Virus: TR/Click.Outtol.A
Date discovered: 13/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 237.568 Bytes
MD5 checksum: 1acddaae2e00b99fd33794cfcad6f2f1
IVDF version: 7.10.09.77 - Tuesday, July 13, 2010

General

Aliases:
   • Bitdefender: Trojan.Agent.VB.BMU
   • Panda: Trj/KillAV.NK
   • Eset: Win32/AutoRun.VB.RF

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to security websites
   • Lowers security settings
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files

It copies itself to the following location:
   • %HOME%\%current username% 1\winlogon.exe

It deletes the following file:
   • %HOME%\%hex values%\wlo.exe

The following files are created:

– %HOME%\%current username% 1\VERSION.TXT

– %HOME%\%hex values%\wlo.exe
   Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
   Detected as: Worm/Esfury.A.361

– %HOME%\%current username% 1\wlo.exe
   Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
   Detected as: TR/Agent.cfn

– %HOME%\%hex values%\winlogon.exe
   Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.
   Detected as: Worm/Esfury.A.361

– %SYSDIR%\drivers\etc\hosts
   Further investigation pointed out that this file is malware, too.
   Detected as: TR/AntiHosts.Gen

– C:\winlogon.exe
   Further investigation pointed out that this file is malware, too.
   Detected as: TR/Agent.cfn

– %ALLUSERSPROFILE%\Start Menu\Programs\Startup\winlogon.exe
   Further investigation pointed out that this file is malware, too.
   Detected as: TR/Agent.cfn

It tries to download some files:

– The location is the following:
   • http://0-1-0-0-1-0-0-0-1-0-1-1-0-1-1-1-1-0-1-1-1-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info/**********

– The locations are the following:
   • http://%character string%.che**********.info/?PWaevb7Nu6Pppnsx6gbJMPnnDHUPqa5W9MLXtueIMdn1UfoRhsYDY8CbrOJ2YW04vJu4DpIcWdQXStTkQpLfTX8JfIwCy04EIgcRu2UZn1MvgwU3RG5QM5jqXgCDmq84LTikYxahcv97XSH58hkn2TklKhDm7qqWQpLfTX8JfIwCy04EIgcRg9FZGYCYZCcOiNZSAtq1DtN1pCkFSIZOW0sqa0jm=%character string%
   • http://%character string%.che**********.info/?imp_728*90=%character string%

– The location is the following:
   • http://whos.amung.us/widget/**********/

– The location is the following:
   • http://widgets.amung.us/small/07/**********

– The location is the following:
   • http://whos.amung.us/swidget/**********

– The location is the following:
   • http://0-1-0-0-1-0-0-0-1-0-1-1-0-1-1-1-1-0-1-1-1-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info/flv/**********

– The location is the following:
   • http://widgets.amung.us/classic/02/**********

It tries to execute the following file:

– Filename:
   • "%HOME%\%hex values%\winlogon.exe" ctfmon.exe

Registry

The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\%hex values%\winlogon.exe"
   • "NVIDIA Media Center Library"="%HOME%\%current username% 1\winlogon.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\%hex values%\winlogon.exe"
   • "NVIDIA Media Center Library"="%HOME%\%current username% 1\winlogon.exe"

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   • "Start"=dword:0x00000004

The values of the following registry key are removed:

– [HKLM\SOFTWARE\Classes\lnkfile]
   • IsShortcut

It creates the following entries in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   • "DisableNotifications"=dword:0x00000001
   • "DoNotAllowExceptions"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
   • "DisableNotifications"=dword:0x00000001
   • "DoNotAllowExceptions"=dword:0x00000000
   • "EnableFirewall"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%HOME%\%hex values%\winlogon.exe"="%HOME%\%hex values%\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServer.exe]
   • "Debugger"=""%HOME%\27F6471627473796E696D64614\winlogon.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ChromeSetup.exe]
   • "Debugger"=""%HOME%\27F6471627473796E696D64614\winlogon.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\88[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\055[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\521[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoFile"=dword:0x00000001
   • "NoFolderOptions"=dword:0x00000001
   • "NoRun"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\002.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\074[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   • "ConsentPromptBehaviorAdmin"=dword:0x00000000
   • "EnableLUA"=dword:0x00000000
   • "PromptOnSecureDesktop"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\633[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\432[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\521.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'' .exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:0x00000001
   • "DisableTaskMgr"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
   • "Progid"="IE.HTTP"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\003[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\003.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   • "%HOME%\%hex values%\winlogon.exe"="RUNASADMIN"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\052[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\035[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\053.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\005[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
   • "DisableMonitoring"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\13.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\042[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
   • "Progid"="IE.AssocFile.HTM"

– [HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%HOME%\%hex values%\winlogon.exe"="%HOME%\%hex values%\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"

