Trojan.DownLoader9.18658

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Idavdo' = '%APPDATA%\Roaming\Yppi\idavdo.exe'

Malicious functions:

Creates and executes the following:

'%APPDATA%\Roaming\Yppi\idavdo.exe'

Executes the following:

'<SYSTEM32>\wermgr.exe' -queuereporting
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<SYSTEM32>\taskhost.exe"

Injects code into

the following system processes:

<SYSTEM32>\cmd.exe

Modifies file system :

Creates the following files:

<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\womnlmvqoqcaelakfrsxcfescbq_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\cyhivctwscyxhiqcusvkiftgulbnf_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mfrctjfizvtogqlrlramorby_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\iuwzlvslojqzhpnbmngyuus_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vkucpmfpjfairfuemijzptdyq_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vcpftkkblblnjtequcrgeudqwpx_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\prugphqgebyeixoqozltshkbdmro_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ojmvkrnbzxfagqwgydbelzeqbu_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\htwowaaqcrhfyuciot_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\zdgmpyxeyozkvsgeqdyxaqrsijwg_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\divshtyxrwkrlkbaeayomfdbqcq_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ucgeyhivaqnbxcckbqfeaulxfqbe_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\rtcpvxkofbyqkbxksxaqizvgu_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\jbrsdiuggerkswkftowonbuug_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ppfdtglzjfpgaijfypjfp_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\nreipfibuonfmfiemuvaududalh_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\equsnrivuwllyhblnrwhqlknbm_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\prfmscdeovvsxjvlbqwsoztxkuxwd_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\qwwvodpreatgfmcmfihmjzljrhu_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hmfalnorrhsgzxhulltgidiht_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\guljzfgahycatpmvcyeixhyzt_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mndzxxmbaizpztqsdqduypizhi_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dmdelfedqtgemtglkvdimzvcnjge_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\lvlpflaufqxoufagykbhylbkj_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dyfqkbugxgfixhabmgihrkfydceqo_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\suwcycqswjzyklnqwdmdxoijlr_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\eutcqnvkrtwtskfduhnbxk_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\kfrwntgmbxucgidqrdvkaecumzce_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\jvojnflduldrlgypbvcjfmzuc_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\uwtobtwhjbpbawgmrojnnjyxjzmv_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dqvgwoxqsxbuytuonszhdz_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vammrhojbtaewceanrxclrayx_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\jzifhqskvdypzdtdmtwlkbgy_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\eqhihyxtfkvonyxsoxowkus_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\nznvcebecqeidgiporfqxnfoztw_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hjvzlxspibaqvsganrkzbqmffqbgy_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\caeygmfevcskeyapgapmrovd_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\sdatmnyheytkzlyswmnnvfqylea_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\kheciinkpflkvfedaixcmdaior_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\lftsetlkceuogeljkbl_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ibtwpfhskaetqopzxnrnfdqu_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\wkknxcldiiaynvfqvkobfquozx_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ivwgxofargpvgjfcmojlsc_com[1]
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\4BB750D6-00000001.eml:OECustomProperty
%TEMP%\tmpaab5df4b.bat
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\4BB750D6-00000001.eml
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\edb.log
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ayhbbecubeqlvozyhjbmzvgt_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\yhcqdwspjaynbbexhmaucilq_info[1]
%TEMP%\ppcrlui_4052_2
%TEMP%\Cab379.tmp
%TEMP%\Tar37A.tmp
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log
<LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\edb00002.log
<LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
%APPDATA%\Roaming\Yppi\idavdo.exe
<LS_APPDATA>\Microsoft\Windows Mail\tmp.edb
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol
<LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
<LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\fmxsovgeijflhmllbtcylhpj_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\pntrtfykvwozdqsydhevizucnz_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\orivheukdaeydhcmhtskaejbxgce_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\aymnnjlztkhfigybagcmgyxzpw_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\cwkovtgizxskorivldaeqxceqoj_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mngutgoftmvqcdmtsnjorhonaigv_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ofjrxdiylsonbmytrwylmnrovg_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vgeftkpftvkcewgyzpnfqqsaqrc_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\pmfjnuopcmdhuhqobucypzhxkezh_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\alfsifyhbqzxwkizmbdtojvdoj_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ztegavzhqrhdekvlugfekfpn_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\bqwkgqojgetrggilbdtmnorypov_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dalpxfugafaceylkjwtmbytfqw_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ltamtkugfipxgxwjvuoypqsw_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\nblscqacilpmbxsdwcuwamhe_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\tqguojfmobdatxifmvtpjcipzxw_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vkljcucidobtmzcuvsxweqjzlv_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\omheibxgcvorgxxhqsqgto_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\sgovuwbjlnlzumrmrfyauiz_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xoaucmprkrbaxclzhozxsknbzt_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ylxbmstqwinrwbqwgthaprhojhu_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\zxgabeuglnntsmrfijpzvsmvsgcygq_ru[1]

