Virus: Worm/Kolab.jre
Date discovered: 04/01/2011
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 153.602 Bytes
MD5 checksum: 09dfdc6e89b59c74d4e23854809780a3
VDF version: 7.10.07.145
IVDF version: 7.11.01.20 - Tuesday, January 4, 2011

General
Methods of propagation:
   • Autorun feature
   • Local network
   • Messenger


Aliases:
   •  Bitdefender: Trojan.Generic.4502934
   •  Panda: W32/Kolabc.BH.worm
   •  Eset: Win32/AutoRun.IRCBot.FE


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Third party control
   • Blocks access to certain websites
   • Blocks access to security websites
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\wmpsd2.exe
   • %drive%\13254326.exe

It overwrites the following file:
   • %SYSDIR%\drivers\etc\hosts



It deletes the initially executed copy of itself.



The following files are created:

   • %drive%\autorun.inf: a non-malicious text file with the following content:
      %code that runs malware%

   • %TEMPDIR%\AIJ.dll: further investigation pointed out that this file is malware, too. Detected as: TR/Agent.rkh

   • %HOME%\Application Data\k8bgJAiNJk



It tries to execute the following file:
   • ipconfig /flushdns

Registry
It creates the following entries in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\wmpsd2.exe"="%SYSDIR%\wmpsd2.exe:*:Enabled:LAN Router"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\wmpsd2.exe"="%SYSDIR%\wmpsd2.exe:*:Enabled:LAN Router"



The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
   • "Debugger"="wmpsd2.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
   • "%SYSDIR%\wmpsd2.exe"="DisableNXShowUI"

Messenger
It is spreading via Messenger. The characteristics are described below:

Yahoo Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process will start again.

Network Infection
In order to ensure its propagation, the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following exploits:
   • MS04-007 (ASN.1 Vulnerability)
   • MS06-040 (Vulnerability in Server Service)

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: ns53.aut**********.net
Port: 6303
Channel: #net
Nickname: N|USA|N-2H2|0|XP|%number%

Hosts
The hosts file is modified as explained:

Access to the following domains is effectively blocked:
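As an added example (not part of the Avira description and not the worm's code), the following Python audits a Windows hosts file for the kind of modification described above: public names, security vendor and update sites among them, sinkholed to loopback or redirected to a foreign address. The watchlist of domain suffixes and the sample hosts content are constructed for illustration.

```python
"""Audit a Windows hosts file for the tampering described above: public names
(security vendor and update sites) mapped to loopback or to a foreign address.
Added example; the watchlist and sample content are constructed, not captured."""
import ipaddress

# Names that a clean hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
# RFC 1918 / IPv6 ULA ranges: static mappings there are normal for intranet names.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Constructed watchlist of domain suffixes worth protecting (illustrative only).
WATCHLIST = ("avira.com", "kaspersky.com", "bleepingcomputer.com",
             "virustotal.com", "microsoft.com", "symantec.com")

def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) per effective entry; skips blank lines,
    comments (whole-line and inline) and lines not starting with a valid IP."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield lineno, ip, [h.lower().rstrip(".") for h in fields[1:]]

def on_watchlist(name, watchlist=WATCHLIST):
    """True if name equals, or is a subdomain of, a watchlist suffix."""
    return any(name == s or name.endswith("." + s) for s in watchlist)

def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings as (lineno, hostname, ip, kind, watchlisted) tuples.
    kind is 'sinkholed' (loopback/unspecified target) or 'redirected' (any
    other non-internal target); local names and internal ranges are ignored."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if any(ip in net for net in INTERNAL_NETS):
            continue
        kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        for name in names:
            if name not in LOCAL_NAMES:
                findings.append((lineno, name, str(ip), kind,
                                 on_watchlist(name, watchlist)))
    return findings

def verdict(findings, max_sinkholed=5):
    """Tampering is likely if a watchlisted domain is remapped, or if many
    public names are sinkholed at once (this worm adds hundreds)."""
    if any(f[4] for f in findings):
        return "tampered: watchlisted domain remapped"
    sinkholed = sum(1 for f in findings if f[3] == "sinkholed")
    if sinkholed > max_sinkholed:
        return "tampered: %d public names sinkholed" % sinkholed
    return "no tampering indicators"

# Constructed sample hosts file, not captured from an infected machine.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example
127.0.0.1 www.avira.com
127.0.0.1 www.kaspersky.com      # appended in the style of the worm
0.0.0.0   download.bleepingcomputer.com
192.0.2.10 WWW.VIRUSTOTAL.COM.
"""

if __name__ == "__main__":
    for lineno, name, ip, kind, watched in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s%s)" % (lineno, name, ip, kind,
                                            ", watchlisted" if watched else ""))
    print(verdict(audit_hosts(SAMPLE_HOSTS)))
```

On a live system, read %SYSDIR%\drivers\etc\hosts and pass its text to audit_hosts; a clean file yields no findings beyond deliberate administrator entries.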


Process termination
List of processes that are terminated:


Injection
It injects itself as a remote thread into a process.

Process name:
   • explorer.exe


Miscellaneous
Checks for an internet connection by contacting the following web site:
   • http://www.whereismyip.org
Accesses internet resources:
   • http://s82.epicphotohost.com/net/**********
   • http://195.137.213.67/net/**********


Mutex:
It creates the following Mutex:
   • V8x

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, January 20, 2011
Description updated by Petre Galan on Thursday, January 20, 2011
