Virus: ADWARE/PCMega.C
Date discovered: 24/04/2012
Type: Adware/Spyware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 398752 Bytes
MD5 checksum: 5883831f64e2801a84661e23c547bee6
VDF version: 7.11.28.144 - Tuesday, April 24, 2012
IVDF version: 7.11.28.144 - Tuesday, April 24, 2012

General method of propagation:
   • No own spreading routine


Aliases:
   •  Eset: Win32/Adware.PCMega.A application
   •  Norman: Aggressive commersial W32/PCMega.AS


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification


Right after execution the following information is displayed:


Files:
It deletes the following files:
   • %temporary internet files%\Content.IE5\C9AVS1AR\manager_stats[1].htm
   • %HOME%\Cookies\vanciefancie@pcmega.go2cloud[1].txt
   • %temporary internet files%\Content.IE5\O5M7O5Q3\aff_i[1].gif
   • %temporary internet files%\Content.IE5\O5M7O5Q3\s10[1].gif
   • %temporary internet files%\Content.IE5\O5M7O5Q3\s10[2].gif
   • %HOME%\Cookies\vanciefancie@pcmega.go2cloud[2].txt
   • %temporary internet files%\Content.IE5\G9YZGDQJ\s10[1].gif


It tries to download a file:

– The location is the following:
   • www.**********or.info/download/alot/pcmega_2.1f.exe
It is saved on the local hard drive under: %temp%\pcmega_2.1f.exe. Furthermore, this file is executed once it has been fully downloaded.

Miscellaneous:
Internet connection:
In order to check for its internet connection, the following DNS servers are contacted:
   • www.**********rapido.com
   • t1.**********-dm.com
   • e1.**********-dm.com
   • **********.go2cloud.org
   • www.**********tor.info
   • www.**********counter.com
   • www.mobi**********.com


Event handler:
It creates the following event handlers:
   • GetKeyState
   • GetAsyncKeyState
   • CopyFile
   • GetWindowsDirectory
   • IsProcessorFeaturePresent
   • CreateProcess
   • CreateFil
   • RasHangUp
   • RasDial


String:
Furthermore, it contains the following strings (this set corresponds to FTP protocol commands):
   • USER
   • PASS
   • TYPE
   • SYST
   • REST
   • PASV
   • PORT
   • RETR

File details:
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Wensin Lee on Monday, June 25, 2012
Description updated by Wensin Lee on Monday, June 25, 2012
