Avira Virus Lab

TR/Crypt.ZPACK.220725

  • Name
    TR/Crypt.ZPACK.220725
  • Date discovered
    Dec 12, 2015
  • Type
    Malware
  • Impact
    Medium
  • Reported Infections
    Low
  • Operating System
    Windows
  • VDF version
    7.12.34.4 (2015-12-03 17:06)


The prefix 'TR' denotes a trojan horse: a program that can spy on data, violate your privacy, or carry out unwanted modifications to the system.

  • VDF
    7.12.34.4 (2015-12-03 17:06)
  • Aliases
    Avast: Win32:Malware-gen
    AVG: Generic37.MY
    Dr. Web: Trojan.Encoder.3104
    McAfee: PWSZbot-FAOI!FBF1B81263B4
    Trend Micro: Ransom_.7C4A83A9
    Microsoft: Ransom:Win32/Tescrypt!rfn
    G Data: Trojan.GenericKD.2907449
    Kaspersky Lab: Trojan.Win32.Yakes.npyk
    Bitdefender: Trojan.GenericKD.2907449
    ESET: Win32/Filecoder.EM trojan
  • Files
    The following copies of itself are created:
    • %APPDATA%\mceyg-a.exe
    The following files are created:
    • %USERPROFILE%\My Documents\recover_file_uqdsdasyc.txt
    • %temporary internet files%\Content.IE5\QH9ZEEV0\CA0PS4IJ.htm
    • %temporary internet files%\Content.IE5\QH9ZEEV0\CAOLUVUF.htm
    • %temporary internet files%\Content.IE5\QH9ZEEV0\CA39NXCZ.htm
    The following files are changed:
    • %temporary internet files%\Content.IE5\index.dat
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1025.rtf
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1028.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1029.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1030.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1031.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1032.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1033.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1035.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1036.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1037.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1038.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1040.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1041.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1042.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1043.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1044.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1045.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1046.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1049.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1053.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1055.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.2052.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.2070.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.3082.rtf
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
    • %APPDATA%\Adobe\Acrobat\9.0\JavaScripts\glob.js
    • %APPDATA%\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js
    • %APPDATA%\Microsoft\Internet Explorer\brndlog.txt
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\prefs.js
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\sessionstore.js
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\urlclassifierkey3.txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\biluta@download.mozilla[1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][3].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\biluta@www.bing[1].txt
    • %USERPROFILE%\Cookies\biluta@www.mozilla[1].txt
    • %USERPROFILE%\Cookies\biluta@www.msn[1].txt
    • %TEMPDIR%\AUCHECK_PARSER.txt
    • %TEMPDIR%\dd_clwireg.txt
    • %TEMPDIR%\dd_depcheckdotnetfx30.txt
    • %TEMPDIR%\dd_depcheck_NETFX20_EXP_35.txt
    • %TEMPDIR%\dd_depcheck_NETFX_EXP_35.txt
    • %TEMPDIR%\dd_dotnetfx20error.txt
    • %TEMPDIR%\dd_dotnetfx20install.txt
    • %TEMPDIR%\dd_dotnetfx35error.txt
    • %TEMPDIR%\dd_dotnetfx35install.txt
    • %TEMPDIR%\dd_dotnetfx3install.txt
    • %TEMPDIR%\dd_dotNetFx40_Full_setup_decompression_log.txt
    • %TEMPDIR%\dd_msxml_retMSI4318.txt
    • %TEMPDIR%\dd_netfx20MSI205C.txt
    • %TEMPDIR%\dd_netfx20UI205C.txt
    • %TEMPDIR%\dd_NET_Framework20_Setup12EF.txt
    The following files are renamed:
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1025.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1028.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1029.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1030.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1031.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1032.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1033.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1035.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1036.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1037.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1038.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1040.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1041.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1042.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1043.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1044.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1045.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1046.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1049.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1053.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.1055.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.2052.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.2070.rtf
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\eula.3082.rtf
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg
    • %DISKDRIVE%\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg
    • %APPDATA%\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js
    • %APPDATA%\Microsoft\Internet Explorer\brndlog.txt
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\prefs.js
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\sessionstore.js
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\urlclassifierkey3.txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\biluta@download.mozilla[1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][3].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][2].txt
    • %USERPROFILE%\Cookies\[email protected][1].txt
    • %USERPROFILE%\Cookies\biluta@www.bing[1].txt
    • %USERPROFILE%\Cookies\biluta@www.mozilla[1].txt
    • %USERPROFILE%\Cookies\biluta@www.msn[1].txt
    • %TEMPDIR%\AUCHECK_PARSER.txt
    • %TEMPDIR%\dd_clwireg.txt
    • %TEMPDIR%\dd_depcheckdotnetfx30.txt
    • %TEMPDIR%\dd_depcheck_NETFX20_EXP_35.txt
    • %TEMPDIR%\dd_depcheck_NETFX_EXP_35.txt
    • %TEMPDIR%\dd_dotnetfx20error.txt
    • %TEMPDIR%\dd_dotnetfx20install.txt
    • %TEMPDIR%\dd_dotnetfx35error.txt
    • %TEMPDIR%\dd_dotnetfx35install.txt
    • %TEMPDIR%\dd_dotnetfx3install.txt
    • %TEMPDIR%\dd_dotNetFx40_Full_setup_decompression_log.txt
    • %TEMPDIR%\dd_msxml_retMSI4318.txt
    • %TEMPDIR%\dd_netfx20MSI205C.txt
    • %TEMPDIR%\dd_netfx20UI205C.txt
    • %TEMPDIR%\dd_NET_Framework20_Setup12EF.txt
    The following files are deleted:
    • %temporary internet files%\Content.IE5\QH9ZEEV0\CA0PS4IJ.htm
    • %temporary internet files%\Content.IE5\QH9ZEEV0\CAOLUVUF.htm
    • %temporary internet files%\Content.IE5\QH9ZEEV0\CA39NXCZ.htm
  • Injections
    • %APPDATA%\mceyg-a.exe
  • Registry
    The following registry entries are added:
    • HKEY_CURRENT_USER\Software\zsys ("ID": %hex values%)
    • HKEY_CURRENT_USER\Software\A45825718410E168 ("data": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Acronis": "%APPDATA%\mceyg-a.exe")
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
  • HTTP Requests
    • myexternalip.*****com/raw
    • regiefernando.*****ages/slideshow/sysmisc.php
    • regiefernando.*****i-sys/suspendedpage.cgi
    • schriebershof.*****p/misc.php?D123FB3FDBE6D719F0F7EA27237BFCA4D7608843743A606142A0C1A2CC5BD00F67CFFC27044025B19732C2A3406AB5715A98D5C9E047AB6F13253AAE0344640DA7177B3605D14303A952208703A01F82CC6AC501BEFE4982046B85F0FD35B98C59AEBB15C5E67DEC122D093E0168C3DC9C686822324FDBF46EB482D0BCC1D4A37B4AC4FEE4F13A07FA50977E07EB6187EB0ECE1FE66F83257A897C4DD4B751D61AA713EA0196CB955DBBCCD53857027A14E97032B0E71D632443AC6F36643886B2B30A02B937B15B1F37E55B7516E6501BCD619D89E0F1B6A24CE42FD4C66AD850EB32DA42199954F741CDC210EA559C749455560A27B46B0B202D29B6742BCB3A7BE8812CACB4DBA7A1C0EFC98E6F214D90342855A56B8F57BDE6C1B140F2DC159C88E88ED8E7E2924FBBEF27EF682CA548E4FC2BEABCE79E0E70F5399408587B83D023FB339824ABFE511F59BDD00E5E7A0D46BD00BB828F7B4439907FA571
    • apotheke-stiepel.*****mp/misc.php?D123FB3FDBE6D719F0F7EA27237BFCA4D7608843743A606142A0C1A2CC5BD00F67CFFC27044025B19732C2A3406AB5715A98D5C9E047AB6F13253AAE0344640DA7177B3605D14303A952208703A01F82CC6AC501BEFE4982046B85F0FD35B98C59AEBB15C5E67DEC122D093E0168C3DC9C686822324FDBF46EB482D0BCC1D4A37B4AC4FEE4F13A07FA50977E07EB6187EB0ECE1FE66F83257A897C4DD4B751D61AA713EA0196CB955DBBCCD53857027A14E97032B0E71D632443AC6F36643886B2B30A02B937B15B1F37E55B7516E6501BCD619D89E0F1B6A24CE42FD4C66AD850EB32DA42199954F741CDC210EA559C749455560A27B46B0B202D29B6742BCB3A7BE8812CACB4DBA7A1C0EFC98E6F214D90342855A56B8F57BDE6C1B140F2DC422A69912817C953C6E3B1BE0432DE149A7ACEEC479DBC11708A74F4E18B27A54B42C3F3634FE5505FC2ED1AA19599F58F16A0E227D17358032CD0CF168E0BED56910172155327C62737946611CC2A5B
    • woodenden.*****ysmisc.php
