Virus:Worm/Kolabc.hqm
Date discovered:23/12/2009
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:171.795 Bytes
MD5 checksum:cc88f4f016cb52cceb6d9acfe271e233
IVDF version:7.10.02.56 - Wednesday, December 23, 2009

 General Method of propagation:
   • Autorun feature
   • Local network


Aliases:
   •  Mcafee: W32/Spybot.worm
   •  Sophos: Mal/Behav-004
   •  Panda: W32/Kolabc.AF
   •  Eset: Win32/Hatob.E
   •  Bitdefender: Trojan.Agent.ANTD


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Steals information
   • Third party control

 Files It copies itself to the following locations:
   • %WINDIR%\Fonts\unwise_.exe
   • %drive%\RECYCLER\%CLSID%\unwise_.exe



The following file is created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller]
   • "Description"="Enables Windows Host Controller Service. This service cannot be stopped."
   • "DisplayName"="Windows Hosts Controller"
   • "ErrorControl"=dword:0x00000000
   • "FailureActions"=hex:0A,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,2E,00,73,00,01,00,00,00,B8,0B,00,00
   • "ImagePath"=""%WINDIR%\Fonts\unwise_.exe""
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000110



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\
   Windows File Protection]
   • "SFCDisable"=dword:0xffffff9d
   • "SFCScan"=dword:0x00000000

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   • "DoNotAllowXPSP2"=dword:0x00000001



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
   New value:
   • "intime"="04/01/2010, 08:57 AM"
   • "msgone"="%executed file%"
   • "reup"=dword:0x00000475

– [HKLM\SYSTEM\CurrentControlSet\Control]
   New value:
   • "WaitToKillServiceT"="5000"

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
   New value:
   • "AutoShareServer"=dword:0x00000001
   • "AutoShareWks"=dword:0x00000001
   • "SizReqBuf"=dword:0x00004000

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   New value:
   • "restrictanonymous"=dword:0x00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   New value:
   • "AllowUserRawAccess"=dword:0x00000001
   • "DefaultTTL"=dword:0x00000040
   • "EnablePMTUBHDetect"=dword:0x00000000
   • "EnablePMTUDiscovery"=dword:0x00000001
   • "GlobalMaxTcpWindowSize"=dword:0x0003ebc0
   • "LargeBufferSize"=dword:0x000c8000
   • "MaxUserPort"=dword:0x0000fffe
   • "SackOpts"=dword:0x00000001
   • "StrictTimeWaitSeqCheck"=dword:0x00000001
   • "Tcp1323Opts"=dword:0x00000001
   • "TcpMaxDupAcks"=dword:0x00000002
   • "TcpNumConnections"=dword:0x00fffffe
   • "TcpTimedWaitDelay"=dword:0x0000001e
   • "TcpWindowSize"=dword:0x0003ebc0

– [HKLM\SOFTWARE\Microsoft\Ole]
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
   New value:
   • "DisableRawSecurity"=dword:0x00000001

Deactivate Windows Firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile]
   New value:
   • "DisableNotifications"=dword:0x00000001
   • "DoNotAllowExceptions"=dword:0x00000000
   • "EnableFirewall"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   New value:
   • "DisableNotifications"=dword:0x00000001
   • "DoNotAllowExceptions"=dword:0x00000000
   • "EnableFirewall"=dword:0x00000000

 Messenger It is spreading via Messenger. The characteristics are described below:

– MSN Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • zxcv; zxc; zap; yxcv; youwontguessme; xyzzy; xyz; xxxxxxxxx; xxxxxxxx;
      xxxxxxx; xxxxx; xx; xp; win2k; win; wired; winxp; winston; winpass;
      winnt; wing; wine; windozexp; windozeME; windoze98; windoze95;
      windoze2k; windoze; WindowsXP; windowsME; windows98; windows95;
      windows2k; windows; windose; Win2KPro; fnc; vps; virus; USA; sqlpass;
      sql; Serveur; students; slave; secrets; secret; sysadmin; support;
      security; school; sa; userpass; username; usermane; user1; trojan;
      testing; tester; test123; Test; rooted; remote; r00t; blink182;
      qwerty; qwert; qwer; qwe; pwd; pw123; pw; password123; password1;
      Password; PASSWORD; password; passwd; pass1234; pass123; pass; owned;
      own; NULL; myvps; mssql; mysql; M$; mypc123; mypc; mypass123; mypass;
      MS; machine; microsoft; myvnc; loginpass; LOCAL; login; Unix; l33t;
      l337; letmein; hax; hacked; guessme; guess; fuckyou; fucked;
      education; EDU; U*; domainpassword; smbpass; smb; dbpass; db1234;
      desktop; dead; dave; databasepassword; database; daemon; defaultpass;
      closed; closed!; customer; changeme!; changeme; changethis; change;
      apache; anything; account?; abc123; abc; abcd; asdf; AAAA; aussie;
      88888888; 654321; 54321; 123qwe; 123asd; 123abc; 1234qwer; 123467890;
      12346789; 1234678; 123467; 12346; 123456789; 12345678; 1234567;
      123456; 12345; 1234; 123123; 123; 121212; 121; 12; 11111111; 111111;
      111; 110; 0wned; 0wn3d; 007; 00000000; 000000; 00000; 0000; 000; 00;
      %%%%%; %%%%; %%%; %%; !@; $%^&*; xXx; xxxx; xxx; aspnet69; aspnet;
      mailserver; Compaqblah; hallintovirkailijat; administrator; Access;
      admin123; admin; webserver; www; Kullan; FormationPLUS; vnc; BOSS;
      pc05; pc04; pc03; pc02; pc01; Professional; Serv-U FTP; serv-u;
      slimftp; lightHTTPD; warftpd; ftpd; proftpd; accounting; account;
      access; serveur ftp; michelle; myftp; mybox; msumer; Compaqsecret;
      Dell; IBM; Acer; m$; IPC; SMB; MS_USER; SMBUSER; fv; billgates; users;
      qaz; z1; aaa; aa; linux; unix; !@; $%^&; !@; $%^; !@; $%; !@; $; !@; ;
      !@; 31337; guest; box5; box4; box3; box2; box1; box; sudo; gameserver;
      game server; H-O; DR; exploited; DiVX-SERVER; DiVX; bill gates;
      Client05; Client04; Client03; Client02; Client01; Client; blah; 05;
      04; 03; 02; 01; ASP.NET; rdp; luna; liverpool; charlie; monkey;
      arsenal; thomas; master; Standard; httpd; apache server; root; owner;
      Admin1; ADMIN; admins; adm; SYSTEM; manager; serveur; Servidor;
      Utilizador; Server; default; Default; xxxxxx; Contgenerale;
      Amministratore; Hallintovirkailijat; Verwalter; Rendszergazda;
      Beheerder; Administracion; Administrat; Administrators;
      Administration; Administratori; Administratore; Administrador';
      Administratoro; Administrada; Administrateur; Administrador; Admin;
      Administrator



Exploit:
It makes use of the following Exploits:
– MS02-018 (Patch for Internet Information Service)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)
– Bagle backdoor (port 2745)
– NetDevil backdoor (port 903)
– Optix backdoor (port 3140)
– SubSeven backdoor (port 27347)


IP address generation:
It creates random IP addresses while it keeps the first octet from its own address. Afterwards it tries to establish a connection with the created addresses.


Remote execution:
–It attempts to schedule a remote execution of the malware, on the newly infected machine. Therefore it uses the NetScheduleJobAdd function.

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: cx10man.we**********.com
Port: 3305
Channel: #mm
Nickname: P|%random character string%

