Virus name: Worm/Foreign.nbt.3
Date discovered: 21/09/2012
Type: Worm
In the wild (ITW): No
Reported infections: High
Distribution potential: Medium
Damage potential: Medium
Static file: No
File size: ~111,648 bytes
VDF version: 7.11.44.74 - Wednesday, September 26, 2012
IVDF version: 7.11.44.74 - Wednesday, September 26, 2012

General
Method of propagation:
   • Local network


Aliases:
   •  Symantec: Trojan.ADH.2
   •  Kaspersky: Trojware Trojan-Ransom.Win32.Foreign.qpp
   •  AVG: Worm/Pakes.AXR
   •  Eset: Win32/AutoRun.Spy.Banker.M worm

Previously detected as:
   •  TR/Foreign.nbt.3


Platforms / Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Can be used to execute malicious code
   • Malicious users or malware can use it to lower security settings
   • Can be used to modify system settings that enable or amplify potential malware behaviour.
   • Disables security applications
   • Downloads files
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %HOME%\3607F5C6165747279667\winlogon.exe
   • %HOME%\Start Menu\Fax y Escáner de Windows.exe
   • %HOME%\Start Menu\Programs\Internet Explorer.exe
   • %HOME%\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe
   • %ALLUSERSPROFILE%\Start Menu\Windows DVD Maker.exe
   • %ALLUSERSPROFILE%\Programs\Windows Media Center.exe
   • %ALLUSERSPROFILE%\Programs\Startup\Windows Update.exe



It creates the following directories:
   • %TEMPDIR%\%hexadecimal number%\FOTOS
   • %TEMPDIR%\%hexadecimal number%\JUEGOS
   • %TEMPDIR%\%hexadecimal number%\LIBROS
   • %TEMPDIR%\%hexadecimal number%\MUSICA
   • %TEMPDIR%\%hexadecimal number%\PELICULAS



It deletes the following file:
   • %temporary internet files%\Content.IE5\%all directories%\*.*

Registry
The following registry keys are added:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • @="RUNASADMIN"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • @="RUNASADMIN"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
   Associations]
   • "LowRiskFileTypes"=".exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   • "HideSCAHealth"=dword:00000001
   • "NoFolderOptions"=dword:00000000

– [HKLM\SOFTWARE\Microsoft\Security Center\Svc]
   • "AntiVirusDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000000
   • "FirewallDisableNotify"=dword:00000001
   • "FirewallOverride"=dword:00000000
   • "FirstRunDisabled"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "UacDisableNotify"=dword:00000001
   • "AntiSpywareOverride"=dword:00000000

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
   • "NoAutoRebootWithLoggedOnUsers"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   • "EnableFirewall"=dword:00000000

– [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
   • "EnableFirewall"=dword:00000000

– [HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%HOME%\%hexadecimal number%\winlogon.exe"="%HOME%\%hexadecimal number%\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:00000001
   • "DisableTaskMgr"=dword:00000001

– [HKCU\Software\Policies\Microsoft\Windows\System]
   • "DisableCMD"=dword:00000001

– [HKCU\Software\Microsoft\Windows Script Host\Settings]
   • "Enabled"="0"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .htm\UserChoice]
   • "Progid"="IE.AssocFile.HTM"

– [HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\
   http\UserChoice]
   • "Progid"="IE.HTTP"

– [HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\
   https\UserChoice]
   • "Progid"="IE.HTTPS"

– [HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\
   ftp\UserChoice]
   • "Progid"="IE.FTP"

– [HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
   • "HomePage"=dword:00000001



The following registry keys are changed:

Disables the Windows Firewall:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   Old value:
   • "FirewallDisableNotify"=dword:00000000
   New value:
   • "FirewallDisableNotify"=dword:00000001

– [HKCR\ftp\shell\open\ddeexec\Application]
   New value:
   • @="IExplore"

– [HKCR\ftp\shell\open\command]
   New value:
   • @="%PROGRAM FILES%\Internet Explorer\iexplore.exe"

– [HKCR\https\shell\open\ddeexec\Application]
   New value:
   • @="IExplore"

– [HKCR\https\shell\open\command]
   New value:
   • @="%PROGRAM FILES%\Internet Explorer\iexplore.exe"

– [HKCR\HTTP\shell\open\ddeexec\Application]
   New value:
   • @="IExplore"

– [HKCR\HTTP\shell\open\command]
   New value:
   • @="%PROGRAM FILES%\Internet Explorer\iexplore.exe"

– [HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
   New value:
   • "Enabled"="0"

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   New value:
   • "%HOME%\%hexadecimal number%\winlogon.exe"="%HOME%\%hexadecimal number%\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"

– [HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   New value:
   • "%HOME%\%hexadecimal number%\winlogon.exe"="%HOME%\%hexadecimal number%\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"

– [HKLM\SOFTWARE\Microsoft\Security Center\Monitoring]
   New value:
   • "DisableMonitoring"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\
   SymantecAntiVirus]
   New value:
   • "DisableMonitoring"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\
   SymantecFirewall]
   New value:
   • "DisableMonitoring"=dword:00000001

– [HKCR\lnkfile]
   New value:
   • "IsShortcut"=-

– [HKCR\piffile]
   New value:
   • "IsShortcut"=-

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"=dword:00000000

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
   Old value:
   • "TracesProcessed"=dword:00000000
   New value:
   • "TracesProcessed"=dword:000000aa

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Default_Search_URL"="http://94n8o8diom6di5p.directorio-w.com"
   • "Default_Page_URL"="http://53tks18hw8spjwl.directorio-w.com"
   • "Check_Associations"="no"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   Old value:
   • "DisableSR"=dword:00000000
   New value:
   • "DisableSR"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Services\sr]
   Old value:
   • "Start"=dword:00000000
   New value:
   • "Start"=dword:00000004