– [HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings]
   • "Enabled"="0"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe]
   • "Debugger"=""%HOME%\27F6471627473796E696D64614\winlogon.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe]
   • "Debugger"=""%HOME%\27F6471627473796E696D64614\winlogon.exe""

– [HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
   • "Enabled"="0"

– [HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
   • "HomePage"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Security Center\Monitoring]
   • "DisableMonitoring"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   • "NoFolderOptions"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\864[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\081[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\042.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKCU\Software\Policies\Microsoft\Windows\System]
   • "DisableCMD"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
   • "AntiSpywareOverride"=dword:0x00000000
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000000
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000000
   • "FirstRunDisabled"=dword:0x00000001
   • "UacDisableNotify"=dword:0x00000001
   • "UpdatesDisableNotify"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallControlPanel.exe]
   • "Debugger"=""%HOME%\27F6471627473796E696D64614\winlogon.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\091[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
   • "NoAutoRebootWithLoggedOnUsers"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   • "%HOME%\%hex values%\winlogon.exe"="RUNASADMIN"

– [HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
   • "EnableFirewall"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
   • "Progid"="IE.FTP"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   • "Default_Page_URL"="http://5k32pez9uwowdo0.directorio-w.com"
   • "Default_Search_URL"="http://61ohz4fld059059.directorio-w.com"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\027[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\082.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
   • "EnableFirewall"=dword:0x00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\004.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe]
   • "Debugger"=""%HOME%\27F6471627473796E696D64614\winlogon.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\06.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%HOME%\%hex values%\winlogon.exe"="%HOME%\%hex values%\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiSpyWareDisableNotify"=dword:0x00000001
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000000
   • "AutoUpdateDisableNotify"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "InternetSettingsDisableNotify"=dword:0x00000001
   • "UacDisableNotify"=dword:0x00000001
   • "cval"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\051.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'rorre' .exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\084.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\021[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\061[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\052.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
   • "Debugger"=""%HOME%\27F6471627473796E696D64614\winlogon.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\006.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\827[.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Diskmon.exe]
   • "Debugger"=""%HOME%\27F6471627473796E696D64614\winlogon.exe""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\09.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

– [HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
   • "DisableMonitoring"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
   • "Progid"="IE.HTTPS"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ 003[[=s rav;eslaf=p rav;eslaf=b rav;ib.exe]
   • "Debugger"=""%WINDIR%\twunk_16.exe""

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   New value:
   • "DisableSR"=dword:0x00000001

– [HKLM\SOFTWARE\Classes\ftp\shell\open\command]
   New value:
   • "@"=""%PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE""

– [HKLM\SYSTEM\CurrentControlSet\Services\Sr]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SOFTWARE\Classes\https\shell\open\command]
   New value:
   • "@"=""%PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE""

– [HKCU\Control Panel\Sound]
   New value:
   • "Beep"="no"

– [HKLM\SOFTWARE\Classes\http\shell\open\command]
   New value:
   • "@"=""%PROGRAM FILES%\Internet Explorer\IEXPLORE.EXE""

– [HKLM\SOFTWARE\Classes\http\shell\open\ddeexec\Application]
   New value:
   • "@"="IExplore"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Disable Script Debugger"="Yes"
   • "Local Page"="http://j4d1677o5i4b992.directorio-w.com"
   • "Search Page"="http://z027305rxhiu861.directorio-w.com"
   • "Start Page"="http://oou30vs938ikf65.directorio-w.com"

– [HKLM\SOFTWARE\Classes\https\shell\open\ddeexec\Application]
   New value:
   • "@"="IExplore"

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN]
   New value:
   • "Default_Page_URL"="http://g1sp91vn21u1rm1.directorio-w.com"
   • "Default_Search_URL"="http://589980kqkmulj48.directorio-w.com"
   • "Local Page"="http://cw356qr302m63gl.directorio-w.com"
   • "Search Page"="http://tft17fi9ekwn7u0.directorio-w.com"
   • "Start Page"="http://j147m23v4t1n5ai.directorio-w.com"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002
   • "HideFileExt"=dword:0x00000003
   • "ShowSuperHidden"=dword:0x00000000
   • "SuperHidden"=dword:0x00000001

– [HKLM\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application]
   New value:
   • "@"="IExplore"

Hosts

The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains are redirected to other destinations:
Miscellaneous
Checks for an internet connection by contacting the following web site:
• http://www.whatismyip.org

Mutex: It creates the following mutex:
• @0MPfV5@mqt

File details
Programming language: The malware program was written in Visual Basic.
Runtime packer: To make detection harder and to reduce the size of the file, it is packed with a runtime packer.
Description inserted by Petre Galan on Wednesday, November 24, 2010
Description updated by Petre Galan on Wednesday, November 24, 2010