Deletes the following files:

<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vcpftkkblblnjtequcrgeudqwpx_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\prugphqgebyeixoqozltshkbdmro_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\zdgmpyxeyozkvsgeqdyxaqrsijwg_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ojmvkrnbzxfagqwgydbelzeqbu_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\sdatmnyheytkzlyswmnnvfqylea_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hjvzlxspibaqvsganrkzbqmffqbgy_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mndzxxmbaizpztqsdqduypizhi_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\caeygmfevcskeyapgapmrovd_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\htwowaaqcrhfyuciot_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\divshtyxrwkrlkbaeayomfdbqcq_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\iuwzlvslojqzhpnbmngyuus_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\equsnrivuwllyhblnrwhqlknbm_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\prfmscdeovvsxjvlbqwsoztxkuxwd_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\womnlmvqoqcaelakfrsxcfescbq_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\cyhivctwscyxhiqcusvkiftgulbnf_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vkucpmfpjfairfuemijzptdyq_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mfrctjfizvtogqlrlramorby_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\eqhihyxtfkvonyxsoxowkus_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\lvlpflaufqxoufagykbhylbkj_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dqvgwoxqsxbuytuonszhdz_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dyfqkbugxgfixhabmgihrkfydceqo_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dmdelfedqtgemtglkvdimzvcnjge_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\kfrwntgmbxucgidqrdvkaecumzce_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\jvojnflduldrlgypbvcjfmzuc_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vammrhojbtaewceanrxclrayx_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\uwtobtwhjbpbawgmrojnnjyxjzmv_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\eutcqnvkrtwtskfduhnbxk_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ivwgxofargpvgjfcmojlsc_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ibtwpfhskaetqopzxnrnfdqu_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\nznvcebecqeidgiporfqxnfoztw_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\wkknxcldiiaynvfqvkobfquozx_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\jzifhqskvdypzdtdmtwlkbgy_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\suwcycqswjzyklnqwdmdxoijlr_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\kheciinkpflkvfedaixcmdaior_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\lftsetlkceuogeljkbl_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ylxbmstqwinrwbqwgthaprhojhu_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\zxgabeuglnntsmrfijpzvsmvsgcygq_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dalpxfugafaceylkjwtmbytfqw_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ltamtkugfipxgxwjvuoypqsw_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\sgovuwbjlnlzumrmrfyauiz_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\bqwkgqojgetrggilbdtmnorypov_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xoaucmprkrbaxclzhozxsknbzt_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\omheibxgcvorgxxhqsqgto_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\nblscqacilpmbxsdwcuwamhe_info[1]
%TEMP%\ppcrlui_4052_2
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ayhbbecubeqlvozyhjbmzvgt_org[1]
%TEMP%\Cab379.tmp
%TEMP%\Tar37A.tmp
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\tqguojfmobdatxifmvtpjcipzxw_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vkljcucidobtmzcuvsxweqjzlv_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\yhcqdwspjaynbbexhmaucilq_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\fmxsovgeijflhmllbtcylhpj_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\cwkovtgizxskorivldaeqxceqoj_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\jbrsdiuggerkswkftowonbuug_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ucgeyhivaqnbxcckbqfeaulxfqbe_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ppfdtglzjfpgaijfypjfp_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\nreipfibuonfmfiemuvaududalh_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\guljzfgahycatpmvcyeixhyzt_org[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\qwwvodpreatgfmcmfihmjzljrhu_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\rtcpvxkofbyqkbxksxaqizvgu_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hmfalnorrhsgzxhulltgidiht_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\vgeftkpftvkcewgyzpnfqqsaqrc_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\pntrtfykvwozdqsydhevizucnz_info[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\orivheukdaeydhcmhtskaejbxgce_biz[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mngutgoftmvqcdmtsnjorhonaigv_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\aymnnjlztkhfigybagcmgyxzpw_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\pmfjnuopcmdhuhqobucypzhxkezh_ru[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ofjrxdiylsonbmytrwylmnrovg_com[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\alfsifyhbqzxwkizmbdtojvdoj_net[1]
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ztegavzhqrhdekvlugfekfpn_com[1]

Moves the following files:

from <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log to <LS_APPDATA>\Microsoft\Windows Mail\edb.log

Deletes itself.