– [HKCU\Control Panel\Sound]
   Old value:
   • "Beep"="yes"
   New value:
   • "Beep"="no"

– [HKLM\SYSTEM\ControlSet001\Services\wscsvc]
   Old value:
   • "Start"=dword:00000002
   New value:
   • "Start"=dword:00000004

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\%substitution 1%]
   New value:
   • "Debugger"="%HOME%\%hexadecimal number%\winlogon.exe"

     %substitution 1%:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   New value:
   • "UacDisableNotify"=dword:00000001
     "AntiSpyWareDisableNotify"=dword:00000001
     "AntiVirusDisableNotify"=dword:00000001
     "InternetSettingsDisableNotify"=dword:00000001
     "AutoUpdateDisableNotify"=dword:00000001
     "cval"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   New value:
   • "ConsentPromptBehaviorAdmin"=dword:00000000
     "ConsentPromptBehaviorUser"=dword:00000000
     "EnableLUA"=dword:00000000
     "PromptOnSecureDesktop"=dword:00000001

– [HKCU\Software\Microsoft\Internet Explorer\Download]
   New value:
   • "CheckExeSignatures"="no"
     "RunInvalidSignatures"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "HideSCAHealth"=dword:00000001
     "NoRun"=dword:00000001
     "NoFile"=dword:00000001
     "NoFolderOptions"=dword:00000000

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile]
   New value:
   • "DisableNotifications"=dword:00000001
     "DoNotAllowExceptions"=dword:00000000
     "EnableFirewall"=dword:00000000

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   New value:
   • "DisableNotifications"=dword:00000001
     "DoNotAllowExceptions"=dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "SuperHidden"=dword:00000000
     "HideFileExt"=dword:00000001
   New value:
   • "SuperHidden"=dword:00000001
     "HideFileExt"=dword:00000003

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
   New value:
   • "TracesSuccessful"=dword:0000001d
     "LastTraceFailure"=dword:00000004

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   Old value:
   • "Start Page"="http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
     "Local Page"="%SystemRoot%\\system32\\blank.htm"
     "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
     "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
     "Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
   New value:
   • "Start Page"="http://un5967gg64ty1vo.directorio-w.com"
     "Local Page"="http://4j0snd178466456.directorio-w.com"
     "Search Page"="http://b95id8rf8ae1csf.directorio-w.com"
     "Default_Search_URL"="http://791zu81g7301ecq.directorio-w.com"
     "Default_Page_URL"="http://scibjbr9auqx0o3.directorio-w.com"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
     "Local Page"="c:\windows\\system32\\blank.htm"
     "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   New value:
   • "Start Page"="http://unapz47jl26c955.directorio-w.com"
     "Local Page"="http://4p53hw6sn67ml8o.directorio-w.com"
     "Search Page"="http://0548l7olele1q67.directorio-w.com"

Network infection
To ensure its propagation, the malware attempts to connect to other machines as described below:

It drops copies of itself to the following network shares:
   • %TEMPDIR%\%hexadecimal number%\FOTOS
   • %TEMPDIR%\%hexadecimal number%\JUEGOS
   • %TEMPDIR%\%hexadecimal number%\LIBROS
   • %TEMPDIR%\%hexadecimal number%\MUSICA
   • %TEMPDIR%\%hexadecimal number%\PELICULAS