Server: fx010413.w**********.org

Server: gynoman.we**********.com

Server: g.0x**********.biz

Server: c010x1.c**********.cc

Server: commgr.c**********.cc

Server: telephone.dd.bl**********.be

Server: phonewire.dd.bl**********.be

Server: phonelogin.dd.bl**********.be

Server: ufospace.et**********.net

Server: theforums.bb**********.com

Server: cx10man.we**********.com

Server: fx010413.w**********.org

Server: gynoman.we**********.com

Server: g.0x**********.biz

Server: c010x1.c**********.cc

Server: commgr.c**********.cc

Server: telephone.dd.bl**********.be

Server: phonewire.dd.bl**********.be

Server: phonelogin.dd.bl**********.be

Server: ufospace.et**********.net

Server: theforums.bb**********.com

 Process termination List of processes that are terminated:
   • SYSUPD.EXE; SVSHOST.EXE; SVCHOSTC.EXE; MSSMPP.EXE; WINDOWS12.EXE;
      DUP.EXE; NSECURITY.EXE; INSSVC.EXE; DOG.BAT; MSNET.BAT; ROOTKIT2.EXE;
      RUN_BOT.BAT.EXE; LOGONER.EXE; LOGDEC.EXE; WEBXGRAB.EXE; GG.EXE;
      WOLFF.EXE; HZ.EXE; WINPGA.EXE; WQRTUHX.EXE; DMI.EXE; RSPOOL.EXE;
      IRB.EXE; V1RG1N.EXE; ROPNC.EXE; XGUN.EXE; ADV693.EXE; JSSA.EXE;
      V1RGF.EXE; U.EXE; V1Rg1N.EXE; KA6BER.EXE; TEST.EXE; SCANS.EXE;
      SECURAQ.EXE; PS2M.EXE; OURNIK.EXE; O1O2O3O4.EXE; OF.EXE;
      TAMER.BAT.EXE; 5H7H8V6B1C5.EXE; DUAL.EXE; NXM.EXE; GT.EXE; NOPE.EXE;
      M.EXE; LOADADV735.EXE; ABO.EXE; LAM.EXE; BOX.EXE; HTRAN_V1.EXE;
      RSERVER.EXE; JOINED.EXE; HOOKIAT.EXE; UAY.EXE; OWNT.EXE; WNETWORK.EXE;
      WISHS.EXEWSEMGR.EXE; W32SIM.EXE; DISK10.EXE; WINCLEAN.EXE;
      WINUPPD.EXE; ISASS.EXE; WINIOGON.EXE; SPOOISV.EXE; VIDEOATI0.EXE;
      IS67538.EXE; BLKL.EXE; BULK.EXE; MSWDNS32.EXE; WINPKR.EXE;
      WINSNTE.EXE; EBAY.EXE; WANMPSVC.EXE; WEBMSN.EXE; SYSMGR64.EXE;
      WMISM23.EXE; WINUPDATERAR.EXE; WINSOCKET.EXE; SSQL.EXE; MSSQL32.EXE;
      SXOT.EXE; AKBOT.EXE; DC.EXE; DCZ.EXE; DCOMD.EXE; UNIVERSAL.EXE;
      UTILS32.EXE; R00TKIT.EXE; RK.EXE; ROOTKIT.EXE; T00LKIT.EXE;
      UPDATES.EXE; EXE32.EXE; EXE.EXE; DLLHST.EXE; WINDLL.EXE; GSEC.EXE;
      RUNBATCH.EXE; LOADER32.EXE; WEBEX.EXE; DOWNER.EXE; URX.EXE; PNP.EXE;
      ASN.EXE; URXBOT.EXE; FORBOT.EXE; AGOBOTSVC.EXE; WONK.EXE; PB.EXE;
      AG32.EXE; AGO.EXE; A.EXE; PHATBOT.EXE; AGOBOT3.EXE; AGOBOT.EXE;
      SYST3M33R.EXE; WEBDOWNLOADER.EXE; WEBX.EXE; XFTP.EXE; WINNET.EXE;
