Virus: TR/Buzus.dhxv
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 273.415 Bytes
MD5 checksum: bb1c8ec022fc800dc5a7f4a217c47e2a

General

Methods of propagation:
   • Autorun feature
   • Local network
   • Messenger


Aliases:
   •  Sophos: Troj/Nyrate-L
   •  Panda: W32/IRCbot.CVD
   •  Eset: Win32/AutoRun.IRCBot.DZ
   •  Bitdefender: Backdoor.Tofsee.Gen


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files

It copies itself to the following locations:
   • %drive%\conime.exe
   • %SYSDIR%\wcoredt.exe



It overwrites a file.
%SYSDIR%\drivers\etc\hosts



It deletes the initially executed copy of itself.



The following file is created:

%drive%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%




It tries to download a file:

– The location is the following:
   • http://up.g-youtube.info/net/**********




It tries to execute the following commands:
   • ipconfig /flushdns
   • sc delete K7TSMngr
   • net stop "avast! Antivirus"
   • sc stop "avast! Antivirus"
   • sc config "avast! Antivirus" start= disabled
   • net1 stop "avast! Antivirus"
   • sc delete "avast! Antivirus"
   • net stop AntiVirService
   • sc stop AntiVirService
   • sc config AntiVirService start= disabled
   • net1 stop AntiVirService
   • net stop K7RTScan
   • sc delete AntiVirService
   • net stop PASRV
   • sc stop PASRV
   • net1 stop PASRV
   • sc config PASRV start= disabled
   • sc delete PASRV
   • net stop VSSERV
   • sc stop VSSERV
   • sc config VSSERV start= disabled
   • net1 stop VSSERV
   • sc stop K7RTScan
   • sc delete VSSERV
   • net stop avg8wd
   • sc stop avg8wd
   • sc config avg8wd start= disabled
   • net1 stop avg8wd
   • sc delete avg8wd
   • net stop avg9wd
   • sc stop avg9wd
   • net1 stop avg9wd
   • sc config avg9wd start= disabled
   • sc config K7RTScan start= disabled
   • sc delete avg9wd
   • net stop NOD32krn
   • sc stop NOD32krn
   • net1 stop NOD32krn
   • sc config NOD32krn start= disabled
   • sc delete NOD32krn
   • net stop ekrn
   • sc stop ekrn
   • net1 stop ekrn
   • sc config ekrn start= disabled
   • net1 stop K7RTScan
   • sc delete ekrn
   • net stop McShield
   • sc stop McShield
   • net1 stop McShield
   • sc config McShield start= disabled
   • sc delete McShield
   • net stop OutpostFirewall
   • sc stop OutpostFirewall
   • sc config OutpostFirewall start= disabled
   • sc delete K7RTScan
   • net stop K7TSMngr
   • sc stop K7TSMngr
   • sc config K7TSMngr start= disabled
   • net1 stop K7TSMngr

Registry

The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "conime.exe"="conime.exe"



The following registry keys including all values and subkeys are removed:
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]



It creates the following entries in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\wcoredt.exe"="%SYSDIR%\wcoredt.exe:*:Enabled:LAN Router"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\conime.exe]
   • "Debugger"="wcoredt.exe"

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\wcoredt.exe"="DisableNXShowUI"

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "CheckedValue"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002

Messenger

It spreads via Messenger. The characteristics are described below:

– MSN Messenger
– Yahoo Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

Network Infection

In order to ensure its propagation, the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

IRC

To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: ptr.b-y**********.info
Port: 7231
Channel: #ops
Nickname: N|USA|V2B|0|XP|%number%

Server: comt0.d-y**********.info
Port: 6104
Channel: #ops
Nickname: N|USA|V2B|0|XP|%number%

Hosts

The hosts file is modified as explained:

– Access to the following domains is redirected to other destinations:


Process termination

List of processes that are terminated:
   • MSMPENG.EXE; MSASCUI.EXE; GUARDXKICKOFF.EXE; GUARDXSERVICE.EXE;
      VIRUSUTILITIES.EXE; VBA32-PERSONAL-LATEST-ENGLISH.EXE;
      TrendMicro_TISPro_16.1_1063_x32.EXE; WITSETUP.EXE; AVINSTALL.EXE;
      K7TS_SETUP.EXE; P08PROMO.EXE; ISSDM_EN_32.EXE; VIPRE.EXE;
      UNLOCKER.EXE; UNLOCKERASSISTANT.EXE; UNLOCKER1.8.7.EXE;
      REGUNLOCKER.EXE; COMPAQ_PROPIETARIO.EXE; ATF-CLEANER.EXE;
      SAFEBOOTKEYREPAIR.EXE; OTMOVEIT3.EXE; HOSTSXPERT.EXE; DAFT.EXE; VIRUS.EXE;
      HIJACK-THIS.EXE; MRT.EXE; MRTSTUB.EXE; WINDOWS-KB890930-V2.2.EXE;
      HJ.EXE; ELISTA.EXE; PENCLEAN.EXE; MBAM-SETUP.EXE; MBAM.EXE; AVZ.EXE;
      JAJA.EXE; OTMOVEIT.EXE; MBAM-SETUP.EXE; REGMON.EXE; COMBO-FIX.EXE;
      COMBOFIX.BAT; COMBOFIX.SCR; COMBOFIX.COM; NTVDM.EXE; GUARD.EXE;
      LISTO.EXE; TCPVIEW.EXE; REGEDIT.COM; REGEDIT.SCR; FOLDERCURE.EXE;
      KILLAUTOPLUS.EXE; MYPHOTOKILLER.EXE; REG.EXE; TASKKILL.EXE;
      AUTORUNS.EXE; SRENGPS.EXE; COMBOFIX.EXE; SDFIX.EXE; CATCHME.EXE;
      GMER.EXE; MBR.EXE; CF9409.EXE;
      REGUNLOCKER.EXE; TSNTEVAL.EXE; XP_TASKMGRENAB.EXE; SUPERANTISPYWARE.EXE;
      BOOTSAFE.EXE; SRESTORE.EXE; MSNCLEANER.EXE; BUSCAREG.EXE;
      KAKASETUPV6.EXE; SUPERKILLER.EXE; DUBATOOL_AV_KILLER.EXE;
      DELAYDELFILE.EXE; SEEM.EXE; BC5CA6A.EXE; ROOTALYZER.EXE;
      ROOTKITBUSTER.EXE; HELIOS.EXE; DARKSPY105.EXE; HOOKANLZ.EXE;
      PAVARK.EXE; SRENGLDR.EXE; APORTS.EXE; FPORT.EXE; PORTDETECTIVE.EXE;
      PORTMONITOR.EXE; NETSTAT.EXE; OLLYDBG.EXE; HJTINSTALL.EXE;
      HJTSETUP.EXE; HIJACKTHIS_SFX.EXE; HIJACKTHIS.EXE; HIJACKTHIS_V2.EXE;
      MSNFIX.EXE; PROCEXP.EXE; TASKMAN.EXE; TASKLIST.EXE; TASKMON.EXE;
      PSKILL.EXE; ROOTKITREVEALER.EXE; FSBL.EXE; FSB.EXE; AVGARKT.EXE;
      ROOTKIT_DETECTIVE.EXE; UNHACKME.EXE; HACKMON.EXE; RKD.EXE;
      ROOTKITNO.EXE; REANIMATOR.EXE; HOOKANLZ.EXE; ROOTREPEAL.EXE;
      ICESWORD.EXE; LORDPE.EXE; PG2.EXE; PROCDUMP.EXE; PROCESSMONITOR.EXE;
      SPYBOTSD160.EXE; TEATIMER.EXE; SPYBOTSD.EXE; WIRESHARK.EXE; APM.EXE;
      APT.EXE; ASVIEWER.EXE; CPORTS.EXE; CPROCESS.EXE; DLLCOMPARE.EXE;
      A2HIJACKFREESETUP.EXE; EULALYZERSETUP.EXE; FILEALYZ.EXE; FILEFIND.EXE;
      FIXPATH.EXE; HOSTSFILEREADER.EXE; IEFIX.EXE; AVENGER.EXE;
      INSTALLWATCHPRO25.EXE; KILLBOX.EXE; NETALYZ.EXE; OBJMONSETUP.EXE;
      PGSETUP.EXE; FIXBAGLE.EXE; CUREIT.EXE; PROCMON.EXE;
      PROJECTWHOISINSTALLER.EXE; REGALYZ.EXE; REGCOOL.EXE;
      REGISTRAR_LITE.EXE; REGSCANNER.EXE; REGSHOT.EXE; REGX2.EXE; SPF.EXE;
      SRENGLDR.EXE; STARTDRECK.EXE; SYSANALYZER_SETUP.EXE; UNIEXTRACT.EXE;
      UNLOCKER1.8.7.EXE; RAVP.EXE; MBAM.EXE; USBGUARD.EXE; AVZ.EXE; OTL.EXE;
      CPF.EXE; ZLCLIENT.EXE; 123.COM; 123.EXE


File details

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, June 7, 2010
Description updated by Petre Galan on Monday, June 7, 2010