Hosts
The hosts file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is redirected to other destinations:
      download660.avast.com; download661.avast.com; download662.avast.com;
      download663.avast.com; download664.avast.com; download665.avast.com;
      download666.avast.com; download667.avast.com; download668.avast.com;
      download669.avast.com; download670.avast.com; download671.avast.com;
      download672.avast.com; download673.avast.com; download674.avast.com;
      download675.avast.com; download676.avast.com; download677.avast.com;
      download678.avast.com; download679.avast.com; download680.avast.com;
      download681.avast.com; download682.avast.com; download683.avast.com;
      download684.avast.com; download685.avast.com; download686.avast.com;
      download687.avast.com; download688.avast.com; download689.avast.com;
      download690.avast.com; download691.avast.com; download692.avast.com;
      download693.avast.com; download694.avast.com; download695.avast.com;
      download696.avast.com; download697.avast.com; download698.avast.com;
      download699.avast.com; download7.avast.com; download7.quickheal.com;
      download700.avast.com; download701.avast.com; download702.avast.com;
      download703.avast.com; download704.avast.com; download705.avast.com;
      download706.avast.com; download707.avast.com; download708.avast.com;
      download709.avast.com; download72.avast.com; download73.avast.com;
      download74.avast.com; download75.avast.com; download76.avast.com;
      download77.avast.com; download78.avast.com; download79.avast.com;
      download8.quickheal.com; download80.avast.com; download81.avast.com;
      download82.avast.com; download83.avast.com; download84.avast.com;
      download85.avast.com; download9.quickheal.com; download900.avast.com;
      download901.avast.com; download902.avast.com; download903.avast.com;
      download904.avast.com; download905.avast.com; download906.avast.com;
      download907.avast.com; download908.avast.com; download909.avast.com;
      download91.avast.com; download910.avast.com; download911.avast.com;
      download912.avast.com; download913.avast.com; download914.avast.com;
      download915.avast.com; download916.avast.com; download917.avast.com;
      download918.avast.com; download919.avast.com; download92.avast.com;
      download920.avast.com; download921.avast.com; download922.avast.com;
      download923.avast.com; download924.avast.com; download925.avast.com;
      download926.avast.com; download927.avast.com; download928.avast.com;
      download929.avast.com; download93.avast.com; download930.avast.com;
      download931.avast.com; download932.avast.com; download933.avast.com;
      download934.avast.com; download935.avast.com; download936.avast.com;
      download937.avast.com; download938.avast.com; download939.avast.com;
      download94.avast.com; download940.avast.com; download941.avast.com;
      download942.avast.com; download943.avast.com; download944.avast.com;
      download945.avast.com; download946.avast.com; download947.avast.com;
      download948.avast.com; download949.avast.com; download95.avast.com;
      download950.avast.com; download951.avast.com; download952.avast.com;
      download953.avast.com; download954.avast.com; download955.avast.com;
      download956.avast.com; download957.avast.com; download958.avast.com;
      download959.avast.com; download96.avast.com; download960.avast.com;
      download961.avast.com; download962.avast.com; download963.avast.com;
      download964.avast.com; download965.avast.com; download966.avast.com;
      download967.avast.com; download968.avast.com; download969.avast.com;
      download97.avast.com; download970.avast.com; download971.avast.com;
      download972.avast.com; download973.avast.com; download974.avast.com;
      download975.avast.com; download976.avast.com; download977.avast.com;
      download978.avast.com; download979.avast.com; download98.avast.com;
      download980.avast.com; download99.avast.com;
      downloads-eu1.kaspersky-labs.com; downloads-eu2.kaspersky-labs.com;
      downloads-eu3.kaspersky-labs.com; downloads-eu4.kaspersky-labs.com;
      downloads-us1.kaspersky-labs.com; downloads-us2.kaspersky-labs.com;
      downloads-us3.kaspersky-labs.com; downloads-us4.kaspersky-labs.com;
      downloads.andymanchesta.com; downloads.malwarebytes.org;
      downloads.microsoft.com; downloads.my-etrust.com;
      downloads1.kaspersky-labs.com; downloads2.kaspersky-labs.com;
      downloads3.kaspersky-labs.com; downloads4.kaspersky-labs.com;
      downloads5.kaspersky-labs.com; dr-web-cureit.softonic.com;
      drsolomon.com; drweb-inside.com; drweb.com; drweb.com.es; drweb.net;
      drwebinside.com; dswlab.com; duba.net; ealaddin.net;
      ealaddin.orgeshop.aladdin.com; easy-vpn.comodo.com; edm.symantec.com;
      education.symantec.com; eeload.com; eeye.com; eicar.org;
      elblogdemanu.com; elitepvpers.de; emea.trendmicro.com; emsisoft.com;
      emsisoft.de; encarta.msn.com; engine.awaps.net;
      enterprisesecur.symantec.com; eos.eset.es; eradicatespyware.net;
      es.answers.yahoo.com; es.kioskea.net; es.mcafee.com;
      es.trendmicro.com; es.wasalive.com; esafe.com;
      esecurity.livecall.co.kr; eset-la.com; eset.com; eset.es; eset.sk;
      esp.sophos.com; espanol.answers.yahoo.com;
      espanol.dir.groups.yahoo.com; espanol.groups.yahoo.com;
      esupport.trendmicro.com; et.symantec.com; etrr.co.uk;
      eugrantsadvisor.cz; eugrantsadvisor.de; eval.symantec.com; ewido.net;
      exchangeyourcareer.net; experts-exchange.com; f-prot.com;