      WINREG32.EXE; CONVERTXDCCFILE.EXE; MSSERV.EXE; S0CKS.EXE; SOCKETS.EXE;
      SOX.EXE; SOCKS.EXE; CLASS101.EXE; 101.EXE; MSN.EXE; HAX.EXE; T.BAT;
      SDBOT05C.EXE; SDBOT05B.EXE; SD.EXE; SDBOT.EXE; IRXDCC.EXE; OFFER.EXE;
      IRBOT.EXE; IROFFER.EXE; RCC.EXE; WINMRT32.EXE; WINMRT.EXE;
      ANTISPY.EXE; MSANTISPY.EXE; DRWEB32.EXE; KEYLOGG.EXE; KEYLOG.EXE;
      KEYLOGGER.EXE; RDRBS073.EXE; BDCLI073.EXE; HXDEF073.EXE; HXGOLD.EXE;
      HXDOFENA.EXE; RDRBS100.EXE; BDCLI100.EXE; HXDEF100.EXE; XD.EXE;
      XDCCKIT.EXE; KIT.EXE; RUNTHIS.EXE; DIABL0.EXE; DIABLO.EXE; 6.EXE;
      1.EXE; OWNED.EXE; OMFGLOL.EXE; DOOR.EXE; BD.EXE; SUB7.EXE; TROJAN.EXE;
      HONEY.EXE; ROO32.EXE; ROO.EXE; SYSD32.EXE; ANTIBOTTY.EXE; SELEBEK.EXE;
      SEBEK.EXE; HONEYWALL.EXE; HONEYD.EXE; VIRUS32.EXE; VIRUS.EXE; TQ.EXE;
      BEAST.EXE; ACC3PT.EXE; MYKRALOR.EXE; KRALOR.EXEHAXOR.EXE;
      WINSLAVE.EXE; SLAVE32.EXE; SLAVE.EXE; WINMASTER.EXE; DFTPD.EXE;
      TEMP.EXE; STUB.EXE; WRAPPER.EXE; RDR32.EXE; CIAO.EXE; XTC.EXE;
      WSG32.EXE; RADMIN22.EXE; RADMIN21.EXE; RVIEW.EXE; NI.EXE;
      TASKHIDER.EXE; MSWIN32; FOODS.EXE; POSTCARD.EXE; MSDEV32.EXE;
      RUN0NCE.EXE; SPOOLS32.EXE; SPOOL32.EXE; CRSS32.EXE; IEXPLOREE.EXE;
      QQ.EXE; WINDOWS_UPDATER01.EXE; ADDIQ32.EXE; SYSINFO.EXE;
      WUAMKOPPNP.EXE; SCRH0ST.EXE; SVCH0ST32.EXE; SVHOSTS.EXE; SVHOST.EXE;
      IEXPL0RE.EXE; SVC.EXE; ZF.EXE; ZFR.EXE; WINS32.EXE; WUAMGRE.EXE;
      SCRHOST32.EXE; SASSERE.EXE; SASSER.EXE; BLAST.EXE; MSBLAST.EXE;
      HIDERUN.EXE; TCPSHELL.EXE; XSSH.EXE; ICMD.EXE; FTPIT.EXE; NAAB.EXE;
      PUSU.EXE; TBAR.EXE; ARABIAN.EXE; ARABZ.EXE; DGJDJG.EXE; OOOO.EXE;
      OOOOO.EXE; OP.EXE; 2PAC.EXE; LOGIX.EXE; CASH7OC.JPG; 0CASH.EXE;
      CASH.EXE; AOAUTOUPDATENAV.EXE; XDCC_INSTALL.EXEDD.EXE;
      NETWORKACTIVPIAFCTMV1.5.EXE; PEXPLORER.EXE; PROCDUMP32.EXE;
      PROCDUMP.EXE; TLIST.EXE; FPORT.EXE; FILEMON.EXE; PORTMON.EXE;
      PROCEXP.EXE; REGMON.EXE; WINSNIFF.EXE; HOSTMON.EXE; SHAREMON.EXE;
      TCPSTATS.EXE; TCPSTAT.EXE; TCPMON.EXE; TCPDUMP.EXE; TCPVIEWPRO.EXE;
      TCPVIEW.EXE; ZZ.EXE; DBOT.EXE; HBOT.EXE; A.BAT; AG.EXE; RUNDIL.EXE;
      WINPOOCH.EXE; WINMPAT.EXE; MSSSMSNGR6417.EXE; WAUCULT.EXE; JSWTSS.EXE;
      SVCVHOST.EXE; RP5.EXE; BSDMPLDRVR642.EXE; MYHOST.EXE; MSWINS.EXE;
      WINDOWSVISTA.EXE; QKKKU.EXE; MESSENGERR.EXE; ERASEME.EXE; TSKMAGR.EXE;
      CMH.EXE; SMSC.EXE; QTASK.EXE; WUAUMQR1.EXE; WINLOGIN.EXE;
