Worm.Win32.Esfury_f46981183c

by malwarelabrobot on November 5th, 2013 in Malware Descriptions.

Trojan.Win32.VB.ateo (Kaspersky), Worm.Win32.Esfury (VIPRE), Backdoor.Win32.VB!IK (Emsisoft), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f46981183cedb0ecf4e029c6db0782f9
SHA1: 9f924efe39965bf534475dbba27afc03da4e82f3
SHA256: 12bd3946dc30d4fc1366a003fd6efd40c398658624a58e6e6ef1b0ffa66fe5c8
SSDeep: 3072:M 244PtNpyyvgeMPUs200moFrCjjq1awEK5Owdoutq:x4VvyyvtoS
Size: 228352 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualBasicv50v60, UPolyXv05_v6
Company: WinterSoft
Created at: 1999-08-26 14:54:06


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

File activity

Registry activity

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which Windows consults to map host names to IP addresses before it queries DNS.
The modified file is 22953 bytes in size. The following entries are added to the hosts file:

173.201.178.105 viabcp.com
173.201.178.105 www.viabcp.com
173.201.178.105 bcpzonasegura.viabcp.com
173.201.178.105 bn.com.pe
173.201.178.105 www.bn.com.pe
153.132.76.177 iniciorapido.info
129.84.152.203 www.iniciorapido.info
118.117.54.242 buscalo.in
120.230.36.107 www.buscalo.in
15.101.32.52 buscafacil.com
180.121.108.78 www.buscafacil.com
169.154.10.118 emsisoft.com
239.12.249.50 ahnlab.com
66.139.244.251 antivir.es
42.90.65.210 antiy.net
31.123.222.61 authentium.com
33.237.137.181 avast.com
184.176.200.127 avg.com
92.128.21.85 bitdefender.com
81.160.178.192 quickheal.com
151.18.93.56 clamav.net
234.145.157.2 comodo.com
142.165.233.28 drweb.com
131.198.135.67 aladdin.com
201.55.49.188 ca.com
96.182.113.133 f-prot.com
5.134.189.159 f-secure.com
250.235.91.199 fortinet.com
64.25.6.63 gdata.es
147.219.69.8 ikarus.at
55.171.146.35 jiangmin.com
44.204.47.74 kaspersky.com
114.62.218.6 mcafee.com
9.1.25.140 microsoft.com
173.209.102.166 eset.es
162.241.3.17 norman.com
232.99.174.137 nprotect.com
59.226.238.83 pandasecurity.com
223.246.58.41 pctools.com
212.23.148.148 prevx.com
26.68.130.13 rising-global.com
109.7.126.214 sophos.com
86.215.14.240 sunbeltsoftware.com
75.248.104.24 symantec.com
77.106.87.144 hacksoft.com.pe
228.44.82.89 trendmicro.com
136.252.227.116 anti-virus.by
125.29.60.155 hauri.net
195.143.43.19 virusbuster.hu
22.14.38.221 www.emsisoft.com
254.34.115.247 www.ahnlab.com
243.66.16.30 www.antivir.es
245.112.255.150 www.antiy.net
140.51.251.96 www.authentium.com
48.3.71.122 www.avast.com
37.36.229.229 www.avg.com
107.149.211.94 www.bitdefender.com
190.88.207.39 www.quickheal.com
99.40.27.253 www.clamav.net
88.73.185.105 www.comodo.com
158.187.168.225 www.drweb.com
53.58.163.170 www.aladdin.com
217.77.240.129 www.ca.com
206.110.141.236 www.f-prot.com
20.224.124.100 www.f-secure.com
103.95.119.46 www.fortinet.com
11.47.196.72 www.gdata.es
0.79.97.111 www.ikarus.at
70.193.80.231 www.jiangmin.com
153.132.76.177 www.kaspersky.com
129.84.152.203 www.mcafee.com
118.117.54.242 www.microsoft.com
120.230.36.107 www.eset.es
15.101.32.52 www.norman.com
180.121.108.78 www.nprotect.com
169.154.10.118 www.pandasecurity.com
239.12.249.50 www.pctools.com
66.139.244.251 www.prevx.com
42.90.65.210 www.rising-global.com
31.123.222.61 www.sophos.com
33.237.137.181 www.sunbeltsoftware.com
184.176.200.127 www.symantec.com
92.128.21.85 www.hacksoft.com.pe
81.160.178.192 www.trendmicro.com
151.18.93.56 www.anti-virus.by
234.145.157.2 www.hauri.net
142.165.233.28 www.virusbuster.hu
131.198.135.67 www.emsisoft.com
201.55.49.188 www.anti-trojan.net
96.182.113.133 malwarescan.emsisoft.com
5.134.189.159 forum.emsisoft.com
250.235.91.199 www.emsisoft.net
64.25.6.63 www.emsisoft.it
147.219.69.8 www.emsisoft.de
55.171.146.35 www.anti-trojan-software.net
44.204.47.74 mamutu.com
114.62.218.6 www.emsisoft.es
9.1.25.140 malwarescan.emsisoft.de
173.209.102.166 ww.emsisoft.com
162.241.3.17 www.emsisoft.fr
232.99.174.137 www.emsisoft.nl
59.226.238.83 onlinecheck.emsisoft.com
223.246.58.41 onlinecheck.emsisoft.de
212.23.148.148 www.emsisoft.org
26.68.130.13 scan.anti-trojan.net
109.7.126.214 www.trojaner.info
86.215.14.240 onlinecheck.emsisoft.org
75.248.104.24 onlinecheck.emsisoft.net
77.106.87.144 blitzblank.com
228.44.82.89 www.emsisoft.at
136.252.227.116 www.emsisoft.jp
125.29.60.155 www.mamutu.com
195.143.43.19 malwarescan.emsisoft.es
22.14.38.221 www.mamutu.de
254.34.115.247 download5.emsisoft.com
243.66.16.30 download1.emsisoft.com
245.112.255.150 download4.emsisoft.com
140.51.251.96 global.ahnlab.com
48.3.71.122 www.hackshields.com
37.36.229.229 www.internationalservicecheck.com
107.149.211.94 www.irangoals.com
190.88.207.39 ixomodels.com
99.40.27.253 www.indielisboa.com
88.73.185.105 www.latin-mass-society.org
158.187.168.225 www.arpia.be
53.58.163.170 www.owen.org
217.77.240.129 www.prdouglas.co.uk
206.110.141.236 www.zarya.info
20.224.124.100 www.willsee.com
103.95.119.46 halmapr.com
11.47.196.72 karuna-shechen.org
0.79.97.111 www.barder.com
70.193.80.231 www.antivir.es
153.132.76.177 www.buraka.tv
129.84.152.203 www.dr-bull.com
118.117.54.242 www.manchester-offices.co.uk
120.230.36.107 saverssite.com
15.101.32.52 canada.karuna-shechen.org
180.121.108.78 developmentdrums.org
169.154.10.118 www.imddomains.co.uk
239.12.249.50 cutlines.org
66.139.244.251 elblogdemanu.com
42.90.65.210 ruben.bzin.net
31.123.222.61 welkam.co.jp
33.237.137.181 www.cambridge-steiner-school.co.uk
184.176.200.127 naturesimages.net
92.128.21.85 www.1stavenuelimousines.co.uk
81.160.178.192 www.mtr-design.com
151.18.93.56 dev.depeuter.org
234.145.157.2 www.emeraldclassic.co.uk
142.165.233.28 www.peterhearnwaste.co.uk
131.198.135.67 etrr.co.uk
201.55.49.188 www.avoncourt.com
96.182.113.133 sarahmcconnellphotography.net
5.134.189.159 www.ixomodels.com
250.235.91.199 natsko.com
64.25.6.63 www.nottinghampoetryseries.com
147.219.69.8 www.sheffieldmind.co.uk
55.171.146.35 ixostore.ixomodels.com
44.204.47.74 www.flairweddings.co.uk
114.62.218.6 www.fimasys.com
9.1.25.140 cohartuk.com
173.209.102.166 qqjkw.net
162.241.3.17 vivo-austin.com
232.99.174.137 www.freeality.com
59.226.238.83 bestofewan.com
223.246.58.41 www.handwritingforkids.com
212.23.148.148 cowsmo.com
26.68.130.13 www.2xlgames.com
109.7.126.214 kimzimmer.net
86.215.14.240 basetendencies.com
75.248.104.24 trackingtheworld.com
77.106.87.144 www.reviewsofbooks.com
228.44.82.89 www.collectedcurios.com
136.252.227.116 www.renningers.com
125.29.60.155 ccslaughterspdx.com
195.143.43.19 www.briarhurst.com
22.14.38.221 www.smf.org
254.34.115.247 ribbonwarehouse.com
243.66.16.30 www.garryowen.com
245.112.255.150 45pounds.com
140.51.251.96 isotopecomics.com
48.3.71.122 roysephotos.com
37.36.229.229 www.stadiumpage.com
107.149.211.94 www.elvis-express.com
190.88.207.39 www.tomorrowsedge.net
99.40.27.253 www.beautybar.com
88.73.185.105 pineleafboys.com
158.187.168.225 www.mountainlakeslodge.com
53.58.163.170 pvtc.org
217.77.240.129 bhsbees.com
206.110.141.236 baristamagazine.com
20.224.124.100 www.gokidding.com
103.95.119.46 defalcos.com
11.47.196.72 www.celticmerchant.com
0.79.97.111 www.hxproduction.com
70.193.80.231 www.wellgousa.com
153.132.76.177 blog.titanium-jewelry.com
129.84.152.203 www.brightoctober.com
118.117.54.242 hishomeforchildren.com
120.230.36.107 www.phoenixtrikeworks.com
15.101.32.52 www.professorbeyer.com
180.121.108.78 www.secondchanceboxer.com
169.154.10.118 www.residentphotography.com
83.112.92.150 woottonfootball.com
166.238.88.95 www.deborahshelton.net
142.190.165.53 bobbondart.com
131.223.66.161 www.authentium.com
133.81.237.25 asap.authentium.com
28.20.44.226 www.authentium.com.au
192.227.121.185 avast.com
181.4.22.36 www.avast.com
251.118.193.156 files.avast.com
78.245.1.102 download535.avast.com
242.9.77.128 avg.com
231.42.235.167 www.avg.com
45.155.149.32 grisoft.com
196.26.213.233 www.grisoft.com
104.234.33.3 antivirus-tools.com
93.79.191.43 archive.bitdefender.com
164.125.105.163 avx.rob-have.net
247.63.169.108 b-have.orgbitdefender-ar.com
155.15.246.134 bitdefender.com
144.48.147.174 bitdefender.org
214.162.62.106 bitdefenderchina.com
109.101.125.239 bitdefenderguatemala.com
17.52.202.10 bitdefendermalaysia.com
6.85.103.117 bitdefendertaiwan.com
76.199.18.237 bitdefenderuruguay.com
159.70.81.183 bitdefenderusa.com
67.90.158.141 buy.bitdefender-es.com
56.123.248.248 buy.bitdefender.com
126.168.230.113 buy.bitdefender.de
209.107.226.58 de.bitdefender.com
185.59.114.84 fr.bitdefender.com
174.92.204.124 futurenow.bitdefender.com
245.18.254.56 it.bitdefender.com
140.212.250.1 jobs.bitdefender.com
48.164.139.27 kb.bitdefender.com
37.197.228.67 kb.bitdefender.de
107.55.211.187 kb.bitdefender.us
190.182.206.132 latin.bitdefender.com
166.201.27.159 linux.bitdefender.com
155.234.184.198 malwarecity.com
157.24.167.62 malwarecity.netmalwarecity.org
52.219.162.8 malwarepedia.com
216.171.239.34 neunet.orgnews.bitdefender.com
205.204.141.141 nl.bitdefender.com
19.61.123.6 renewals.bitdefender.com
102.0.119.207 sales.bitdefender.com
10.208.195.165 square.bitdefender.com
255.241.97.17 store.bitdefender.com
70.99.79.137 store.de.bitdefender.com
221.225.75.82 us.bitdefender.com
129.245.152.40 virusscanonline.net
118.22.53.148 wedoantivirus.com
188.136.36.12 www.antivirus-tools.com
15.7.31.213 www.avx.ro
179.214.108.240 www.bit-defender.de
168.247.9.23 www.bitdefende.de
238.105.248.143 www.bitdefender-es.com
65.44.243.89 www.bitdefender.be
41.252.64.115 www.bitdefender.cl
30.29.222.154 www.bitdefender.co.uk
32.142.204.19 www.bitdefender.com
183.13.200.220 www.bitdefender.com.au
91.33.20.246 www.bitdefender.com.sg
148.134.246.98 www.bitdefender.com.tw
219.248.228.30 www.bitdefender.com.vn
46.118.224.231 www.bitdefender.de
22.70.45.189 www.bitdefender.es
11.103.202.41 www.bitdefender.fr
13.217.117.161 www.bitdefender.hk
164.156.180.106 www.bitdefender.us
72.107.1.65 www.bitdefenderme.com
61.140.158.172 www.malwarecity.com
131.254.73.36 www.malwarecity.fr
214.125.136.238 quickheal.com
122.145.213.8 www.quickheal.com
111.177.115.47 www.clamav.net
181.35.29.168 cgi.clamav.net
76.162.93.113 lurker.clamav.net
240.114.169.139 wwws.clamav.net
229.215.71.179 lists.clamav.net
44.5.241.43 bugs.clamav.net
127.199.49.244 system-cleaner.comodo.com
35.151.126.14 backup.comodo.com
24.184.27.54 www.comodoantispam.com
94.42.198.242 easy-vpn.comodo.com
245.237.5.119 www.trustlogo.com
153.188.82.146 ztl.comodo.com
210.33.51.65 www.livepcsupport.com
24.147.222.185 www.whichssl.com
107.18.29.131 www.trustix.com
15.38.106.89 disk-encryption.comodo.com
4.70.196.196 speedtest.comodo.com
74.116.178.61 www.contentverification.com
157.55.174.6 idauthority.com
133.7.62.32 www.comodo.tv
122.40.152.72 online-backup.comodo.com
125.154.134.192 www.testmypcsecurity.com
20.92.130.137 www.ccssforum.org
184.44.19.163 i-vault.comodo.com
173.77.108.203 internetsecurity.comodo.com
243.191.91.67 www.comodopartners.com
70.62.86.12 timestamp.comodoca.com
46.81.163.39 secure-email.comodo.com
35.114.64.78 timestamp.wosign.com
37.160.47.198 rover800.gaima.co.uk
188.99.42.144 www.nsclean.com
96.51.119.170 www.contentverification.com
85.83.21.21 new-estore.drweb.com
155.197.3.142 support.drweb.com
238.136.255.87 pda.drweb.com
146.88.75.45 updates.drweb.com
135.121.233.153 drweb.com
206.235.215.17 vms.drweb.com
101.105.211.218 solutions.drweb.com
9.125.32.176 news.drweb.com
254.158.189.28 my.drweb.com
68.16.172.148 buy.drweb.com
151.143.167.93 products.drweb.com
95.131.24.156 new-support.drweb.com
84.163.181.195 promotions.drweb.com
154.21.164.59 network.drweb.com
237.216.160.5 customers.drweb.com
213.168.236.31 store.drweb.com
202.201.138.70 company.drweb.com
204.58.120.191 training.drweb.com
99.185.116.136 license.drweb.com
7.205.192.162 cureit.ru
253.238.94.202 free.drweb.com
67.96.76.134 info.drweb.com
150.222.72.79 new-partners.drweb.com
126.174.149.38 drweb.net
115.207.50.145 new-company.drweb.com
117.65.221.9 new-beta.drweb.com
12.4.28.210 new-forum.drweb.com
176.212.105.169 secure.av-desk.com
165.244.6.20 www.av-desk.com
235.102.177.140 new-solutions.drweb.com
62.229.241.86 new-www.drweb.com
226.249.61.112 www.freedrweb.ru
215.26.219.151 daniloff.net
29.139.133.16 drweb-inside.com
180.10.197.217 drwebinside.com
88.218.17.243 aladdin.com
78.63.175.27 alladdin.ru
148.109.89.147 chickensroamfree.com
231.47.153.92 ealaddin.net
207.67.42.187 ealaddin.orgeshop.aladdin.com
196.100.199.226 secureme.com
10.214.114.158 www.aks.com
161.153.177.35 www.aladdin.com
69.104.254.62 www.ealaddin.com
58.137.155.169 www.ealaddin.com
128.251.70.33 auwww.ealaddin.nl
211.122.134.235 www.esafe.com
119.142.210.193 www.hasp.se
108.175.44.44 www.safenet-inc.com
178.220.26.165 www3.safenet-inc.com
5.159.22.110 www.ca.com
237.111.166.136 cacomvip.ca.com
227.144.0.244 www.netegrity.com
41.70.50.108 search.ca.com
192.8.46.53 cai.com
100.216.191.80 www.f-prot.com
89.249.24.119 frisk-software.com
159.107.7.239 www.frisk.is
242.234.2.184 www.frisk-software.com
218.253.79.211 f-secure.com
207.30.236.250 f-secure.frf-secure.hk
209.76.219.114 f-secure.nlfsecure.com
104.15.215.60 fsecure.nlwebyard.com
12.223.35.86 www.f-secure.com
1.0.193.193 www.fsecure.com
71.113.175.58 www.virus.fi
154.52.171.3 fortihero.com
62.4.247.217 fortilog.com
52.37.149.69 fortinet.co.at
122.151.131.189 fortinet.com
17.21.127.134 fortiprotect.com
181.41.204.161 fortiwifi.com
238.142.173.12 www.apsecure.com
52.0.156.132 www.fortifed.com
135.127.151.77 www.fortiid.com
43.78.228.104 www.fortimail.com
32.111.129.143 www.fortinet-apac.com
75.198.85.236 www.fortinet.ch
158.137.81.182 www.fortinet.co.il
134.89.157.208 www.fortinet.com
123.122.59.247 www.fortinet.com
125.235.41.112 arwww.fortinet.cz
20.106.37.57 www.fortinet.net
184.126.113.83 www.fortinet.nl
174.159.15.123 www.fortinet.sg
244.17.253.55 www.fortinetuk.com
71.143.249.0 www.secure-elements.com
47.95.70.215 gdata.es
104.196.39.134 www.gdata.es
106.54.210.254 ikarus.at
1.249.17.199 www.ikarus.at
165.200.94.158 global.jiangmin.com
154.233.251.9 jiangmin.com.cn
224.91.166.129 jiangmin.com
51.218.230.75 www.jiangmin.com.cn
215.238.50.101 www.kaspersky.com
204.15.208.140 forum.kaspersky.com
18.128.122.5 support.kaspersky.co
169.255.186.206 usa.kaspersky.com
77.207.6.232 brazil.kaspersky.com
134.120.232.84 latam.kaspersky.com
205.166.146.204 kaspersky.com
32.104.210.149 me.kaspersky.com
196.56.31.175 images.kaspersky.com
185.89.188.215 www.mcafee.com
255.203.103.147 support.mcafee.com
150.142.166.24 msr.mcafee.com
58.93.243.51 home.mcafee.com
47.126.144.158 networkassociates.com
185.52.127.90 us.mcafee.com
12.179.190.36 tr.mcafee.com
176.199.11.250 au.mcafee.com
165.232.101.101 mx.mcafee.com
235.21.83.222 networkassociates.nai.com
62.216.79.167 go.mcafee.com
38.168.223.193 fr.mcafee.com
27.201.57.233 uk.mcafee.com
30.59.39.97 de.mcafee.com
181.253.35.42 obscgi.mcafee.com
89.205.180.68 nai.com
78.238.13.212 www.entercept.com
252.200.100.76 jp.mcafee.com
79.71.95.21 mcafeeb2b.com
55.91.172.48 cn.mcafee.com
44.123.73.87 service.mcafee.com
46.169.56.207 br.mcafee.com
197.108.52.153 www.mcafee.at
105.60.128.179 mcafeeretail.com
94.93.30.30 it.mcafee.com
164.206.12.151 tw.mcafee.com
247.145.8.96 privacy.microsoft.com
155.97.84.54 tempuri.org
145.130.242.162 schemas.xmlsoap.org
215.244.225.26 www.microsoft.com
110.114.220.227 specs.xmlsoap.org
86.202.109.254 www.eugrantsadvisor.ie
75.235.10.105 schemas.microsoft.com
145.93.249.225 encarta.msn.com
228.220.244.170 www.sysinternals.com
136.172.65.197 grv.microsoft.com
125.204.222.236 www.xmlsoap.org
195.62.205.100 www.eugrantsadvisor.se
90.69.13.114 www.eugrantsadvisor.com
66.21.89.140 research.microsoft.com
55.54.247.179 www.engyro.com
57.167.229.44 www.exchangeyourcareer.com
208.38.225.245 www.eugrantsadvisor.de
116.58.45.15 exchangeyourcareer.net
106.91.203.55 eugrantsadvisor.de
176.205.185.243 eugrantsadvisor.cz
3.75.181.188 www.eset.es
235.27.2.147 demos.eset.es
224.60.159.254 descargas.eset.es
70.18.174.218 blogs.protegerse.com
221.213.237.163 eos.eset.es
129.164.58.122 pedidos.protegerse.com
186.9.27.41 reg-int.nod32-es.com
0.123.198.161 reg.eset.es
83.250.5.107 vicentevirtual.com
247.14.82.133 cou85.com
236.46.240.172 www.norman.com
50.160.154.37 fsc.norman.com
201.31.218.238 nprobeta.norman.com
109.239.38.8 register.norman.com
98.84.196.47 webadmin.norman.no
168.130.110.168 sandbox.norman.com
252.136.242.181 www.nprotect.com
228.88.62.207 global.nprotect.com
217.121.220.247 www.nprotect.co.kr
31.235.135.179 www.npin.co.kr
182.174.198.56 siren24.nprotect.com
90.125.19.83 15660808.co.kr
79.158.176.190 biz.nprotect.com
149.16.91.54 nprotect.net
232.143.154.0 www.nprotect.com.br
140.163.231.214 liveprotect.net
129.195.65.65 nprotect.seoul.go.kr
11.53.115.254 chollian.nprotect.co.kr
94.248.111.199 www.pandasecurity.com
70.200.255.225 research.pandasecurity.com
59.233.89.8 support.pandasecurity.com
61.90.71.129 pandalabs.pandasecurity.com
249.65.103.110 pandasecurity.com
157.17.248.136 mop.pandasecurity.com
146.50.81.176 timeforyourbusi.pandasecurity.com
216.164.64.40 cybercrime.pandasecurity.com
43.35.59.241 free.pandasecurity.com
19.54.136.12 cloudprotection.pandasecurity.com
8.87.37.51 shop.pandasecurity.com
10.133.20.171 soporte.pandasecurity.com
161.72.15.117 together.pctools.com
69.24.92.143 www.prevx.com
58.57.250.250 info.prevx.com
128.170.232.115 free.prevx.com
211.109.228.60 spywarefiles.prevx.com
119.61.48.18 spywaredlls.prevx.com
108.94.206.126 shield.prevx.com
179.208.188.246 www.prevx1.com
74.78.184.191 howsafeismypc.com
50.166.73.217 www.retento.com
39.199.230.69 www.freerav.com
109.57.213.189 www.rising-global.com
192.184.208.134 www.risingav.com.au
100.135.29.161 support.rising-global.com
89.168.186.200 superboy2010.com.au
159.26.169.64 www.sophos.com
242.221.164.10 feeds.sophos.com
218.173.241.36 esp.sophos.com
207.205.143.75 cn.sophos.com
209.63.125.196 tw.sophos.com
104.190.121.141 kr.sophos.com
12.210.197.167 sophos.com
1.243.99.207 podcasts.sophos.com
72.101.81.139 www.sunbeltsoftware.com
155.227.77.84 go.sunbeltsoftware.com
131.179.154.42 oem.sunbeltsoftware.com
120.212.55.150 antispam.sunbeltsoftware.com
122.70.226.14 antispyware.sunbeltsoftware.com
17.9.33.215 antivirus.sunbeltsoftware.com
181.216.110.174 sunbeltsoftware.com
170.249.11.25 shop.sunbeltsoftware.com
240.107.182.145 live.sunbeltsoftware.com
67.234.245.91 firewall.sunbeltsoftware.com
231.254.66.117 www.symantec.com
220.30.224.156 security.symantec.com
34.144.138.21 securityrespons.symantec.com
185.15.202.222 service1.symantec.com
93.223.22.248 enterprisesecur.symantec.com
82.68.180.32 eval.symantec.com
153.114.94.152 symantec.com
48.120.226.165 definitions.symantec.com
212.72.47.191 investor.symantec.com
201.105.204.231 et.symantec.com
15.219.119.163 sfdoccentral.symantec.com
166.158.182.40 servicenews.symantec.com
74.109.3.67 securityrespons.symantec.com
63.142.160.174 sea.symantec.com
133.0.75.38 go.symantec.com
216.127.138.240 dell.symantec.com
124.147.215.198 sun.symantec.com
113.179.49.49 marian.symantec.com
183.225.31.170 tms.symantec.com
10.164.27.115 securitycheck.symantec.com
242.116.171.141 smallbiz.symantec.com
231.149.5.181 www.symantec.com
234.7.243.45 visualtracking.symantec.com
129.201.239.246 search.symantec.com
37.153.128.16 liveupdate.symantec.com
26.186.217.56 sitedirector.symantec.com
96.44.200.176 edm.symantec.com
179.171.195.121 hostedmailsecur.symantec.com
155.190.16.148 www4.symantec.com
144.223.173.187 education.symantec.com
146.13.156.51 vos.symantec.com
41.208.151.65 www.hacksoft.com.pe
17.228.40.91 hacksoft.pe
6.4.198.198 www.hacksoft.pe
76.118.180.63 housecall.trendmicro.com
159.57.176.8 www.trendmicro.com
67.9.252.222 housecall65.trendmicro.com
56.42.154.73 us.trendmicro.com
126.156.136.194 blog.trendmicro.com
22.26.132.139 emea.trendmicro.com
186.46.209.97 housecall60.trendmicro.com
175.79.110.205 jp.trendmicro.com
245.193.93.69 de.trendmicro.com
72.64.88.14 it.trendmicro.com
236.15.165.41 itw.trendmicro.com
225.48.66.80 esupport.trendmicro.com
39.162.49.200 es.trendmicro.com
122.101.44.146 br.trendmicro.com
98.53.121.172 tw.trendmicro.com
59.58.251.184 la.trendmicro.com
62.172.233.48 uk.trendmicro.com
213.42.229.249 ru.trendmicro.com
121.62.50.19 smbstore.trendmicro.com
110.95.207.59 apac.trendmicro.com
180.209.190.247 store.trendmicro.com
7.80.185.192 training.trendmicro.com
239.31.6.151 trial.trendmicro.com
228.64.163.2 ushousecall02.trendmicro.com
230.178.78.122 subwiz.trendmicro.com
125.117.141.68 go.trendmicro.com
33.69.218.26 feeds.trendmicro.com
22.101.120.133 channelpartner.trendmicro.com
92.215.34.254 wtc.trendmicro.com
175.86.98.199 shop.trendmicro.com
83.106.174.225 fr.trendmicro.com
72.139.76.9 threatinfo.trendmicro.com
143.253.246.129 newsletters.trendmicro.com
38.123.54.74 www.anti-virus.by
202.75.131.100 bg.virusblokada.com
191.176.32.140 www.vba.com.by
5.222.203.4 beta.anti-virus.by
88.161.10.205 www.bg.virusblokada.com
252.112.87.232 www.hauri.net
241.145.244.15 www.hauri.co.kr
55.3.159.203 company.hauri.net
206.198.222.81 www.globalhauri.com
114.150.43.107 shop.hauri.co.kr
171.250.13.26 hauri.co.kr
241.108.183.147 pg.hauri.net
68.235.247.92 esecurity.livecall.co.kr
232.255.67.50 mall.hauri.co.kr
221.32.157.158 company.hauri.co.kr
35.78.139.22 haurijapan.com
119.16.135.223 virobot.co.kr
95.224.24.249 www.virusbuster.hu
84.1.113.33 virusbuster.hu
86.115.96.153 scanner.novirusthanks.org
237.54.91.98 scanner2.novirusthanks.or
145.5.236.125 novirusthanks.org
134.38.69.164 www.novirusthanks.org
204.152.52.28 virustotal.com
99.91.115.42 www.virustotal.com
75.111.192.68 virscan.org
64.143.94.107 www.virscan.org
66.189.76.228 virusscan.jotti.org
217.128.72.173 jotti.org
125.80.148.199 www.jotti.org
114.113.50.50 viruschief.com
184.227.32.171 www.viruschief.com
12.165.28.116 scanner.virus.org
244.185.173.142 virus.org
233.218.74.250 www.virus.org
47.76.57.114 scan4you.net
198.203.52.59 www.scan4you.net
106.222.129.18 avhide.com
131.35.66.161 www.avhide.com
201.149.49.25 anubis.iseclab.org
28.20.45.227 iseclab.org
192.228.121.253 www.iseclab.org
181.5.23.36 threatexpert.com
251.118.5.157 www.threatexpert.com
78.57.1.102 forospyware.com
54.9.77.128 www.forospyware.com
43.42.235.168 in.answers.yahoo.com
114.224.29.100 es.answers.yahoo.com
9.94.25.45 kioskea.net
173.114.102.71 www.kioskea.net
162.147.3.111 es.kioskea.net
232.5.242.43 mygeekside.com
59.132.237.244 www.mygeekside.com
35.83.58.203 www.tecniservicioslys.com
92.184.27.122 tecniservicioslys.com
94.42.198.242 virusfreezone.info
245.237.5.188 www.virusfreezone.info
153.189.82.146 intranet.cidiroax.ipn.mx
142.222.240.253 spycheck.es
212.79.154.118 www.spycheck.es
39.206.218.63 antivirus.hispavista.com
203.226.38.89 computing.net
192.3.196.129 www.computing.net
7.117.110.249 spycheck.co.uk
158.243.174.194 www.spycheck.co.uk
66.195.251.220 midescargas.com
55.40.152.4 www.midescargas.com
193.154.135.192 static.yoreparo.com
20.93.198.137 softfaq.com
184.44.19.164 www.softfaq.com
173.77.176.203 configurarequipos.com
243.191.91.135 www.configurarequipos.com
138.130.154.13 seasonsecurity.com
46.82.231.39 www.seasonsecurity.com
135.214.232.246 removetrojanvirus.org
205.72.147.110 www.removetrojanvirus.org
32.199.211.56 ibusca.me
196.219.31.14 www.ibusca.me
185.252.121.121 busco.in
255.41.103.242 www.busco.in
82.236.99.187 inicioid.com
59.188.243.213 www.inicioid.com


Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Delete the original Trojan file.
  2. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  3. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.