Category Archives: Worm

worm.win32.folstart.a

worm.win32.folstart.a is also known as Gen:Variant.Adware.Mplug.45, Adware.MultiPlug!1.A126-oGReBhAEMdH (cloud), and a variant of Win32/Adware.MultiPlug.KU.

Malware Analysis of worm.win32.folstart.a – ACB3C07E16512E787301508AF21CE05A.EXE

Created files:
  %COMMON APPDATA%\{D1DA171A-427F-5C8F-D1DA-A171A4275C69}\ACB3C07E16512E787301508AF21CE05A.DAT
  %COMMON APPDATA%\{D1DA171A-427F-5C8F-D1DA-A171A4275C69}\ACB3C07E16512E787301508AF21CE05A.EXE
  %SYSDIR%\TASKS\BIDAILY SYNCHRONIZE TASK[PR]
  %WINDIR%\TASKS\BIDAILY SYNCHRONIZE TASK[PR].JOB

Detected by UnHackMe: ACB3C07E16512E787301508AF21CE05A.EXE
Default location: %COMMON APPDATA%\{D1DA171A-427F-5C8F-D1DA-A171A4275C69}\ACB3C07E16512E787301508AF21CE05A.EXE
Dropper hash (MD5): acb3c07e16512e787301508af21ce05a

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe…

EmailWorm ( 004df05b1 )

EmailWorm ( 004df05b1 ) is also known as Win32:Evo-gen [Susp], a variant of MSIL/Injector.PWE, and MSIL10.AYOS.

Malware Analysis of EmailWorm ( 004df05b1 ) – HNMSIY.EXE

Created files:
  %TEMP%\RARSFX0\FESVXAMVENA.XML
  %TEMP%\RARSFX0\FMBULMIGRM.PNG
  %TEMP%\RARSFX0\HNMSIY.EXE

Detected by UnHackMe: HNMSIY.EXE
Default location: %TEMP%\RARSFX0\HNMSIY.EXE
Dropper hash (MD5): 2e0f18aec0b3fa2c0fbdfab70572fa4c

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100%…

W32.AutorunIE1.Worm

W32.AutorunIE1.Worm is also known as Trojan ( 004743681 ), Trojan/Dropper.Delf.no, and TScope.Trojan.Delf.

Malware Analysis of W32.AutorunIE1.Worm – 321.EXE

Created files:
  %Program Files%\Google\Chrome\Application\53.0.2785.116\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll
  %Program Files%\Google\Chrome\Application\53.0.2785.116\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll
  %Program Files%\29pc\321.EXE
  %Program Files%\29pc\456.bat
  %Program Files%\29pc\BackUp.ini

Autostart registry keys:
  HKLM\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath: ""%Program Files%\Google\Chrome\Application\53.0.2785.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome"
  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\UninstallString: ""%Program Files%\Google\Chrome\Application\53.0.2785.116\Installer\setup.exe" --uninstall --multi-install --chrome --system-level"

Detected by UnHackMe: 321.EXE
Default location:…

W32/IRCBot.C!worm

W32/IRCBot.C!worm is also known as Trj/GdSda.A, Dropped:Generic.Malware.SBdld.FED759C0, and Worm.Autorun.Win32.19.

Malware Analysis of W32/IRCBot.C!worm – WINMGRS.EXE

Created files:
  %TEMP%\WINMGRS.EXE

Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\SECURITY SYSTEM: "%TEMP%\WINMGRS.EXE"

Detected by UnHackMe: WINMGRS.EXE
Default location: %TEMP%\WINMGRS.EXE
Dropper hash (MD5): 91748e79668fc8facf7b930b4849076d

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not…

Win32.Worm.Autorun.Hrom

Win32.Worm.Autorun.Hrom is also known as Dropped:Generic.Malware.SBdld.FED759C0, TROJ_GEN.R0EBC0DFT16, and W32/Bloop.A.gen!Eldorado.

