greatis.com; 127.0.0.1 ar.answers.yahoo.com;
      127.0.0.1 www.elhacker.org; 127.0.0.1 www.rootkit.com;
      127.0.0.1 www.pctools.com; 127.0.0.1 www.pcsupportadvisor.com;
      127.0.0.1 www.resplendence.com; 127.0.0.1 www.personal.psu.edu;
      127.0.0.1 foro.ethek.com; 127.0.0.1 foro.elhacker.net;
      127.0.0.1 vil.nail.com; 127.0.0.1 search.mcafee.com;
      127.0.0.1 wwww.mcafee.com; 127.0.0.1 download.nai.com;
      127.0.0.1 wwww.experts-exchange.com; 127.0.0.1 www.bakunos.com;
      127.0.0.1 www.darkclockers.com; 127.0.0.1 www.Merijn.org;
      127.0.0.1 www.spywareinfo.com; 127.0.0.1 www.spybot.info;
      127.0.0.1 www.viruslist.com; 127.0.0.1 www.hijackthis.de;
      127.0.0.1 www.f-secure.com; 127.0.0.1 forum.kaspersky.com;
      127.0.0.1 majorgeeks.com; 127.0.0.1 www.avp.com;
      127.0.0.1 www.virustotal.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 linhadefensiva.uol.com.br; 127.0.0.1 cmmings.cn;
      127.0.0.1 www.sergiwa.com; 127.0.0.1 www.el-hacker.com;
      127.0.0.1 www.avg-antivirus.net; 127.0.0.1 www.kaspersky-labs.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 www.bleepingcomputer.com;
      127.0.0.1 www.free.grisoft.com; 127.0.0.1 alerta-antivirus.inteco.es;
      127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 www.analysis.seclab.tuwien.ac.at;
      127.0.0.1 www.symantec.com; 127.0.0.1 www.kztechs.com;
      127.0.0.1 ad-aware-se.uptodown.com; 127.0.0.1 stdio-labs.blogspot.com;
      127.0.0.1 liveupdate.symantecliveupdate.com;
      127.0.0.1 liveupdate.symantec.com; 127.0.0.1 customer.symantec.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 www.box.net;
      127.0.0.1 foro.el-hacker.com; 127.0.0.1 www.mcafee.com;
      127.0.0.1 www.free.avg.com; 127.0.0.1 download.mcafee.com;
      127.0.0.1 mast.mcafee.com; 127.0.0.1 www.tecno-soft.com;
      127.0.0.1 ladooscuro.es; 127.0.0.1 ftp.drweb.com;
      127.0.0.1 download.microsoft.com; 127.0.0.1 guru0.grisoft.cz;
      127.0.0.1 guru1.grisoft.cz; 127.0.0.1 guru2.grisoft.cz;
      127.0.0.1 guru3.grisoft.cz; 127.0.0.1 download.bleepingcomputer.com;
      127.0.0.1 it.answers.yahoo.com; 127.0.0.1 www.softonic.com;
      127.0.0.1 guru4.grisoft.cz; 127.0.0.1 guru5.grisoft.cz;
      127.0.0.1 www.virusspy.com; 127.0.0.1 www.download.f-secure.com;
      127.0.0.1 www.malwareremoval.com; 127.0.0.1 forums.cnet.com;
      127.0.0.1 foros.softonic.com; 127.0.0.1 hjt-data.trend-braintree.com;
      127.0.0.1 www.pantip.com; 127.0.0.1 secubox.aldria.com;
      127.0.0.1 www.forospyware.com; 127.0.0.1 www.manuelruvalcaba.com;
      127.0.0.1 www.zonavirus.com; 127.0.0.1 www.leforo.com;
      127.0.0.1 www.siteadvisor.com; 127.0.0.1 blog.threatfire.com;
      127.0.0.1 www.threatexpert.com; 127.0.0.1 blog.hispasec.com;
      127.0.0.1 www.configurarequipos.com; 127.0.0.1 sosvirus.changelog.fr;
      127.0.0.1 www.psicofxp.com; 127.0.0.1 mailcenter.rising.com.cn;
      127.0.0.1 mailcenter.rising.com; 127.0.0.1 www.rising.com.cn;
      127.0.0.1 www.rising.com; 127.0.0.1 www.babooforum.com.br;
      127.0.0.1 www.runscanner.net; 127.0.0.1 www.blogschapines.com;
      127.0.0.1 sosvirus.changelog.fr; 127.0.0.1 upload.changelog.fr;
      127.0.0.1 www.raymond.cc; 127.0.0.1 changelog.fr;
      127.0.0.1 www.pcentraide.com; 127.0.0.1 atazita.blogspot.com;
      127.0.0.1 www.thinkpad.cn; 127.0.0.1 www.final4ever.com;
      127.0.0.1 files.filefont.com; 127.0.0.1 www.infos-du-net.com;
      127.0.0.1 www.trendsecure.com; 127.0.0.1 forum.hardware.fr;
      127.0.0.1 www.utilidades-utiles.com; 127.0.0.1 blogs.icerocket.com;
      127.0.0.1 www.spychecker.com; 127.0.0.1 www.geekstogo.com;
      127.0.0.1 forums.maddoktor2.com; 127.0.0.1 www.smokey-services.eu;
      127.0.0.1 www.clubic.com; 127.0.0.1 www.linhadefensiva.org;
      127.0.0.1 www.rolandovera.com; 127.0.0.1 download.sysinternals.com;
      127.0.0.1 www.pcguide.com; 127.0.0.1 www.thetechguide.com;
      127.0.0.1 www.ozzu.com; 127.0.0.1 www.changedetection.com;
      127.0.0.1 espanol.groups.yahoo.com; 127.0.0.1 www.sunbeltsecurity.com;
      127.0.0.1 community.thaiware.com; 127.0.0.1 www.avpclub.ddns.info;
      127.0.0.1 www.offensivecomputing.net; 127.0.0.1 www.grisoft.com;
      127.0.0.1 boardreader.com; 127.0.0.1 www.guiadohardware.net;
      127.0.0.1 www.msnvirusremoval.com; 127.0.0.1 www.cisrt.org;
      127.0.0.1 fixmyim.com; 127.0.0.1 samroeng.hi5.com;
      127.0.0.1 foro.elhacker.net; 127.0.0.1 www.daboweb.com;
      127.0.0.1 service1.symantec.com; 127.0.0.1 forums.techguy.org;
      127.0.0.1 www.incodesolutions.com;
      127.0.0.1 hijackthis.download3000.com;
      127.0.0.1 www.cybertechhelp.com; 127.0.0.1 www.superdicas.com.br;
      127.0.0.1 www.51nb.com; 127.0.0.1 downloads.andymanchesta.com;
      127.0.0.1 andymanchesta.com; 127.0.0.1 info.prevx.com;
      127.0.0.1 aknow.prevx.com; 127.0.0.1 www.zonavirus.com;
      127.0.0.1 securitywonks.net; 127.0.0.1 www.yoreparo.com;
      127.0.0.1 www.lavasoft.com; 127.0.0.1 www.virscan.org;
      127.0.0.1 www.eeload.com; 127.0.0.1 down.www.kingsoft.com;
      127.0.0.1 www.file.net; 127.0.0.1 onecare.live.com;
      127.0.0.1 mvps.org; 127.0.0.1 www.laneros.com;
      127.0.0.1 www.housecall.trendmicro.com; 127.0.0.1 www.avast.com;
      127.0.0.1 www.free.avg.com; 127.0.0.1 www.onlinescan.avast.com;
      127.0.0.1 www.ewido.net; 127.0.0.1 www.trucoswindows.net;
      127.0.0.1 www.mozilla-hispano.org;
      127.0.0.1 www.futurenow.bitdefender.com;
      127.0.0.1 www.bitdefender.com; 127.0.0.1 www.f-prot.com;
      127.0.0.1 www.trendsecure.com; 127.0.0.1 security.symantec.com;
      127.0.0.1 oldtimer.geekstogo.com; 127.0.0.1 www.avira.com;
      127.0.0.1 www.eset.com; 127.0.0.1 www.free.avg.com;
      127.0.0.1 www.free-av.com; 127.0.0.1 kr.ahnlab.com;
      127.0.0.1 www.eset.com; 127.0.0.1 forospyware.com;
      127.0.0.1 thejokerx.blogspot.com; 127.0.0.1 www.2-spyware.com;
      127.0.0.1 www.antivir.es; 127.0.0.1 www.prevx.com;
      127.0.0.1 www.ikarus.net; 127.0.0.1 bbs.s-sos.net;
      127.0.0.1 www.housecall.trendmicro.com;
      127.0.0.1 www.superdicas.com.br; 127.0.0.1 www.forums.majorgeeks.com;
      127.0.0.1 www.castlecops.com; 127.0.0.1 www.virusspy.com;
      127.0.0.1 andymanchesta.com; 127.0.0.1 www.kaspersky.es;
      127.0.0.1 subs.geekstogo.com; 127.0.0.1 www.forospanish.com;
      127.0.0.1 www.trendmicro.com; 127.0.0.1 www.fortinet.com;
      127.0.0.1 www.safer-networking.org;
      127.0.0.1 www.fortiguardcenter.com; 127.0.0.1 www.dougknox.com;
      127.0.0.1 www.vsantivirus.com; 127.0.0.1 www.firewallguide.com;
      127.0.0.1 www.auditmypc.com; 127.0.0.1 www.spywaredb.com;
      127.0.0.1 www.mxttchina.com; 127.0.0.1 www.ziggamza.net;
      127.0.0.1 www.forospyware.es; 127.0.0.1 pogonyuto.forospanish.com;
      127.0.0.1 www.antivirus.comodo.com;
      127.0.0.1 www.spywareterminator.com;
      127.0.0.1 www.eradicatespyware.net;
      127.0.0.1 www.freespywareremoval.info;
      127.0.0.1 www.personalfirewall.comodo.com; 127.0.0.1 www.clamav.net;
      127.0.0.1 www.antivirus.about.com; 127.0.0.1 www.pandasecurity.com;
      127.0.0.1 www.webphand.com; 127.0.0.1 mx.answers.yahoo.com;
      127.0.0.1 www.securitywonks.net; 127.0.0.1 www.sandboxie.com;
      127.0.0.1 www.clamwin.com; 127.0.0.1 www.cwsandbox.org;
      127.0.0.1 www.ca.com; 127.0.0.1 www.arswp.com;
      127.0.0.1 es.answers.yahoo.com; 127.0.0.1 www.trucoswindows.es;
      127.0.0.1 www.networkworld.com; 127.0.0.1 www.cddchiangmai.net;
      127.0.0.1 www.threatexpert.com; 127.0.0.1 www.norman.com;
      127.0.0.1 espanol.answers.yahoo.com; 127.0.0.1 www.tallemu.com;
      127.0.0.1 virscan.org; 127.0.0.1 www.viruschief.com;
      127.0.0.1 scanner.virus.org; 127.0.0.1 www.hijackthis.de;
      127.0.0.1 housecall65.trendmicro.com;
      127.0.0.1 www.guiadohardware.net; 127.0.0.1 forums.whatthetech.com;
      127.0.0.1 hjt.networktechs.com; 127.0.0.1 www.techsupportforum.com;
      127.0.0.1 www.whatthetech.com; 127.0.0.1 www.soccersuck.com;
      127.0.0.1 www.pcentraide.com; 127.0.0.1 comunidad.wilkinsonpc.com.co;
      127.0.0.1 forum.piriform.com; 127.0.0.1 www.tweaksforgeeks.com;
      127.0.0.1 www.daniweb.com; 127.0.0.1 www.geekstogo.com;
      127.0.0.1 es.answers.yahoo.com; 127.0.0.1 www.techsupportforum.com;
      127.0.0.1 www.pchell.com; 127.0.0.1 www.spyany.com;
      127.0.0.1 forums.techguy.org; 127.0.0.1 www.experts-exchange.com;
      127.0.0.1 www.wikio.es; 127.0.0.1 www.pandasecurity.com;
      127.0.0.1 forums.devshed.com; 127.0.0.1 forum.tweaks.com;
      127.0.0.1 www.wilderssecurity.com; 127.0.0.1 www.techspot.com;
      127.0.0.1 www.thecomputerpitstop.com; 127.0.0.1 es.wasalive.com;
      127.0.0.1 secunia.com; 127.0.0.1 es.kioskea.net;
      127.0.0.1 www.taringa.net; 127.0.0.1 www.cyberdefender.com;
      127.0.0.1 www.feedage.com; 127.0.0.1 new.taringa.net;
      127.0.0.1 forum.zazana.com; 127.0.0.1 forum.clubedohardware.com.br;
      127.0.0.1 www.computing.net; 127.0.0.1 discussions.virtualdr.com;
      127.0.0.1 forum.securitycadets.com; 127.0.0.1 www.techimo.com;
      127.0.0.1 13iii.com; 127.0.0.1 www.dicasweb.com.br;
      127.0.0.1 www.infosecpodcast.com; 127.0.0.1 www.usbcleaner.cn;
      127.0.0.1 www.net-security.org; 127.0.0.1 www.bleedingthreats.net;
      127.0.0.1 acs.pandasoftware.com; 127.0.0.1 www.funkytoad.com;
      127.0.0.1 www.360safe.cn; 127.0.0.1 www.360safe.com;
      127.0.0.1 bbs.360safe.cn; 127.0.0.1 bbs.360safe.com;
      127.0.0.1 codehard.wordpress.com;
      127.0.0.1 forum.clubedohardware.com.br; 127.0.0.1 www.360.cn;
      127.0.0.1 www.360.com; 127.0.0.1 bbs.360safe.cn;
      127.0.0.1 bbs.360safe.com; 127.0.0.1 www.forospyware.es;
      127.0.0.1 p3dev.taringa.net; 127.0.0.1 www.precisesecurity.com;
      127.0.0.1 baike.360.cn; 127.0.0.1 baike.360.com;
      127.0.0.1 kaba.360.cn; 127.0.0.1 kaba.360.com;
      127.0.0.1 deckard.geekstogo.com; 127.0.0.1 www.taringa.net;
      127.0.0.1 forums.comodo.com; 127.0.0.1 www.mvps.org;
      127.0.0.1 down.360safe.cn; 127.0.0.1 down.360safe.com;
      127.0.0.1 x.360safe.com; 127.0.0.1 dl.360safe.com;
      127.0.0.1 ftp.drweb.com; 127.0.0.1 www.hotshare.net;
      127.0.0.1 es.wasalive.com; 127.0.0.1 free.antivirus.com;
      127.0.0.1 updatem.360safe.com; 127.0.0.1 updatem.360safe.cn;
      127.0.0.1 update.360safe.cn; 127.0.0.1 update.360safe.com;
      127.0.0.1 www.utilidades-utiles.com; 127.0.0.1 forum.kaspersky.com;
      127.0.0.1 bbs.duba.net; 127.0.0.1 www.duba.net;
      127.0.0.1 zhidao.baidu.com; 127.0.0.1 hi.baidu.com;
      127.0.0.1 www.drweb.com.es; 127.0.0.1 msncleaner.softonic.com;
      127.0.0.1 www.javacoolsoftware.com; 127.0.0.1 file.ikaka.com;
      127.0.0.1 file.ikaka.cn; 127.0.0.1 bbs.ikaka.com;
      127.0.0.1 zhidao.ikaka.com; 127.0.0.1 www.eset-la.com;
      127.0.0.1 www.eset-la.com; 127.0.0.1 software-files.download.com;
      127.0.0.1 www.ikaka.com; 127.0.0.1 www.ikaka.cn;
      127.0.0.1 bbs.cfan.com.cn; 127.0.0.1 www.cfan.com.cn;
      127.0.0.1 www.pandasecurity.com; 127.0.0.1 es.mcafee.com;
      127.0.0.1 downloads.malwarebytes.org; 127.0.0.1 bbs.kafan.cn;
      127.0.0.1 bbs.kafan.com; 127.0.0.1 bbs.kpfans.com;
      127.0.0.1 bbs.taisha.org; 127.0.0.1 www.manuelruvalcaba.com;
      127.0.0.1 support.f-secure.com; 127.0.0.1 bbs.winzheng.com;
      127.0.0.1 alerta-antivirus.inteco.es; 127.0.0.1 foros.zonavirus.com;
      127.0.0.1 alerta-antivirus.red.es; 127.0.0.1 www.zonavirus.com;
      127.0.0.1 www.malwarebytes.org; 127.0.0.1 www.commentcamarche.net;
      127.0.0.1 www.ewido.net; 127.0.0.1 www.infospyware.com;
      127.0.0.1 www.bitdefender.es; 127.0.0.1 housecall.trendmicro.com;
      127.0.0.1 foros.toxico-pc.com; 127.0.0.1 www.emsisoft.de;
      127.0.0.1 www.securitynewsportal.com
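The file, registry and hosts indicators listed above lend themselves to a read-only triage check on a suspect host. The following PowerShell script is an added example, not part of the Avira description and not an Avira tool. It looks for the dropped binary and the drive-root copy, for the registry values the description says are added or changed, for the missing SafeBoot keys, for the firewall exceptions granted to avgvsk.exe, and for hosts entries that point security vendor domains at 127.0.0.1. Note that the `Run` entry `"ctfmon.exe"="ctfmon.exe"` looks harmless on its own; it is the `Image File Execution Options\ctfmon.exe` `Debugger` value that turns it into persistence, because Windows starts the named "debugger" (here avgvsk.exe) whenever ctfmon.exe is launched. The registry paths and file names come from the description; the function names and the short sample of vendor-domain patterns are this example's own choices. The script reports findings and changes nothing.

```powershell
# Added example (not from the Avira description): read-only triage check for the
# TR/Buzus.cbkm indicators on this page. Run in an elevated PowerShell session.
# Function names and the vendor-domain sample below are this script's own choices.

$SysDir = [Environment]::SystemDirectory   # resolves %SYSDIR%, e.g. C:\WINDOWS\system32

function Test-BuzusFiles {
    $hits = @()
    $dropped = Join-Path $SysDir 'avgvsk.exe'
    if (Test-Path -LiteralPath $dropped) { $hits += "File: dropped binary present: $dropped" }
    # The worm copies itself to every drive root under CACHE-49450483 beside an autorun.inf
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $copy = Join-Path $drive.Root 'CACHE-49450483\file.sys'
        if (Test-Path -LiteralPath $copy) { $hits += "File: drive copy present: $copy" }
        $autorun = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path -LiteralPath $autorun) { $hits += "File: autorun.inf on $($drive.Root) (inspect its contents)" }
    }
    return $hits
}

function Test-BuzusRegistry {
    $hits = @()
    # Value/data pairs the description lists as added or changed
    $expected = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe'; Name = 'Debugger'; Data = 'avgvsk.exe' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'ctfmon.exe'; Data = 'ctfmon.exe' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'; Name = 'DontReportInfectionInformation'; Data = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'; Data = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride'; Data = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableConfig'; Data = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotAllowXPSP2'; Data = 1 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'; Name = 'Start'; Data = 4 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM'; Data = 'N' }
    )
    foreach ($e in $expected) {
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        # Compare as strings so REG_DWORD and REG_SZ data are handled alike
        if ($null -ne $item -and "$($item.($e.Name))" -eq "$($e.Data)") {
            $hits += "Registry: $($e.Path)\$($e.Name) = $($e.Data)"
        }
    }
    # The SafeBoot keys are deleted by the malware; their absence is itself an indicator
    foreach ($sb in 'Minimal', 'Network') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb")) {
            $hits += "Registry: SafeBoot\$sb key is missing (safe mode broken)"
        }
    }
    # Firewall exceptions for the dropped binary, in either profile
    foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
        $list = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
        $props = Get-ItemProperty -Path $list -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -like '*\avgvsk.exe')) {
            $hits += "Registry: firewall exception for avgvsk.exe in $fwProfile"
        }
    }
    return $hits
}

function Test-BuzusHosts {
    # Flag hosts entries that send security vendor domains to 127.0.0.1.
    # This pattern sample covers only some of the domains listed on the page.
    $patterns = 'avira', 'kaspersky', 'symantec', 'mcafee', 'sophos', 'f-secure',
                'bleepingcomputer', 'virustotal', 'malwarebytes', 'sysinternals', 'grisoft'
    $hostsPath = Join-Path $SysDir 'drivers\etc\hosts'
    $hits = @()
    foreach ($line in Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $fields = $t -split '\s+'
        if ($fields.Count -ge 2 -and $fields[0] -eq '127.0.0.1') {
            foreach ($p in $patterns) {
                if ($fields[1] -like "*$p*") { $hits += "Hosts: $($fields[1]) -> 127.0.0.1"; break }
            }
        }
    }
    return $hits
}

$findings = @(Test-BuzusFiles) + @(Test-BuzusRegistry) + @(Test-BuzusHosts)
if ($findings.Count -eq 0) { 'No TR/Buzus.cbkm indicators found.' } else { $findings }
```

Any single hit deserves a closer look, but the combination of the IFEO `Debugger` value, the missing SafeBoot keys and a hosts file full of 127.0.0.1 entries for vendor domains is a strong match for this family. Because the hosts file is overwritten rather than appended to, restoring it from a known-good copy is part of the cleanup, as is recreating the SafeBoot keys before attempting a safe-mode scan.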


Process termination
List of processes that are terminated:
   • VIPRE.EXE; ISSDM_EN_32.EXE; P08PROMO.EXE; K7TS_SETUP.EXE;
      AVINSTALL.EXE; WITSETUP.EXE; TrendMicro_TISPro_16.1_1063_x32.EXE;
      VBA32-PERSONAL-LATEST-ENGLISH.EXE; FSMB32.EXE; FSGK32.EXE; FSAV95.EXE;
      FSAV530WTBYB.EXE; FSAV530STBYB.EXE; FSAV32.EXE; FSAV.EXE; FSAA.EXE;
      FPROT.EXE; FP-WIN.EXE; FNRB32.EXE; FIH32.EXE; FCH32.EXE; FAST.EXE;
      FAMEH32.EXE; F-STOPW.EXE; F-PROT95.EXE; F-PROT.EXE; AFMAIN.EXE;
      SPIDERUI.EXE; SPIDERNT.EXE; ALERTMAN.EXE; RAVMOND.EXE; MAKEREPORT.EXE;
      BOXMOD.EXE; 360SAFE.EXE; 360RPT.EXE; 360HOTFIX.EXE; 360TRAY.EXE;
      NSVMON.NPC; NSAVSVC.NPC; NPCGREENAGENT.NPC; PUSCAN.EXE;
      AYSERVICENT.AYE; AYAGENT.AYE; CMDAGENT.EXE; CPF.EXE; VSMON.EXE;
      ZLCLIENT.EXE; NSUTILITY.EXE; NSPUPDT.EXE; NAVQSCAN.EXE; NSPMAIN.EXE;
      NSPUPSVC.EXE; NSPSVC.EXE; MKSADMINCONSOLE.EXE; MKSUPDATE.EXE;
      MKSPC.EXE; MKSFWALL.EXE; MKSVIRMONSVC.EXE; MKS_SCAN.EXE; MKS_MAIL.EXE;
      MKSREGMON.EXE; KAVPFW.EXE; KASMAIN.EXE; KAV32.EXE; KPFWSVC.EXE;
      KISSVC.EXE; KWATCH.EXE; KPFW32.EXE; KAVSTART.EXE; KVSRVXP.EXE;
      KVOL.EXE; KVXP.KXP; KVMONXP.KXP; CAVASM.EXE; CMAIN.EXE;
      ARCABIT.CORE.LOGGINGSERVICE.EXE; ARCABIT.CORE.CONFIGURATOR2.EXE;
      TASKSCHEDULER.EXE; UPDATE.EXE; NETMONSV.EXE; FILEMONSV.EXE;
      ABREGMON.EXE.EXE; ARCACHECK.EXE; ARCAVIR.EXE; AVMENU.EXE;
      A2HIJACKFREE.EXE; A2SERVICE.EXE; A2START.EXE; A2SCAN.EXE; A2GUARD.EXE;
      VRFWSVC.EXE; HFACSVC.EXE; VRMONSVC.EXE; HPCSVC.EXE; HSVCMOD.EXE;
      VRMONNT.EXE; VBA32ADS.EXE; VBA32LDR.EXE; FILELOCKSETUP.EXE;
      TSCFCOMMANDER.EXE; TMPROXY.EXE; TMPFW.EXE; TMBMSRV.EXE; UFNAVI.EXE;
      UFSEAGNT.EXE; MKSTRAY.EXE; TISSPWIZ.EXE; SFCTLCOM.EXE; TNBUTIL.EXE;
      DEFWATCH.EXE; RTVSCAN.EXE; SBAMSVC.EXE; SBAMUI.EXE; SBAMTRAY.EXE;
      SAVADMINSERVICE.EXE; SAVSERVICE.EXE; SCFSERVICE.EXE; SCFMANAGER.EXE;
      RAVTASK.EXE; CCENTER.EXE; ULIBCFG.EXE; RAVLITE.EXE;
      PCTAV.EXE; PCTAVSVC.EXE; PXCONSOLE.EXE; PXAGENT.EXE; RAV.EXE; PCTSAUXS.EXE;
      PCTSTRAY.EXE; PCTSSVC.EXE; PCTSGUI.EXE; AVGAS.EXE; PAVBCKPT.EXE;
      WEBPROXY.EXE; PAVSRV51.EXE; SRVLOAD.EXE; PSIMSVC.EXE; PSHOST.EXE;
      AVENGINE.EXE; PSKMSSVC.EXE; PAVPRSRV.EXE; PAVFNSVR.EXE; PSCTRLS.EXE;
      TPSRV.EXE; NOD32M2.EXE; NOD32CC.EXE; NOD32.EXE; NMAIN.EXE;
      NOD32KUI.EXE; MSASCUI.EXE; MSMPENG.EXE; MCUPDATE.EXE; MCSHIELD.EXE;
      MCVSSHLD.EXE; MCVSRTE.EXE; MCAGENT.EXE; KAVSVC.EXE; KAV.EXE;
      K7TSMNGR.EXE; K7SPMSRC.EXE; K7RTSCAN.EXE; K7PSSRVC.EXE; K7FWSRVC.EXE;
      K7EMLPXY.EXE; K7TSECURITY.EXE; K7SYSTRY.EXE; VIRUSUTILITIES.EXE;
      GUARDXSERVICE.EXE; GUARDXKICKOFF.EXE; AVKWCTL.EXE;
      AVKTUNERSERVICE.EXE; AVKSERVICE.EXE; GDFWSVC.EXE; AVKPROXY.EXE;
      GDFIRE~1.EXE; AVKTRAY.EXE; GDFIREWALLTRAY.EXE; FSAUA.EXE; FSDFWD.EXE;
      FSGK32ST.EXE; FSM32.EXE; FPWIN.EXE; FPAVSERVER.EXE; FPROTTRAY.EXE;
      INICIO.EXE; NOD32KRN.EXE; FSMA32.EXE; APVXDWIN.EXE; UMXPOL.EXE;
      UMXFWHLP.EXE; UMXAGENT.EXE; UMXCFG.EXE; PPCLTPRIV.EXE; SVCPRS32.EXE;
      ITMRTSVC.EXE; CCPROVSP.EXE; MDMCLS32.EXE; CAGLOBALLIGHT.EXE;
      CAPFUPGRADE.EXE; CAPFASEM.EXE; CAFW.EXE; CFGMNG32.EXE; CCTRAY.EXE;
      CLAMTRAY.EXE; CLAMWIN.EXE; ALSVC.EXE; ALMON.EXE; DRWEBSCD.EXE;
      SPIDERML.EXE; DRWEB32W.EXE; ACS.EXE; STRTSVC.EXE; OP_MON.EXE;
      SENSOR.EXE; QHFW332.EXE; CATEYE.EXE; ONLNSVC.EXE; EMLPROUI.EXE;
      UPSCHD.EXE; SCANMSG.EXE; SCANWSCS.EXE; EMLPROXY.EXE; ONLINENT.EXE;
      ASWCLNR.EXE; BDAGENT.EXE; VSSERV.EXE; LIVESRV.EXE; XCOMMSVR.EXE;
      UISCAN.EXE; BDSS.EXE; AVGCMGR.EXE; AVGWSRV.EXE; AVGUI.EXE;
      AVGSCANX.EXE; AVGUPSVC.EXE; AVGAMSVR.EXE; AVGUPD.EXE; AVGTRAY.EXE;
      AVGFRW.EXE; AVGEMC.EXE; AVGNSX.EXE; AVGRSX.EXE; AVGWDSVC.EXE;
      ASHWEBSV.EXE; ASHMAISV.EXE; ASWUPDSV.EXE; ASHSERV.EXE; ASHDISP.EXE;
      AVCENTER.EXE; SCHED.EXE; AVIRARKD.EXE; AVGNT.EXE; AVGUARD.EXE;
      AHNSDSV.EXE; ACAIS.EXE; ACALS.EXE; ACAEGMGR.EXE; QOELOADER.EXE;
      ACAAS.EXE; QUHLPSVC.EXE; AVGCSRVX.EXE; 123.EXE;
      RAVP.EXE; MBAM.EXE; 123.COM; UNIEXTRACT.EXE; SYSANALYZER_SETUP.EXE;
      STARTDRECK.EXE; SPF.EXE; REGX2.EXE; REGSHOT.EXE; REGSCANNER.EXE;
      REGISTRAR_LITE.EXE; REGCOOL.EXE; REGALYZ.EXE;
      PROJECTWHOISINSTALLER.EXE; PROCMON.EXE; CUREIT.EXE; FIXBAGLE.EXE;
      PGSETUP.EXE; OBJMONSETUP.EXE; NETALYZ.EXE; KILLBOX.EXE;
      INSTALLWATCHPRO25.EXE; AVENGER.EXE; IEFIX.EXE; HOSTSFILEREADER.EXE;
      FIXPATH.EXE; FILEFIND.EXE; FILEALYZ.EXE; EULALYZERSETUP.EXE;
      A2HIJACKFREESETUP.EXE; DLLCOMPARE.EXE; CPROCESS.EXE; CPORTS.EXE;
      ASVIEWER.EXE; APT.EXE; APM.EXE; WIRESHARK.EXE; SPYBOTSD.EXE;
      TEATIMER.EXE; SPYBOTSD160.EXE; PROCESSMONITOR.EXE; PROCDUMP.EXE;
      PG2.EXE; LORDPE.EXE; ICESWORD.EXE; REANIMATOR.EXE; ROOTKITNO.EXE;
      RKD.EXE; HACKMON.EXE; UNHACKME.EXE; ROOTKIT_DETECTIVE.EXE;
      AVGARKT.EXE; FSB.EXE; FSBL.EXE; ROOTKITREVEALER.EXE; PSKILL.EXE;
      TASKMON.EXE; TASKLIST.EXE; TASKMAN.EXE; PROCEXP.EXE; MSNFIX.EXE;
      HIJACKTHIS_V2.EXE; HIJACKTHIS.EXE; HIJACKTHIS_SFX.EXE; HJTSETUP.EXE;
      HJTINSTALL.EXE; OLLYDBG.EXE; NETSTAT.EXE; PORTMONITOR.EXE;
      PORTDETECTIVE.EXE; FPORT.EXE; APORTS.EXE; PAVARK.EXE; DARKSPY105.EXE;
      HELIOS.EXE; ROOTKITBUSTER.EXE; ROOTALYZER.EXE; BC5CA6A.EXE; SEEM.EXE;
      DELAYDELFILE.EXE; DUBATOOL_AV_KILLER.EXE; SUPERKILLER.EXE;
      KAKASETUPV6.EXE; BUSCAREG.EXE; MSNCLEANER.EXE; SRESTORE.EXE;
      BOOTSAFE.EXE; SUPERANTISPYWARE.EXE;
      REGUNLOCKER.EXE; TSNTEVAL.EXE; XP_TASKMGRENAB.EXE; CF9409.EXE; GMER.EXE;
      CATCHME.EXE; SDFIX.EXE; COMBOFIX.EXE; SRENGPS.EXE; AUTORUNS.EXE;
      TASKKILL.EXE; REG.EXE; MYPHOTOKILLER.EXE; KILLAUTOPLUS.EXE;
      FOLDERCURE.EXE; REGEDIT.SCR; REGEDIT.COM; TCPVIEW.EXE; LISTO.EXE;
      GUARD.EXE; NTVDM.EXE; COMMAND.COM; COMBOFIX.COM; COMBOFIX.SCR;
      COMOBO-FIX.EXE; COMBOFIX.BAT; COMBO-FIX.EXE; REGMON.EXE;
      OTMOVEIT.EXE; MBAM-SETUP.EXE; JAJA.EXE; AVZ.EXE; MBAM.EXE;
      MBAM-SETUP.EXE; PENCLEAN.EXE; ELISTA.EXE; HJ.EXE;
      WINDOWS-KB890930-V2.2.EXE; MRTSTUB.EXE; MRT.EXE; HIJACK-THIS.EXE;
      VIRUS.EXE; SAFEBOOTKEYREPAIR.EXE; OTMOVEIT3.EXE; HOSTSXPERT.EXE; DAFT.EXE;
      ATF-CLEANER.EXE; COMPAQ_PROPIETARIO.EXE; REGUNLOCKER.EXE;
      UNLOCKERASSISTANT.EXE; UNLOCKER.EXE; SRENGLDR.EXE; HOOKANLZ.EXE;
      UNLOCKER1.8.7.EXE


Injection
It injects itself as a thread into a process.

Process name:
   • explorer.exe


File details
Programming language:
The malware program was written in Delphi.

Description inserted by Petre Galan on Tuesday, February 23, 2010
Description updated by Petre Galan on Tuesday, February 23, 2010
