Trojan.Win32.QHost_4b9a84bac2

by malwarelabrobot on November 5th, 2013 in Malware Descriptions.

Trojan.Generic.1635648 (BitDefender), Worm:Win32/Virauto.A (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Win32.HLLW.Autoruner.6389 (DrWeb), Trojan.Generic.1635648 (B) (Emsisoft), Artemis!4B9A84BAC2E7 (McAfee), Trojan.Gen (Symantec), Worm.Win32.AutoRun (Ikarus), Trojan.Generic.1635648 (FSecure), Generic15.BDDH (AVG), Win32:Trojan-gen (Avast)
Behaviour: Trojan, Worm


This description was automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 4b9a84bac2e79d32f9451c7e2b3f3236
SHA1: 9ccb1cbb65f4472a9f9894dce4774156cc4cded7
SHA256: 6ec50362e0acb586c3ac4738325bf044e8e081bca7306f635585e995f29e3856
SSDeep: 12288:iUqp1OeJwH2K1g3a5kLxkX6Z8DMP NU7KpEjQpKTMZu/IhiD8YvsF2HwNy7UN nq:iU 1kCyh
Size: 453120 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi3, UPolyXv05_v6
Company: WinterSoft
Created at: 2009-02-15 01:26:42


Summary:

Worm: a program that primarily replicates over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

%original file name%.exe:1844
cmd32.exe:1652

File activity

The process %original file name%.exe:1844 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files%\Windows NT\explorer.exe (2321 bytes)

The process cmd32.exe:1652 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\20131030(2).zip (222132 bytes)

Registry activity

The process %original file name%.exe:1844 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA F7 68 5C 58 3F E4 CC A0 0D 05 9B 0E 6A 35 45"

The process cmd32.exe:1652 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 72 F2 BB B1 E1 66 2C 1E 1D 0E 9D 4D E8 80 9A"

[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"
"ScreenSaveTimeOut" = "600"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Worm modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted. The modified file is 19926 bytes in size. The following entries are added to the hosts file; all of them resolve antivirus vendor update and download hosts to 127.0.0.1, so affected security products on the machine can no longer fetch updates:

127.0.0.1 download7.avast.com
127.0.0.1 download6.avast.com
127.0.0.1 download5.avast.com
127.0.0.1 download4.avast.com
127.0.0.1 download3.avast.com
127.0.0.1 download2.avast.com
127.0.0.1 download1.avast.com
127.0.0.1 download0.avast.com
127.0.0.1 download72.avast.com
127.0.0.1 download73.avast.com
127.0.0.1 download74.avast.com
127.0.0.1 download75.avast.com
127.0.0.1 download76.avast.com
127.0.0.1 download77.avast.com
127.0.0.1 download78.avast.com
127.0.0.1 download79.avast.com
127.0.0.1 download80.avast.com
127.0.0.1 download81.avast.com
127.0.0.1 download82.avast.com
127.0.0.1 download83.avast.com
127.0.0.1 download84.avast.com
127.0.0.1 download85.avast.com
127.0.0.1 download91.avast.com
127.0.0.1 download92.avast.com
127.0.0.1 download93.avast.com
127.0.0.1 download94.avast.com
127.0.0.1 download95.avast.com
127.0.0.1 download96.avast.com
127.0.0.1 download97.avast.com
127.0.0.1 download98.avast.com
127.0.0.1 download99.avast.com
127.0.0.1 download100.avast.com
127.0.0.1 download200.avast.com
127.0.0.1 download201.avast.com
127.0.0.1 download202.avast.com
127.0.0.1 download203.avast.com
127.0.0.1 download204.avast.com
127.0.0.1 download205.avast.com
127.0.0.1 download206.avast.com
127.0.0.1 download207.avast.com
127.0.0.1 download208.avast.com
127.0.0.1 download209.avast.com
127.0.0.1 download210.avast.com
127.0.0.1 download211.avast.com
127.0.0.1 download212.avast.com
127.0.0.1 download213.avast.com
127.0.0.1 download214.avast.com
127.0.0.1 download501.avast.com
127.0.0.1 download502.avast.com
127.0.0.1 download503.avast.com
127.0.0.1 download504.avast.com
127.0.0.1 download505.avast.com
127.0.0.1 download511.avast.com
127.0.0.1 download512.avast.com
127.0.0.1 download513.avast.com
127.0.0.1 download514.avast.com
127.0.0.1 download515.avast.com
127.0.0.1 download516.avast.com
127.0.0.1 download600.avast.com
127.0.0.1 download601.avast.com
127.0.0.1 download602.avast.com
127.0.0.1 download603.avast.com
127.0.0.1 download604.avast.com
127.0.0.1 download605.avast.com
127.0.0.1 download606.avast.com
127.0.0.1 download607.avast.com
127.0.0.1 download608.avast.com
127.0.0.1 download609.avast.com
127.0.0.1 download617.avast.com
127.0.0.1 download618.avast.com
127.0.0.1 download619.avast.com
127.0.0.1 download620.avast.com
127.0.0.1 download621.avast.com
127.0.0.1 download622.avast.com
127.0.0.1 download623.avast.com
127.0.0.1 download624.avast.com
127.0.0.1 download625.avast.com
127.0.0.1 download626.avast.com
127.0.0.1 download627.avast.com
127.0.0.1 download628.avast.com
127.0.0.1 download629.avast.com
127.0.0.1 download630.avast.com
127.0.0.1 download631.avast.com
127.0.0.1 download632.avast.com
127.0.0.1 download633.avast.com
127.0.0.1 download634.avast.com
127.0.0.1 download635.avast.com
127.0.0.1 download636.avast.com
127.0.0.1 download637.avast.com
127.0.0.1 download638.avast.com
127.0.0.1 download639.avast.com
127.0.0.1 download640.avast.com
127.0.0.1 download641.avast.com
127.0.0.1 download642.avast.com
127.0.0.1 download643.avast.com
127.0.0.1 download644.avast.com
127.0.0.1 download645.avast.com
127.0.0.1 download646.avast.com
127.0.0.1 download647.avast.com
127.0.0.1 download648.avast.com
127.0.0.1 download649.avast.com
127.0.0.1 download650.avast.com
127.0.0.1 download651.avast.com
127.0.0.1 download652.avast.com
127.0.0.1 download653.avast.com
127.0.0.1 download654.avast.com
127.0.0.1 download655.avast.com
127.0.0.1 download656.avast.com
127.0.0.1 download657.avast.com
127.0.0.1 download658.avast.com
127.0.0.1 download659.avast.com
127.0.0.1 download660.avast.com
127.0.0.1 download661.avast.com
127.0.0.1 download662.avast.com
127.0.0.1 download663.avast.com
127.0.0.1 download664.avast.com
127.0.0.1 download665.avast.com
127.0.0.1 download666.avast.com
127.0.0.1 download667.avast.com
127.0.0.1 download668.avast.com
127.0.0.1 download669.avast.com
127.0.0.1 download670.avast.com
127.0.0.1 download671.avast.com
127.0.0.1 download672.avast.com
127.0.0.1 download673.avast.com
127.0.0.1 download674.avast.com
127.0.0.1 download675.avast.com
127.0.0.1 download676.avast.com
127.0.0.1 download677.avast.com
127.0.0.1 download678.avast.com
127.0.0.1 download679.avast.com
127.0.0.1 download680.avast.com
127.0.0.1 download681.avast.com
127.0.0.1 download682.avast.com
127.0.0.1 download683.avast.com
127.0.0.1 download684.avast.com
127.0.0.1 download685.avast.com
127.0.0.1 download686.avast.com
127.0.0.1 download687.avast.com
127.0.0.1 download688.avast.com
127.0.0.1 download689.avast.com
127.0.0.1 download690.avast.com
127.0.0.1 download691.avast.com
127.0.0.1 download692.avast.com
127.0.0.1 download693.avast.com
127.0.0.1 download694.avast.com
127.0.0.1 download695.avast.com
127.0.0.1 download696.avast.com
127.0.0.1 download697.avast.com
127.0.0.1 download698.avast.com
127.0.0.1 download699.avast.com
127.0.0.1 download700.avast.com
127.0.0.1 download701.avast.com
127.0.0.1 download702.avast.com
127.0.0.1 download703.avast.com
127.0.0.1 download704.avast.com
127.0.0.1 download705.avast.com
127.0.0.1 download706.avast.com
127.0.0.1 download707.avast.com
127.0.0.1 download708.avast.com
127.0.0.1 download709.avast.com
127.0.0.1 download900.avast.com
127.0.0.1 download901.avast.com
127.0.0.1 download902.avast.com
127.0.0.1 download903.avast.com
127.0.0.1 download904.avast.com
127.0.0.1 download905.avast.com
127.0.0.1 download906.avast.com
127.0.0.1 download907.avast.com
127.0.0.1 download908.avast.com
127.0.0.1 download909.avast.com
127.0.0.1 download910.avast.com
127.0.0.1 download911.avast.com
127.0.0.1 download912.avast.com
127.0.0.1 download913.avast.com
127.0.0.1 download914.avast.com
127.0.0.1 download915.avast.com
127.0.0.1 download916.avast.com
127.0.0.1 download917.avast.com
127.0.0.1 download918.avast.com
127.0.0.1 download919.avast.com
127.0.0.1 download920.avast.com
127.0.0.1 download921.avast.com
127.0.0.1 download922.avast.com
127.0.0.1 download923.avast.com
127.0.0.1 download924.avast.com
127.0.0.1 download925.avast.com
127.0.0.1 download926.avast.com
127.0.0.1 download927.avast.com
127.0.0.1 download928.avast.com
127.0.0.1 download929.avast.com
127.0.0.1 download930.avast.com
127.0.0.1 download931.avast.com
127.0.0.1 download932.avast.com
127.0.0.1 download933.avast.com
127.0.0.1 download934.avast.com
127.0.0.1 download935.avast.com
127.0.0.1 download936.avast.com
127.0.0.1 download937.avast.com
127.0.0.1 download938.avast.com
127.0.0.1 download939.avast.com
127.0.0.1 download940.avast.com
127.0.0.1 download941.avast.com
127.0.0.1 download942.avast.com
127.0.0.1 download943.avast.com
127.0.0.1 download944.avast.com
127.0.0.1 download945.avast.com
127.0.0.1 download946.avast.com
127.0.0.1 download947.avast.com
127.0.0.1 download948.avast.com
127.0.0.1 download949.avast.com
127.0.0.1 download950.avast.com
127.0.0.1 download951.avast.com
127.0.0.1 download952.avast.com
127.0.0.1 download953.avast.com
127.0.0.1 download954.avast.com
127.0.0.1 download955.avast.com
127.0.0.1 download956.avast.com
127.0.0.1 download957.avast.com
127.0.0.1 download958.avast.com
127.0.0.1 download959.avast.com
127.0.0.1 download960.avast.com
127.0.0.1 download961.avast.com
127.0.0.1 download962.avast.com
127.0.0.1 download963.avast.com
127.0.0.1 download964.avast.com
127.0.0.1 download965.avast.com
127.0.0.1 download966.avast.com
127.0.0.1 download967.avast.com
127.0.0.1 download968.avast.com
127.0.0.1 download969.avast.com
127.0.0.1 download970.avast.com
127.0.0.1 download971.avast.com
127.0.0.1 download972.avast.com
127.0.0.1 download973.avast.com
127.0.0.1 download974.avast.com
127.0.0.1 download975.avast.com
127.0.0.1 download976.avast.com
127.0.0.1 download977.avast.com
127.0.0.1 download978.avast.com
127.0.0.1 download979.avast.com
127.0.0.1 download980.avast.com
127.0.0.1 update.avgfrance.com
127.0.0.1 update.avg.com
127.0.0.1 shadow.grisoft.cz
127.0.0.1 update.grisoft.com
127.0.0.1 free.grisoft.cz
127.0.0.1 update.grisoft.cz
127.0.0.1 free.grisoft.com
127.0.0.1 guru.avg.com
127.0.0.1 dl1.avgate.net
127.0.0.1 dl2.avgate.net
127.0.0.1 dl3.avgate.net
127.0.0.1 dl4.avgate.net
127.0.0.1 dl5.avgate.net
127.0.0.1 dl6.avgate.net
127.0.0.1 dl7.avgate.net
127.0.0.1 dl8.freeav.net
127.0.0.1 dl9.freeav.net
127.0.0.1 dl10.freeav.net
127.0.0.1 dl1.antivir-pe.de
127.0.0.1 dl2.antivir-pe.de
127.0.0.1 dl3.antivir-pe.de
127.0.0.1 dl4.antivir-pe.de
127.0.0.1 dl1.antivir-pe.com
127.0.0.1 dl2.antivir-pe.com
127.0.0.1 dl3.antivir-pe.com
127.0.0.1 dl4.antivir-pe.com
127.0.0.1 dl1.antivir.de
127.0.0.1 dl2.antivir.de
127.0.0.1 dl3.antivir.de
127.0.0.1 dl4.antivir.de
127.0.0.1 notifier.antivir-pe.de
127.0.0.1 update.bitdefender.com
127.0.0.1 buddy.bitdefender.com
127.0.0.1 upgrade.bitdefender.com
127.0.0.1 upgrade1.bitdefender.com
127.0.0.1 upgrade2.bitdefender.com
127.0.0.1 upgrade3.bitdefender.com
127.0.0.1 upgrade4.bitdefender.com
127.0.0.1 kb.bitdefender.com
127.0.0.1 ftp.bitdefender.com
127.0.0.1 updates.drweb.com
127.0.0.1 update.drweb.com
127.0.0.1 msk.drweb.com
127.0.0.1 msk1.drweb.com
127.0.0.1 msk2.drweb.com
127.0.0.1 msk3.drweb.com
127.0.0.1 msk4.drweb.com
127.0.0.1 msk5.drweb.com
127.0.0.1 msk6.drweb.com
127.0.0.1 msk7.drweb.com
127.0.0.1 fr.drweb.com
127.0.0.1 fr1.drweb.com
127.0.0.1 fr2.drweb.com
127.0.0.1 fr3.drweb.com
127.0.0.1 fr4.drweb.com
127.0.0.1 fr5.drweb.com
127.0.0.1 fr6.drweb.com
127.0.0.1 fr7.drweb.com
127.0.0.1 dnl-cd1.kaspersky-labs.com
127.0.0.1 dnl-cd10.kaspersky-labs.com
127.0.0.1 dnl-cd11.kaspersky-labs.com
127.0.0.1 dnl-cd12.kaspersky-labs.com
127.0.0.1 dnl-cd13.kaspersky-labs.com
127.0.0.1 dnl-cd14.kaspersky-labs.com
127.0.0.1 dnl-cd2.kaspersky-labs.com
127.0.0.1 dnl-cd3.kaspersky-labs.com
127.0.0.1 dnl-cd4.kaspersky-labs.com
127.0.0.1 dnl-cd5.kaspersky-labs.com
127.0.0.1 dnl-cd6.kaspersky-labs.com
127.0.0.1 dnl-cd7.kaspersky-labs.com
127.0.0.1 dnl-cd8.kaspersky-labs.com
127.0.0.1 dnl-cd9.kaspersky-labs.com
127.0.0.1 dnl-cn1.kaspersky-labs.com
127.0.0.1 dnl-cn10.kaspersky-labs.com
127.0.0.1 dnl-cn11.kaspersky-labs.com
127.0.0.1 dnl-cn12.kaspersky-labs.com
127.0.0.1 dnl-cn13.kaspersky-labs.com
127.0.0.1 dnl-cn14.kaspersky-labs.com
127.0.0.1 dnl-cn15.kaspersky-labs.com
127.0.0.1 dnl-cn2.kaspersky-labs.com
127.0.0.1 dnl-cn3.kaspersky-labs.com
127.0.0.1 dnl-cn4.kaspersky-labs.com
127.0.0.1 dnl-cn5.kaspersky-labs.com
127.0.0.1 dnl-cn6.kaspersky-labs.com
127.0.0.1 dnl-cn7.kaspersky-labs.com
127.0.0.1 dnl-cn8.kaspersky-labs.com
127.0.0.1 dnl-cn9.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
127.0.0.1 dnl-eu11.kaspersky-labs.com
127.0.0.1 dnl-eu12.kaspersky-labs.com
127.0.0.1 dnl-eu13.kaspersky-labs.com
127.0.0.1 dnl-eu14.kaspersky-labs.com
127.0.0.1 dnl-eu15.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-jp1.kaspersky-labs.com
127.0.0.1 dnl-jp10.kaspersky-labs.com
127.0.0.1 dnl-jp11.kaspersky-labs.com
127.0.0.1 dnl-jp12.kaspersky-labs.com
127.0.0.1 dnl-jp13.kaspersky-labs.com
127.0.0.1 dnl-jp14.kaspersky-labs.com
127.0.0.1 dnl-jp15.kaspersky-labs.com
127.0.0.1 dnl-jp2.kaspersky-labs.com
127.0.0.1 dnl-jp3.kaspersky-labs.com
127.0.0.1 dnl-jp4.kaspersky-labs.com
127.0.0.1 dnl-jp5.kaspersky-labs.com
127.0.0.1 dnl-jp6.kaspersky-labs.com
127.0.0.1 dnl-jp7.kaspersky-labs.com
127.0.0.1 dnl-jp8.kaspersky-labs.com
127.0.0.1 dnl-jp9.kaspersky-labs.com
127.0.0.1 dnl-kr1.kaspersky-labs.com
127.0.0.1 dnl-kr10.kaspersky-labs.com
127.0.0.1 dnl-kr11.kaspersky-labs.com
127.0.0.1 dnl-kr12.kaspersky-labs.com
127.0.0.1 dnl-kr13.kaspersky-labs.com
127.0.0.1 dnl-kr14.kaspersky-labs.com
127.0.0.1 dnl-kr15.kaspersky-labs.com
127.0.0.1 dnl-kr2.kaspersky-labs.com
127.0.0.1 dnl-kr3.kaspersky-labs.com
127.0.0.1 dnl-kr4.kaspersky-labs.com
127.0.0.1 dnl-kr5.kaspersky-labs.com
127.0.0.1 dnl-kr6.kaspersky-labs.com
127.0.0.1 dnl-kr7.kaspersky-labs.com
127.0.0.1 dnl-kr8.kaspersky-labs.com
127.0.0.1 dnl-kr9.kaspersky-labs.com
127.0.0.1 dnl-ru1.kaspersky-labs.com
127.0.0.1 dnl-ru10.kaspersky-labs.com
127.0.0.1 dnl-ru11.kaspersky-labs.com
127.0.0.1 dnl-ru12.kaspersky-labs.com
127.0.0.1 dnl-ru13.kaspersky-labs.com
127.0.0.1 dnl-ru14.kaspersky-labs.com
127.0.0.1 dnl-ru15.kaspersky-labs.com
127.0.0.1 dnl-ru2.kaspersky-labs.com
127.0.0.1 dnl-ru3.kaspersky-labs.com
127.0.0.1 dnl-ru4.kaspersky-labs.com
127.0.0.1 dnl-ru5.kaspersky-labs.com
127.0.0.1 dnl-ru6.kaspersky-labs.com
127.0.0.1 dnl-ru7.kaspersky-labs.com
127.0.0.1 dnl-ru8.kaspersky-labs.com
127.0.0.1 dnl-ru9.kaspersky-labs.com
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-us11.kaspersky-labs.com
127.0.0.1 dnl-us12.kaspersky-labs.com
127.0.0.1 dnl-us13.kaspersky-labs.com
127.0.0.1 dnl-us14.kaspersky-labs.com
127.0.0.1 dnl-us15.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 u0.eset.com
127.0.0.1 u1.eset.com
127.0.0.1 u2.eset.com
127.0.0.1 u3.eset.com
127.0.0.1 u4.eset.com
127.0.0.1 u5.eset.com
127.0.0.1 u6.eset.com
127.0.0.1 u7.eset.com
127.0.0.1 u8.eset.com
127.0.0.1 u9.eset.com
127.0.0.1 u10.eset.com
127.0.0.1 u11.eset.com
127.0.0.1 u12.eset.com
127.0.0.1 u13.eset.com
127.0.0.1 u14.eset.com
127.0.0.1 u15.eset.com
127.0.0.1 u16.eset.com
127.0.0.1 u17.eset.com
127.0.0.1 u18.eset.com
127.0.0.1 u19.eset.com
127.0.0.1 u20.eset.com
127.0.0.1 u21.eset.com
127.0.0.1 u22.eset.com
127.0.0.1 u23.eset.com
127.0.0.1 u24.eset.com
127.0.0.1 u25.eset.com
127.0.0.1 u26.eset.com
127.0.0.1 u27.eset.com
127.0.0.1 u28.eset.com
127.0.0.1 u29.eset.com
127.0.0.1 u30.eset.com
127.0.0.1 u31.eset.com
127.0.0.1 u32.eset.com
127.0.0.1 u33.eset.com
127.0.0.1 u34.eset.com
127.0.0.1 u35.eset.com
127.0.0.1 u36.eset.com
127.0.0.1 u37.eset.com
127.0.0.1 u38.eset.com
127.0.0.1 u39.eset.com
127.0.0.1 u40.eset.com
127.0.0.1 u41.eset.com
127.0.0.1 u42.eset.com
127.0.0.1 u43.eset.com
127.0.0.1 u44.eset.com
127.0.0.1 u45.eset.com
127.0.0.1 u46.eset.com
127.0.0.1 u47.eset.com
127.0.0.1 u48.eset.com
127.0.0.1 u49.eset.com
127.0.0.1 u50.eset.com
127.0.0.1 u51.eset.com
127.0.0.1 u52.eset.com
127.0.0.1 u53.eset.com
127.0.0.1 u54.eset.com
127.0.0.1 u55.eset.com
127.0.0.1 u56.eset.com
127.0.0.1 u57.eset.com
127.0.0.1 u58.eset.com
127.0.0.1 u59.eset.com
127.0.0.1 u60.eset.com
127.0.0.1 u61.eset.com
127.0.0.1 u62.eset.com
127.0.0.1 u63.eset.com
127.0.0.1 u64.eset.com
127.0.0.1 u65.eset.com
127.0.0.1 u66.eset.com
127.0.0.1 u67.eset.com
127.0.0.1 u68.eset.com
127.0.0.1 u69.eset.com
127.0.0.1 u70.eset.com
127.0.0.1 u71.eset.com
127.0.0.1 u72.eset.com
127.0.0.1 u73.eset.com
127.0.0.1 u74.eset.com
127.0.0.1 u75.eset.com
127.0.0.1 u76.eset.com
127.0.0.1 u77.eset.com
127.0.0.1 u78.eset.com
127.0.0.1 u79.eset.com
127.0.0.1 u80.eset.com
127.0.0.1 u81.eset.com
127.0.0.1 u82.eset.com
127.0.0.1 u83.eset.com
127.0.0.1 u84.eset.com
127.0.0.1 u85.eset.com
127.0.0.1 u86.eset.com
127.0.0.1 u87.eset.com
127.0.0.1 u88.eset.com
127.0.0.1 u89.eset.com
127.0.0.1 u90.eset.com
127.0.0.1 u91.eset.com
127.0.0.1 u92.eset.com
127.0.0.1 u93.eset.com
127.0.0.1 u94.eset.com
127.0.0.1 u95.eset.com
127.0.0.1 u96.eset.com
127.0.0.1 u97.eset.com
127.0.0.1 u98.eset.com
127.0.0.1 u99.eset.com
127.0.0.1 u100.eset.com
127.0.0.1 up1.nod123.cn
127.0.0.1 nod32.datsec.de
127.0.0.1 niufour.norman.no
127.0.0.1 download.norman.no
127.0.0.1 niuone.norman.no
127.0.0.1 niusix.norman.no
127.0.0.1 niutwo.norman.no
127.0.0.1 niuseven.norman.no
127.0.0.1 niuthree.norman.no
127.0.0.1 niunine.norman.no
127.0.0.1 niufive.norman.no
127.0.0.1 niueight.norman.no
127.0.0.1 sandbox.norman.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 symantec-ese.baynote.net
127.0.0.1 stats.norton.com
127.0.0.1 customer.symantec.com
127.0.0.1 renewalcenter.symantec.com
127.0.0.1 security.symantec.com
127.0.0.1 shop.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 ftp.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 fr.mcafee.com
127.0.0.1 mast.mcafee.com
127.0.0.1 us.mcafee.com
127.0.0.1 ftp.nai.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 download1.quickheal.com
127.0.0.1 download2.quickheal.com
127.0.0.1 download3.quickheal.com
127.0.0.1 download4.quickheal.com
127.0.0.1 download5.quickheal.com
127.0.0.1 download6.quickheal.com
127.0.0.1 download7.quickheal.com
127.0.0.1 download8.quickheal.com
127.0.0.1 download9.quickheal.com
127.0.0.1 download10.quickheal.com
127.0.0.1 update.quickheal.com
127.0.0.1 sophos1.ucd.ie
127.0.0.1 sophos2.ucd.ie
127.0.0.1 sophos3.ucd.ie
127.0.0.1 sophos4.ucd.ie
127.0.0.1 sophos5.ucd.ie
127.0.0.1 sophos6.ucd.ie
127.0.0.1 sophos7.ucd.ie
127.0.0.1 sophos8.ucd.ie
127.0.0.1 sophos9.ucd.ie
127.0.0.1 sophos10.ucd.ie
127.0.0.1 update.sophos.com
127.0.0.1 pccreg.trendmicro.com
127.0.0.1 pccreg.antivirus.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 cn.trendmicro.com
127.0.0.1 files.trendmicro-europe.com
127.0.0.1 fr.bitdefender.com
127.0.0.1 update.trendmicro.com
127.0.0.1 ieupdate.gdata.de
127.0.0.1 ieupdate6.gdata.de
127.0.0.1 ieupdate5.gdata.de
127.0.0.1 ieupdate4.gdata.de
127.0.0.1 ieupdate3.gdata.de
127.0.0.1 ieupdate2.gdata.de
127.0.0.1 ieupdate1.gdata.de
127.0.0.1 acs.pandasoftware.com
127.0.0.1 downloads.My-eTrust.com
127.0.0.1 antivirus.cai.com
127.0.0.1 ftp.ca.co
127.0.0.1 ftp.esafe.com
127.0.0.1 updates.f-prot.com
127.0.0.1 ftp.f-prot.com
127.0.0.1 update.ikarus-software.at
127.0.0.1 avu.zonelabs.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 ftp.microworldsystems.com
127.0.0.1 update.aladdin.com
127.0.0.1 update.authentium.com
127.0.0.1 update.bitdefender.com
127.0.0.1 update.ewido.com
127.0.0.1 update.hispasec.com
127.0.0.1 up.duba.net
127.0.0.1 update.ikaka.com


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1844
    cmd32.exe:1652

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Program Files%\Windows NT\explorer.exe (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20131030(2).zip (222132 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.