Technical Information
Malicious functions:
Creates and executes the following:
- '%PROGRAM_FILES%\General Antivirus\GenAvir.exe' /inst /sp
Executes the following:
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 5
- '<SYSTEM32>\cmd.exe' /c ""%PROGRAM_FILES%\General Antivirus\exec.bat" "
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnonZoneCrossing' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnOnPostRedirect' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnonBadCertRecving' = '00000000'
Modifies file system :
Creates the following files:
- %APPDATA%\General Antivirus\db\pb.dll
- %APPDATA%\General Antivirus\HTUninstaller.exe
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\General Antivirus.lnk
- %PROGRAM_FILES%\General Antivirus\working.log
- %PROGRAM_FILES%\General Antivirus\db\Urls.inf
- %PROGRAM_FILES%\General Antivirus\uninstall.ico
- %APPDATA%\General Antivirus\db\config.cfg
- %PROGRAM_FILES%\General Antivirus\exec.bat
- %HOMEPATH%\Desktop\General Antivirus.lnk
- %TEMP%\~Urls.inf.tmp
- %APPDATA%\General Antivirus\db\Urls.inf
- %TEMP%\~Timeout.inf.tmp
- %APPDATA%\General Antivirus\db\Timeout.inf
- %ALLUSERSPROFILE%\Start Menu\Programs\General Antivirus\Purchase License.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\General Antivirus\General Antivirus.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\General Antivirus\Uninstall General Antivirus.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\General Antivirus\General Antivirus Home Page.lnk
- %PROGRAM_FILES%\General Antivirus\db\ga090122.db
- %PROGRAM_FILES%\General Antivirus\explorer.ico
- %PROGRAM_FILES%\General Antivirus\db\ga190908g.db
- %PROGRAM_FILES%\General Antivirus\db\ga090225x.db
- %PROGRAM_FILES%\General Antivirus\activate.ico
- %PROGRAM_FILES%\General Antivirus\GenAvir.exe
- %PROGRAM_FILES%\General Antivirus\db\DBInfo.ver
- %PROGRAM_FILES%\General Antivirus\db\config.cfg
- %PROGRAM_FILES%\General Antivirus\HTUninstaller.exe
- %PROGRAM_FILES%\General Antivirus\db\pb.dll
- %PROGRAM_FILES%\General Antivirus\db\lists.ini
- %PROGRAM_FILES%\General Antivirus\db\Timeout.inf
- %PROGRAM_FILES%\General Antivirus\reg.ico
- %PROGRAM_FILES%\General Antivirus\iMSh.png
- %PROGRAM_FILES%\General Antivirus\iGSh.png
- %PROGRAM_FILES%\General Antivirus\iPSh.png
- %PROGRAM_FILES%\General Antivirus\db\Infected.wav
Sets the 'hidden' attribute to the following files:
- %APPDATA%\General Antivirus\db\Urls.inf
- %APPDATA%\General Antivirus\db\Timeout.inf
- %APPDATA%\General Antivirus\db\pb.dll
- %APPDATA%\General Antivirus\db\config.cfg
- %APPDATA%\General Antivirus\HTUninstaller.exe
Deletes the following files:
- %PROGRAM_FILES%\General Antivirus\db\Urls.inf
- %PROGRAM_FILES%\General Antivirus\db\Timeout.inf
- %PROGRAM_FILES%\General Antivirus\db\pb.dll
- %PROGRAM_FILES%\General Antivirus\db\config.cfg
- %PROGRAM_FILES%\General Antivirus\HTUninstaller.exe
Deletes itself.
Network activity:
Connects to:
- 'www.ge###al-av.com':80
- 'ge###al-av.com':80
- 'ge###vpay.com':80
- '74.##5.232.51':80
- 'in##f.com':80
- 'xo###r.alice.it':80
UDP:
- DNS ASK xo###r.alice.it
- DNS ASK ge###al-av.com
- DNS ASK ge###vpay.com
- DNS ASK www.google.com
- DNS ASK in##f.com
- DNS ASK www.ge###al-av.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'TfrmServices' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'TfrmProcessManager' WindowName: '(null)'
- ClassName: 'TMainWindow' WindowName: '(null)'
- ClassName: 'TfrmControlTools' WindowName: '(null)'