Adware.InstallCore.125

Technical Information

Malicious functions:

Executes the following:

'<SYSTEM32>\wermgr.exe' -queuereporting
'<SYSTEM32>\DllHost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Modifies file system :

Creates the following files:

%TEMP%\ish698572\css\sdk-ui\browse.css
%TEMP%\ish698572\css\sdk-ui\button.css
%TEMP%\ish698572\css\main.css
%TEMP%\000AA8BC.log
%TEMP%\ish698572\css\ie6_main.css
%TEMP%\ish698572\css\sdk-ui\checkbox.css
%TEMP%\ish698572\css\sdk-ui\images\progress-bg2.png
%TEMP%\ish698572\css\sdk-ui\progress-bar.css
%TEMP%\ish698572\css\sdk-ui\images\progress-bg.png
%TEMP%\ish698572\css\sdk-ui\images\button-bg.png
%TEMP%\ish698572\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\ish692082\bootstrap_24383.html
%TEMP%\ish692082\images\Loader.gif
%TEMP%\ish692082\images\Pause_Button.png
%TEMP%\ish692082\images\Icon_Generic.png
%TEMP%\ish692082\images\Grey_Button.png
%TEMP%\ish692082\images\Grey_Button_Hover.png
%TEMP%\ish692082\images\Progress.png
%TEMP%\ish692082\locale\EN.locale
%TEMP%\ish692082\locale\RU.locale
%TEMP%\ish692082\images\Resume_Button.png
%TEMP%\ish692082\images\ProgressBar.png
%TEMP%\ish692082\images\Quick_Specs.png
%TEMP%\ish698572\csshover3.htc
%TEMP%\ish698572\locale\EN.locale
%TEMP%\ish698572\locale\RU.locale
%TEMP%\ish698572\images\Resume_Button.png
%TEMP%\ish698572\images\ProgressBar.png
%TEMP%\ish698572\images\Quick_Specs.png
%TEMP%\000AB47F.log
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\webcamXP[1].gif
%TEMP%\000AB7AA.log
%TEMP%\ICReinstall_<Virus name>.exe
%HOMEPATH%\Desktop\Continue webcamXP 5.6.0 Installation.lnk
%TEMP%\ish698572\images\Progress.png
%TEMP%\ish698572\images\Close_Hover.png
%TEMP%\ish698572\images\Color_Button.png
%TEMP%\ish698572\images\Close.png
%TEMP%\ish698572\form.bmp.Mask
%TEMP%\ish698572\images\BG.png
%TEMP%\ish698572\images\Color_Button_Hover.png
%TEMP%\ish698572\images\Loader.gif
%TEMP%\ish698572\images\Pause_Button.png
%TEMP%\ish698572\images\Icon_Generic.png
%TEMP%\ish698572\images\Grey_Button.png
%TEMP%\ish698572\images\Grey_Button_Hover.png
%TEMP%\ish692082\images\Color_Button_Hover.png
%TEMP%\ish690226\images\Close_Hover.png
%TEMP%\ish690226\images\Color_Button.png
%TEMP%\ish690226\images\Close.png
%TEMP%\ish690226\form.bmp.Mask
%TEMP%\ish690226\images\BG.png
%TEMP%\ish690226\images\Color_Button_Hover.png
%TEMP%\ish690226\images\Loader.gif
%TEMP%\ish690226\images\Pause_Button.png
%TEMP%\ish690226\images\Icon_Generic.png
%TEMP%\ish690226\images\Grey_Button.png
%TEMP%\ish690226\images\Grey_Button_Hover.png
%TEMP%\ish690226\csshover3.htc
%TEMP%\ish690226\css\sdk-ui\browse.css
%TEMP%\ish690226\css\sdk-ui\button.css
%TEMP%\ish690226\css\main.css
%TEMP%\000A8822.log
%TEMP%\ish690226\css\ie6_main.css
%TEMP%\ish690226\css\sdk-ui\checkbox.css
%TEMP%\ish690226\css\sdk-ui\images\progress-bg2.png
%TEMP%\ish690226\css\sdk-ui\progress-bar.css
%TEMP%\ish690226\css\sdk-ui\images\progress-bg.png
%TEMP%\ish690226\css\sdk-ui\images\button-bg.png
%TEMP%\ish690226\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\ish690226\images\Progress.png
%TEMP%\ish692082\css\sdk-ui\images\progress-bg2.png
%TEMP%\ish692082\css\sdk-ui\progress-bar.css
%TEMP%\ish692082\css\sdk-ui\images\progress-bg.png
%TEMP%\ish692082\css\sdk-ui\images\button-bg.png
%TEMP%\ish692082\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\ish692082\csshover3.htc
%TEMP%\ish692082\images\Close_Hover.png
%TEMP%\ish692082\images\Color_Button.png
%TEMP%\ish692082\images\Close.png
%TEMP%\ish692082\form.bmp.Mask
%TEMP%\ish692082\images\BG.png
%TEMP%\ish692082\css\sdk-ui\checkbox.css
%TEMP%\ish690226\locale\EN.locale
%TEMP%\ish690226\locale\RU.locale
%TEMP%\ish690226\images\Resume_Button.png
%TEMP%\ish690226\images\ProgressBar.png
%TEMP%\ish690226\images\Quick_Specs.png
%TEMP%\000A8D22.log
%TEMP%\ish692082\css\sdk-ui\browse.css
%TEMP%\ish692082\css\sdk-ui\button.css
%TEMP%\ish692082\css\main.css
%TEMP%\000A8F34.log
%TEMP%\ish692082\css\ie6_main.css

