Virus:TR/Dldr.Agent.dadr
Date discovered:27/01/2010
Type:Trojan
Subtype:Downloader
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:143,360 bytes
MD5 checksum:c715907b7cf47fbcec0d703f1eaaf57d
IVDF version:7.10.03.109 - Wednesday, January 27, 2010

 General Methods of propagation:
   • Autorun feature
   • Local network
   • Messenger


Aliases:
   •  Mcafee: W32/Spybot.worm
   •  Sophos: Troj/DwnLdr-IAF
   •  Panda: Bck/IRCBot.CUM
   •  Eset: Win32/AutoRun.IRCBot.DZ
   •  Bitdefender: Trojan.Generic.3005912


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Downloads a malicious file
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following locations:
   • %SYSDIR%\stacsv.exe
   • %drive%\tmpdata.exe

The name stacsv.exe is also used by a legitimate audio-driver service binary (IDT/SigmaTel STacSV), so a file of that name in %SYSDIR% should be identified by its hash (see the MD5 checksum above), not by its name alone.



It deletes the initially executed copy of itself.



It deletes the following file:
   • %SYSDIR%\drivers\etc\hosts



The following file is created:

%drive%\autorun.inf
This is a plain text file and not executable by itself, but its content makes the Windows Autorun feature start the dropped copy on that drive when the drive is opened or mounted:
   • %code that runs malware%




It tries to download files from the following locations:
   • http://all.messenger-update.ru/**********
   • http://rix.messenger-update.ru/**********




It tries to execute the following commands. Apart from ipconfig /flushdns, which clears the DNS resolver cache so that the rewritten hosts file (see below) takes effect immediately, they stop, disable and delete security services, each both directly and wrapped in CMD /C:
   • ipconfig /flushdns
   • sc delete K7RTScan
   • CMD /C sc stop K7TSMngr
   • CMD /C sc config K7TSMngr start= disabled
   • net stop K7TSMngr
   • sc stop K7TSMngr
   • CMD /C sc delete K7TSMngr
   • net1 stop K7TSMngr
   • sc config K7TSMngr start= disabled
   • CMD /C net stop "avast! Antivirus"
   • sc delete K7TSMngr
   • CMD /C net stop K7RTScan
   • CMD /C sc stop "avast! Antivirus"
   • net stop "avast! Antivirus"
   • CMD /C sc config "avast! Antivirus" start= disabled
   • sc stop "avast! Antivirus"
   • CMD /C sc delete "avast! Antivirus"
   • net1 stop "avast! Antivirus"
   • sc config "avast! Antivirus" start= disabled
   • CMD /C net stop SAVService
   • sc delete acssrv
   • CMD /C sc stop SAVService
   • CMD /C sc stop K7RTScan
   • net stop SAVService
   • CMD /C sc config SavService start= disabled
   • sc stop SAVService
   • CMD /C sc delete SAVService
   • net1 stop SAVService
   • sc config SavService start= disabled
   • CMD /C net stop SAVAdminService
   • sc delete SAVService
   • CMD /C sc stop SAVAdminService
   • net stop SAVAdminService
   • CMD /C sc config K7RTScan start= disabled
   • CMD /C sc config SAVAdminService start= disabled
   • CMD /C sc delete SAVAdminService
   • sc stop SAVAdminService
   • net1 stop SAVAdminService
   • sc config SAVAdminService start= disabled
   • CMD /C net stop "Sophos AutoUpdate Service"
   • sc delete SAVAdminService
   • CMD /C sc stop "Sophos AutoUpdate Service"
   • net stop "Sophos AutoUpdate Service"
   • CMD /C sc config "Sophos AutoUpdate Service" start= disabled
   • net stop K7RTScan
   • CMD /C sc delete "Sophos AutoUpdate Service"
   • sc stop "Sophos AutoUpdate Service"
   • net1 stop "Sophos AutoUpdate Service"
   • sc config "Sophos AutoUpdate Service" start= disabled
   • CMD /C net stop "Sophos Client Firewall"
   • sc delete "Sophos AutoUpdate Service"
   • CMD /C sc stop "Sophos Client Firewall"
   • net stop "Sophos Client Firewall"
   • CMD /C sc config "Sophos Client Firewall" start= disabled
   • sc stop "Sophos Client Firewall"
   • sc stop K7RTScan
   • CMD /C sc delete "Sophos Client Firewall"
   • sc config "Sophos Client Firewall" start= disabled
   • net1 stop "Sophos Client Firewall"
   • CMD /C net stop "Sophos Client Firewall Manager"
   • sc delete "Sophos Client Firewall"
   • CMD /C sc stop "Sophos Client Firewall Manager"
   • net stop "Sophos Client Firewall Manager"
   • CMD /C sc config "Sophos Client Firewall Manager" start= disabled
   • sc stop "Sophos Client Firewall Manager"
   • CMD /C sc delete "Sophos Client Firewall Manager"
   • CMD /C sc delete K7RTScan
   • net1 stop "Sophos Client Firewall Manager"
   • sc config "Sophos Client Firewall Manager" start= disabled
   • sc delete "Sophos Client Firewall Manager"
   • sc config K7RTScan start= disabled
   • net1 stop K7RTScan
   • CMD /C net stop K7TSMngr

The targeted services belong to K7 Computing (K7RTScan, K7TSMngr), avast! and Sophos (SAVService and SAVAdminService are the Sophos Anti-Virus services). Each service is stopped, set to start= disabled and then deleted, so a reboot does not restore it.
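The command list above is a good detection source: process-creation logs (Windows event 4688 or Sysmon event 1) record exactly these command lines. The following is an added example, not code from the Avira description, that classifies such command lines and flags the ones that stop, disable or delete one of the services the sample targets, whether run directly or via CMD /C. The log lines in SAMPLE_LOG are constructed for the example; the service names are the ones listed above.

```python
"""Flag process-creation command lines that tamper with the security services above.

Added example, not part of the Avira description. The log lines below are
constructed; the service names are taken from the command list above.
"""
import re

# Service names from the command list above (compared case-insensitively).
TARGET_SERVICES = {
    "k7rtscan", "k7tsmngr", "avast! antivirus", "acssrv",
    "savservice", "savadminservice", "sophos autoupdate service",
    "sophos client firewall", "sophos client firewall manager",
}

# A service name is either a double-quoted string or a single token.
_NAME = r'(?:"(?P<q>[^"]+)"|(?P<u>[^\s"]+))'
PATTERNS = [
    ("stop", re.compile(r'\b(?:net1?|sc)\s+stop\s+' + _NAME, re.I)),
    # "sc config X start= disabled": sc requires the space after "=", \s* tolerates both
    ("disable", re.compile(r'\bsc\s+config\s+' + _NAME + r'\s+start=\s*disabled\b', re.I)),
    ("delete", re.compile(r'\bsc\s+delete\s+' + _NAME, re.I)),
]


def classify(cmdline):
    """Return (action, service) when cmdline tampers with a targeted service, else None.

    A leading "CMD /C" needs no special handling: the patterns are searched,
    not anchored, so the wrapped form matches the same way as the direct one.
    """
    for action, pattern in PATTERNS:
        m = pattern.search(cmdline)
        if m:
            name = (m.group("q") or m.group("u")).lower()
            if name in TARGET_SERVICES:
                return action, name
    return None


def scan(lines):
    """Return [(line_no, action, service)] over an iterable of command lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, *result))
    return hits


SAMPLE_LOG = [  # constructed command lines, one per process-creation event
    'CMD /C sc config "avast! Antivirus" start= disabled',
    "net1 stop SAVService",
    "sc delete acssrv",
    "ipconfig /flushdns",
    "sc stop Spooler",  # not a targeted service: no hit
    'net stop "Sophos Client Firewall Manager"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

In production the service list would be the names of whatever endpoint-protection products are deployed, and "sc delete" or "start= disabled" against any of them from a non-administrative context is worth an alert on its own; the sample's habit of issuing all nine variants for every service also makes a simple "many service-control commands from one parent in a few seconds" rule effective.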

Registry:
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"

The value name and data mimic the legitimate Windows text-services component ctfmon.exe; on its own this entry would only start ctfmon.exe, but it works together with the Image File Execution Options entry listed further below.



It creates the following entries in order to allow %SYSDIR%\stacsv.exe through the Windows XP firewall (the rule is displayed under the name "DHCP Router"):

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\stacsv.exe"="%SYSDIR%\stacsv.exe:*:Enabled:DHCP Router"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\stacsv.exe"="%SYSDIR%\stacsv.exe:*:Enabled:DHCP Router"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="stacsv.exe"

With this Image File Execution Options entry, Windows launches stacsv.exe (passing "ctfmon.exe" as its argument) every time ctfmon.exe is started, including by the Run entry above; the Run value therefore looks harmless while still starting the malware.

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\stacsv.exe"="DisableNXShowUI"

The DisableNXShowUI compatibility layer excludes the process from Data Execution Prevention (DEP) without showing a notification.
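The four registry artefacts above (Run value, IFEO Debugger, firewall exception, DEP opt-out) are easy to triage from an offline registry export, which is how a responder would check a machine without running anything on it. The following is an added example, not code from the Avira description: it parses the text of a .reg export and reports the indicators. SAMPLE_REG is a constructed export (one benign Run value added for contrast); the key paths and value names are the ones listed above.

```python
"""Triage a .reg export for the persistence chain described above.

Added example, not part of the Avira description. The export text below is
constructed; key paths and value names are those listed in the description.
"""
import re

SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# REG_SZ values only: "name"="data" with \\ and \" escapes as written by reg export
VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

RUN = r"hklm\software\microsoft\windows\currentversion\run"
IFEO = r"hklm\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
FW_LIST = "\\services\\sharedaccess\\parameters\\firewallpolicy\\"
LAYERS = r"hklm\software\microsoft\windows nt\currentversion\appcompatflags\layers"


def _unescape(s):
    # .reg files escape backslashes and double quotes inside string values.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Return {key_path (lower case, HKEY_LOCAL_MACHINE abbreviated to hklm): {name: data}}."""
    keys, cur = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            cur = m.group("key").lower().replace("hkey_local_machine", "hklm", 1)
            keys.setdefault(cur, {})
            continue
        m = VALUE.match(line)
        if m and cur is not None:
            keys[cur][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return keys


def triage(text):
    """Return a list of (finding, subject, detail) tuples for the indicators above."""
    keys = parse_reg(text)
    findings = []
    for name, cmd in keys.get(RUN, {}).items():
        if not cmd.strip():
            continue
        image = cmd.strip('"').split()[0]  # crude tokenisation, enough for the bare-name check
        if "\\" not in image:  # bare name: resolved via PATH and subject to an IFEO hijack
            findings.append(("run-bare-image", name, image))
            debugger = keys.get(IFEO + image.lower(), {}).get("Debugger")
            if debugger:
                findings.append(("ifeo-hijack", image, debugger))
    for key, values in keys.items():
        if FW_LIST in key and key.endswith("\\authorizedapplications\\list"):
            for path, rule in values.items():  # every firewall exception is worth a look
                findings.append(("firewall-allow", path, rule))
        elif key == LAYERS:
            for path, layers in values.items():
                if "disablenxshowui" in layers.lower():
                    findings.append(("dep-optout", path, layers))
    return findings


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="stacsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\stacsv.exe"="C:\\WINDOWS\\system32\\stacsv.exe:*:Enabled:DHCP Router"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\system32\\stacsv.exe"="DisableNXShowUI"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(*finding, sep="\t")
```

The IFEO check is the one that matters most: a Run value of "ctfmon.exe" passes a casual review, and only the pairing with a Debugger value under Image File Execution Options\ctfmon.exe reveals that stacsv.exe is what actually runs. When cleaning a machine, remove the Debugger value before (or together with) the Run value, otherwise the legitimate ctfmon.exe keeps launching the malware.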

Messenger:
It spreads via instant messaging by sending a message containing a URL to the contacts of the following clients:

– MSN Messenger
– Yahoo Messenger

The URL refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

Network Infection:
In order to ensure its propagation the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)


IP address generation:
It generates random IP addresses that keep the first octet of its own address, i.e. it stays within its own /8, and then tries to establish a connection with each generated address.
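The scanning pattern just described (random targets confined to the host's own /8) has a recognisable shape in flow data: one source touching many distinct, mostly unused addresses that share its first octet. The following is an added example, not code from the Avira description. generate_targets() reproduces the described address generation so the traffic shape can be studied, and find_scanners() flags sources that contact many such destinations on the ports the sample's exploits are delivered over; that these are the SMB ports 139 and 445 is an assumption of the example, as is the threshold of 20 targets. The flow records are constructed.

```python
"""Spot first-octet-confined random scanning in connection records.

Added example, not part of the Avira description. Ports 139/445 and the
threshold are assumptions; the flow records are constructed.
"""
import random
from collections import defaultdict


def generate_targets(own_ip, count, seed=0):
    """Random IPv4 addresses sharing own_ip's first octet, as the description states.

    seed makes the output reproducible for the example; the sample itself
    presumably has no such property.
    """
    rng = random.Random(seed)
    first = own_ip.split(".")[0]
    return [
        f"{first}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
        for _ in range(count)
    ]


def find_scanners(flows, ports=(139, 445), min_targets=20):
    """Return {src: number of distinct same-first-octet destinations} above the threshold.

    flows is an iterable of (src_ip, dst_ip, dst_port) tuples, e.g. from NetFlow
    or a firewall log. Rejected and SYN-only flows must be included: almost all
    generated addresses are unused, so most attempts never complete a handshake.
    """
    per_src = defaultdict(set)
    for src, dst, port in flows:
        if port in ports and dst.split(".")[0] == src.split(".")[0]:
            per_src[src].add(dst)
    return {src: len(dsts) for src, dsts in per_src.items() if len(dsts) >= min_targets}


def build_sample_flows():
    """Constructed flows: one infected host scanning, one host doing normal work."""
    flows = [("10.1.2.3", dst, 445) for dst in generate_targets("10.1.2.3", 50)]
    flows += [("10.1.2.4", f"10.1.2.{n}", 445) for n in (10, 11, 12)]  # a few file servers
    flows += [("10.1.2.4", f"10.9.{n}.1", 443) for n in range(30)]      # intranet web, not SMB
    return flows


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_flows()).items():
        print(f"{src}: {n} distinct SMB targets in its own /8")
```

A legitimate host talks SMB to a handful of stable servers; a scanner of this kind produces dozens of distinct destinations within minutes, most of them dark. Sorting sources by distinct same-/8 SMB destinations per time window, rather than by connection count, is what separates the two.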

IRC:
To deliver system information and to provide remote control it connects to the following IRC servers (two of the entries specify no port):

Server: srv3.fas**********.info
Port: 6501
Channel: #nase#
Nickname: USA|NS4|0|XP|%number%

Server: srv3.man**********.ru
Port: 41350
Channel: #nase#
Nickname: USA|NS4|0|XP|%number%

Server: srv3.cor**********.info
Port: 7302
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.mes**********.ru
Port: 31960
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.fas**********.info
Port: 31960
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.spi**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.tra**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.tri**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.pde**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.fxp**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Hosts:
The hosts file (%SYSDIR%\drivers\etc\hosts, deleted as noted above and rewritten) is modified as explained:

– Name resolution for the following domains, mostly security vendors, update servers and help forums, is redirected to 171.168.85.149 instead of their real addresses:
   • 171.168.85.149 msnfix.changelog.fr;
      171.168.85.149 www.incodesolutions.com;
      171.168.85.149 virusinfo.prevx.com;
      171.168.85.149 download.bleepingcomputer.com;
      171.168.85.149 www.dazhizhu.cn; 171.168.85.149 foro.noticias3d.com;
      171.168.85.149 www.spybotupdates.com; 171.168.85.149 club.myce.com;
      171.168.85.149 www.k7computing.com;
      171.168.85.149 softwaresecuritysolutions.com;
      171.168.85.149 www.nabble.com; 171.168.85.149 lurker.clamav.net;
      171.168.85.149 lexikon.ikarus.at;
      171.168.85.149 research.sunbelt-software.com;
      171.168.85.149 www.virusdoctor.jp; 171.168.85.149 www.elitepvpers.de;
      171.168.85.149 guru.avg.com; 171.168.85.149 downloads.sophos.com;
      171.168.85.149 share.skype.com; 171.168.85.149 myantispyware.com;
      171.168.85.149 www.computerhilfen.de;
      171.168.85.149 www.superuser.co.kr; 171.168.85.149 ntfaq.co.kr;
      171.168.85.149 v.dreamwiz.com; 171.168.85.149 cit.kookmin.ac.kr;
      171.168.85.149 forums.whatthetech.com;
      171.168.85.149 forum.hijackthis.de; 171.168.85.149 avg.vo.llnwd.net;
      171.168.85.149 ftp.drweb.com; 171.168.85.149 www.zonealarm.com;
      171.168.85.149 smadaver.com; 171.168.85.149 support.emsisoft.com;
      171.168.85.149 www.huaifai.go.th; 171.168.85.149 www.mostz.com;
      171.168.85.149 www.krupunmai.com; 171.168.85.149 www.cddchiangmai.net;
      171.168.85.149 forum.malekal.com; 171.168.85.149 tech.pantip.com;
      171.168.85.149 sapcupgrades.com;
      171.168.85.149 www.elguruinformatico.com;
      171.168.85.149 forums.avg.com; 171.168.85.149 zastita.com;
      171.168.85.149 support.kaspersky.com; 171.168.85.149 www.247fixes.com;
      171.168.85.149 forum.sysinternals.com;
      171.168.85.149 forum.telecharger.01net.com; 171.168.85.149 sophos.com;
      171.168.85.149 foros.softonic.com;
      171.168.85.149 avast-home.uptodown.com;
      171.168.85.149 dr-web-cureit.softonic.com;
      171.168.85.149 heavenward.ru; 171.168.85.149 forum.smadav.net;
      171.168.85.149 www.forum.kaspersky.com;
      171.168.85.149 www.f-secure.com; 171.168.85.149 www.chkrootkit.org;
      171.168.85.149 diamondcs.com.au; 171.168.85.149 www.rootkit.nl;
      171.168.85.149 www.sysinternals.com; 171.168.85.149 z-oleg.com;
      171.168.85.149 espanol.dir.groups.yahoo.com;
      171.168.85.149 ftp01net.telechargement.fr;
      171.168.85.149 modelayu.com; 171.168.85.149 vaksin.com;
      171.168.85.149 bbs.kaspersky.com.cn;
      171.168.85.149 www.castlecrops.com; 171.168.85.149 www.misec.net;
      171.168.85.149 safecomputing.umn.edu;
      171.168.85.149 www.antirootkit.com; 171.168.85.149 www.greatis.com;
      171.168.85.149 ar.answers.yahoo.com; 171.168.85.149 www.elhacker.org;
      171.168.85.149 research.pandasecurity.com; 171.168.85.149 www.tpu.ro;
      171.168.85.149 www.pinoyden.com; 171.168.85.149 forum.avira.de;
      171.168.85.149 www.rootkit.com; 171.168.85.149 www.pctools.com;
      171.168.85.149 www.pcsupportadvisor.com;
      171.168.85.149 www.resplendence.com;
      171.168.85.149 www.personal.psu.edu; 171.168.85.149 foro.ethek.com;
      171.168.85.149 foro.elhacker.net;
      171.168.85.149 download.zonealarm.com;
      171.168.85.149 spywarehammer.com; 171.168.85.149 www.codelain.com;
      171.168.85.149 www.thaicert.org; 171.168.85.149 vil.nail.com;
      171.168.85.149 search.mcafee.com; 171.168.85.149 wwww.mcafee.com;
      171.168.85.149 download.nai.com;
      171.168.85.149 wwww.experts-exchange.com;
      171.168.85.149 www.bakunos.com; 171.168.85.149 www.darkclockers.com;
      171.168.85.149 www2.gmer.net; 171.168.85.149 ariefew.com;
      171.168.85.149 www.emsisoft.com; 171.168.85.149 forum.romeonet.ro;
      171.168.85.149 www.Merijn.org; 171.168.85.149 www.spywareinfo.com;
      171.168.85.149 www.spybot.info; 171.168.85.149 www.viruslist.com;
      171.168.85.149 www.hijackthis.de; 171.168.85.149 ftp.f-secure.com;
      171.168.85.149 forum.kaspersky.com;
      171.168.85.149 es.trendmicro-europe.com;
      171.168.85.149 www.hvaonline.net; 171.168.85.149 forum.lowyat.net;
      171.168.85.149 kb.eset.com; 171.168.85.149 majorgeeks.com;
      171.168.85.149 www.avp.com; 171.168.85.149 www.virustotal.com;
      171.168.85.149 www.sophos.com;
      171.168.85.149 linhadefensiva.uol.com.br; 171.168.85.149 cmmings.cn;
      171.168.85.149 www.sergiwa.com; 171.168.85.149 www.el-hacker.com;
      171.168.85.149 dl2.agnitum.com; 171.168.85.149 forum.smadav.net;
      171.168.85.149 images.malwareremoval.com;
      171.168.85.149 www.avg-antivirus.net;
      171.168.85.149 www.kaspersky-labs.com;
      171.168.85.149 www.kaspersky.com;
      171.168.85.149 www.bleepingcomputer.com;
      171.168.85.149 www.free.grisoft.com;
      171.168.85.149 alerta-antivirus.inteco.es; 171.168.85.149 greatis.com;
      171.168.85.149 www.oprekpc.com; 171.168.85.149 www.gmer.net;
      171.168.85.149 forum.kasperskyclub.com;
      171.168.85.149 securityresponse.symantec.com;
      171.168.85.149 www.analysis.seclab.tuwien.ac.at;
      171.168.85.149 www.symantec.com; 171.168.85.149 www.kztechs.com;
      171.168.85.149 ad-aware-se.uptodown.com;
      171.168.85.149 stdio-labs.blogspot.com;
      171.168.85.149 forum.lrytas.lt; 171.168.85.149 www.decido.de;
      171.168.85.149 wap.elakiri.com;
      171.168.85.149 liveupdate.symantecliveupdate.com;
      171.168.85.149 liveupdate.symantec.com;
      171.168.85.149 customer.symantec.com;
      171.168.85.149 update.symantec.com; 171.168.85.149 www.box.net;
      171.168.85.149 foro.el-hacker.com;
      171.168.85.149 acs.pandasoftware.com;
      171.168.85.149 egavisa.blogspot.com; 171.168.85.149 angui123.cn;
      171.168.85.149 beta.eset.com; 171.168.85.149 www.mcafee.com;
      171.168.85.149 www.free.avg.com; 171.168.85.149 download.mcafee.com;
      171.168.85.149 mast.mcafee.com; 171.168.85.149 www.tecno-soft.com;
      171.168.85.149 ladooscuro.es; 171.168.85.149 ftp.drweb.com;
      171.168.85.149 download.microsoft.com;
      171.168.85.149 www.mypcsafe.com; 171.168.85.149 www.blindedbytech.com;
      171.168.85.149 kaspersky.com; 171.168.85.149 guru0.grisoft.cz;
      171.168.85.149 guru1.grisoft.cz; 171.168.85.149 guru2.grisoft.cz;
      171.168.85.149 guru3.grisoft.cz;
      171.168.85.149 download.bleepingcomputer.com;
      171.168.85.149 it.answers.yahoo.com; 171.168.85.149 www.softonic.com;
      171.168.85.149 www.mycity.rs; 171.168.85.149 cairopt.net;
      171.168.85.149 rootrepeal.googlepages.com;
      171.168.85.149 guru4.grisoft.cz; 171.168.85.149 guru5.grisoft.cz;
      171.168.85.149 www.virusspy.com; 171.168.85.149 download.f-secure.com;
      171.168.85.149 www.malwareremoval.com; 171.168.85.149 forums.cnet.com;
      171.168.85.149 foros.softonic.com; 171.168.85.149 www.freedrweb.com;
      171.168.85.149 www.kaskus.us; 171.168.85.149 rootrepeal.psikotick.com;
      171.168.85.149 thaicert.nectec.or.th;
      171.168.85.149 hjt-data.trend-braintree.com;
      171.168.85.149 www.pantip.com; 171.168.85.149 secubox.aldria.com;
      171.168.85.149 www.forospyware.com;
      171.168.85.149 www.manuelruvalcaba.com;
      171.168.85.149 www.zonavirus.com; 171.168.85.149 www.leforo.com;
      171.168.85.149 www.gsmph.com; 171.168.85.149 blokvesti.net;
      171.168.85.149 www.viprasys.org; 171.168.85.149 forum.antivir-pe.de;
      171.168.85.149 www.siteadvisor.com;
      171.168.85.149 blog.threatfire.com;
      171.168.85.149 www.threatexpert.com; 171.168.85.149 blog.hispasec.com;
      171.168.85.149 www.configurarequipos.com;
      171.168.85.149 sosvirus.changelog.fr; 171.168.85.149 www.psicofxp.com;
      171.168.85.149 www.gsmph.net; 171.168.85.149 www.gyakorikerdesek.hu;
      171.168.85.149 us.mcafee.com; 171.168.85.149 mailcenter.rising.com.cn;
      171.168.85.149 mailcenter.rising.com;
      171.168.85.149 www.rising.com.cn; 171.168.85.149 www.rising.com;
      171.168.85.149 www.babooforum.com.br;
      171.168.85.149 www.runscanner.net;
      171.168.85.149 www.blogschapines.com; 171.168.85.149 www.zyzoom.org;
      171.168.85.149 www.avsoft.ru; 171.168.85.149 www.elakiri.com;
      171.168.85.149 sosvirus.changelog.fr;
      171.168.85.149 upload.changelog.fr; 171.168.85.149 www.raymond.cc;
      171.168.85.149 changelog.fr; 171.168.85.149 www.pcentraide.com;
      171.168.85.149 atazita.blogspot.com; 171.168.85.149 www.thinkpad.cn;
      171.168.85.149 www.sunbeltsoftware.com; 171.168.85.149 cert.inteco.es;
      171.168.85.149 www.gamexeon.com;
      171.168.85.149 nod32-antivirus.en.softonic.co;
      171.168.85.149 www.final4ever.com; 171.168.85.149 files.filefont.com;
      171.168.85.149 www.infos-du-net.com;
      171.168.85.149 www.trendsecure.com; 171.168.85.149 forum.hardware.fr;
      171.168.85.149 www.utilidades-utiles.com;
      171.168.85.149 blogs.icerocket.com; 171.168.85.149 www.spywarefri.dk;
      171.168.85.149 alfrasha.maktoob.com; 171.168.85.149 www.eset.eu;
      171.168.85.149 www.spychecker.com; 171.168.85.149 www.geekstogo.com;
      171.168.85.149 forums.maddoktor2.com;
      171.168.85.149 www.smokey-services.eu; 171.168.85.149 www.clubic.com;
      171.168.85.149 www.linhadefensiva.org;
      171.168.85.149 www.rolandovera.com; 171.168.85.149 forum.burek.com;
      171.168.85.149 secure.sophos.com; 171.168.85.149 usa.kaspersky.com;
      171.168.85.149 download.sysinternals.com;
      171.168.85.149 www.pcguide.com; 171.168.85.149 www.thetechguide.com;
      171.168.85.149 www.ozzu.com; 171.168.85.149 www.changedetection.com;
      171.168.85.149 espanol.groups.yahoo.com;
      171.168.85.149 www.sunbeltsecurity.com;
      171.168.85.149 www.quickheal.co.in; 171.168.85.149 www.vivalared.com;
      171.168.85.149 community.thaiware.com;
      171.168.85.149 www.avpclub.ddns.info;
      171.168.85.149 www.offensivecomputing.net;
      171.168.85.149 www.grisoft.com; 171.168.85.149 boardreader.com;
      171.168.85.149 www.guiadohardware.net; 171.168.85.149 www.webroot.com;
      171.168.85.149 www.thehelper.net; 171.168.85.149 www.kaldata.com;
      171.168.85.149 vil.nai.com; 171.168.85.149 www.msnvirusremoval.com;
      171.168.85.149 www.cisrt.org; 171.168.85.149 fixmyim.com;
      171.168.85.149 samroeng.hi5.com; 171.168.85.149 foro.elhacker.net;
      171.168.85.149 www.daboweb.com; 171.168.85.149 service1.symantec.com;
      171.168.85.149 us3.download.comodo.com;
      171.168.85.149 forum.gsmhosting.com;
      171.168.85.149 www.computerforum.com;
      171.168.85.149 forums.techguy.org;
      171.168.85.149 www.incodesolutions.com;
      171.168.85.149 hijackthis.download3000.com;
      171.168.85.149 www.cybertechhelp.com;
      171.168.85.149 www.superdicas.com.br; 171.168.85.149 www.51nb.com;
      171.168.85.149 us4.download.comodo.com; 171.168.85.149 www.jbtalks.cc;
      171.168.85.149 ad13.geekstogo.com;
      171.168.85.149 downloads.andymanchesta.com;
      171.168.85.149 andymanchesta.com; 171.168.85.149 info.prevx.com;
      171.168.85.149 aknow.prevx.com; 171.168.85.149 www.zonavirus.com;
      171.168.85.149 securitywonks.net; 171.168.85.149 www.yoreparo.com;
      171.168.85.149 www.spywarecease.com;
      171.168.85.149 forum.dobreprogramy.pl;
      171.168.85.149 community.mcafee.com; 171.168.85.149 www.lavasoft.com;
      171.168.85.149 www.virscan.org; 171.168.85.149 www.eeload.com;
      171.168.85.149 down.www.kingsoft.com; 171.168.85.149 www.file.net;
      171.168.85.149 onecare.live.com; 171.168.85.149 mvps.org;
      171.168.85.149 www.laneros.com; 171.168.85.149 www.pc1news.com;
      171.168.85.149 forum.avira.com;
      171.168.85.149 downloads.novirusthanks.org;
      171.168.85.149 www.housecall.trendmicro.com;
      171.168.85.149 www.avast.com; 171.168.85.149 www.free.avg.com;
      171.168.85.149 www.onlinescan.avast.com; 171.168.85.149 www.ewido.net;
      171.168.85.149 www.trucoswindows.net;
      171.168.85.149 www.mozilla-hispano.org;
      171.168.85.149 www.jackbloodforum.com;
      171.168.85.149 www.kosandpol.elakiri.com;
      171.168.85.149 www.futurenow.bitdefender.com;
      171.168.85.149 www.bitdefender.com; 171.168.85.149 www.f-prot.com;
      171.168.85.149 www.trendsecure.com;
      171.168.85.149 security.symantec.com;
      171.168.85.149 oldtimer.geekstogo.com;
      171.168.85.149 sopiansantosa.blogspot.com;
      171.168.85.149 www.fileresearchcenter.com;
      171.168.85.149 www.looktr.com; 171.168.85.149 www.avira.com;
      171.168.85.149 www.eset.com; 171.168.85.149 www.free.avg.com;
      171.168.85.149 www.free-av.com; 171.168.85.149 kr.ahnlab.com;
      171.168.85.149 www.eset.com; 171.168.85.149 forospyware.com;
      171.168.85.149 thejokerx.blogspot.com; 171.168.85.149 cairopt.net;
      171.168.85.149 oolbar.cyberdefender.com;
      171.168.85.149 golpe.dyndns.org; 171.168.85.149 www.2-spyware.com;
      171.168.85.149 www.antivir.es; 171.168.85.149 www.prevx.com;
      171.168.85.149 www.ikarus.net; 171.168.85.149 bbs.s-sos.net;
      171.168.85.149 www.housecall.trendmicro.com;
      171.168.85.149 www.superdicas.com.br;
      171.168.85.149 www.superantispyware.com;
      171.168.85.149 www.unhackme.com; 171.168.85.149 www.askmehelpdesk.com;
      171.168.85.149 www.forums.majorgeeks.com;
      171.168.85.149 www.castlecops.com; 171.168.85.149 www.virusspy.com;
      171.168.85.149 andymanchesta.com; 171.168.85.149 www.kaspersky.es;
      171.168.85.149 subs.geekstogo.com; 171.168.85.149 www.forospanish.com;
      171.168.85.149 blog.rnsafe.com; 171.168.85.149 www.regrun.com;
      171.168.85.149 irc.snahosting.net; 171.168.85.149 www.trendmicro.com;
      171.168.85.149 www.fortinet.com;
      171.168.85.149 www.safer-networking.org;
      171.168.85.149 www.fortiguardcenter.com;
      171.168.85.149 www.dougknox.com; 171.168.85.149 www.vsantivirus.com;
      171.168.85.149 static.commentcamarche.net;
      171.168.85.149 www.gyakorikerdesek.hu; 171.168.85.149 www.fixya.com;
      171.168.85.149 www.firewallguide.com;
      171.168.85.149 www.auditmypc.com; 171.168.85.149 www.spywaredb.com;
      171.168.85.149 www.mxttchina.com; 171.168.85.149 www.ziggamza.net;
      171.168.85.149 www.forospyware.es;
      171.168.85.149 pogonyuto.forospanish.com;
      171.168.85.149 spywarefiles.prevx.com;
      171.168.85.149 k2r.th3kings.net;
      171.168.85.149 www.betterantivirus.com;
      171.168.85.149 www.antivirus.comodo.com;
      171.168.85.149 www.spywareterminator.com;
      171.168.85.149 www.eradicatespyware.net;
      171.168.85.149 www.freespywareremoval.info;
      171.168.85.149 www.personalfirewall.comodo.com;
      171.168.85.149 wakoopa.com; 171.168.85.149 forum.drweb.com;
      171.168.85.149 bb1.th3kings.net;
      171.168.85.149 www.commentcamarche.net; 171.168.85.149 www.clamav.net;
      171.168.85.149 www.antivirus.about.com;
      171.168.85.149 www.pandasecurity.com; 171.168.85.149 www.webphand.com;
      171.168.85.149 mx.answers.yahoo.com;
      171.168.85.149 www.securitywonks.net;
      171.168.85.149 www.messengeradictos.com;
      171.168.85.149 www.geekpolice.net; 171.168.85.149 bub.th3kings.net;
      171.168.85.149 www.sandboxie.com; 171.168.85.149 www.clamwin.com;
      171.168.85.149 www.cwsandbox.org; 171.168.85.149 www.ca.com;
      171.168.85.149 www.arswp.com; 171.168.85.149 es.answers.yahoo.com;
      171.168.85.149 www.trucoswindows.es;
      171.168.85.149 www.ipaddresser.com; 171.168.85.149 www.abgenis.net;
      171.168.85.149 www.freefixer.com; 171.168.85.149 forums.afterdawn.com;
      171.168.85.149 www.networkworld.com;
      171.168.85.149 www.cddchiangmai.net;
      171.168.85.149 www.threatexpert.com; 171.168.85.149 www.norman.com;
      171.168.85.149 espanol.answers.yahoo.com;
      171.168.85.149 www.tallemu.com; 171.168.85.149 foro.portalhacker.net;
      171.168.85.149 www.groupwhere.org;
      171.168.85.149 sniff.runescapetube.com; 171.168.85.149 virscan.org;
      171.168.85.149 www.viruschief.com; 171.168.85.149 scanner.virus.org;
      171.168.85.149 www.hijackthis.de;
      171.168.85.149 housecall65.trendmicro.com;
      171.168.85.149 www.guiadohardware.net;
      171.168.85.149 forums.whatthetech.com;
      171.168.85.149 mustlovewine.com; 171.168.85.149 www3.malekal.com;
      171.168.85.149 esetnod32antivirus.blogspot.com;
      171.168.85.149 hjt.networktechs.com;
      171.168.85.149 www.techsupportforum.com;
      171.168.85.149 www.whatthetech.com; 171.168.85.149 www.soccersuck.com;
      171.168.85.149 www.pcentraide.com;
      171.168.85.149 comunidad.wilkinsonpc.com.co;
      171.168.85.149 forum.hocit.com; 171.168.85.149 forum.smadav.net;
      171.168.85.149 fgp.e2doo.com; 171.168.85.149 community.thaiware.com;
      171.168.85.149 forum.piriform.com;
      171.168.85.149 www.tweaksforgeeks.com; 171.168.85.149 www.daniweb.com;
      171.168.85.149 www.geekstogo.com; 171.168.85.149 es.answers.yahoo.com;
      171.168.85.149 www.techsupportforum.com;
      171.168.85.149 dnl-eu8.kaspersky-labs.com;
      171.168.85.149 www.oprekpc.com; 171.168.85.149 shv4.ath.cx;
      171.168.85.149 www.pcworld.com; 171.168.85.149 www.pchell.com;
      171.168.85.149 www.spyany.com; 171.168.85.149 forums.techguy.org;
      171.168.85.149 www.experts-exchange.com; 171.168.85.149 www.wikio.es;
      171.168.85.149 www.pandasecurity.com;
      171.168.85.149 forums.devshed.com;
      171.168.85.149 devbuilds.kaspersky-labs.com;
      171.168.85.149 hana-ahmad.blogspot.com;
      171.168.85.149 forum.tweaks.com;
      171.168.85.149 www.wilderssecurity.com;
      171.168.85.149 www.techspot.com;
      171.168.85.149 www.thecomputerpitstop.com;
      171.168.85.149 es.wasalive.com; 171.168.85.149 secunia.com;
      171.168.85.149 www.killtrojan.net; 171.168.85.149 www.ulop.net;
      171.168.85.149 www.eliters.com;
      171.168.85.149 sip4.voipkosovasite.com; 171.168.85.149 es.kioskea.net;
      171.168.85.149 www.taringa.net; 171.168.85.149 www.cyberdefender.com;
      171.168.85.149 www.feedage.com; 171.168.85.149 new.taringa.net;
      171.168.85.149 forum.zazana.com;
      171.168.85.149 forum.clubedohardware.com.br;
      171.168.85.149 mks.com.pl; 171.168.85.149 www.vietcaravan.us;
      171.168.85.149 trbotnet.sytes.net; 171.168.85.149 www.computing.net;
      171.168.85.149 discussions.virtualdr.com;
      171.168.85.149 forum.securitycadets.com;
      171.168.85.149 www.techimo.com; 171.168.85.149 13iii.com;
      171.168.85.149 www.dicasweb.com.br;
      171.168.85.149 www.javacoolsoftware.net; 171.168.85.149 cofradia.org;
      171.168.85.149 wasteland-bg.com; 171.168.85.149 www.windowexe.com;
      171.168.85.149 www.infosecpodcast.com;
      171.168.85.149 www.usbcleaner.cn; 171.168.85.149 www.net-security.org;
      171.168.85.149 www.bleedingthreats.net;
      171.168.85.149 acs.pandasoftware.com;
      171.168.85.149 www.funkytoad.com; 171.168.85.149 malwarebytes.org;
      171.168.85.149 sabithpocker.blogspot.com;
      171.168.85.149 comprolive.vox.com; 171.168.85.149 www.360safe.cn;
      171.168.85.149 www.360safe.com; 171.168.85.149 bbs.360safe.cn;
      171.168.85.149 bbs.360safe.com; 171.168.85.149 codehard.wordpress.com;
      171.168.85.149 forum.clubedohardware.com.br;
      171.168.85.149 antitrick.com;
      171.168.85.149 www.configurarequipos.com;
      171.168.85.149 www.jiwang.org;
      171.168.85.149 anti-virus-software-review.toptenreviews.com;
      171.168.85.149 www.360.cn; 171.168.85.149 www.360.com;
      171.168.85.149 bbs.360safe.cn; 171.168.85.149 bbs.360safe.com;
      171.168.85.149 www.forospyware.es; 171.168.85.149 p3dev.taringa.net;
      171.168.85.149 www.precisesecurity.com;
      171.168.85.149 dlpe.antivir.com; 171.168.85.149 www.jvme.com;
      171.168.85.149 share.skype.com; 171.168.85.149 comprolive.com;
      171.168.85.149 gotoknow.org; 171.168.85.149 baike.360.cn;
      171.168.85.149 baike.360.com; 171.168.85.149 kaba.360.cn;
      171.168.85.149 kaba.360.com; 171.168.85.149 deckard.geekstogo.com;
      171.168.85.149 www.taringa.net; 171.168.85.149 forums.comodo.com;
      171.168.85.149 www.mvps.org; 171.168.85.149 melcy.wordpress.com;
      171.168.85.149 forum.softpedia.com;
      171.168.85.149 pcvids.wordpress.com; 171.168.85.149 down.360safe.cn;
      171.168.85.149 down.360safe.com; 171.168.85.149 x.360safe.com;
      171.168.85.149 dl.360safe.com; 171.168.85.149 ftp.drweb.com;
      171.168.85.149 www.hotshare.net; 171.168.85.149 es.wasalive.com;
      171.168.85.149 free.antivirus.com; 171.168.85.149 forum.hocit.com;
      171.168.85.149 destavision-forum.com;
      171.168.85.149 inspiresoft.blogspot.com;
      171.168.85.149 updatem.360safe.com; 171.168.85.149 updatem.360safe.cn;
      171.168.85.149 update.360safe.cn; 171.168.85.149 update.360safe.com;
      171.168.85.149 www.utilidades-utiles.com;
      171.168.85.149 forum.kaspersky.com;
      171.168.85.149 www.indowebster.web.id; 171.168.85.149 zastita.com;
      171.168.85.149 www.sz-pet.com; 171.168.85.149 foros.abcdatos.com;
      171.168.85.149 bbs.duba.net; 171.168.85.149 www.duba.net;
      171.168.85.149 zhidao.baidu.com; 171.168.85.149 hi.baidu.com;
      171.168.85.149 www.drweb.com.es;
      171.168.85.149 msncleaner.softonic.com;
      171.168.85.149 www.javacoolsoftware.com;
      171.168.85.149 beniono.wordpress.com;
      171.168.85.149 www.4-gsmteam.com;
      171.168.85.149 msntubers.freehostia.com;
      171.168.85.149 file.ikaka.com; 171.168.85.149 file.ikaka.cn;
      171.168.85.149 bbs.ikaka.com; 171.168.85.149 zhidao.ikaka.com;
      171.168.85.149 www.eset-la.com; 171.168.85.149 download.eset.com;
      171.168.85.149 software-files.download.com;
      171.168.85.149 www.faravirusi.com; 171.168.85.149 www.winbots.es;
      171.168.85.149 forum.chip.de; 171.168.85.149 www.thailandsusu.com;
      171.168.85.149 www.ikaka.com; 171.168.85.149 www.ikaka.cn;
      171.168.85.149 bbs.cfan.com.cn; 171.168.85.149 www.cfan.com.cn;
      171.168.85.149 www.pandasecurity.com; 171.168.85.149 es.mcafee.com;
      171.168.85.149 downloads.malwarebytes.org;
      171.168.85.149 www.devirusare.com; 171.168.85.149 forum.skype.com;
      171.168.85.149 shitit.net; 171.168.85.149 www.webimmune.net;
      171.168.85.149 bbs.kafan.cn; 171.168.85.149 bbs.kafan.com;
      171.168.85.149 bbs.kpfans.com; 171.168.85.149 bbs.taisha.org;
      171.168.85.149 www.manuelruvalcaba.com;
      171.168.85.149 support.f-secure.com; 171.168.85.149 bbs.winzheng.com;
      171.168.85.149 devirusare.com; 171.168.85.149 social.microsoft.com;
      171.168.85.149 www.shitit.net; 171.168.85.149 mx.answers.yahoo.com;
      171.168.85.149 alerta-antivirus.inteco.es;
      171.168.85.149 foros.zonavirus.com;
      171.168.85.149 alerta-antivirus.red.es;
      171.168.85.149 www.zonavirus.com; 171.168.85.149 www.malwarebytes.org;
      171.168.85.149 www.commentcamarche.net;
      171.168.85.149 news.support.veritas.com;
      171.168.85.149 www.zonealarm.com; 171.168.85.149 www.ewido.net;
      171.168.85.149 www.infospyware.com; 171.168.85.149 www.bitdefender.es;
      171.168.85.149 housecall.trendmicro.com;
      171.168.85.149 foros.toxico-pc.com; 171.168.85.149 www.identi.es;
      171.168.85.149 es.kioskea.net; 171.168.85.149 virusinfo.info;
      171.168.85.149 forums.zonealarm.com;
      171.168.85.149 foro.infiernohacker.com;
      171.168.85.149 www.emsisoft.de;
      171.168.85.149 www.securitynewsportal.com;
      171.168.85.149 irc.ekizmedia.com;
      171.168.85.149 zone.arminboutique.com;
      171.168.85.149 story.dnsentrymx.com
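The list above is long, but its signature is simple: hundreds of unrelated names all pointing at one routable address. The following is an added example, not code from the Avira description, that parses hosts-file text, groups entries by target address, reports non-loopback addresses that many names point to, and separately reports any entry for a watch-listed name. The hosts text in SAMPLE_HOSTS is constructed; the watch-listed names are taken from the list above, and the threshold of 5 names is an assumption.

```python
"""Check a hosts file for mass redirection of security-vendor names.

Added example, not part of the Avira description. SAMPLE_HOSTS is constructed;
the watch-listed names come from the list above; the threshold is an assumption.
"""
import ipaddress
from collections import defaultdict

# Names from the list above that should never be resolved through a hosts entry.
WATCHLIST = {
    "www.avira.com", "www.kaspersky.com", "www.sophos.com",
    "www.virustotal.com", "update.symantec.com", "download.microsoft.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def analyze(text, threshold=5):
    """Return (sinkholes, watch_hits).

    sinkholes:  {ip: sorted names} for addresses with at least `threshold` names,
                excluding loopback and 0.0.0.0 (ad-blocking hosts files use those
                legitimately for thousands of names).
    watch_hits: sorted (name, ip) for every watch-listed name, whatever the address.
    """
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)
    sinkholes = {}
    for ip, names in by_ip.items():
        a = ipaddress.ip_address(ip)
        if len(names) >= threshold and not (a.is_loopback or a.is_unspecified):
            sinkholes[ip] = sorted(names)
    watch_hits = sorted((n, ip) for ip, names in by_ip.items() for n in names if n in WATCHLIST)
    return sinkholes, watch_hits


SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example   # legitimate local entry
171.168.85.149 www.avira.com
171.168.85.149 www.kaspersky.com
171.168.85.149 www.sophos.com
171.168.85.149 www.virustotal.com
171.168.85.149 update.symantec.com
171.168.85.149 forum.avira.de
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
"""

if __name__ == "__main__":
    sinkholes, hits = analyze(SAMPLE_HOSTS)
    for ip, names in sinkholes.items():
        print(f"{ip}: {len(names)} names redirected, e.g. {names[:3]}")
    for name, ip in hits:
        print(f"watch-listed {name} -> {ip}")
```

On a live system read the file from %SYSDIR%\drivers\etc\hosts; because the sample deletes the original file and writes its own, a clean copy has only the localhost lines, so any sizeable file there on a host that has no ad-blocking list deployed is itself a finding. Restoring name resolution means replacing the file and flushing the resolver cache, otherwise the cached redirections persist.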


Injection:
It injects itself as a remote thread into the following process:
   • explorer.exe


File details:
Runtime packer: to hinder detection and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, May 5, 2010
Description updated by Petre Galan on Wednesday, May 5, 2010