      f-secure.com; f-secure.frf-secure.hk; f-secure.nlfsecure.com;
      fastclick.net; feedage.com; feeds.sophos.com; feeds.trendmicro.com;
      file.ikaka.cn; file.ikaka.com; file.net; files.avast.com;
      files.filefont.com; files.trendmicro-europe.com; filseclab.com;
      final4ever.com; finjan.com; firewall.sunbeltsoftware.com;
      firewallguide.com; fixmyim.com; foro.ethek.com; foros.toxico-pc.com;
      foros.zonavirus.com; forospanish.com; forospyware.com; forospyware.es;
      fortiguardcenter.com; fortihero.com; fortilog.com; fortinet.co.at;
      fortinet.com; fortiprotect.com; fortiwifi.com;
      forum.clubedohardware.com.br; forum.emsisoft.com; forum.hardware.fr;
      forum.hijackthis.de; forum.ikaka.com; forum.jiangmin.com;
      forum.kaspersky.com; forum.malekal.com; forum.piriform.com;
      forum.securitycadets.com; forum.sysinternals.com;
      forum.telecharger.01net.com; forum.tweaks.com; forum.zazana.com;
      forums.cnet.com; forums.comodo.com; forums.devshed.com;
      forums.maddoktor2.com; forums.majorgeeks.com; forums.techguy.org;
      forums.whatthetech.com; fr.bitdefender.com; fr.drweb.com;
      fr.mcafee.com; fr.trendmicro.com; fr1.drweb.com; fr2.drweb.com;
      fr3.drweb.com; fr4.drweb.com; fr5.drweb.com; fr6.drweb.com;
      fr7.drweb.com; fractus.mat.uson.mx; free-av.com; free-av.net;
      free.antivirus.com; free.avg.com; free.drweb.com; free.grisoft.com;
      free.grisoft.cz; free.pandasecurity.com; free.prevx.com;
      free.tinypicbox.com; freeav.com; freeav.net; freespywareremoval.info;
      frisk-software.com; fsc.norman.com; fsecure.nlwebyard.com;
      ftp.avp.com; ftp.bitdefender.com; ftp.ca.co; ftp.ca.com;
      ftp.customer.symantec.com; ftp.dispatch.mcafee.com;
      ftp.download.mcafee.com; ftp.downloads-eu1.kaspersky-labs.com;
      ftp.downloads-eu2.kaspersky-labs.com;
      ftp.downloads-eu3.kaspersky-labs.com;
      ftp.downloads-eu4.kaspersky-labs.com;
      ftp.downloads-us1.kaspersky-labs.com;
      ftp.downloads-us2.kaspersky-labs.com;
      ftp.downloads-us3.kaspersky-labs.com;
      ftp.downloads-us4.kaspersky-labs.com;
      ftp.downloads1.kaspersky-labs.com; ftp.downloads2.kaspersky-labs.com;
      ftp.downloads3.kaspersky-labs.com; ftp.downloads4.kaspersky-labs.com;
      ftp.drweb.com; ftp.esafe.com; ftp.europe.f-secure.com; ftp.f-prot.com;
      ftp.f-secure.com; ftp.grisoft.com; ftp.kaspersky-labs.com;
      ftp.kaspersky.com; ftp.kasperskylab.ru; ftp.liveupdate.symantec.com;
      ftp.liveupdate.symantecliveupdate.com; ftp.mast.mcafee.com;
      ftp.mcafee.com; ftp.microworldsystems.com; ftp.my-etrust.com;
      ftp.nai.com; ftp.networkassociates.com; ftp.norton.com;
      ftp.rads.mcafee.com; ftp.sandbox.norman.com; ftp.secure.nai.com;
      ftp.securityresponse.symantec.com; ftp.sophos.com; ftp.symantec.com;
      ftp.symantecliveupdate.com; ftp.symatec.com; ftp.trendmicro.com;
      ftp.uk.trendmicro-europe.com; ftp.update.symantec.com;
      ftp.updates.symantec.com; ftp.updates1.kaspersky-labs.com;
      ftp.updates2.kaspersky-labs.com; ftp.updates3.kaspersky-labs.com;
      ftp.updates4.kaspersky-labs.com; ftp.us.mcafee.com; ftp.viruslist.com;
      funkytoad.com; futurenow.bitdefender.com; fw.rising.com.cn; fx.dk;
      gangbang.mytijn.org; gdata.de; gdata.es; gecadsoftware.com;
      geekstogo.com; global.ahnlab.com; global.jiangmin.com;
      global.nprotect.com; go.mcafee.com; go.microsoft.com;
      go.rising.com.cn; go.sunbeltsoftware.com; go.symantec.com;
      go.trendmicro.com; greatis.com; grisoft.com; grisoft.cz;
      grv.microsoft.com; guiadohardware.net; guru.avg.com; guru1.grisoft.cz;
      guru2.grisoft.cz; guru3.grisoft.cz; guru4.grisoft.cz;
      guru5.grisoft.cz; gwava.nl; hacksoft.com.pe; hacksoft.pe; halmapr.com;
      hauri.co.kr; hauri.net; haurijapan.com; help.rising.com.cn;
      hi.baidu.com; hijackthis.de; hijackthis.download3000.com;
      hishomeforchildren.com; hjt-data.trend-braintree.com;
      hjt.networktechs.com; home.mcafee.com; hostedmailsecur.symantec.com;
      hotshare.net; housecall.com; housecall.trendmicro.com;
      housecall60.trendmicro.com; housecall65.trendmicro.com;
      howsafeismypc.com; huaifai.go.th; i-vault.comodo.com; iavs.cz;
      ibusca.me; idauthority.com; ids.kaspersky-labs.com; ieupdate.gdata.de;
      ieupdate1.gdata.de; ieupdate2.gdata.de; ieupdate3.gdata.de;
      ieupdate4.gdata.de; ieupdate5.gdata.de; ieupdate6.gdata.de; ikaka.cn;
      ikaka.com; ikarus.at; ikarus.net; ilove.tigolbittys.info;
      images.kaspersky.com; in.answers.yahoo.com; incodesolutions.com;
      info.drweb.com; info.prevx.com; infos-du-net.com; infosecpodcast.com;
      infospyware.com; inicioid.com; iniciorapido.info; inline-software.de;
      internetsecurity.comodo.com; intranet.cidiroax.ipn.mx;
      investor.symantec.com; irc.bigshitsandwich.org; irc.metraiciono.com;
      iseclab.org; isotopecomics.com; iss.net; it.answers.yahoo.com;
      it.bitdefender.com; it.mcafee.com; it.trendmicro.com;
      itw.trendmicro.com; ixomodels.com; ixostore.ixomodels.com;
      javacoolsoftware.com; jetico.com; jiangmin.com; jiangmin.com.cn;
      jobs.bitdefender.com; jotti.org; jp.mcafee.com; jp.trendmicro.com;
      justfacebook.net; k-otik.com; k7computing.com; kaba.360.cn;
      kaba.360.com; karuna-shechen.org; kaspersky-fr.com;
      kaspersky-labs.com; kaspersky.co.jp; kaspersky.co.uk; kaspersky.com;
      kaspersky.com.cn; kaspersky.dk; kaspersky.es; kaspersky.gr;
      kaspersky.pl; kaspersky.ru; kaspersky.se; kasperskylab.co.kr;
      kasperskylab.nl; kav.ru; kav.zonelabs.com; kb.bitdefender.com;