Malware Analysis of Win32.Worm.Autorun.Hrom – WINMGRS.EXE

Created files:
  %TEMP%\WINMGRS.EXE

Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\SECURITY SYSTEM: "%TEMP%\WINMGRS.EXE"

Detected by UnHackMe: WINMGRS.EXE
Default location: %TEMP%\WINMGRS.EXE
Dropper hash (MD5): 91748e79668fc8facf7b930b4849076d

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not…

Worm.Win32.Silly_P2P

Worm.Win32.Silly_P2P is also known as Win32/DH{gVKBUQk?}, Trojan/Win32.Swisyn.N2036049601, and Win32.Worm.Autorun.Hrom.

Malware Analysis of Worm.Win32.Silly_P2P – WINMGRS.EXE

Created files:
  %TEMP%\WINMGRS.EXE

Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\SECURITY SYSTEM: "%TEMP%\WINMGRS.EXE"

Detected by UnHackMe: WINMGRS.EXE
Default location: %TEMP%\WINMGRS.EXE
Dropper hash (MD5): 91748e79668fc8facf7b930b4849076d

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not…

Worm.Autorun.Win32.19

Worm.Autorun.Win32.19 is also known as Win32.Worm.Autorun.Hrom, Dropped:Generic.Malware.SBdld.FED759C0, and TROJ_GEN.R0EBC0DFT16.

Malware Analysis of Worm.Autorun.Win32.19 – WINMGRS.EXE

Created files:
  %TEMP%\WINMGRS.EXE

Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\SECURITY SYSTEM: "%TEMP%\WINMGRS.EXE"

Detected by UnHackMe: WINMGRS.EXE
Default location: %TEMP%\WINMGRS.EXE
Dropper hash (MD5): 91748e79668fc8facf7b930b4849076d

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not…

EmailWorm ( 004df05b1 )

EmailWorm ( 004df05b1 ) is also known as Troj/MSIL-HMA, Win32.Trojan.WisdomEyes.151026.9950.9987, and QVM03.0.Malware.Gen.

Malware Analysis of EmailWorm ( 004df05b1 ) – JSIYYKSSLPJ.EXE

Created files:
  %TEMP%\RARSFX0\BXAMVENAGXEHDOJKI.XML
  %TEMP%\RARSFX0\FRMKWHRRXOEOAON.PNG
  %TEMP%\RARSFX0\JSIYYKSSLPJ.EXE
  %STARTUP%\JSIYYKSSLPJ.LNK
  %APPDATA%\ZRRXOEOAONM\BXAMVENAGXEHDOJKI.XML

Detected by UnHackMe: JSIYYKSSLPJ.EXE
Default location: %TEMP%\RARSFX0\JSIYYKSSLPJ.EXE
Dropper hash (MD5): 4a84f3a80d6f4e0b758808d21748379d

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which…

W32.BRBTTc.Worm

Malware Analysis of W32.BRBTTc.Worm – PAC-CMD.EXE

Created files:
  %APPDATA%\MOZILLA\FIREFOX\PROFILES\J3CZWNGH.DEFAULT\WEBAPPSSTORE.SQLITE-WAL
  %APPDATA%\BYTEEXEC\CERTIMPORTER.EXE
  %APPDATA%\BYTEEXEC\PAC-CMD.EXE
  %APPDATA%\LANTERN\.PACKAGED-LANTERN.YAML
  %APPDATA%\LANTERN\LANTERN-3.0.0.YAML

Autostart registry keys:
  HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\LANTERN: ""%APPDATA%\LANTERN\LANTERN.EXE" -STARTUP"
  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Lantern\DisplayName: "Lantern"
  HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\LANTERN\UNINSTALLSTRING: ""%APPDATA%\LANTERN\UNINSTALL.EXE""

Detected by UnHackMe: PAC-CMD.EXE
Default location: %APPDATA%\BYTEEXEC\PAC-CMD.EXE
Dropper hash (MD5): 596fec004a51c4159fa9d0643d3a5130

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does…

W32.FamVT.BRTTc.Worm

W32.FamVT.BRTTc.Worm is also known as TR/Nivdort.ktnk, Trojan ( 004dc2a31 ), and Trojan.Win32.Bayrob.bs (v).

Malware Analysis of W32.FamVT.BRTTc.Worm – CEKRGWV.EXE

Created files:
  %SYSTEMDRIVE%\WECXSEA\JWFJG1TH7XIFKSYZV.EXE
  %SYSTEMDRIVE%\WECXSEA\BX9WKLMNW
  %SYSTEMDRIVE%\WECXSEA\CEKRGWV.EXE
  %SYSTEMDRIVE%\WECXSEA\CXXSKOL
  %SYSTEMDRIVE%\WECXSEA\EBFOUMUOXM.EXE

Autostart registry keys:
  HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\AUTHENTICATION LAYER EXTENDER CONNECTIONS\IMAGEPATH: "%SYSTEMDRIVE%\WECXSEA\EBFOUMUOXM.EXE"
  HKLM\System\CurrentControlSet\services\Authentication Layer Extender Connections\DisplayName: "Authentication Layer Extender Connections"

Detected by UnHackMe: CEKRGWV.EXE
Default location: %SYSTEMDRIVE%\WECXSEA\CEKRGWV.EXE
Dropper hash (MD5): 6154a8c846ab0a4a4ba909f099ed7e8b

UnHackMe removes malware invisible to…

Worm.Generic.bxv

Worm.Generic.bxv is also known as Trojan ( 004f412c1 ), Win32:Malware-gen, and Trojan.Win32.Garrun.cae.

Malware Analysis of Worm.Generic.bxv – SCVHCHOST32.EXE

Created files:
  %SYSTEMDRIVE%\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196598451\SCVHCHOST32.EXE

Detected by UnHackMe: SCVHCHOST32.EXE
Default location: %SYSTEMDRIVE%\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196598451\SCVHCHOST32.EXE
Dropper hash (MD5): 63627b5d40f1a34753097b87f6ee81e0

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain any form…

worm.win32.dorkbot.i

worm.win32.dorkbot.i is also known as Adware.Installerex.A8, ADWARE/MultiPlug.Gen7, and SScope.Adware.Multiplug.

Malware Analysis of worm.win32.dorkbot.i – 7000BDBB2D7D2416AC9C281518EC58FC.EXE

Created files:
  %COMMON APPDATA%\{525910B2-F7A1-4529-5259-910B2F7A42CB}\2D4E64F20C66671C
  %COMMON APPDATA%\{525910B2-F7A1-4529-5259-910B2F7A42CB}\7000BDBB2D7D2416AC9C281518EC58FC.DAT
  %COMMON APPDATA%\{525910B2-F7A1-4529-5259-910B2F7A42CB}\7000BDBB2D7D2416AC9C281518EC58FC.EXE
  %COMMON APPDATA%\{525910B2-F7A1-4529-5259-910B2F7A42CB}\E0B3C2A72BB280C8
  %SYSDIR%\TASKS\TESTMYVISION

Detected by UnHackMe: 7000BDBB2D7D2416AC9C281518EC58FC.EXE
Default location: %COMMON APPDATA%\{525910B2-F7A1-4529-5259-910B2F7A42CB}\7000BDBB2D7D2416AC9C281518EC58FC.EXE
Dropper hash (MD5): 7000bdbb2d7d2416ac9c281518ec58fc

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means…

worm.win32.folstart.a

worm.win32.folstart.a is also known as W32/S-a2e0b166!Eldorado, MultiPlug (v), and not-a-virus:HEUR:AdWare.Win32.MultiPlug.heur.

Malware Analysis of worm.win32.folstart.a – 5779724F34DE6B6279986BFA2DAD91C7.EXE

Created files:
  %COMMON APPDATA%\{F8D926D0-6F42-B9F7-F8D9-926D06F49B41}\5779724F34DE6B6279986BFA2DAD91C7.DAT
  %COMMON APPDATA%\{F8D926D0-6F42-B9F7-F8D9-926D06F49B41}\5779724F34DE6B6279986BFA2DAD91C7.EXE
  %SYSDIR%\TASKS\SERIESWATCHER
  %WINDIR%\TASKS\SERIESWATCHER.JOB

Detected by UnHackMe: 5779724F34DE6B6279986BFA2DAD91C7.EXE
Default location: %COMMON APPDATA%\{F8D926D0-6F42-B9F7-F8D9-926D06F49B41}\5779724F34DE6B6279986BFA2DAD91C7.EXE
Dropper hash (MD5): 5779724f34de6b6279986bfa2dad91c7

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does…

Win.Worm.Chir-545

Win.Worm.Chir-545 is also known as generic.a and Posible_Worm32.

Malware Analysis of Win.Worm.Chir-545 – BESWEET.EXE

Created files:
  %TEMP%\SETUP\87953\SETUP\ASSEMBLY\SERVICE\QRCODE_DATA\RSC24.DAT
  %TEMP%\SETUP\87953\SETUP\ASSEMBLY\SERVICE\RESTARTDRIVER32.EXE
  %TEMP%\SETUP\87953\SETUP\ASSEMBLY\SERVICE\RINGDEPEND\BESWEET.EXE
  %TEMP%\SETUP\87953\SETUP\ASSEMBLY\SERVICE\RINGDEPEND\FAAC.EXE
  %TEMP%\SETUP\87953\SETUP\ASSEMBLY\SERVICE\RINGDEPEND\WAVSTK.DLL

Detected by UnHackMe: BESWEET.EXE
Default location: %TEMP%\SETUP\87953\SETUP\ASSEMBLY\SERVICE\RINGDEPEND\BESWEET.EXE
Dropper hash (MD5): 470f9ed2abc12e77d39c893435dfb17c

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain any form…

Win.Worm.Runouce-897

Win.Worm.Runouce-897 is also known as Adware.Mutabaha.1889.

Malware Analysis of Win.Worm.Runouce-897 – TSUPGRADE.EXE

Created files:
  %Program Files%\iTools 3\TSLib.dll
  %Program Files%\iTools 3\TSRes.dll
  %Program Files%\iTools 3\TSUpgrade.exe
  %Program Files%\iTools 3\UICore.dll
  %Program Files%\iTools 3\uninst.exe

Autostart registry keys:
  HKLM\Software\Classes\CLSID\{12E6A993-AE52-4F99-8B89-41F985E6C952}\InprocServer32\: "%Program Files Common%\Apple\Mobile Device Support\OutlookChangeNotifierAddIn.dll"
  HKLM\Software\Classes\CLSID\{6812639B-FD61-4329-9901-22CFDBD690FE}\LocalServer32\: ""%Program Files Common%\Apple\Apple Application Support\APSDaemon.exe""
  HKLM\Software\Classes\CLSID\{CE6AF8E5-3A75-4AF5-BD59-C42E7228B4F4}\LocalServer32\: "%Program Files Common%\Apple\Apple Application Support\secd.exe"
  HKLM\Software\Classes\CLSID\{D9E904CA-8865-42E7-B0F0-B7B8C4D54D70}\LocalServer32\: ""%Program Files Common%\Apple\Apple Application Support\APSDaemon.exe""…

Win32.Worm.ServStart.c

Win32.Worm.ServStart.c is also known as Win32:Lapka-C [Rtk], WORM/Rbot.Gen, and a variant of Win32/ServStart.F.

Malware Analysis of Win32.Worm.ServStart.c – VNFVN.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\AE53C677-92B1-482B-9B66-795217779F77
  %SYSDIR%\VNFVN.EXE
  %COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_VNFVN.EXE_154BC419BB4FC3B934131FD2868DE1E5F38373_CAB_0EF2D43E\REPORT.WER
  %COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_VNFVN.EXE_154BC419BB4FC3B934131FD2868DE1E5F38373_CAB_0EF2D43E\WERCB83.TMP.APPCOMPAT.TXT
  %COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_VNFVN.EXE_154BC419BB4FC3B934131FD2868DE1E5F38373_CAB_0EF2D43E\WERCBF2.TMP.WERINTERNALMETADATA.XML

Autostart registry keys:
  HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\VNFVNF WOFWO\IMAGEPATH: "%SYSDIR%\VNFVN.EXE"
  HKLM\System\CurrentControlSet\services\Vnfvnf Wofwo\DisplayName: "Skcskb Tlctlctk Dulduldt Meum"

Detected by UnHackMe: VNFVN.EXE
Default location: %SYSDIR%\VNFVN.EXE
Dropper hash (MD5): 0829ba237ae7fa9390bfd2677b47a22a

UnHackMe removes malware invisible to your…

worm.win32.yuner.a

worm.win32.yuner.a is also known as Worm/W32.AutoRun.524892, Worm.Win32.AutoRun.f, and EmailWorm ( 00024be71 ).

Malware Analysis of worm.win32.yuner.a – HHGRAIXG.EXE

Created files:
  %WINDIR%\MYDOC.RTF
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\4E4230D9-03A4-47EC-A91F-449692EB5D20
  %SYSDIR%\HHGRAIXG.EXE
  %SYSDIR%\KSKUCFFXMLAUMFR.EXE
  %SYSDIR%\KUINXQEIPF.EXE

Detected by UnHackMe: HHGRAIXG.EXE
Default location: %SYSDIR%\HHGRAIXG.EXE
Dropper hash (MD5): 0007106c237e8689cc68b5111db1a174

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does…

worm.win32.dorkbot.i

worm.win32.dorkbot.i is also known as Win.Trojan.KillAV-43, Worm.AutoRun.Win32.5413, and Trojan.Win32.Generic!SB.0.

Malware Analysis of worm.win32.dorkbot.i – HUUAAYII.EXE

Created files:
  %WINDIR%\MYDOC.RTF
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\33F19BA6-C90F-4125-B4D9-14E301E3A9D4
  %SYSDIR%\HUUAAYII.EXE
  %SYSDIR%\KPKXAOFOYWOBZ.EXE
  %SYSDIR%\NWLAKVOJRG.EXE

Detected by UnHackMe: HUUAAYII.EXE
Default location: %SYSDIR%\HUUAAYII.EXE
Dropper hash (MD5): 046e9e8a98460e27abfb541b1c6b381e

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain any…

Worm.ServStart.Win32.1368

Worm.ServStart.Win32.1368 is also known as Trojan.Win32.FakeLpk.aad, Trojan.Win32.Dialer (fs), and Backdoor:Win32/Zegost.AD.

Malware Analysis of Worm.ServStart.Win32.1368 – VNFVN.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\AE53C677-92B1-482B-9B66-795217779F77
  %SYSDIR%\VNFVN.EXE
  %COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_VNFVN.EXE_154BC419BB4FC3B934131FD2868DE1E5F38373_CAB_0EF2D43E\REPORT.WER
  %COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_VNFVN.EXE_154BC419BB4FC3B934131FD2868DE1E5F38373_CAB_0EF2D43E\WERCB83.TMP.APPCOMPAT.TXT
  %COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_VNFVN.EXE_154BC419BB4FC3B934131FD2868DE1E5F38373_CAB_0EF2D43E\WERCBF2.TMP.WERINTERNALMETADATA.XML

Autostart registry keys:
  HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\VNFVNF WOFWO\IMAGEPATH: "%SYSDIR%\VNFVN.EXE"
  HKLM\System\CurrentControlSet\services\Vnfvnf Wofwo\DisplayName: "Skcskb Tlctlctk Dulduldt Meum"

Detected by UnHackMe: VNFVN.EXE
Default location: %SYSDIR%\VNFVN.EXE
Dropper hash (MD5): 0829ba237ae7fa9390bfd2677b47a22a

UnHackMe removes malware invisible to your antivirus! UnHackMe is…

Worm.Dumaru.B

Worm.Dumaru.B is also known as W32/Dumaru-A, Worm.Dumaru.Win32.16, and W32/Dumaru.QCWS-6970.

Malware Analysis of Worm.Dumaru.B – VXDMGR32.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\0DB42630-499B-44B6-B4D4-F0D88225028D
  %SYSDIR%\LOAD32.EXE
  %SYSDIR%\VXDMGR32.EXE
  %WINDIR%\DLLREG.EXE
  %WINDIR%\WINDRV.EXE

Autostart registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32: 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 6C 6F 61 64 33 32 2E 65 78 65 00… (hex bytes; decoded as ASCII: C:\Windows\system32\load32.exe)

Worm.Dumaru.a.(kcloud)

Worm.Dumaru.a.(kcloud) is also known as Worm:Win32/Dumaru.A, Win32.HLLM.Dumaru, and W32/Dumaru.QCWS-6970.

Malware Analysis of Worm.Dumaru.a.(kcloud) – VXDMGR32.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\0DB42630-499B-44B6-B4D4-F0D88225028D
  %SYSDIR%\LOAD32.EXE
  %SYSDIR%\VXDMGR32.EXE
  %WINDIR%\DLLREG.EXE
  %WINDIR%\WINDRV.EXE

Autostart registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32: 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 6C 6F 61 64 33 32 2E 65 78 65 00… (hex bytes; decoded as ASCII: C:\Windows\system32\load32.exe)

Worm.Win32.Dumaru.a

Worm.Win32.Dumaru.a is also known as W32/Dumaru.a@MM, PE:Worm.Mail.Win32.Dumaru.a!1173748754, and Trojan.Win32.Qudamah.Gen.6.

Malware Analysis of Worm.Win32.Dumaru.a – VXDMGR32.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\0DB42630-499B-44B6-B4D4-F0D88225028D
  %SYSDIR%\LOAD32.EXE
  %SYSDIR%\VXDMGR32.EXE
  %WINDIR%\DLLREG.EXE
  %WINDIR%\WINDRV.EXE

Autostart registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32: 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 6C 6F 61 64 33 32 2E 65 78 65 00… (hex bytes; decoded as ASCII: C:\Windows\system32\load32.exe)

I-Worm.Dumaru.Gen

I-Worm.Dumaru.Gen is also known as W32/Dumaru-A, I-Worm.Dumaru.A0, and Win32.Dumaru.A@mm (B).

Malware Analysis of I-Worm.Dumaru.Gen – VXDMGR32.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\0DB42630-499B-44B6-B4D4-F0D88225028D
  %SYSDIR%\LOAD32.EXE
  %SYSDIR%\VXDMGR32.EXE
  %WINDIR%\DLLREG.EXE
  %WINDIR%\WINDRV.EXE

Autostart registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32: 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 6C 6F 61 64 33 32 2E 65 78 65… (hex bytes; decoded as ASCII: C:\Windows\system32\load32.exe)

Worm[Email]/Win32.Dumaru

Worm[Email]/Win32.Dumaru is also known as W32/Dumaru@MM, Worm.Dumaru.B, and I-Worm.Dumaru.A0.

Malware Analysis of Worm[Email]/Win32.Dumaru – VXDMGR32.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\0DB42630-499B-44B6-B4D4-F0D88225028D
  %SYSDIR%\LOAD32.EXE
  %SYSDIR%\VXDMGR32.EXE
  %WINDIR%\DLLREG.EXE
  %WINDIR%\WINDRV.EXE

Autostart registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32: 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 6C 6F 61 64 33 32 2E 65 78 65 00… (hex bytes; decoded as ASCII: C:\Windows\system32\load32.exe)

W32/AutoRun.KIY!worm

W32/AutoRun.KIY!worm is also known as Gen:Variant.Graftor.22170, Backdoor ( 04c4bbee1 ), and Trojan-Downloader.Win32.Agent.cgrr.

Malware Analysis of W32/AutoRun.KIY!worm – 04AE73AA9FDDDC6C53F5BD6F3B67302B.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\4469F26B-764A-4176-9EF5-D47F78F576FD
  %SYSDIR%\04AE73AA9FDDDC6C53F5BD6F3B67302B.EXE

Autostart registry keys:
  HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\REMOTESTORAGE\IMAGEPATH: "%SYSDIR%\04AE73AA9FDDDC6C53F5BD6F3B67302B.EXE"
  HKLM\System\CurrentControlSet\services\RemoteStorage\DisplayName: "Windows Accounts Driver"

Detected by UnHackMe: 04AE73AA9FDDDC6C53F5BD6F3B67302B.EXE
Default location: %SYSDIR%\04AE73AA9FDDDC6C53F5BD6F3B67302B.EXE
Dropper hash (MD5): 04ae73aa9fdddc6c53f5bd6f3b67302b

UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is…

Worm.WhiteIce.Win32.2204

Malware Analysis of Worm.WhiteIce.Win32.2204 – USBNOTIFY.EXE

Created files:
  %Program Files%\USBBoxLite\USBMonitorProtect.sys
  %Program Files%\USBBoxLite\USBMonitorProtect64.sys
  %Program Files%\USBBoxLite\USBNotify.exe
  %Program Files%\USBBoxLite\usbtaskmain.exe
  %Program Files%\USBBoxLite\usbtasktray.exe

Autostart registry keys:
  HKLM\SOFTWARE\CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}\LOCALSERVER32\: ""%APPDATA%\360SE6\APPLICATION\360SE.EXE""
  HKLM\Software\Classes\CLSID\{039219EC-5F9A-460E-8C72-86D5DC7B8683}\Shell\Open\command\: "%SystemRoot%\explorer.exe I:\"
  HKLM\Software\Classes\CLSID\{039219EC-5F9A-460E-8C72-86D5DC7B8683}\InprocServer32\: "%Program Files%\360\360Safe\safemon\360UDiskGuard.dll"
  HKLM\Software\Classes\CLSID\{056A6FBD-8148-443A-AAB2-DB3C46B1F083}\Shell\Open\command\: "%SystemRoot%\explorer.exe M:\"
  HKLM\Software\Classes\CLSID\{056A6FBD-8148-443A-AAB2-DB3C46B1F083}\InprocServer32\: "%Program Files%\360\360Safe\safemon\360UDiskGuard.dll"
  HKLM\Software\Classes\CLSID\{06F2A2CA-E0E2-47D7-A3EC-29FD090E7F86}\Shell\Open\command\: "%SystemRoot%\explorer.exe V:\"
  HKLM\Software\Classes\CLSID\{06F2A2CA-E0E2-47D7-A3EC-29FD090E7F86}\InprocServer32\: "%Program Files%\360\360Safe\safemon\360UDiskGuard.dll"
  HKLM\Software\Classes\CLSID\{10AFB451-4816-48A1-8DDD-0F9595EB9F67}\InProcServer32\: "%Program Files%\360\360Safe\Utils\npaxlogin.dll"
  HKLM\SOFTWARE\CLASSES\CLSID\{12793398-A212-446F-BA1E-1F1B5ABDB89C}\SHELL\OPEN\COMMAND\: "%SYSTEMROOT%\EXPLORER.EXE %SYSTEMDRIVE%\"
  HKLM\Software\Classes\CLSID\{12793398-A212-446F-BA1E-1F1B5ABDB89C}\InprocServer32\: "%Program Files%\360\360Safe\safemon\360UDiskGuard.dll"
  HKLM\Software\Classes\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}\InProcServer32\: "%Program Files%\360\360Safe\Utils\shell360ext.dll"
  HKLM\Software\Classes\CLSID\{2A650B6F-1548-4294-AB07-F17604108156}\Shell\Open\command\: "%SystemRoot%\explorer.exe…

I-Worm/Dumaru.A

I-Worm/Dumaru.A is also known as Worm.Dumaru.Win32.16 and Email-Worm.Win32.Dumaru.a.

Malware Analysis of I-Worm/Dumaru.A – VXDMGR32.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\0DB42630-499B-44B6-B4D4-F0D88225028D
  %SYSDIR%\LOAD32.EXE
  %SYSDIR%\VXDMGR32.EXE
  %WINDIR%\DLLREG.EXE
  %WINDIR%\WINDRV.EXE

Autostart registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32: 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 6C 6F 61 64 33 32 2E 65 78 65 00 00… (hex bytes; decoded as ASCII: C:\Windows\system32\load32.exe)

W32/Dumaru.gen.worm

W32/Dumaru.gen.worm is also known as Backdoor.Win32.Dumador, Worm.Dumaru.Win32.16, and W32/Dumaru.QCWS-6970.

Malware Analysis of W32/Dumaru.gen.worm – VXDMGR32.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\0DB42630-499B-44B6-B4D4-F0D88225028D
  %SYSDIR%\LOAD32.EXE
  %SYSDIR%\VXDMGR32.EXE
  %WINDIR%\DLLREG.EXE
  %WINDIR%\WINDRV.EXE

Autostart registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32: 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 6C 6F 61 64 33 32 2E 65 78 65 00… (hex bytes; decoded as ASCII: C:\Windows\system32\load32.exe)

Worm/Win32.Runouce.N1211449836

Malware Analysis of Worm/Win32.Runouce.N1211449836 – SOFTMGR64.EXE

Created files:
  %Program Files%\360\360Safe\SoftMgr\SoftMgr.db
  %Program Files%\360\360Safe\SoftMgr\SoftMgr.exe
  %Program Files%\360\360Safe\SoftMgr\SoftMgr64.exe
  %Program Files%\360\360Safe\SoftMgr\SoftMgrExt.dll
  %Program Files%\360\360Safe\SoftMgr\SoftMgrExt64.dll

Autostart registry keys:
  HKLM\SOFTWARE\CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}\LOCALSERVER32\: ""%APPDATA%\360SE6\APPLICATION\360SE.EXE""
  HKLM\Software\Classes\CLSID\{039219EC-5F9A-460E-8C72-86D5DC7B8683}\Shell\Open\command\: "%SystemRoot%\explorer.exe I:\"
  HKLM\Software\Classes\CLSID\{039219EC-5F9A-460E-8C72-86D5DC7B8683}\InprocServer32\: "%Program Files%\360\360Safe\safemon\360UDiskGuard.dll"
  HKLM\Software\Classes\CLSID\{056A6FBD-8148-443A-AAB2-DB3C46B1F083}\Shell\Open\command\: "%SystemRoot%\explorer.exe M:\"
  HKLM\Software\Classes\CLSID\{056A6FBD-8148-443A-AAB2-DB3C46B1F083}\InprocServer32\: "%Program Files%\360\360Safe\safemon\360UDiskGuard.dll"
  HKLM\Software\Classes\CLSID\{06F2A2CA-E0E2-47D7-A3EC-29FD090E7F86}\Shell\Open\command\: "%SystemRoot%\explorer.exe V:\"
  HKLM\Software\Classes\CLSID\{06F2A2CA-E0E2-47D7-A3EC-29FD090E7F86}\InprocServer32\: "%Program Files%\360\360Safe\safemon\360UDiskGuard.dll"
  HKLM\Software\Classes\CLSID\{10AFB451-4816-48A1-8DDD-0F9595EB9F67}\InProcServer32\: "%Program Files%\360\360Safe\Utils\npaxlogin.dll"
  HKLM\SOFTWARE\CLASSES\CLSID\{12793398-A212-446F-BA1E-1F1B5ABDB89C}\SHELL\OPEN\COMMAND\: "%SYSTEMROOT%\EXPLORER.EXE %SYSTEMDRIVE%\"
  HKLM\Software\Classes\CLSID\{12793398-A212-446F-BA1E-1F1B5ABDB89C}\InprocServer32\: "%Program Files%\360\360Safe\safemon\360UDiskGuard.dll"
  HKLM\Software\Classes\CLSID\{26CD0715-0722-479B-A8C7-29A911171774}\InProcServer32\: "%Program Files%\360\360Safe\Utils\shell360ext.dll"
  HKLM\Software\Classes\CLSID\{2A650B6F-1548-4294-AB07-F17604108156}\Shell\Open\command\: "%SystemRoot%\explorer.exe…

I-Worm/Dumaru.a

I-Worm/Dumaru.a is also known as Worm:Win32/Dumaru.A, WORM_DUMARU.GEN, and Worm.Win32.Dumaru.a.

Malware Analysis of I-Worm/Dumaru.a – VXDMGR32.EXE

Created files:
  %APPDATA%\MICROSOFT\PROTECT\S-1-5-21-2250177403-3231077850-1239169437-1002\0DB42630-499B-44B6-B4D4-F0D88225028D
  %SYSDIR%\LOAD32.EXE
  %SYSDIR%\VXDMGR32.EXE
  %WINDIR%\DLLREG.EXE
  %WINDIR%\WINDRV.EXE

Autostart registry keys:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load32: 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 6C 6F 61 64 33 32 2E 65 78 65 00… (hex bytes; decoded as ASCII: C:\Windows\system32\load32.exe)
