Virus: TR/WSearch.503808
Date discovered: 18/05/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 503.808 Bytes
MD5 checksum: 26983eec770d46b7f7974ca00e6dff15
IVDF version: 7.10.08.186 - Friday, June 25, 2010

General Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.Adload.skw
   •  VirusBuster: Adware.Rugo.RD
   •  Eset: Win32/Adware.WSearch.AD


Platform / OS:
   • Windows XP


Side effects:
   • Drops a file
   • Drops malicious files

Files:
The following files are created:

– Non malicious file:
   • %WINDIR%\Tasks\ms.job

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\h8nil4o8\2.dll
   • %TEMPDIR%\h8nil4o8\3.dll
   • %TEMPDIR%\h8nil4o8\b.dll
   • %TEMPDIR%\h8nil4o8\4.dll

– Malicious files:
   • %SYSDIR%\799d.exe
     Furthermore, it is executed once it has been fully written to disk. Further investigation showed that this file is malware, too.
   • %SYSDIR%\9bee.dll
   • %SYSDIR%\977o.dll

Registry:
It registers a browser helper object (BHO) by adding the following key:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\D408BD6C-6563-4ea7-8656-9D55DD65A1AC]
   • @="Microsoft User"
The following registry keys are added:

– [HKCR\BHO.FunPlayer.1]
   • @="CFunPlayer Object"

– [HKCR\BHO.FunPlayer.1\CLSID]
   • @="{D408BD6C-6563-4ea7-8656-9D55DD65A1AC}"
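As a defender-side check that is not part of the Avira description, the following PowerShell enumerates the Browser Helper Objects registered on a host, resolves each CLSID to the DLL Internet Explorer would load, and flags the CLSID listed above. The registry paths and cmdlets are standard Windows; the CLSID is the one from this description.

```powershell
# Added example (not from the Avira description): list registered Browser Helper
# Objects and flag the CLSID this description associates with TR/WSearch.503808.
$KnownBadClsid = '{D408BD6C-6563-4ea7-8656-9D55DD65A1AC}'   # taken from the registry section above

# BHO registrations live under HKLM (and the Wow6432Node view on 64-bit Windows).
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

$results = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        # The subkey name is the CLSID; normalise to the braced form used under HKCR\CLSID.
        $clsid = $key.PSChildName
        if ($clsid -notlike '{*}') { $clsid = "{$clsid}" }

        # The '(default)' value is the display name (this sample uses "Microsoft User").
        $name = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).'(default)'

        # The COM in-process server is the DLL that Internet Explorer actually loads.
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'

        [pscustomobject]@{
            CLSID   = $clsid
            Name    = $name
            Module  = $dll
            Flagged = ($clsid -ieq $KnownBadClsid)
        }
    }
}

$results | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell; besides a flagged row, a Module path pointing at a short random name in the system directory (as in the file list above) is worth a closer look.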

File details:
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Florian Burlefinger on Friday, June 25, 2010
Description updated by Florian Burlefinger on Tuesday, June 29, 2010
