Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:23/10/2012
In the wild:No
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Eset: a variant of MSIL/Adware.PCMega.A application

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Right after execution the following information is displayed:

 Files The following files are created:

– Non malicious files:
   • %temporary internet files%\Content.IE5\QH9ZEEV0\stats[1].htm
   • %temporary internet files%\Content.IE5\LV2JIAKP\carregando3[1].gif
   • %temporary internet files%\Content.IE5\A9SFWXZG\stats_confirma[1].htm
   • %temporary internet files%\Content.IE5\QH9ZEEV0\i[1].gif
   • %temp%\Setupb.exe
   • %temporary internet files%\Content.IE5\LV2JIAKP\confirma[1].htm
   • %temporary internet files%\Content.IE5\5KMEPSXE\confirma_stats[1].htm
   • %temporary internet files%\Content.IE5\A9SFWXZG\confirma_stats[1].htm
   • %cookies%\biluta@pcmega.go2cloud[2].txt

 Registry The following registry keys are added:

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control]
   • "ActiveService"="TapiSrv"

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control]
   • "ActiveService"="RasMan"

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • http://www.mobim**********.com
   • http://www.mi**********

 File details Programming language:
The malware program was written in MS Visual C#.

Description inserted by Wensin Lee on Thursday, October 25, 2012
Description updated by Wensin Lee on Thursday, October 25, 2012

Back . . . .