Virus: Adware/PCMeg.C
Date discovered: 18/06/2012
Type: Adware/Spyware
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Medium
File size: 383949 Bytes
MD5 checksum: 22655eb0f179c1e2d56eb4ff8963cba4
VDF version: 7.11.33.62 - Monday, June 18, 2012
IVDF version: 7.11.33.62 - Monday, June 18, 2012

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  McAfee: potentially
   •  Eset: Win32/Adware.PCMega.A application


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification


Right after execution the following information is displayed:


Files
The following files are created:

– Temporary files that might be deleted afterwards:
   • %temporary internet files%\Content.IE5\C9AVS1AR\time[1].js
   • %temporary internet files%\Content.IE5\C9AVS1AR\ie[1].css
   • %temporary internet files%\Content.IE5\O5M7O5Q3\top-line[1].gif
   • %temporary internet files%\Content.IE5\O5M7O5Q3\bloqueado[1].png
   • %temporary internet files%\Content.IE5\4TQB812Z\MobiMidia_validation[1].js
   • %temporary internet files%\Content.IE5\C9AVS1AR\mt-core[1].js
   • %temporary internet files%\Content.IE5\4TQB812Z\carregando[1].gif
   • %temporary internet files%\Content.IE5\4TQB812Z\stats[1].htm
   • %temporary internet files%\Content.IE5\G9YZGDQJ\stats[1].htm
   • %temporary internet files%\Content.IE5\C9AVS1AR\i[1].gif
   • %temporary internet files%\Content.IE5\G9YZGDQJ\style2[2].css
   • %temporary internet files%\Content.IE5\G9YZGDQJ\style3[1].css
   • %temporary internet files%\Content.IE5\G9YZGDQJ\principal[1].htm
   • %temporary internet files%\Content.IE5\C9AVS1AR\principal[1].htm
   • %temporary internet files%\Content.IE5\O5M7O5Q3\style1[2].css
   • %HOME%\Local Settings\History\History.IE5\MSHist012012052920120530\index.dat

Registry
The following registry key is added:

– [HKCR\CLSID\{EF82CDEB-5B9B-4DC0-9E15-0A74975776FE}\LocalServer32]
   • @="C:\sample.exe"

LocalServer32 holds the command line of an out-of-process COM server, so this entry registers the sample itself as the server for that CLSID. C:\sample.exe is the path the sample was run from during analysis; on a live system expect the value to point at wherever the file was actually executed.
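A practical way to hunt for this kind of persistence is to export HKCR\CLSID and look for LocalServer32 entries whose binary lives outside the usual program directories. The script below is an added example for this description, not Avira's tooling: it parses a `.reg` export, unescapes the default value of each LocalServer32 key, extracts the executable from the command line (quoted or not) and flags servers outside a trusted-directory allow-list. The embedded export is constructed; only the CLSID {EF82CDEB-5B9B-4DC0-9E15-0A74975776FE} and its value C:\sample.exe come from the report, the other two CLSIDs and paths are made up.

```python
"""Sweep a Windows registry export (.reg text) for out-of-process COM
servers (CLSID\\...\\LocalServer32) that point outside trusted directories.

Added example for this description; not Avira's tooling. The .reg text
below is constructed: only the CLSID {EF82CDEB-5B9B-4DC0-9E15-0A74975776FE}
and its value C:\\sample.exe come from the report, the others are made up.
"""
import re
from typing import Dict, List, Tuple

# Directories an out-of-process COM server is normally served from.
# A server at a drive root, in %TEMP% or in a user profile is worth a look.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Matches [HKEY_CLASSES_ROOT\CLSID\{...}\LocalServer32]; HKCR shorthand also accepted.
KEY_RE = re.compile(
    r"^\[(?:HKEY_CLASSES_ROOT|HKCR)\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\LocalServer32\]$"
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')   # the key's default (@) value


def unescape_reg_string(value: str) -> str:
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_local_servers(reg_text: str) -> Dict[str, str]:
    """Map each CLSID to the command line stored in its LocalServer32 key."""
    servers: Dict[str, str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            continue
        if line.startswith("["):
            current = None                    # some other key; stop collecting
            continue
        if current:
            value = DEFAULT_VALUE_RE.match(line)
            if value:
                servers[current] = unescape_reg_string(value.group(1))
    return servers


def executable_path(command: str) -> str:
    """Pull the program path out of a LocalServer32 command line.

    Quoted paths end at the closing quote; unquoted ones are cut after the
    first '.exe' so trailing switches (e.g. /Processid:{...}) drop off.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def is_suspicious(path: str) -> bool:
    """True when the server binary is not under a trusted directory."""
    p = path.lower().replace("%systemroot%", "c:\\windows")
    return not p.startswith(TRUSTED_PREFIXES)


def flag_local_servers(reg_text: str) -> List[Tuple[str, str]]:
    """Return (CLSID, binary path) for every LocalServer32 outside trusted dirs."""
    flagged = []
    for clsid, cmd in parse_local_servers(reg_text).items():
        path = executable_path(cmd)
        if is_suspicious(path):
            flagged.append((clsid, path))
    return flagged


# Constructed export in the form 'reg export HKCR\CLSID clsid.reg' produces
# (real exports are UTF-16LE; open them with encoding="utf-16" before parsing).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EF82CDEB-5B9B-4DC0-9E15-0A74975776FE}\LocalServer32]
@="C:\\sample.exe"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\LocalServer32]
@="\"C:\\Program Files\\Example Vendor\\example.exe\" /automation"

[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\LocalServer32]
@="%SystemRoot%\\system32\\dllhost.exe /Processid:{66666666-7777-8888-9999-AAAAAAAAAAAA}"
'''

if __name__ == "__main__":
    for clsid, path in flag_local_servers(SAMPLE_REG):
        print(f"suspicious LocalServer32: {clsid} -> {path}")
```

HKCR\CLSID is the merged view of HKLM\Software\Classes\CLSID and HKCU\Software\Classes\CLSID, so a per-user registration shows up here as well; export both hives if you need to know which one carries the entry. The allow-list is a triage filter, not a verdict: a server under Program Files still deserves a hash check against the MD5 given above.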

Miscellaneous
Internet connection:
To check for an internet connection, the sample contacts the following hosts (these are host names resolved via DNS, not DNS servers; the names are partially masked in the report):
   • www.**********tetor.info
   • www.**********midia.com
   • t1.**********-dm.com
   • e1.**********-dm.com


API functions:
The sample references the following Windows API functions (listed in the original report as "event handlers"):
   • GetKeyState
   • ReadProcessMemory
   • WriteProcessMemory
   • SetWindowsHook
   • InternetOpen
   • CreateFile


Strings:
Furthermore it contains the following strings. Together with the GetKeyState and SetWindowsHook imports above, these are indicators commonly associated with capturing keystrokes or payment-card and PIN entry; the report documents no such behaviour directly, so treat this as an inference from static content:
   • maestro
   • card
   • check
   • pin

File details
Programming language:
The sample was written in Delphi.


Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Wensin Lee on Wednesday, June 20, 2012
Description updated by Wensin Lee on Wednesday, June 20, 2012
