Date discovered: 18/06/2012
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Medium
File size: 383949 Bytes
MD5 checksum: 22655eb0f179c1e2d56eb4ff8963cba4
VDF version:
IVDF version:

General Method of propagation:
   • No own spreading routine

Aliases:
   • Mcafee: potentially
   • Eset: Win32/Adware.PCMega.A application

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Right after execution the following information is displayed:

Files:
The following files are created:

– Temporary files that might be deleted afterwards:
   • %temporary internet files%\Content.IE5\C9AVS1AR\time[1].js
   • %temporary internet files%\Content.IE5\C9AVS1AR\ie[1].css
   • %temporary internet files%\Content.IE5\O5M7O5Q3\top-line[1].gif
   • %temporary internet files%\Content.IE5\O5M7O5Q3\bloqueado[1].png
   • %temporary internet files%\Content.IE5\4TQB812Z\MobiMidia_validation[1].js
   • %temporary internet files%\Content.IE5\C9AVS1AR\mt-core[1].js
   • %temporary internet files%\Content.IE5\4TQB812Z\carregando[1].gif
   • %temporary internet files%\Content.IE5\4TQB812Z\stats[1].htm
   • %temporary internet files%\Content.IE5\G9YZGDQJ\stats[1].htm
   • %temporary internet files%\Content.IE5\C9AVS1AR\i[1].gif
   • %temporary internet files%\Content.IE5\G9YZGDQJ\style2[2].css
   • %temporary internet files%\Content.IE5\G9YZGDQJ\style3[1].css
   • %temporary internet files%\Content.IE5\G9YZGDQJ\principal[1].htm
   • %temporary internet files%\Content.IE5\C9AVS1AR\principal[1].htm
   • %temporary internet files%\Content.IE5\O5M7O5Q3\style1[2].css
   • %HOME%\Local Settings\History\History.IE5\MSHist012012052920120530\index.dat

Registry:
The following registry key is added:

– [HKCR\CLSID\{EF82CDEB-5B9B-4DC0-9E15-0A74975776FE}\LocalServer32]
   • @="C:\sample.exe"

Miscellaneous:
Internet connection:
In order to check for its internet connection, the following DNS servers are contacted:
   • www.**********
   • www.**********
   • t1.**********
   • e1.**********

Event handler:
It creates the following Event handlers:
   • GetKeyState
   • ReadProcessMemory
   • WriteProcessMemory
   • SetWindowsHook
   • InternetOpen
   • CreateFile

Furthermore it contains the following strings:
   • maestro
   • card
   • check
   • pin

File details:
Programming language:
The malware program was written in Delphi.

Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Wensin Lee on Wednesday, June 20, 2012
Description updated by Wensin Lee on Wednesday, June 20, 2012