      INTERNET.EXE; CTFMOM.EXE; WINDOWANTASDIVRI.EXE; SCHOST.EXE;
      NEWBOT.EXE; II.EXE; MSSDEV.EXE; ISHOST.EXE; ISMINI.EXE; NL210.BAT;
      WINUPDTSRV.EXE; MSN_UPDATE.EXE; SYSMONXP.EXE; SVCDATA.EXE; REG32.EXE;
      DLL32.EXE; IEXPLORES.EXE; SUSP.EXE; SPOOL.EXE; 568.EXE; CCUPDATE.EXE;
      LOADADV642.EXE; SSC.EXE; VCMON.EXE; MSTSKMGR.EXE; SERVLCES.EXE;
      SERVLCE.EXE; MSLAUGH.EXE; MSNMGR12.EXE; WINFORM32.EXE; DLLX32.EXE;
      RP.EXE; GECKO.EXE; REPTILE.EXE; LRSYS.EXE; SRSHOST.EXE; MSDOS.EXE;
      WUMGRE.EXE; WUMGR.EXE; D3DUPDATE.EXE; I11R54N4.EXE; BBEAGLE32.EXE;
      BBEAGLE2.EXE; BBEAGLE.EXE; BEAGLE.EXE; SSATE.EXE; VHOST.EXE;
      IESERVER.EXE; DSRSS.EXE; SVVOSTS.EXE; UPDAT.EXE; SERVICESMSI.EXE;
      SPOOLMGR.EXE; WINHELP.EXE; NTTDLL.EXE; IRUN4.EXE; SYS_XP.EXE;
      SVCOST.EXE; WINUSB32.EXE; WINUSB.EXE; WINSPOOLER.EXE; WINSOCK.EXE;
      IPCMGR.EXE; WUAMGRD3.EXE; WUAMGRD.EXE; WUAMGR.EXE; LANSAS.EXE;
      XML32.EXE; XML.EXE; WINZ.EXE; WINSYS.EXE; WGAVM.EXE; STDRUN3.EXE;
      TASKDIR.EXE; PMSNGR.EXE; TASKMSG.EXE; WDFMGR32.EXE; NOTAPED.EXE;
      CSRS.EXE; WINCOMM.EXE; WINOCX.EXE; WINLOLX.EXE; JAVANET.EXE;
      MAXD641.EXE; MS.EXE; SERVICE.EXE; MSNLIVE.EXE; WIP.EXE; 666.EXE;
      MYBOT.EXE; MYT0B.EXE; HELLMSN.EXE; FUNNY_PIC.SCR; MSGM.EXE; MSGMR.EXE;
      WINPADG.EXE; HIDE.EXE; HIDDEN.EXE; HIDDEN32.EXE; HIDDENRUN.EXE;
      WINDOWSP.EXE; WINSYSTEM.EXE; SYSTEM32.EXE; SYSTEM.EXE; WINDOW.EXE;
      WINDOWS.EXE; SAVEUNINST.EXE; WUPS.EXE; SVCSHOTER.EXE; WINMAP.EXE;
      MYDOCS.EXE; WINB.EXE; WINNAMPS.EXE; CMRSS.DLL.EXE; WIN.EXE; WIN32.EXE;
      WINIS.EXE; MSNMSG.EXE; MSNMSGS.EXE; XPFIREWALL.EXE; WFDMGR.EXE;
      TASKM0N.EXE; TASKGMR.EXE; WINCFG32.EXE; SYSCFG32.EXE; SYSCFG16.EXE;
      SYSTRA.EXE; RPC32.EXE; MSMGRXP.EXE; SUHOY.EXE; PICX.EXE; MATHCHK.EXE;
      RUNDLL16.EXE; MSSERRV32.EXE; POPWIN.EXE; RUNDII32.EXE; CTXAD.EXE;
      MSHTML3.EXE; MSHTML2.EXE; MSHTML1.EXE; MSHTML.EXE; NDRV.EXE;
      TSKMGR.EXE; PAPERSRV.EXE; IE7.EXE; IE6.EXE; TASKMNGR32.EXE;
      W32GEN.EXE; RUNDLL.EXE; BOT.EXE; CRXBOT.EXE; DNS32.EXERXBOT.EXE;
      DNSSVC.EXE; DNSSRV.EXE; WIN32UPDATE.EXE; WINSVC.EXE; SCSRC.EXE;
      WSERVICES.EXE; WSERVICE.EXE; WINIME.EXE; LINEWSRV.EXE; MICROSOFT.EXE;
      SERVICES32.EXE; WGAREG.EXE; ASN1SYS.EXE; IIEXPLORER.EXE;
      IIEXPLORE.EXE; LSASS_32.EXE; SSSVHOST.EXE; KERNEL32.EXE; SPOOLVS.EXE;