      kb.bitdefender.de; kb.bitdefender.us; kerio.com; kimzimmer.net;
      kioskea.net; kpfans.com; kr.ahnlab.com; kr.sophos.com; krupunmai.com;
      kvup.jiangmin.com; kztechs.com; l33t.shadow-mods.net;
      la.trendmicro.com; ladooscuro.es; laneros.com; latam.kaspersky.com;
      latin.bitdefender.com; lavasoft.com; lavasoft.nu; lavasoftusa.com;
      lexikon.ikarus.at; license.drweb.com; linhadefensiva.org;
      linhadefensiva.uol.com.br; linux.bitdefender.com; lists.clamav.net;
      liutilities.com; live.sunbeltsoftware.com; liveprotect.net;
      liveupdate.symantec.com; liveupdate.symantec.d4p.net;
      liveupdate.symantecliveupdate.com; looknstop.com;
      lovings.technigoyous.net; lurker.clamav.net; mailcenter.rising.com;
      mailcenter.rising.com.cn; majorgeeks.com; mall.hauri.co.kr;
      malwarebytes.org; malwarecity.com; malwarecity.netmalwarecity.org;
      malwaredomainlist.com; malwarepedia.com; malwareremoval.com;
      malwarescan.emsisoft.com; malwarescan.emsisoft.de;
      malwarescan.emsisoft.es; mamutu.com; manuelruvalcaba.com;
      marian.symantec.com; mast.mcafee.com; mcafee-at-home.com; mcafee.com;
      mcafeeb2b.com; mcafeefans.com; mcafeeretail.com; mcaffee.com;
      me.kaspersky.com; media.fastclick.net; megasecurity.org; merijn.org;
      metascan-online.com; microsoft.com; microsoft.fr; midescargas.com;
      mirror02.gdata.de; misec.net; mmsk.cn; moneybookers.com; moosoft.com;
      mop.pandasecurity.com; mostz.com; mozilla-hispano.org;
      msdn.microsoft.com; msk.drweb.com; msk1.drweb.com; msk2.drweb.com;
      msk3.drweb.com; msk4.drweb.com; msk5.drweb.com; msk6.drweb.com;
      msk7.drweb.com; msncleaner.softonic.com; msnfix.changelog.fr;
      msnvirusremoval.com; msr.mcafee.com; mvps.org; mx.answers.yahoo.com;
      mx.mcafee.com; mxttchina.com; my-etrust.com; my.drweb.com;
      mygeekside.com; nabble.com; nai.com; natsko.com; naturesimages.net;
      net-security.org; network.drweb.com; networkassociates.com;
      networkassociates.nai.com; networkworld.com;
      neunet.orgnews.bitdefender.com; new-beta.drweb.com;
      new-company.drweb.com; new-estore.drweb.com; new-forum.drweb.com;
      new-partners.drweb.com; new-solutions.drweb.com;
      new-support.drweb.com; new-www.drweb.com; new.taringa.net;
      news.drweb.com; newsletters.trendmicro.com; niueight.norman.no;
      niufive.norman.no; niufour.norman.no; niunine.norman.no;
      niuone.norman.no; niuseven.norman.no; niusix.norman.no;
      niuthree.norman.no; niutwo.norman.no; nl.bitdefender.com;
      noadware.net; nod32.co.uk; nod32.com; nod32.datsec.de; nod32.lu;
      nod32.ru; norman.com; norton.com; notifier.antivir-pe.de;
      novirusthanks.org; nprobeta.norman.com; nprotect.com; nprotect.net;
      nprotect.seoul.go.kr; nsclean.com; ntfaq.co.kr; obscgi.mcafee.com;
      oem.sunbeltsoftware.com; offensivecomputing.net; office.microsoft.com;
      oldtimer.geekstogo.com; one.tinypicbox.com; onecare.live.com;
      online-backup.comodo.com; online.jiangmin.com; online.rising.com.cn;
      onlinecheck.emsisoft.com; onlinecheck.emsisoft.de;
      onlinecheck.emsisoft.net; onlinecheck.emsisoft.org;
      onlinescan.avast.com; openantivirus.org; outpost.pl; ozzu.com;
      p3dev.taringa.net; pandalabs.pandasecurity.com; pandasecurity.com;
      pandasoftware.com; pandasoftware.es; pantip.com; pcav.cn;
      pccreg.antivirus.com; pccreg.trendmicro.com; pcentraide.com;
      pcguide.com; pchell.com; pcinternetpatrol.com; pcsupportadvisor.com;
      pctools.com; pda.drweb.com; pedidos.protegerse.com; personal.psu.edu;
      personalfirewall.comodo.com; pestpatrol.com; pg.hauri.net;
      phx.corporate-ir.net; pineleafboys.com; podcasts.sophos.com;
      pogonyuto.forospanish.com; precisesecurity.com; prevx.com;
      privacy.microsoft.com; products.drweb.com; promotions.drweb.com;
      psnw.com; pspl.com; pvtc.org; qqjkw.net; quickheal.co.in;
      quickheal.com; radius.turvamies.com; rads.mcafee.com;
      ravantivirus.com; raymond.cc; reg-int.nod32-es.com; reg.eset.es;
      reg.rising.com.cn; register.norman.com; removetrojanvirus.org;
      renewalcenter.symantec.com; renewals.bitdefender.com;
      research.microsoft.com; research.pandasecurity.com;
      research.sunbelt-software.com; resplendence.com;
      retail.sp.f-secure.com; retail01.sp.f-secure.com;
      retail02.sp.f-secure.com; ribbonwarehouse.com; rising-global.com;
      rising.com; rising.com.cn; rolandovera.com; rootkit.com; rootkit.nl;
      rover800.gaima.co.uk; roysephotos.com; ru.trendmicro.com;
      ruben.bzin.net; runscanner.net; safe.qq.com; safecomputing.umn.edu;
      safer-networking.org; safetynet.com; sales.bitdefender.com;
      samroeng.hi5.com; sandbox.norman.com; sandboxie.com; sapcupgrades.com;
      sarahmcconnellphotography.net; saverssite.com; scan.anti-trojan.net;
      scan.kingsoft.com; scan4you.net; scanner.novirusthanks.org;
      scanner.virus.org; scanner2.novirusthanks.or; schemas.microsoft.com;
      schemas.xmlsoap.org; sea.symantec.com; search.ca.com;
      search.mcafee.com; search.symantec.com; seasonsecurity.com;
      secdreg.org; secubox.aldria.com; secunia.com; secure-email.comodo.com;
      secure.av-desk.com; secure.nai.com; securecomputing.com; secureme.com;
      securitoo.com; security.symantec.com; securitycheck.symantec.com;
      securitynewsportal.com; securityrespons.symantec.com;
      securityresponse.symantec.com; securitywonks.net; secuser.com;
      secuser.model-fx.com; sergiwa.com; service.mcafee.com;
      service1.symantec.com; servicenews.symantec.com;
      sfdoccentral.symantec.com; shadow.grisoft.cz; shadu.baidu.com;
