ThreatExpert Report: Adware.ActiveSearch!rem, Adware.ActiveSearch, Generic.dx, Trojan-Spy.72950

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 26 May 2011, 18:57:37
Processing time: 8 min 30 sec
Submitted sample:

File MD5: 0x202B20423F2CEB42A93C7754E805EE12
File SHA-1: 0xE8DB9B4BB1313CF1C485FE88997F8DB7D71AE219
Filesize: 72,950 bytes
Alias:

Adware.ActiveSearch!rem [PCTools]
Adware.ActiveSearch [Symantec]
Generic.dx [McAfee]
Trojan-Spy.72950 [Ikarus]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\RoboForm\license.rfo	96 bytes	MD5: 0x4914132A6F940F6E5C84A5717CFF65DD SHA-1: 0xADF06616B69A3AD6B15C42885FDB270071142B49	(not available)
2	%Temp%\nsv2.tmp\Internet.dll	4,608 bytes	MD5: 0x78D026611A970FE14E983A6B9490EA34 SHA-1: 0xCBF63F3AADE515F3FC3FBBCC4E12913F1A472D49	(not available)
3	%Temp%\nsv2.tmp\NSISdl.dll	12,800 bytes	MD5: 0x86C37C7C57469930F12B5199E1C335EF SHA-1: 0x7586CE0D91168D1BDCFC4BE39A121EDF0F65DB24	(not available)
4	%Temp%\RFSD84A.tmp\affid.txt	80 bytes	MD5: 0x8FB5783F253424594EB573CBF20E19F5 SHA-1: 0xCD79CC4DF30E0AF55DF1A6BD53FF0550A299267A	(not available)
5	%Temp%\RFSD84A.tmp\ar-Arabic.rfi	128,910 bytes	MD5: 0xEAB0CFD7F57CAC647291367631392459 SHA-1: 0x793AB6B1F083D50558F51BCF4C6868E76E0B94B0	(not available)
6	%Temp%\RFSD84A.tmp\br-Brasilian.rfi	93,150 bytes	MD5: 0x8D7216878FB502C925B91152BD316FED SHA-1: 0x8F4055906AF0949978F3B29F898E5E5E1C485D60	(not available)
7	%Temp%\RFSD84A.tmp\cacert.pem	206,185 bytes	MD5: 0x31843FE08C74188B1C539F56530D3D9F SHA-1: 0x7D0DF8F38B60AA65F6BFEB9B4F80632562DDB6BF	(not available)
8	%Temp%\RFSD84A.tmp\Chrome\background.html	287 bytes	MD5: 0xE63D62F04B0F940C9A32D638DCBEA05B SHA-1: 0xC0C32DC294634288DD9635648CAFC1F4B090313A	(not available)
9	%Temp%\RFSD84A.tmp\Chrome\background.js	10,750 bytes	MD5: 0x5671096D2916BC85A6FB04B52FC231EF SHA-1: 0x75A6A86F1C22A8A1352897F862E045C1A5AAFD3B	(not available)
10	%Temp%\RFSD84A.tmp\Chrome\common.js	732 bytes	MD5: 0x8FFDE1822D8AAE7826823C15E2CA2812 SHA-1: 0xB3F2208E524F4BF34DA9644EDF8BAA59865B1D19	(not available)
11	%Temp%\RFSD84A.tmp\Chrome\content.js	5,536 bytes	MD5: 0x2245A0A3CE3DDBDF648F947234972C3F SHA-1: 0x5FAA1D79DF51FA2CE972A884043DBE36891713E8	(not available)
12	%Temp%\RFSD84A.tmp\Chrome\filler.js	158,991 bytes	MD5: 0x1BAE7AF99164307F7B7099E14965DBAC SHA-1: 0xB0F54F904FBB0D482EE66417B32698E5C2A4F326	(not available)
13	%Temp%\RFSD84A.tmp\Chrome\manifest.json	757 bytes	MD5: 0x8126EEB84CBAEC28F35F82ED05776D2D SHA-1: 0xCFD66054693BE2BF581EBFFD05925F3410FD80E7	(not available)
14	%Temp%\RFSD84A.tmp\Chrome\plugin\nprobo1.dll	1,937,408 bytes	MD5: 0x95EE93FC1F8EEE869AF8FD0E218857DC SHA-1: 0x71F9F4C5929B8525FBE501D4C1CEA55453262619	(not available)
15	%Temp%\RFSD84A.tmp\Chrome\plugin\rf-chrome-plugin.dll	1,601,536 bytes	MD5: 0xDF301D43E2DA6739538B0E8DC2CA28FE SHA-1: 0xBCF888CBA1AB488C8FA4D2892A7F6F1A898239E0	(not available)
16	%Temp%\RFSD84A.tmp\Chrome\rf_f1.js	622,770 bytes	MD5: 0xCBF18AAC17F7928A964F702781365EC8 SHA-1: 0xB460AFC4C82611F8168AE1B3A0FC282108F4647B	(not available)
17	%Temp%\RFSD84A.tmp\Chrome\robo128.png	10,319 bytes	MD5: 0xA508BC0D26DD809995BEB24F949FCD2E SHA-1: 0x3B3E427AAD654232E784A1FCD17C760218B5A119	(not available)
18	%Temp%\RFSD84A.tmp\Chrome\robo16.png	462 bytes	MD5: 0x369817408449404202E44AF66C0D5B89 SHA-1: 0x031B223BE94FCFB5291910B816FFBEC33EA066E9	(not available)
19	%Temp%\RFSD84A.tmp\Chrome\robo32.png	1,389 bytes	MD5: 0x7CDEFD9313FF963916F3708C38EFBA08 SHA-1: 0xA667A74763BA58BE0A88E090B0AEB6BF1649F82F	(not available)
20	%Temp%\RFSD84A.tmp\Chrome\robo48.png %Temp%\RFSD84A.tmp\Opera\robo48.png	2,905 bytes	MD5: 0x7663A0F7E8BF40428F66E634B5ADE904 SHA-1: 0x777E0B610E8E113A8D4702570B3F16E4DEF2D561	(not available)
21	%Temp%\RFSD84A.tmp\cn-Chinese.rfi	118,668 bytes	MD5: 0xBB270A40B3EF4AD7D0B4AF274559C46E SHA-1: 0x01EFA48DCFFE95BCEAAB0BB3DFACBE61C2AE6DD5	(not available)
22	%Temp%\RFSD84A.tmp\cz-Czech.rfi	71,185 bytes	MD5: 0x80C6B2D744DCF0940BEC1C22057A503A SHA-1: 0x4A37F176B568ADC674BBC5D0F74DD5B789A52AE0	(not available)
23	%Temp%\RFSD84A.tmp\dbghelp.dll	1,080,656 bytes	MD5: 0x583542311DC750A1EEACD89089C37FA9 SHA-1: 0xC111C4B8F844C138AD5CA27D748C51E6C3DB6C3E	(not available)
24	%Temp%\RFSD84A.tmp\de-German.rfi	102,034 bytes	MD5: 0xF5DBB0632BFB0BFEEBCD9F2F799826CA SHA-1: 0x9755AF81DAE45F11E331D8DA41AAAE3FA8EC6F10	(not available)
25	%Temp%\RFSD84A.tmp\dk-Danish.rfi	125,646 bytes	MD5: 0x7BA96D5F9AD2B1DD63502354DB43A168 SHA-1: 0xB5DDFDB78C3EFBBEF83669F591C437C08DA9704A	(not available)
26	%Temp%\RFSD84A.tmp\dndhandle.gif	90 bytes	MD5: 0x22E3D14E5F05D024637C8D684071442F SHA-1: 0xEDAE0E99DC35E57B821650C509BEA32A5B87192B	(not available)
27	%Temp%\RFSD84A.tmp\en-english.rfi	23 bytes	MD5: 0x914CE8F20234DC4CC0146CF89B80FECB SHA-1: 0x264AC7355DEF8E4C479B38C83B4E94DBF68D333C	(not available)
28	%Temp%\RFSD84A.tmp\es-Spanish.rfi	141,209 bytes	MD5: 0x6A50856010109376D6087B45A930B783 SHA-1: 0x47B0FEC3381455AC544D57804E58A9A00FFED67B	(not available)
29	%Temp%\RFSD84A.tmp\fa-Persian.rfi	190,266 bytes	MD5: 0x338B31661CC706CC8518F0E00BDC45DA SHA-1: 0x76C360302545ECEB4E573370A39C14A9CE00BBBF	(not available)
30	%Temp%\RFSD84A.tmp\fi-Finnish.rfi	51,561 bytes	MD5: 0x7AD175071ED09EA5E6855AD5932AC090 SHA-1: 0xD8E4BAD84A11522B970DFE0E5DDC559146495914	(not available)
31	%Temp%\RFSD84A.tmp\Firefox\chrome\roboform.jar	24,126 bytes	MD5: 0x78A9929AFC74C340E69574C9CFA7047D SHA-1: 0x348548DAE66D0E4C6DA2809AD14297525E980419	(not available)
32	%Temp%\RFSD84A.tmp\Firefox\chrome.manifest	753 bytes	MD5: 0x033E15D59915CBC517EB5EA6B7FDD1E9 SHA-1: 0x634C56A21C8E0A3EE831574204A7601ADA19B4AB	(not available)
33	%Temp%\RFSD84A.tmp\Firefox\components\rfhelper.js	25,386 bytes	MD5: 0xDC87CB574EA2C4AD1D159E1D328DAC3C SHA-1: 0xD0C552E8613B5B04CB740EF46DB8B25C0A400CA7	(not available)
34	%Temp%\RFSD84A.tmp\Firefox\components\rfhelper32.js	25,950 bytes	MD5: 0xDA753FBC9A3C18DC396B0B460671A5AA SHA-1: 0x626448A0F8F9D2B25EDA466D8569934FDBD9A984	(not available)
35	%Temp%\RFSD84A.tmp\Firefox\components\rfproxy_31.dll	2,122,224 bytes	MD5: 0xEA525FB66D90590741BEC136596ED4EB SHA-1: 0xB39991C7863415D4BBD436ED705B1D1CE1523266	(not available)
36	%Temp%\RFSD84A.tmp\Firefox\components\rfproxy_31.xpt %Temp%\RFSD84A.tmp\Firefox\components\rfproxy_32.xpt	1,247 bytes	MD5: 0x7CDC2F8F2E0F5657154F5EA05EAE7E0F SHA-1: 0x44F5BBFBDF9F68EDE2F9CCB5F5B32F5E40C8E4C0	(not available)
37	%Temp%\RFSD84A.tmp\Firefox\components\rfproxy_32.dll	2,122,224 bytes	MD5: 0x91062988F6C81055ACB9D6B060611185 SHA-1: 0xE534E48C15C6884E87A5B4C34C3EBF5E1664C9F7	(not available)
38	%Temp%\RFSD84A.tmp\Firefox\install.rdf	1,302 bytes	MD5: 0x617AF23420457A18AB52B102CA3B267E SHA-1: 0x36D45429CE17D1C62CD88948BE82E10A3792C3E4	(not available)
39	%Temp%\RFSD84A.tmp\Firefox\rfhelper32.manifest	185 bytes	MD5: 0x48EA4C6B46516632CA8010D9036E8E7B SHA-1: 0x8E64ADD50CCAC558E5C1ECD5281FE7438D1108FA	(not available)
40	%Temp%\RFSD84A.tmp\fr-French.rfi	148,976 bytes	MD5: 0x63365D9F17E36BB2D7F1628A1EBD253F SHA-1: 0x73A996D28A81BC89FC556DC1F8DF0903CFE8F49B	(not available)
41	%Temp%\RFSD84A.tmp\he-Hebrew.rfi	90,836 bytes	MD5: 0xC88DCEDA730EDB03FD73BFB869928F7E SHA-1: 0x12E2342E3CAC8756B9D512EFC109004F78B4540F	(not available)
42	%Temp%\RFSD84A.tmp\hr-Croatian.rfi	86,658 bytes	MD5: 0xD2305E27835DE7F4A3C0DBB60FCF0908 SHA-1: 0x48E1FAE18573CD5D20522967450C12D3868CF549	(not available)
43	%Temp%\RFSD84A.tmp\hu-Hungarian.rfi	29,404 bytes	MD5: 0xE14710DDD6999803281196D0E05CA489 SHA-1: 0xD78161B60FE803D681814749532C15313069A316	(not available)
44	%Temp%\RFSD84A.tmp\identities.exe	242,168 bytes	MD5: 0xDAF2346C564A238499A19A22ABFEDB9C SHA-1: 0x3D32F82701DE080357A7412A6D89274B0353BE4F	(not available)
45	%Temp%\RFSD84A.tmp\install.bmp	6,356 bytes	MD5: 0x503A6751593AE3FE5C01BE5F3D631CBA SHA-1: 0xC27026E6C1EB3995E5D0C4E1947AEDB9A68364EE	(not available)
46	%Temp%\RFSD84A.tmp\it-Italian.rfi	131,397 bytes	MD5: 0x8496529C125B452392C76E3CDAEE4647 SHA-1: 0xC40C6EF6F5602B0ADF61C3090AA954D947FC987F	(not available)
47	%Temp%\RFSD84A.tmp\jp-Japanese.rfi	177,704 bytes	MD5: 0x18FB66BE05AB35E561A542594ECAE8B1 SHA-1: 0x3D6DA759F7B080A7B0C19905049DC0500043EADC	(not available)
48	%Temp%\RFSD84A.tmp\kr-Korean.rfi	147,343 bytes	MD5: 0xD818641DC2C5D563A0BB4B863F0BA5BC SHA-1: 0x616B2B9A3632ACD2B0A3A52B48EC4B129B8BC50D	(not available)
49	%Temp%\RFSD84A.tmp\license-ar.txt	32,587 bytes	MD5: 0x99665A610D75AD1D70D425A1D05244D3 SHA-1: 0x18BCE825638EE132F569EA4EFA7C50F5F7BEC1C7	(not available)
50	%Temp%\RFSD84A.tmp\license-br.txt	7,472 bytes	MD5: 0x61EE26516E7F28228F8AC94FD51FD130 SHA-1: 0x333C0656D380FBFAD3EA9E8869B6F46AD4B738AB	(not available)
51	%Temp%\RFSD84A.tmp\license-cn.txt	5,101 bytes	MD5: 0x5C20F0962F9F57B26D34C0546BCB604B SHA-1: 0xD633D0CB49E59B0507C5AF402CBFF68B79AE70F4	(not available)
52	%Temp%\RFSD84A.tmp\license-cz.txt	14,157 bytes	MD5: 0xC6A3B980DB53C7FD1D8EC5F366FFD452 SHA-1: 0x2F235E4C4AFD7879B4E25888576F171415AACB00	(not available)
53	%Temp%\RFSD84A.tmp\license-de.txt	15,211 bytes	MD5: 0xB018F2E3EE795A4746D4D33570FD436D SHA-1: 0xF621B604A079F0C84191531211E8E2EB9FA7A5E5	(not available)
54	%Temp%\RFSD84A.tmp\license-dk.txt	13,542 bytes	MD5: 0x2D3EB1C609EE1EB377AD273F2489156A SHA-1: 0x6663D912C3FAB606F915C9AE4002D5219C798E45	(not available)
55	%Temp%\RFSD84A.tmp\license-en.txt	23,662 bytes	MD5: 0xE7A8BD1FF23DE301A32CCD138BFAA4B5 SHA-1: 0x976504CD389259D3C0CC6CC5453D32BE7886F0EB	(not available)
56	%Temp%\RFSD84A.tmp\license-es.txt	18,187 bytes	MD5: 0xC3433D24D9F35875E0B4A78DFED8D845 SHA-1: 0x448B3EB484AC80939D299226102343C675CA5334	(not available)
57	%Temp%\RFSD84A.tmp\license-fi.txt	6,600 bytes	MD5: 0x81067AD474049E79A72FF2197E7509CC SHA-1: 0x0A58D6E7CC4EFCA38A6CDD49F8325BD2398D3ACC	(not available)
58	%Temp%\RFSD84A.tmp\license-fr.txt	16,083 bytes	MD5: 0x5D41D66CD323ADDA66363B0693A6BBF3 SHA-1: 0x1466B80D62AAE50F2717EF0358C8219BD912A4AD	(not available)
59	%Temp%\RFSD84A.tmp\license-he.txt	6,104 bytes	MD5: 0x427FC4CABB57286A48FE34A13B3B5C14 SHA-1: 0x324A7DADEC9FC72E1BBE29B4A2D6670A682E8798	(not available)
60	%Temp%\RFSD84A.tmp\license-hr.txt	13,263 bytes	MD5: 0x05B8E4D1D565F32A52C6DE52FCD2569A SHA-1: 0x6594C9198AECB5A96D8494F17B8369985C88ED4C	(not available)
61	%Temp%\RFSD84A.tmp\license-it.txt	6,767 bytes	MD5: 0xAD4226515DBA5801F39A86EF15032D92 SHA-1: 0xB6A14A993607326C18D5F07381FE942E06DA7B40	(not available)
62	%Temp%\RFSD84A.tmp\license-jp.txt	20,049 bytes	MD5: 0x3AFDDC2F941EA7A9225504CA364988BE SHA-1: 0x2E3D53FB6A1ABFC160CBA86C1975092E1850348D	(not available)
63	%Temp%\RFSD84A.tmp\license-kr.txt	6,917 bytes	MD5: 0xE8879A7F515A4061B76816E15BDDFB01 SHA-1: 0x037DEC3DDAE1D21E1619BA8477E306460C70327E	(not available)
64	%Temp%\RFSD84A.tmp\license-lt.txt	17,440 bytes	MD5: 0x600440606AC4E24BD23F0F3650D1C29F SHA-1: 0x13DFBB8028E1B3BB5AC917D039185939CB0B584D	(not available)
65	%Temp%\RFSD84A.tmp\license-nl.txt	7,253 bytes	MD5: 0xD21222CA25A251602C579C14C943E725 SHA-1: 0x10DA2E7E9407AFAC35E6EE2A14AC219047DB5B72	(not available)
66	%Temp%\RFSD84A.tmp\license-pl.txt	18,375 bytes	MD5: 0x83E78597C6528488250D014EB96D6C23 SHA-1: 0x3EF1252F1D0111E36447EEBBBF3A65E6810B6F46	(not available)
67	%Temp%\RFSD84A.tmp\license-ru.txt	9,340 bytes	MD5: 0xE57B32BC1E799DD70DF98B5329C510D5 SHA-1: 0x82B9F26640477DF35D60AF38DF96A42E2953EDEC	(not available)
68	%Temp%\RFSD84A.tmp\license-sb.txt	8,890 bytes	MD5: 0xB5763961CE698E81B9FBF05BC288AE18 SHA-1: 0xD96D3C6FACDB354A346925CBB4458FA8208B41EB	(not available)
69	%Temp%\RFSD84A.tmp\license-sc.txt	15,677 bytes	MD5: 0x5AC4195A81574F6BFC66EF245E1F58A6 SHA-1: 0x9FF93931B5E5C381160CB21D75B6B9CACFE294C5	(not available)
70	%Temp%\RFSD84A.tmp\license-se.txt	17,243 bytes	MD5: 0xC6986BE9A352FE61CB55DD923B4102CE SHA-1: 0x8C4B9739DDF4EAA7D6F7BB10775E67023281CD14	(not available)
71	%Temp%\RFSD84A.tmp\license-tr.txt	19,506 bytes	MD5: 0x7A0C952DC9F4B73F5F8A521EE766A454 SHA-1: 0xC7AE0D00AF562EBDEB489958A80F359B17D85C45	(not available)
72	%Temp%\RFSD84A.tmp\license-ua.txt	8,190 bytes	MD5: 0x0C1E2A45C244C5C897E68423FC7DE5FB SHA-1: 0xBE255F66341ED255776C6D4E01466415138B9345	(not available)
73	%Temp%\RFSD84A.tmp\license-zh.txt	5,101 bytes	MD5: 0xE082AD2E5D7C5A9F9F8742253B24FA99 SHA-1: 0x696F2DC3009E2C84CD6FF5ED743871BA5B1F849B	(not available)
74	%Temp%\RFSD84A.tmp\lt-Lithuanian.rfi	104,195 bytes	MD5: 0x14F2EA94735344523AA542E03B6AF05E SHA-1: 0x8CF75159A152FE556CCF4822C92BA93C999EF659	(not available)
75	%Temp%\RFSD84A.tmp\nl-Dutch.rfi	131,930 bytes	MD5: 0xD0973DA2CCDF55995127A8D625E39196 SHA-1: 0x147487208366DAD803D5CBF3D3462E5F7621DFCB	(not available)
76	%Temp%\RFSD84A.tmp\no-Norwegian.rfi	87,290 bytes	MD5: 0xC6AADA0F66419634D65B6AAEDC89FE6B SHA-1: 0xD103D36AF2D8D56C1B427FEA092445BE7B506FCC	(not available)
77	%Temp%\RFSD84A.tmp\Opera\config.xml	317 bytes	MD5: 0x12DB7C04C98EBAC606B33DAD022E5332 SHA-1: 0x69C710FFEEC38056913EE87687E1F5EF6AC1C809	(not available)
78	%Temp%\RFSD84A.tmp\Opera\includes\roboform.js	2,702 bytes	MD5: 0x12E711F4D228AC0F91220F702F5873A4 SHA-1: 0xC41A2939A3D36E9C246331FE440FA5CC0A5FAA69	(not available)
79	%Temp%\RFSD84A.tmp\Opera\index.html	1,456 bytes	MD5: 0xCA68DD07C12C98BFD0BE47439EFCE4F8 SHA-1: 0x13CE1A906E62CB14F3CCA4A4CACE1D31FD8522A8	(not available)
80	%Temp%\RFSD84A.tmp\Opera\robo18.png	795 bytes	MD5: 0x9D7EA0FBD68EAA062B0FA05849F0A893 SHA-1: 0x58AF8B820D6BE8B73B954E9F25734B7F8A56866D	(not available)
81	%Temp%\RFSD84A.tmp\passwordgenerator.exe	49,152 bytes	MD5: 0x089F1F63B619196589CD16E803D9E916 SHA-1: 0xD1BCE439278C85DE8F5E9D24B0FDB18F76270C19	(not available)
82	%Temp%\RFSD84A.tmp\pl-Polish.rfi	88,456 bytes	MD5: 0xC1EF67C6FCD26212AC481180585A76C2 SHA-1: 0x0883772818BF33F1251816560D078591AD1A599A	(not available)
83	%Temp%\RFSD84A.tmp\rfmozhlp.dll	11,776 bytes	MD5: 0x657B8789D8C866C60440ADDCA3C4ADC8 SHA-1: 0x1E2A312047FD51F5DD69AF8F3D91723975294288	(not available)
84	%Temp%\RFSD84A.tmp\rfwipeout.exe	3,224,056 bytes	MD5: 0x37B2E6AC2E80AD85A9A959A3F333E061 SHA-1: 0xF0F47A1AB4FA579DB72FDD33E40D1BFAAA7AAA71	(not available)
85	%Temp%\RFSD84A.tmp\roboform.dll	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
86	%Temp%\RFSD84A.tmp\robotaskbaricon.exe	107,000 bytes	MD5: 0xE262E210F1EE5B1616DE4FE618A5C54D SHA-1: 0x52211EA40E2EBA171FA7968172E4A983561FDDB7	(not available)
87	%Temp%\RFSD84A.tmp\ru-Russian.rfi	220,261 bytes	MD5: 0x4731BC50EF3A89F8C34E411458041801 SHA-1: 0x2F41234CB5D08C40D5613B0E4F869A71BCD7D86B	(not available)
88	%Temp%\RFSD84A.tmp\sb-Serbian.rfi	120,357 bytes	MD5: 0x2F8FEFA9F9ADFC58728CFD3688FF2476 SHA-1: 0x59C11C040F4347B1B627D441D4A0805FEA8C98D0	(not available)
89	%Temp%\RFSD84A.tmp\sc-Serbian.rfi	186,824 bytes	MD5: 0xC47FB664B8114BD23DC6D06416E20D5B SHA-1: 0x1045EBAE08AF81336EBEBA820FD5B3B6B2843675	(not available)
90	%Temp%\RFSD84A.tmp\se-Swedish.rfi	92,626 bytes	MD5: 0xE4B593E5D381C5BAB5C3D0E076C1B0E4 SHA-1: 0x23E7392DD5CA5AC77C7C487FA6A53F3549C5D4B6	(not available)
91	%Temp%\RFSD84A.tmp\sk-Slovak.rfi	104,987 bytes	MD5: 0x559870947300371915202E250EC6F589 SHA-1: 0xCE49192EB5BA0E62403A96C1047CF8A329E9527F	(not available)
92	%Temp%\RFSD84A.tmp\tr-Turkish.rfi	141,859 bytes	MD5: 0x552C4A5D032B551459B2019C0E0E0D36 SHA-1: 0xF1C19918630872D50379E5ED66D6D257653F728E	(not available)
93	%Temp%\RFSD84A.tmp\ua-Ukrainian.rfi	46,267 bytes	MD5: 0xF2BF5ABF868C283D289DB54CD62E7ABC SHA-1: 0xE346D11E7133672ABCE161312A4FB6D1834FA1DF	(not available)
94	%Temp%\RFSD84A.tmp\zh-Chinese.rfi	121,178 bytes	MD5: 0x4A3E26DD1C77A14739208E5BA1461D14 SHA-1: 0xBB6BE1F4A456E7C6C38BD1E1188185151255B78C	(not available)
95	%Temp%\_rf.log	7,578 bytes	MD5: 0x7B512EE5347B91A790329DADE0DD675E SHA-1: 0xE110C2E61554AF0E6FE4A7FF033E2C391A592CAF	(not available)
96	%System%\mi2.exe	7,715,672 bytes	MD5: 0x6E4AE0A0D0245373ECCA89C3A74646B1 SHA-1: 0xA51D568BDE1D0C5F30E37360DB81B8B22BC76D53	(not available)
97	[file and pathname of the sample #1]	72,950 bytes	MD5: 0x202B20423F2CEB42A93C7754E805EE12 SHA-1: 0xE8DB9B4BB1313CF1C485FE88997F8DB7D71AE219	Adware.ActiveSearch!rem [PCTools] Adware.ActiveSearch [Symantec] Generic.dx [McAfee] Trojan-Spy.72950 [Ikarus]

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%CommonAppData%\RoboForm
%Temp%\nsv2.tmp
%Temp%\RFSD84A.tmp
%Temp%\RFSD84A.tmp\Chrome
%Temp%\RFSD84A.tmp\Chrome\plugin
%Temp%\RFSD84A.tmp\Firefox
%Temp%\RFSD84A.tmp\Firefox\chrome
%Temp%\RFSD84A.tmp\Firefox\components
%Temp%\RFSD84A.tmp\Opera
%Temp%\RFSD84A.tmp\Opera\includes
%ProgramFiles%\Siber Systems
%ProgramFiles%\Siber Systems\AI RoboForm

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	204,800 bytes
mi2.exe	%System%\mi2.exe	495,616 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{724d43a1-0d85-11d4-9908-00400523e39a}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{724d43a1-0d85-11d4-9908-00400523e39a}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Test.Class.1
HKEY_LOCAL_MACHINE\SOFTWARE\Siber Systems
HKEY_LOCAL_MACHINE\SOFTWARE\Siber Systems\RoboForm
HKEY_CURRENT_USER\Software\Classes\CLSID\{724d43a1-0d85-11d4-9908-00400523e39a}
HKEY_CURRENT_USER\Software\Classes\CLSID\{724d43a1-0d85-11d4-9908-00400523e39a}\Implemented Categories
HKEY_CURRENT_USER\Software\Siber Systems
HKEY_CURRENT_USER\Software\Siber Systems\RoboForm

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{724d43a1-0d85-11d4-9908-00400523e39a}\Implemented Categories]

uid = "6888f9dd-4e4b-45b8-890a-cebebe0dca5a"

[HKEY_LOCAL_MACHINE\SOFTWARE\Siber Systems\RoboForm]

Common AppData Path = "%AllUsersProfile%\Application Data"
RefID = "[s-f]"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{724d43a1-0d85-11d4-9908-00400523e39a}\Implemented Categories]

uid = "6888f9dd-4e4b-45b8-890a-cebebe0dca5a"

[HKEY_CURRENT_USER\Software\Siber Systems\RoboForm]

Common AppData Path = "%AllUsersProfile%\Application Data"
RefID = "[s-f]"

[HKEY_CURRENT_USER\Software\Siber Systems]

_InstallerDir = "%Windir%\system32"
_InstallerType = 0x00000000
_CancelInstall = 0x00000001

Other details

The following port was open in the system:

Port	Protocol	Process
1052	TCP	[file and pathname of the sample #1]

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
67.208.88.196	80

The data identified by the following URL was then requested from the remote web server:

http://www.roboform.com/dist/AiRoboForm.exe

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.