Network activity:

Connects to:

'pr########yeixoqozltshkbdmro.com':80
'mn#######izpztqsdqduypizhi.ru':80
'oj#######xfagqwgydbelzeqbu.org':80
'vc#######blnjtequcrgeudqwpx.biz':80
'hj########aqvsganrkzbqmffqbgy.biz':80
'eq#######kvonyxsoxowkus.info':80
'ca#######cskeyapgapmrovd.com':80
'sd#######ytkzlyswmnnvfqylea.net':80
'zd########zkvsgeqdyxaqrsijwg.info':80
'iu######ojqzhpnbmngyuus.net':80
'vk#######fairfuemijzptdyq.org':80
'pr########vsxjvlbqwsoztxkuxwd.ru':80
'di#######wkrlkbaeayomfdbqcq.com':80
'cy########yxhiqcusvkiftgulbnf.ru':80
'ht#####qcrhfyuciot.com':80
'mf#######vtogqlrlramorby.info':80
'wo#######qcaelakfrsxcfescbq.biz':80
'lv#######qxoufagykbhylbkj.info':80
'dq######sxbuytuonszhdz.com':80
'dy########fixhabmgihrkfydceqo.net':80
'dm########gemtglkvdimzvcnjge.org':80
'kf########ucgidqrdvkaecumzce.info':80
'jv#######ldrlgypbvcjfmzuc.org':80
'va#######taewceanrxclrayx.ru':80
'uw########pbawgmrojnnjyxjzmv.com':80
'eu######rtwtskfduhnbxk.biz':80
'iv######rgpvgjfcmojlsc.com':80
'ib#######aetqopzxnrnfdqu.biz':80
'nz#######qeidgiporfqxnfoztw.com':80
'wk#######iaynvfqvkobfquozx.ru':80
'jz#######dypzdtdmtwlkbgy.com':80
'su#######jzyklnqwdmdxoijlr.ru':80
'kh#######flkvfedaixcmdaior.org':80
'lf#####kceuogeljkbl.net':80
'eq#######wllyhblnrwhqlknbm.com':80
'zx########ntsmrfijpzvsmvsgcygq.ru':80
'xo#######rbaxclzhozxsknbzt.com':80
'lt#######ipxgxwjvuoypqsw.net':80
'yl#######inrwbqwgthaprhojhu.biz':80
'bq#######etrggilbdtmnorypov.biz':80
'cw#######xskorivldaeqxceqoj.com':80
'om######cvorgxxhqsqgto.net':80
'sg######lnlzumrmrfyauiz.org':80
'da#######faceylkjwtmbytfqw.org':80
'ay#######eqlvozyhjbmzvgt.org':80
'yh#######aynbbexhmaucilq.info':80
'74.##5.232.51':80
'www.bing.com':80
'vk#######obtmzcuvsxweqjzlv.com':80
'nb#######lpmbxsdwcuwamhe.info':80
'fm#######jflhmllbtcylhpj.com':80
'tq#######bdatxifmvtpjcipzxw.ru':80
'jb#######erkswkftowonbuug.com':80
'uc#######qnbxcckbqfeaulxfqbe.ru':80
'pp######jfpgaijfypjfp.org':80
'nr########nfmfiemuvaududalh.info':80
'gu#######ycatpmvcyeixhyzt.org':80
'qw#######atgfmcmfihmjzljrhu.net':80
'rt#######byqkbxksxaqizvgu.biz':80
'hm#######hsgzxhulltgidiht.info':80
'vg#######vkcewgyzpnfqqsaqrc.biz':80
'pn#######wozdqsydhevizucnz.info':80
'or########eydhcmhtskaejbxgce.biz':80
'mn#######mvqcdmtsnjorhonaigv.ru':80
'ay#######khfigybagcmgyxzpw.com':80
'pm#######mdhuhqobucypzhxkezh.ru':80
'of#######sonbmytrwylmnrovg.com':80
'al#######qzxwkizmbdtojvdoj.net':80
'zt#######rhdekvlugfekfpn.com':80

TCP:

HTTP GET requests:

pr########yeixoqozltshkbdmro.com/
mn#######izpztqsdqduypizhi.ru/
oj#######xfagqwgydbelzeqbu.org/
vc#######blnjtequcrgeudqwpx.biz/
hj########aqvsganrkzbqmffqbgy.biz/
eq#######kvonyxsoxowkus.info/
ca#######cskeyapgapmrovd.com/
sd#######ytkzlyswmnnvfqylea.net/
zd########zkvsgeqdyxaqrsijwg.info/
iu######ojqzhpnbmngyuus.net/
vk#######fairfuemijzptdyq.org/
pr########vsxjvlbqwsoztxkuxwd.ru/
di#######wkrlkbaeayomfdbqcq.com/
cy########yxhiqcusvkiftgulbnf.ru/
ht#####qcrhfyuciot.com/
mf#######vtogqlrlramorby.info/
wo#######qcaelakfrsxcfescbq.biz/
lv#######qxoufagykbhylbkj.info/
dq######sxbuytuonszhdz.com/
dy########fixhabmgihrkfydceqo.net/
dm########gemtglkvdimzvcnjge.org/
kf########ucgidqrdvkaecumzce.info/
jv#######ldrlgypbvcjfmzuc.org/
va#######taewceanrxclrayx.ru/
uw########pbawgmrojnnjyxjzmv.com/
eu######rtwtskfduhnbxk.biz/
iv######rgpvgjfcmojlsc.com/
ib#######aetqopzxnrnfdqu.biz/
nz#######qeidgiporfqxnfoztw.com/
wk#######iaynvfqvkobfquozx.ru/
jz#######dypzdtdmtwlkbgy.com/
su#######jzyklnqwdmdxoijlr.ru/
kh#######flkvfedaixcmdaior.org/
lf#####kceuogeljkbl.net/
eq#######wllyhblnrwhqlknbm.com/
zx########ntsmrfijpzvsmvsgcygq.ru/
xo#######rbaxclzhozxsknbzt.com/
lt#######ipxgxwjvuoypqsw.net/
yl#######inrwbqwgthaprhojhu.biz/
bq#######etrggilbdtmnorypov.biz/
cw#######xskorivldaeqxceqoj.com/
om######cvorgxxhqsqgto.net/
sg######lnlzumrmrfyauiz.org/
da#######faceylkjwtmbytfqw.org/
ay#######eqlvozyhjbmzvgt.org/
yh#######aynbbexhmaucilq.info/
74.##5.232.51/
www.bing.com/
vk#######obtmzcuvsxweqjzlv.com/
nb#######lpmbxsdwcuwamhe.info/
fm#######jflhmllbtcylhpj.com/
tq#######bdatxifmvtpjcipzxw.ru/
jb#######erkswkftowonbuug.com/
uc#######qnbxcckbqfeaulxfqbe.ru/
pp######jfpgaijfypjfp.org/
nr########nfmfiemuvaududalh.info/
gu#######ycatpmvcyeixhyzt.org/
qw#######atgfmcmfihmjzljrhu.net/
rt#######byqkbxksxaqizvgu.biz/
hm#######hsgzxhulltgidiht.info/
vg#######vkcewgyzpnfqqsaqrc.biz/
pn#######wozdqsydhevizucnz.info/
or########eydhcmhtskaejbxgce.biz/
mn#######mvqcdmtsnjorhonaigv.ru/
ay#######khfigybagcmgyxzpw.com/
pm#######mdhuhqobucypzhxkezh.ru/
of#######sonbmytrwylmnrovg.com/
al#######qzxwkizmbdtojvdoj.net/
zt#######rhdekvlugfekfpn.com/

UDP:

DNS ASK mf#######vtogqlrlramorby.info
DNS ASK wo#######qcaelakfrsxcfescbq.biz
DNS ASK vk#######fairfuemijzptdyq.org
DNS ASK di#######wkrlkbaeayomfdbqcq.com
DNS ASK iu######ojqzhpnbmngyuus.net
DNS ASK oj#######xfagqwgydbelzeqbu.org
DNS ASK vc#######blnjtequcrgeudqwpx.biz
DNS ASK zd########zkvsgeqdyxaqrsijwg.info
DNS ASK cy########yxhiqcusvkiftgulbnf.ru
DNS ASK ht#####qcrhfyuciot.com
DNS ASK pr########vsxjvlbqwsoztxkuxwd.ru
DNS ASK jb#######erkswkftowonbuug.com
DNS ASK uc#######qnbxcckbqfeaulxfqbe.ru
DNS ASK nr########nfmfiemuvaududalh.info
DNS ASK jv#######ldrlgypbvcjfmzuc.org
DNS ASK pp######jfpgaijfypjfp.org
DNS ASK qw#######atgfmcmfihmjzljrhu.net
DNS ASK eq#######wllyhblnrwhqlknbm.com
DNS ASK gu#######ycatpmvcyeixhyzt.org
DNS ASK rt#######byqkbxksxaqizvgu.biz
DNS ASK hm#######hsgzxhulltgidiht.info
DNS ASK pr########yeixoqozltshkbdmro.com
DNS ASK dy########fixhabmgihrkfydceqo.net
DNS ASK dm########gemtglkvdimzvcnjge.org
DNS ASK eu######rtwtskfduhnbxk.biz
DNS ASK jz#######dypzdtdmtwlkbgy.com
DNS ASK su#######jzyklnqwdmdxoijlr.ru
DNS ASK uw########pbawgmrojnnjyxjzmv.com
DNS ASK kf########ucgidqrdvkaecumzce.info
DNS ASK va#######taewceanrxclrayx.ru
DNS ASK lv#######qxoufagykbhylbkj.info
DNS ASK dq######sxbuytuonszhdz.com
DNS ASK lf#####kceuogeljkbl.net
DNS ASK hj########aqvsganrkzbqmffqbgy.biz
DNS ASK eq#######kvonyxsoxowkus.info
DNS ASK sd#######ytkzlyswmnnvfqylea.net
DNS ASK mn#######izpztqsdqduypizhi.ru
DNS ASK ca#######cskeyapgapmrovd.com
DNS ASK ib#######aetqopzxnrnfdqu.biz
DNS ASK kh#######flkvfedaixcmdaior.org
DNS ASK iv######rgpvgjfcmojlsc.com
DNS ASK nz#######qeidgiporfqxnfoztw.com
DNS ASK wk#######iaynvfqvkobfquozx.ru
DNS ASK da#######faceylkjwtmbytfqw.org
DNS ASK nb#######lpmbxsdwcuwamhe.info
DNS ASK vk#######obtmzcuvsxweqjzlv.com
DNS ASK zx########ntsmrfijpzvsmvsgcygq.ru
DNS ASK yl#######inrwbqwgthaprhojhu.biz
DNS ASK lt#######ipxgxwjvuoypqsw.net
DNS ASK tq#######bdatxifmvtpjcipzxw.ru
DNS ASK www.bing.com
DNS ASK www.google.com
DNS ASK vg#######vkcewgyzpnfqqsaqrc.biz
DNS ASK fm#######jflhmllbtcylhpj.com
DNS ASK yh#######aynbbexhmaucilq.info
DNS ASK ay#######eqlvozyhjbmzvgt.org
DNS ASK al#######qzxwkizmbdtojvdoj.net
DNS ASK or########eydhcmhtskaejbxgce.biz
DNS ASK pn#######wozdqsydhevizucnz.info
DNS ASK of#######sonbmytrwylmnrovg.com
DNS ASK pm#######mdhuhqobucypzhxkezh.ru
DNS ASK zt#######rhdekvlugfekfpn.com
DNS ASK ay#######khfigybagcmgyxzpw.com
DNS ASK sg######lnlzumrmrfyauiz.org
DNS ASK om######cvorgxxhqsqgto.net
DNS ASK xo#######rbaxclzhozxsknbzt.com
DNS ASK mn#######mvqcdmtsnjorhonaigv.ru
DNS ASK cw#######xskorivldaeqxceqoj.com
DNS ASK bq#######etrggilbdtmnorypov.biz
'18#.#7.50.91':27916
'98.##1.143.22':19595
'94.##.60.113':19800
'84.##.222.81':10378
'19#.#1.84.108':16276
'21#.#09.241.213':16882
'68.##.13.236':15057
'81.##3.189.232':10880
'81.##3.35.84':27777
'65.##.179.245':21463
'96.#7.81.4':19083
'99.##1.187.238':13162
'89.##2.155.200':10556
'19#.#3.239.103':12407
'41.##7.153.76':21430
'99.##.38.192':18125
'19#.#69.125.228':29902
'79.##.232.136':11922

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'OutlookExpressHiddenWindow' WindowName: ''
ClassName: 'Indicator' WindowName: ''

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial