Trojan.Generic.8048033_b8402b719d

by malwarelabrobot on March 3rd, 2014 in Malware Descriptions.

Trojan.Generic.8048033 (BitDefender), Trojan:Win32/VB.AIX (Microsoft), Trojan.Win32.CCho.b (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Siggen4.18602 (DrWeb), Trojan.Generic.8048033 (B) (Emsisoft), Artemis!B8402B719D03 (McAfee), Trojan.Gen (Symantec), Win32.SuspectCrc (Ikarus), Gen:Variant.Symmi.13498 (FSecure), SHeur4.AJIJ (AVG), Win32:Malware-gen (Avast), TROJ_SPNR.30HL12 (TrendMicro), Trojan.Generic.8048033 (AdAware), Trojan-Spy.Win32.Keylogger.VB.2.FD, mzpefinder_pcap_file.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Spy, Keylogger, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: b8402b719d03f467f3b833886810d2e6
SHA1: ea397132c07cb8865dde9d9d28682469afc51b9e
SHA256: 56b1e1666bc934e16fdf1126b91e94c93f3b2146d5ce2ca84d423c0c75ff6941
SSDeep: 49152:O EyFtjSpaXaarPcGwkRD6LDM2MfWnDV70efoLgFoJ9n4Uose ROX2umDv Ah6G1:O EyFtjSpaqAPGkZe4DI570IUgFqj/yu
Size: 2671616 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: House Of Soft
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

zcontrol.exe:1984
ADOBED~1.EXE:636
net1.exe:964
net1.exe:1952
NET.exe:964
NET.exe:1648
Install Adobe Download Assistant.exe:1784
RAVCpl32.exe:1856
AIRRuntimeInstaller.exe:1896
reg.exe:1908
%original file name%.exe:184
regedit.exe:460

The Trojan injects its code into the following process(es):

Adobe AIR Installer.exe:1876
Adobe AIR Application Installer.exe:244

File activity

The process Adobe AIR Installer.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (613 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (3058 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)

The process zcontrol.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe (2391085 bytes)

The process ADOBED~1.EXE:636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_256.png (10296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\Adobe Download Assistant.exe (142336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\hash (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_512.png (23712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_16.png (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_32.png (1053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.exe (163840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_128.png (4672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install Adobe Download Assistant.exe (130432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_48.png (1720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.dll (1700864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\setup.msi (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\application.xml (8351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\DownloadAssistant.swf (3237435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\signatures.xml (77205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_24.png (898 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp (0 bytes)

The process Install Adobe Download Assistant.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (35951824 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (86 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (1340 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (96 bytes)

The process RAVCpl32.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Realtek\tools.zip (668 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\IMG_359485_4215.jpg (102 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (228 bytes)
%Documents and Settings%\%current user%\Application Data\Realtek\unzip.exe (177685 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (0 bytes)

The process AIRRuntimeInstaller.exe:1896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (3464755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (9845456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (53421776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (1261461 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (6916456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (1282541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (43585232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (33792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130408 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp (0 bytes)

The process Adobe AIR Application Installer.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\pca3-g5[1].crl (533 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\DD0A55570E581C3EAE83066FA036FA6B98C26BF9.crl (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CSC3-2010[1].crl (127784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\ThawteTimestampingCA[1].crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pca3[1].crl (933 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\A567C68FE225A8176819878924C6ED2B83D9C4D5.crl (119592 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (538 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\217583007B475EB7A649AEBCFC4EC3D0EBA3F228.crl (533 bytes)

The process %original file name%.exe:184 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\zcontrol.exe (2359341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ADOBED~1.EXE (2599096 bytes)

Registry activity

The process Adobe AIR Installer.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 AD 11 44 CC 03 7C F1 A3 CC 23 10 74 3D 15 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process zcontrol.exe:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 94 F1 EB 45 A9 A0 36 8B 60 76 09 5E A9 89 D4"

The process ADOBED~1.EXE:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 F9 22 1E 17 71 0B 11 32 CF C1 3A 2B 89 F8 7B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR1.tmp]
"Install Adobe Download Assistant.exe" = "Adobe Bootstrapping Utility"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which are not assigned to any zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process net1.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 00 EF 4F 72 BF 9B 89 B1 D0 50 DB 02 F4 81 1D"

The process net1.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D D2 C4 60 60 7E 72 E7 27 3F 8B 1C E6 FD F8 BC"

The process NET.exe:964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 5D 4C 66 39 B5 74 E4 CE CB D1 F1 67 D8 6C F8"

The process NET.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 31 9E 14 C8 D0 37 14 AD E6 E6 1F 04 A0 23 B5"

The process Install Adobe Download Assistant.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 C8 36 FA 8D C8 74 24 C7 58 CA 7E A6 86 A0 56"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which are not assigned to any zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process RAVCpl32.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 04 2C EB C7 A3 6E 1A 80 69 AC 3D 73 DF F3 C2"

The process AIRRuntimeInstaller.exe:1896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB EA 3F 4D 01 C2 2F 97 0C 40 AB 4A 90 DD 9A 3A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\AIR2.tmp]
"Adobe AIR Installer.exe" = "Adobe AIR Installer"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which are not assigned to any zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Adobe AIR Application Installer.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 23 86 88 69 93 04 B2 92 38 0A 8B BD 51 1B F2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which are not assigned to any zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process reg.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"

The process %original file name%.exe:184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 6E AA F6 BF D2 70 95 D4 CF 32 8A 23 90 47 12"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process regedit.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 60 1A C1 A3 45 C2 1E 53 B1 69 78 37 ED 82 45"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HD Audio Driver" = "%WinDir%\explorer.exe %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe"

Network activity (URLs)

URL IP
hxxp://a1396.b.akamai.net/air/3/nai/windows5.1/x86/installer
hxxp://pastebin.com/PF4F1NNN 141.101.112.16
hxxp://dl-balancer.x.dropbox.com/s/qh9jjar5l0zxwu2/unzip.exe?dl=1
hxxp://duc-balancer.x.dropbox.com/s/qh9jjar5l0zxwu2/unzip.exe?dl=1
hxxp://dl-balancer.x.dropbox.com/s/f5gcg6shw7we4e6/tools.zip?dl=1
hxxp://duc-balancer.x.dropbox.com/s/f5gcg6shw7we4e6/tools.zip?dl=1
hxxp://a1396.b.akamai.net/air/3/nai/windows5.1/x86/installer.p7
hxxp://a1180.g.akamai.net/prodSvce.crl
hxxp://a1180.g.akamai.net/cds.crl
hxxp://e6845.ce.akamaiedge.net/ThawteTimestampingCA.crl
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
crl.verisign.com 23.60.133.163
airdownload.adobe.com 204.93.47.196
csc3-2010-crl.verisign.com 23.60.133.163
tss-geotrust-crl.thawte.com 23.61.181.163
dl.dropboxusercontent.com 50.19.234.162
crl.adobe.com 157.238.74.137
dl.dropbox.com 23.21.126.209


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Screenshot

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             43748         44032     4.53606  3aeb6fb8fe8ab95f2462e3afb8b8acd3
.data   49152            8796          1536      4.57321  f3764284f4d25ed35f75b9c16e1ab608
.rsrc   61440            2621388       2621440   5.53826  b84d3627e0386f424aaa050bd2a8c192
.reloc  2682880          3480          3584      3.33168  bc74eb2a181cf1029262828db6ac5b5d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    zcontrol.exe:1984
    ADOBED~1.EXE:636
    net1.exe:964
    net1.exe:1952
    NET.exe:964
    NET.exe:1648
    Install Adobe Download Assistant.exe:1784
    RAVCpl32.exe:1856
    AIRRuntimeInstaller.exe:1896
    reg.exe:1908
    %original file name%.exe:184
    regedit.exe:460

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\AIR\logs\Install.log (613 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (3058 bytes)
    %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe (2391085 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_256.png (10296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\Adobe Download Assistant.exe (142336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\hash (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_512.png (23712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\mimetype (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_16.png (616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_32.png (1053 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.exe (163840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_128.png (4672 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\.launch (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Install Adobe Download Assistant.exe (130432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_48.png (1720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\7z.dll (1700864 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\setup.msi (22016 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\AIR\application.xml (8351 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\DownloadAssistant.swf (3237435 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\META-INF\signatures.xml (77205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR1.tmp\Adobe Download Assistant\app_icons\appicon_24.png (898 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIRRuntimeInstaller.exe (35951824 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\9C07FA4C8533A07B5EDE782A6F5AFA6A (637 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\9C07FA4C8533A07B5EDE782A6F5AFA6A (86 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\EF87FE2FBAF08DA89A8C148EF56C40E0 (425 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\EF87FE2FBAF08DA89A8C148EF56C40E0 (96 bytes)
    %Documents and Settings%\%current user%\Application Data\Realtek\tools.zip (668 bytes)
    %Documents and Settings%\%current user%\Application Data\Realtek\IMG_359485_4215.jpg (102 bytes)
    %Documents and Settings%\%current user%\Application Data\Realtek\reg.reg (228 bytes)
    %Documents and Settings%\%current user%\Application Data\Realtek\unzip.exe (177685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.exe (59392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (3464755 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\stylesNative.swf (235063 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit.dll (9845456 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\digest.s (2840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe Root Certificate.cer (1189 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll (53421776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\template.msi (20480 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf (1261461 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe (103272 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.swf (1282541 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\Notice WebKit.txt (771 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (6916456 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\sentinel (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\WebKit\LGPL License.txt (24985 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\setup.swf (1282541 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (43585232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\setup.msi (33792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR Installer.exe (103272 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\Thawte Root Certificate.cer (677 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe (54632 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AIR2.tmp\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe (130408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\pca3-g5[1].crl (533 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\DD0A55570E581C3EAE83066FA036FA6B98C26BF9.crl (933 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CSC3-2010[1].crl (127784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\ThawteTimestampingCA[1].crl (341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\5CB653B2DAF9459B6E8E3796503DD779BAD8DB50.crl (341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pca3[1].crl (933 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\A567C68FE225A8176819878924C6ED2B83D9C4D5.crl (119592 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\AIR\CRLCache\217583007B475EB7A649AEBCFC4EC3D0EBA3F228.crl (533 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\zcontrol.exe (2359341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\ADOBED~1.EXE (2599096 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HD Audio Driver" = "%WinDir%\explorer.exe %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.