      SPOOLV.EXE; MSNMSGRR.EXE; MSMMSGR.EXE; MSNER.EXE; MSNUPDATER.EXE;
      MSNUPDATE.EXE; ALG32.EXE; INSTALL_SP.EXE; TMRSERVICE.EXE; MSNPLUS.EXE;
      MSMPLS.EXE; YESBRON.COM; WINLOGON32.EXE; WINL0GIN.EXE; WINL0GON.EXE;
      AK.EXE; AKWID.EXE; SYSER.EXE; WINUPD.EXE; SYS.EXE; WINRPC.EXE;
      LSASS32.EXE; MSDEVELOP.EXE; NETMSN.EXE; WINSOCKX32.EXE; SSERRVV.EXE;
      WINSYS_32.EXE; SERRV.EXE; MYSVCC.EXE; SPOOLSS.EXE; NTSF.EXE; WKS.EXE;
      BINGO.EXE; BINGOO.EXE; SCRHOST.EXE; SVLHOST.EXE; WINSINI.EXE;
      AAAAMON.EXE; DPNWSOCK.EXE; LMHSVC.EXE; S32EVNT1.EXE; DMLOADER.EXE;
      DSKQUOTA.EXE; CATSRV.EXE; RASAPI32.EXE; WINTEMP.EXE; DRIVES.EXE;
      IRDVXC.EXE; CASHBACK.EXE; MSUSB.EXE; MSUPSRV.EXE; MSJAVA.EXE;
      MS-JAVA.EXE; WININET.EXE; WINIOGIN.EXE; MSXML.EXE; NETAPI[1].EXE;
      NETAPI32.EXE; NETAPI.EXE; WINRNR.EXE; WALLPAP[1].EXE; WALLPAP.EXE;
      WINSYSMNGR32.EXE; WINLOAD.EXE; WINCMD.EXE; NETLOGON.EXE;
      EXPLORER32.EXE; DIHF.EXE; WINTASK32.EXE; WINCODECS.EXE; SXSERV101.EXE;
      MSSECURE32.EXE; MSEXPLORE.EXE; DLLSYS64.EXE; SVCHOZT.EXE;
      LIBSYS32.EXE; DLLMGR64.EXE; CRSSCS.EXE; CRSSS.EXE; SMSSS.EXE;
      LSASSS.EXE; ROFL.EXE; LOL.EXE; ROTFLZ.EXE; SVWHOST32.EXE;
      IELOWER2.EXE; IELOWER.EXE; LOWER.EXE; BL0W.EXE; SVCH0ST.EXE;
      WINUPDATES.EXE; WKSSR.EXE; PERFONT.EXE; QTTASK.BAT; MSUPDATE.EXE;
      MSNXPLIVE.EXE; SALVAGE.EXE; FHM.EXE; MSCRASH.EXE; RECSL.EXE;
      BRWCONF.EXE; MSSERV32.EXE; M2.2.EXE; WINDIR32.EXE; ZANGO.EXE;
      RUNJAVA.EXE; SERVICENT.EXE; CSVHOST.EXE; MS32.EXE; W32.EXE; Z.EXE;
      DLL64.EXE; SERV454.EXE; MSIE701.EXE; WINRARX.EXE; UPDATE32.EXE;
      GREEN.EXE; BLING.EXE; CRSSR.EXE; WNL.EXE; OWINSSAP.EXE; SVCHOST32.EXE;
      SVCHOSTS.EXE; RBOT.EXE; SVHOST32.EXE; SVHOSTCS32.EXE; SMS.EXE;
      SEEKMO.EXE; SASS.EXE; SHOST.EXE; SYS32.EXE; SVCCHOSST.EXE;
      BOTPACKED.EXE; EXXPLORER.EXE; IEXPLORE7.EXE; IEXPLORE6.EXE;
      IEXPLOR.EXE; PENIS32.EXE; WORM32.EXE;
      C27D8FEF-D7AE-42C0-82E6-F30598265639.EXE; SCRTKFG.EXE; MSAPPVIEW32.EXE


 Stealing It tries to steal the following information:
– Windows Product ID
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, April 1, 2010
Description updated by Andrei Ivanes on Thursday, April 1, 2010

Back . . . .
 
 
 
 

© 2013 Avira Operations GmbH & Co. KG. All rights reserved.

My Account

https:// This window is encrypted for your security.