      shadu.duba.net; shield.prevx.com; shop.hauri.co.kr;
      shop.pandasecurity.com; shop.sunbeltsoftware.com; shop.symantec.com;
      shop.trendmicro.com; shudoo.com; simplysup.com; siren24.nprotect.com;
      siteadvisor.com; sitedirector.symantec.com; smallbiz.symantec.com;
      smbstore.trendmicro.com; smokey-services.eu; soccersuck.com;
      softfaq.com; softonic.com; software-files.download.com;
      solutions.drweb.com; sophos.com; sophos.fr; sophos1.ucd.ie;
      sophos10.ucd.ie; sophos2.ucd.ie; sophos5.ucd.ie; sophos6.ucd.ie;
      sophos7.ucd.ie; sophos8.ucd.ie; sophos9.ucd.ie;
      soporte.pandasecurity.com; sos.rising.com.cn; sosvirus.changelog.fr;
      spd.atdmt.com; specs.xmlsoap.org; speedtest.comodo.com;
      spftrl.digitalriver.com; spyany.com; spyblocker-software.com;
      spybot.info; spycheck.co.uk; spycheck.es; spychecker.com; spycop.com;
      spywaredb.com; spywaredlls.prevx.com; spywarefiles.prevx.com;
      spywareguide.com; spywareinfo.com; spywareterminator.com;
      square.bitdefender.com; static.yoreparo.com; stats.norton.com;
      stdio-labs.blogspot.com; stiller.com; store.bitdefender.com;
      store.de.bitdefender.com; store.drweb.com; store.trendmicro.com;
      subs.geekstogo.com; subwiz.trendmicro.com; sucop.com;
      sun.symantec.com; sunbelt-software.com; sunbeltsecurity.com;
      sunbeltsoftware.com; superboy2010.com.au; superdicas.com.br;
      superuser.co.kr; support.drweb.com; support.f-secure.com;
      support.kaspersky.co; support.mcafee.com; support.microsoft.com;
      support.pandasecurity.com; support.rising-global.com; sybari.com;
      sygate.com; symantec-ese.baynote.net; symantec.com;
      symantecliveupdate.com; symatec.com; sysinternals.com;
      system-cleaner.comodo.com; tallemu.com; taringa.net;
      tds.diamondcs.com.au; tech.pantip.com; techimo.com; techspot.com;
      techsupportforum.com; tecniservicioslys.com; tecno-soft.com;
      tempuri.org; thecomputerpitstop.com; thejokerx.blogspot.com;
      thetechguide.com; thinkpad.cn; threatexpert.com;
      threatinfo.trendmicro.com; timeforyourbusi.pandasecurity.com;
      timestamp.comodoca.com; timestamp.wosign.com; tinysoftware.com;
      tms.symantec.com; together.pctools.com; tool.ikaka.com; toonbox.de;
      tr.mcafee.com; trackingtheworld.com; training.drweb.com;
      training.trendmicro.com; trapware.com; trendmicro.com;
      trendmicro.com.cn; trendmicro.fr; trendsecure.com;
      trial.trendmicro.com; trucoswindows.es; trucoswindows.net;
      tw.mcafee.com; tw.sophos.com; tw.trendmicro.com; tweaksforgeeks.com;
      u0.eset.com; u1.eset.com; u10.eset.com; u100.eset.com; u11.eset.com;
      u12.eset.com; u13.eset.com; u14.eset.com; u15.eset.com; u16.eset.com;
      u17.eset.com; u18.eset.com; u19.eset.com; u2.eset.com; u20.eset.com;
      u21.eset.com; u22.eset.com; u23.eset.com; u24.eset.com; u25.eset.com;
      u26.eset.com; u27.eset.com; u28.eset.com; u29.eset.com; u3.eset.com;
      u30.eset.com; u31.eset.com; u32.eset.com; u33.eset.com; u34.eset.com;
      u35.eset.com; u36.eset.com; u36eset.com; u37.eset.com; u37eset.com;
      u38.eset.com; u39.eset.com; u4.eset.com; u40.eset.com; u41.eset.com;
      u42.eset.com; u43.eset.com; u44.eset.com; u45.eset.com; u46.eset.com;
      u47.eset.com; u48.eset.com; u49.eset.com; u5.eset.com; u50.eset.com;
      u51.eset.com; u52.eset.com; u53.eset.com; u54.eset.com; u55.eset.com;
      u56.eset.com; u57.eset.com; u58.eset.com; u59.eset.com; u6.eset.com;
      u60.eset.com; u61.eset.com; u62.eset.com; u63.eset.com; u64.eset.com;
      u65.eset.com; u66.eset.com; u67.eset.com; u68.eset.com; u69.eset.com;
      u7.eset.com; u70.eset.com; u71.eset.com; u72.eset.com; u73.eset.com;
      u74.eset.com; u75.eset.com; u76.eset.com; u77.eset.com; u78.eset.com;
      u79.eset.com; u8.eset.com; u80.eset.com; u81.eset.com; u82.eset.com;
      u83.eset.com; u84.eset.com; u85.eset.com; u86.eset.com; u87.eset.com;
      u88.eset.com; u89.eset.com; u9.eset.com; u90.eset.com; u91.eset.com;
      u92.eset.com; u93.eset.com; u94.eset.com; u95.eset.com; u96.eset.com;
      u97.eset.com; u98.eset.com; u99.eset.com; uk.mcafee.com;
      uk.trendmicro-europe.com; uk.trendmicro.com; ulove.tigolbittys.info;
      up.duba.net; up.rising.com.cn; up1.nod123.cn; upd.zonelabs.com;
      update.360safe.cn; update.360safe.com; update.aladdin.com;
      update.authentium.com; update.avg.com; update.avgfrance.com;
      update.bitdefender.com; update.drweb.com; update.ewido.com;
      update.grisoft.com; update.grisoft.cz; update.hispasec.com;
      update.ikaka.com; update.ikarus-software.at; update.quickheal.com;
      update.rising.com.cn; update.sophos.com; update.symantec.com;
      update.trendmicro.com; update7.jiangmin.com; updatem.360safe.cn;
      updatem.360safe.com; updates.a-2.org; updates.drweb.com;
      updates.f-prot.com; updates.sald.com; updates.symantec.com;
      updates3.kaspersky-labs.com; updates4.kaspersky-labs.com;
      updates5.kaspersky-labs.com; upgrade.bitdefender.com;
      upgrade1.bitdefender.com; upgrade2.bitdefender.com;
      upgrade3.bitdefender.com; upgrade4.bitdefender.com;
      upload.changelog.fr; us.bitdefender.com; us.mcafee.com;
      us.trendmicro.com; usa.kaspersky.com; usbcleaner.cn;
      ushousecall02.trendmicro.com; utilidades-utiles.com; v.dreamwiz.com;
      v4.windowsupdate.microsoft.com; v5.windowsupdate.microsoft.com;
      vet.com.au; vicentevirtual.com; viguard.com; vil.nai.com;
      vil.nail.com; virobot.co.kr; virscan.org; virus.org; virusbuster.hu;
      viruschief.com; virusdoctor.jp; virusfreezone.info;
      virusinfo.prevx.com; viruslist.com; viruslist.ru; virusscan.jotti.org;
      virusscanonline.net; virusspy.com; virustotal.com;
      visualizesoftware.com; visualtracking.symantec.com; vivo-austin.com;
      vms.drweb.com; vncsvr.com; vos.symantec.com; vrv.com.cn;
      vsantivirus.com; webadmin.norman.no; webphand.com; webroot.com;
      wedoantivirus.com; welkam.co.jp; wexperts-exchange.com;
      whatthetech.com; wikio.es; wilderssecurity.com; wilderssecurity.net;
      wildlist.com; windowsupdate.microsoft.com; winpatrol.com; wmcafee.com;
      woottonfootball.com; wtc.trendmicro.com; ww.emsisoft.com;
      www.1stavenuelimousines.co.uk; www.2xlgames.com; www.ahnlab.com;
      www.aks.com; www.aladdin.com; www.anti-trojan-software.net;
      www.anti-trojan.net; www.anti-virus.by; www.antivir.es;
      www.antivirus-tools.com; www.antiy.net; www.apsecure.com;
      www.arpia.be; www.authentium.com; www.authentium.com.au;
      www.av-desk.com; www.avast.com; www.avg.com; www.avhide.com;
      www.avoncourt.com; www.avx.ro; www.barder.com; www.beautybar.com;
      www.bg.virusblokada.com; www.bit-defender.de; www.bitdefende.de;
      www.bitdefender-es.com; www.bitdefender.be; www.bitdefender.cl;
      www.bitdefender.co.uk; www.bitdefender.com; www.bitdefender.com.au;
      www.bitdefender.com.sg; www.bitdefender.com.tw;
      www.bitdefender.com.vn; www.bitdefender.de; www.bitdefender.es;
      www.bitdefender.fr; www.bitdefender.hk; www.bitdefender.us;
      www.bitdefenderme.com; www.briarhurst.com; www.brightoctober.com;
      www.buraka.tv; www.buscafacil.com; www.buscalo.in; www.busco.in;
      www.ca.com; www.cambridge-steiner-school.co.uk; www.ccssforum.org;
      www.celticmerchant.com; www.clamav.net; www.collectedcurios.com;
      www.comodo.com; www.comodo.tv; www.comodoantispam.com;
      www.comodopartners.com; www.computing.net; www.configurarequipos.com;
      www.contentverification.com; www.deborahshelton.net; www.dr-bull.com;
      www.drweb.com; www.ealaddin.com; www.elvis-express.com;
      www.emeraldclassic.co.uk; www.emsisoft.at; www.emsisoft.com;
      www.emsisoft.de; www.emsisoft.es; www.emsisoft.fr; www.emsisoft.it;
      www.emsisoft.jp; www.emsisoft.net; www.emsisoft.nl; www.emsisoft.org;
      www.engyro.com; www.entercept.com; www.esafe.com; www.eset.es;
      www.eugrantsadvisor.com; www.eugrantsadvisor.de;
      www.eugrantsadvisor.ie; www.eugrantsadvisor.se;
      www.exchangeyourcareer.com; www.f-prot.com; www.f-secure.com;
      www.fimasys.com; www.flairweddings.co.uk; www.forospyware.com;
      www.fortifed.com; www.fortiid.com; www.fortimail.com;
      www.fortinet-apac.com; www.fortinet.ch; www.fortinet.co.il;
      www.fortinet.com; www.fortinet.net; www.fortinet.nl; www.fortinet.sg;
      www.fortinetuk.com; www.freeality.com; www.freedrweb.ru;
      www.freerav.com; www.frisk-software.com; www.frisk.is;
      www.fsecure.com; www.garryowen.com; www.gdata.es; www.globalhauri.com;
      www.gokidding.com; www.grisoft.com; www.hackshields.com;
      www.hacksoft.com.pe; www.hacksoft.pe; www.handwritingforkids.com;
      www.hasp.se; www.hauri.co.kr; www.hauri.net; www.hxproduction.com;
      www.ibusca.me; www.ikarus.at; www.imddomains.co.uk;
      www.indielisboa.com; www.inicioid.com; www.iniciorapido.info;
      www.internationalservicecheck.com; www.irangoals.com; www.iseclab.org;
      www.ixomodels.com; www.jiangmin.com; www.jiangmin.com.cn;
      www.jotti.org; www.kaspersky.com; www.kioskea.net;
      www.latin-mass-society.org; www.livepcsupport.com;
      www.malwarecity.com; www.malwarecity.fr; www.mamutu.com;
      www.mamutu.de; www.manchester-offices.co.uk; www.mcafee.at;
      www.mcafee.com; www.metascan-online.com; www.microsoft.com;
      www.midescargas.com; www.mountainlakeslodge.com; www.mtr-design.com;
      www.mygeekside.com; www.netegrity.com; www.norman.com;
      www.nottinghampoetryseries.com; www.novirusthanks.org; www.npin.co.kr;
      www.nprotect.co.kr; www.nprotect.com; www.nprotect.com.br;
      www.nsclean.com; www.owen.org; www.pandasecurity.com; www.pctools.com;
      www.peterhearnwaste.co.uk; www.phoenixtrikeworks.com;
      www.prdouglas.co.uk; www.prevx.com; www.prevx1.com;
      www.professorbeyer.com; www.quickheal.com; www.removetrojanvirus.org;
      www.renningers.com; www.residentphotography.com; www.retento.com;
      www.reviewsofbooks.com; www.rising-global.com; www.risingav.com.au;
      www.safenet-inc.com; www.scan4you.net; www.seasonsecurity.com;
      www.secondchanceboxer.com; www.secure-elements.com;
      www.sheffieldmind.co.uk; www.smf.org; www.softfaq.com; www.sophos.com;
      www.spycheck.co.uk; www.spycheck.es; www.stadiumpage.com;
      www.sunbeltsoftware.com; www.symantec.com; www.sysinternals.com;
      www.tecniservicioslys.com; www.testmypcsecurity.com;
      www.threatexpert.com; www.tomorrowsedge.net; www.trendmicro.com;
      www.trojaner.info; www.trustix.com; www.trustlogo.com; www.vba.com.by;
      www.virscan.org; www.virus.fi; www.virus.org; www.virusbuster.hu;
      www.viruschief.com; www.virusfreezone.info; www.virustotal.com;
      www.wellgousa.com; www.whichssl.com; www.willsee.com; www.xmlsoap.org;
      www.zarya.info; www1.my-etrust.com; www3.ca.com; www3.safenet-inc.com;
      www4.symantec.com; wwws.clamav.net; x-cleaner.com; x.360safe.com;
      yoreparo.com; z-oleg.com; zeustracker.abuse.ch; zeylstra.nl;
      zhidao.baidu.com; zhidao.ikaka.com; ziggamza.net; zonavirus.com;
      zonealarm.com; zonelabs.com; zonelabs.fr; zonelog.co.uk;
      zs.kingsoft.com; ztl.comodo.com




The modified hosts file will look like this:


 Terminated processes
Processes that contain one of the following strings are terminated:
   • -----AV_Processes; Antivirus string [360safe]; Antivirus string
      [antivir]; Antivirus string [atwola]; Antivirus string [awaps.net];
      Antivirus string [bitdef]; Antivirus string [cureit]; Antivirus string
      [kaspersky]; Antivirus string [mcafee]; Antivirus string [spybot];
      Antivirus string [symantec]; Antivirus string [viruslist]; Antivirus
      string [zonealarm]; Antivirus string [trendmicro]; Antivirus string
      [hijackthis]; Antivirus string [f-prot]; Antivirus string [drweb];
      Antivirus string [clam]; Antivirus string [avast]; -----Antianalysis;
      Analysis tool string [sandbox]; Analysis tool string [sysinternals]


Prevents the execution of processes whose file name contains one of the following strings:
   • -----AV_Processes; Antivirus string [360safe]; Antivirus string
      [antivir]; Antivirus string [atwola]; Antivirus string [awaps.net];
      Antivirus string [bitdef]; Antivirus string [cureit]; Antivirus string
      [kaspersky]; Antivirus string [mcafee]; Antivirus string [spybot];
      Antivirus string [symantec]; Antivirus string [viruslist]; Antivirus
      string [zonealarm]; Antivirus string [trendmicro]; Antivirus string
      [hijackthis]; Antivirus string [f-prot]; Antivirus string [drweb];
      Antivirus string [clam]; Antivirus string [avast]; -----Antianalysis;
      Analysis tool string [sandbox]; Analysis tool string [sysinternals]

 Backdoor
Contacts the server:
All of the following:

As a result, it may send information, and remote control could be provided.

 Miscellaneous Network shares:
The following network shares will be created:
   • %TEMPDIR%\%hexadecimal number%\FOTOS
   • %TEMPDIR%\%hexadecimal number%\JUEGOS
   • %TEMPDIR%\%hexadecimal number%\LIBROS
   • %TEMPDIR%\%hexadecimal number%\MUSICA
   • %TEMPDIR%\%hexadecimal number%\PELICULAS


 File details Programming language:
The malware was written in Visual Basic.


Runtime packer:
To complicate detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Daniel Mocanu on Wednesday, 26 September 2012
Description updated by Daniel Mocanu on Wednesday, 26 September 2012
