In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:No

 General APPL/ - Application

This class of detection flags applications that if used unproperly or with malicious intent might damage or compromise security on the local system, remote systems or network infrastructure. These are legitimate applications that can be used to extract protected information, provide remote access to the local machine, modify advanced system settings or perform advanced operating system or networking functions.

This detection doesn't mean that the file is malicious. However, if the file got on the system without the user's knowledge the system's security might be compromised.

Disabling this detection is recommended for advanced users that understand the risks and how to use these applications.
Method of propagation:
   • No own spreading routine

   •  Sophos: Troj/Hupigon-TB
   •  Bitdefender: Gen:Adware.Heur.em0@YjBXfPz
   •  Eset: a variant of Win32/DownloadSponsor.A
   •  DrWeb: Trojan.DownLoader.20246

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Downloads files
   • Drops files

 Files The following files are created:

%TEMPDIR%\OCS\ocs_v6c.exe Furthermore it gets executed after it was fully created.

It tries to download some files:

– The location is the following:
   • http://dow**********ns/pcspeedup.exe
It is saved on the local hard drive under: %TEMPDIR%\OCS\Downloads\0674e23d6502b36621d489f1b4fbd22a\10806ff987a45c60eaa975e4aab3d1a1\pcspeedup.exe Furthermore this file gets executed after it was fully downloaded.

– The location is the following:
   • http://down**********FreeAudioConverter.exe?tb=hjkla29KK
It is saved on the local hard drive under: %TEMPDIR%\OCS\Downloads\0674e23d6502b36621d489f1b4fbd22a\c65d115629ae5d7bcb133463b628fbd1\FreeAudioConverter.exe Furthermore this file gets executed after it was fully downloaded.

 Registry The following registry key is added:

– [HKCU\Software\OCS]
   • "CID"="69b3cfcc-e70b-4ddb-b87e-5088fb54ae45"
   • "PID"="freewarede"
   • "lastPID"="freewarede"
   • "lastSID"="02af884e-e41f-4561-a434-da5f27273695"

 Backdoor Contact server:
One of the following:
   • http://download-**********0446F776E6C6F61642066726F6D206
   • http://www.download-spons**********ifyer=%5BUID%5D
   • http://download**********n-v2.png
   • http://download**********cspeedup.exe
   • http://download2**********eAudioConverter.exe?tb=hjkla29KK
   • http://in.get**********c&href=#Installer
   • http://in.ge**********DF-0973777A88F0&custom
   • http://in.getc**********8F0&custom[serviceStart
   • http://in.getclic**********8F0&custom[serviceRunni
   • http://startup.pcsp**********6A9-B8DF-0973777A88F0
   • http://link.pcsp**********?aff_id=2094

説明の挿入者 Elias Lan の 2013年3月2日土曜日
説明の更新者 Elias Lan の 2013年3月2日土曜日

戻る . . . .