Deletes the following files:

%TEMP%\ish690226\images\Pause_Button.png
%TEMP%\ish690226\images\Loader.gif
%TEMP%\ish690226\images\ProgressBar.png
%TEMP%\ish690226\images\Progress.png
%TEMP%\ish690226\images\Grey_Button.png
%TEMP%\ish690226\images\Color_Button_Hover.png
%TEMP%\ish690226\images\Icon_Generic.png
%TEMP%\ish690226\images\Grey_Button_Hover.png
%TEMP%\ish690226\images\Quick_Specs.png
%TEMP%\ish692082\bootstrap_24383.html
%TEMP%\000AA8BC.log
%TEMP%\000AB7AA.log
%TEMP%\000AB47F.log
%TEMP%\ish690226\locale\EN.locale
%TEMP%\ish690226\images\Resume_Button.png
%TEMP%\000A8F34.log
%TEMP%\ish690226\locale\RU.locale
%TEMP%\ish690226\images\Color_Button.png
%TEMP%\ish690226\css\sdk-ui\button.css
%TEMP%\ish690226\css\sdk-ui\browse.css
%TEMP%\ish690226\css\sdk-ui\images\button-bg.png
%TEMP%\ish690226\css\sdk-ui\checkbox.css
%TEMP%\000A8D22.log
%TEMP%\000A8822.log
%TEMP%\ish690226\css\main.css
%TEMP%\ish690226\css\ie6_main.css
%TEMP%\ish690226\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\ish690226\images\BG.png
%TEMP%\ish690226\form.bmp.Mask
%TEMP%\ish690226\images\Close_Hover.png
%TEMP%\ish690226\images\Close.png
%TEMP%\ish690226\css\sdk-ui\images\progress-bg2.png
%TEMP%\ish690226\css\sdk-ui\images\progress-bg.png
%TEMP%\ish690226\csshover3.htc
%TEMP%\ish690226\css\sdk-ui\progress-bar.css

Network activity:

Connects to:

'so##.mydiv.net':80
'os#.##divcdn.com':80
'do####ad.mydiv.net':80
'localhost':59804
'os.##divcdn.com':80

TCP:

HTTP GET requests:

so##.mydiv.net/images/win/icons/webcamXP.gif
do####ad.mydiv.net/soft/dfiles/win/webcamXP/238060_wlite560.exe

HTTP POST requests:

os#.##divcdn.com/MyDiv/?v=################
os.##divcdn.com/MyDiv/?v=################

UDP:

DNS ASK so##.mydiv.net
DNS ASK os#.##divcdn.com
DNS ASK os.##divcdn.com
DNS ASK do####ad.mydiv.net

Miscellaneous:

Searches for the following windows:

ClassName: 'OleMainThreadWndClass' WindowName: '(null)'
ClassName: 'MS_WebCheckMonitor' WindowName: '(null)'
ClassName: 'MS_AutodialMonitor' WindowName: '(null)'

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial