Submission Summary:

What's been found | Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

 

Technical Details:


 

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %CommonDesktopDir%\AntiAID.lnk 831 bytes MD5: 0x0138F95447F13DB8DAE5F3A97369CD36
SHA-1: 0x3D0F793B5E4B719BFD0FB81C3D5A9C3D83FFB62A
(not available)
2 %CommonPrograms%\AntiAID\1 AntiAID.lnk 1,739 bytes MD5: 0x39E8E1897A1B6ED0F67B7E06FA7CD623
SHA-1: 0x57B94A855DC66FBD097EAD34C682F585D1B9404F
(not available)
3 %CommonPrograms%\AntiAID\2 Homepage.lnk 1,140 bytes MD5: 0x7F92367C83A6A9DC6A6C9CEE7602AFAC
SHA-1: 0xBFE4FEB40612BF7544B940565BF6CFC4C3BF0222
(not available)
4 %CommonPrograms%\AntiAID\3 Uninstall.lnk 1,755 bytes MD5: 0x562BB4693F4B3EFD0BF173CBAEFCC40D
SHA-1: 0x517AB7145A4328332C554C96C0B40E36347BB4A8
(not available)
5 %Temp%\2gbk87zj.exe 1,734,162 bytes MD5: 0x2F071E5768BDE2F6E71A153C3BCD25A6
SHA-1: 0x82A3B11BD9FA5005119CE2C15D24630DBB8CB03C
(not available)
6 %Temp%\8enyqcv1.exe
%System%\8enyqcv1.exe
373,760 bytes MD5: 0xA638D3C3DA2EE9D28D68C9E16378DBF3
SHA-1: 0xAB80C835B501CA4573A811B5DE6240408D6D553A
Application.Maybe_RogueAV [PCTools]
7 %Temp%\nsj3.tmp\time.dll 10,752 bytes MD5: 0x38977533750FE69979B2C2AC801F96E6
SHA-1: 0x74643C30CDA909E649722ED0C7F267903558E92A
(not available)
8 %Temp%\nsn6.tmp\InstallOptions.dll 14,848 bytes MD5: 0x0DC0CC7A6D9DB685BF05A7E5F3EA4781
SHA-1: 0x5D8B6268EEEC9D8D904BC9D988A4B588B392213F
(not available)
9 %Temp%\nsn6.tmp\ioSpecial.ini 737 bytes MD5: 0xBF07290124172839FFC30FE5BBD0F6C7
SHA-1: 0x39264B61D513EE248A22E3EF17CD91926B5E23A6
(not available)
10 %Temp%\nsn6.tmp\LangDLL.dll 5,632 bytes MD5: 0xA401E590877EF6C928D2A97C66157094
SHA-1: 0x75E24799CF67E789FADCC8B7FDDEFC72FDC4CD61
(not available)
11 %Temp%\nsn6.tmp\modern-wizard.bmp 26,494 bytes MD5: 0xCBE40FD2B1EC96DAEDC65DA172D90022
SHA-1: 0x366C216220AA4329DFF6C485FD0E9B0F4F0A7944
(not available)
12 %Temp%\nss8.tmp\nsProcess.dll 4,096 bytes MD5: 0x05450FACE243B3A7472407B999B03A72
SHA-1: 0xFFD88AF2E338AE606C444390F7EAAF5F4AEF2CD9
(not available)
13 %ProgramFiles%\AntiAID Software\AntiAID\AntiAID.exe 1,634,304 bytes MD5: 0x0990674084246B455F3B213B5AE0E7C2
SHA-1: 0xA3ABDA8453D0169FA7FB044C3EA9A8642144F5C0
(not available)
14 %ProgramFiles%\AntiAID Software\AntiAID\uninstall.exe 79,017 bytes MD5: 0x0BD5014F4D4B039CB730814BE3588E8E
SHA-1: 0x227DAA6E18076C4A681A66F4FA67416CD28BDA49
(not available)
15 %Windir%\10179tro553z.dll 5,046 bytes MD5: 0x0820A3460D830E0610DF4AEC56B25AB5
SHA-1: 0x501AF7743ABADCFF0DB2FEBB09ECF5CB37A70E17
(not available)
16 %Windir%\104z9not9a-viruse55.dll 5,911 bytes MD5: 0xA9E25A3F97475855F4587E8FD0153791
SHA-1: 0x89683831479885825A43F20E4C4CDF973DC45838
(not available)
17 %Windir%\1091steal1z535.exe 14,690 bytes MD5: 0xA35ACADCF66634A196F6C71D4B9C4CC8
SHA-1: 0x80E705D38A9E4BC571E1507FE9FBF226FAD6F504
(not available)
18 %Windir%\109zthi5f2161.cpl 12,258 bytes MD5: 0x713F02689E7491E591DC840CCF09235B
SHA-1: 0x8AC2EA8A114A6F20044D8E575EFFC5CC798521D9
(not available)
19 %Windir%\10dt9ief53z1.dll 8,211 bytes MD5: 0xC15D02F4D9E9A43764F534CDD9A8F53D
SHA-1: 0xD2B08ADDACAB117A262105F5830EFDA511A6B2EF
(not available)
20 %Windir%\11515virusz98.dll 9,738 bytes MD5: 0x2C97AEF02772A9EB3A6D953CE68EFFC8
SHA-1: 0x8CC74B0CFD1505031E2AACF5D9931F6AC35F3E51
(not available)
21 %Windir%\11560tro54b9z.exe 16,075 bytes MD5: 0x74AA6DA965832D27D9F385B0DF5252B8
SHA-1: 0x5AD941E6D2CBF1D956C7444AE5F1E5C2D0269EF6
(not available)
22 %Windir%\117859ozm427.dll 17,910 bytes MD5: 0xFF15115CD0032F3C028AA1F24885FF70
SHA-1: 0x501C345ED9940F9B29C45C13F5756CBE0ED485DD
(not available)
23 %Windir%\11b2b5czdoo9873.cpl 8,428 bytes MD5: 0x8070973439C47B9900009EF41ABB7685
SHA-1: 0xA4DC3457DEEC4E3861834F6DE0E26A46B8003920
(not available)
24 %Windir%\11z58wor962b.exe 13,692 bytes MD5: 0xED2F2644AE161AEC134635B9D50EAC07
SHA-1: 0x482D86F20B84E52DC8309BA0EF371C784D8899E6
(not available)
25 %Windir%\12350spa5b9tzf9.cpl 8,167 bytes MD5: 0x50FE0B68951340D972C8890407CFE1E6
SHA-1: 0x6ADD74A78F4E48B150568767827F2A55B904D9C3
(not available)
26 %Windir%\1239zs5a9bot563.ocx 9,726 bytes MD5: 0x82985BBB3FF6F77400B5A652D5FAA1BC
SHA-1: 0x77EAA77DF44DEB131ABF5320A80511A352C77DF5
(not available)
27 %Windir%\12491worm315z.ocx 12,885 bytes MD5: 0x2FF0014FCF48F63D7FB7FF6EC42B8088
SHA-1: 0x9DEC64A939323BB29FF945C19F6616F3EA884246
(not available)
28 %Windir%\12845hac9t5ol3z7.bin 16,706 bytes MD5: 0x5D8F6580F9100F7386B5C21646C522A6
SHA-1: 0x7306599545A8E4F85EC01E6BAB12503F23F5078A
(not available)
29 %Windir%\12csza95e1370.ocx 3,154 bytes MD5: 0x003F38BEAA439A42EF73EED2D6E09243
SHA-1: 0x6EFEB23CFB0B6CBBD851552861080FFF4B5D1D24
(not available)
30 %Windir%\13629hac5t9zl47d.ocx 3,462 bytes MD5: 0x7E57284FFBE5B98278101BC3E4E9DDC6
SHA-1: 0xC8A276FB904CA98CF57A2FF892AB1B4F6BBFC94E
(not available)
31 %Windir%\13769spamb5t9z9.ocx 14,754 bytes MD5: 0x1AC1F69B51566282A382DF3C3CBB9BBD
SHA-1: 0x8C82A770E63A3B03E20FB87FE24B70B849247F19
(not available)
32 %Windir%\140895yz26.bin 3,329 bytes MD5: 0x7FE4D3DA1A25169722B875CA872ED3C3
SHA-1: 0xE386484168B613EAF18580E0D67BE66B0B9A0827
(not available)
33 %Windir%\14240spz5e95.cpl 5,783 bytes MD5: 0x1B2EF9CD06363584E166CA47DD6ACF08
SHA-1: 0x7019DB7EC0B45863F997E31F5FB3902AF98FE11D
(not available)
34 %Windir%\1432v5rzs955.cpl 18,417 bytes MD5: 0x837B2D20EF22456E970097D1CEF38ED7
SHA-1: 0xBD17C4A29CC2931F01FE17FD46C438619C8B4D00
(not available)
35 %Windir%\148395orm15z.exe 8,231 bytes MD5: 0x48DC6E5F453DCB17CCDB04193477F4C3
SHA-1: 0x76F428B18EF31E555EC6BB0855BEE6891935C1D2
(not available)
36 %Windir%\15194v9rz5246.dll 5,030 bytes MD5: 0xE3F3A09FB5DDBABA6774C464020E3560
SHA-1: 0x144FB270E6E6556FCFF313BE770E2AAD98412401
(not available)
37 %Windir%\152005py5z59.bin 6,213 bytes MD5: 0x60A9D814415E290A18FD05B87DA56D93
SHA-1: 0xFEB0F1D23FEF08AFBF39C457AECFFDA17EB32D34
(not available)
38 %Windir%\153zbac9door525.dll 5,417 bytes MD5: 0x2A6B10AEEE9E5B2C645D367E4ECB1D8D
SHA-1: 0x6F0230406BB03AA4B0C763C29018095B6CC25A65
(not available)
39 %Windir%\1584spyware2z769.dll 8,429 bytes MD5: 0x0BED2E3009CFB7AEFD6F45884507ACF4
SHA-1: 0xE9B84E909FEF474AF147D7705BD317EB839023EA
(not available)
40 %Windir%\1584zir5s399.exe 15,274 bytes MD5: 0xE39ED87E60F5D3085995E8F6F0B53614
SHA-1: 0xB52E676269DEF33AAC4A2B55BEEAC63E7235B16B
(not available)
41 %Windir%\15875wzrm91.ocx 16,293 bytes MD5: 0x70E9AD53D916D09FF03A61A7271F8C3C
SHA-1: 0x4E3EE6D5AB4F688A58905BC3BC161BED04047951
(not available)
42 %Windir%\15979worm48z.ocx 9,179 bytes MD5: 0x1B2A977A64F3BFA1C5A30E00EC980C35
SHA-1: 0x1D4D37BC0313365B62A555795F8814A8940B9E35
(not available)
43 %Windir%\15z43hackto9l7a4.ocx 7,287 bytes MD5: 0xC809D4E0677FE67114C5BAFACA01B092
SHA-1: 0x4EE883D19C047F1CA3303ECB15F1CC03EE9AC81E
(not available)
44 %Windir%\1622back5oo9z136.exe 2,804 bytes MD5: 0xDB9B5FAB5DA40B8B26D688D1D6A8E710
SHA-1: 0x4BBCA5B5CB36DFAD6475D6323199C60F2D6415F0
(not available)
45 %Windir%\16385spy7z9.cpl 17,213 bytes MD5: 0x906BF82944EEEE17FD281174E5D91167
SHA-1: 0x4BCE8D0F0D1E63C4AEB768C0B3F311612D2B3D05
(not available)
46 %Windir%\16440sp9mbo5cz.cpl 3,162 bytes MD5: 0x3F5B6D6676FA49EF3EF513CD5A5140A5
SHA-1: 0x33CF5B79939555B6F5FCD976B5125CB44111F87B
(not available)
47 %Windir%\16519ha9ktool20cz.dll 16,749 bytes MD5: 0xCD19A371CCC79D602D288A169C49ED92
SHA-1: 0xE7BECB6B336E07B949C5CB8D98994B1B53238074
(not available)
48 %Windir%\165889py1z5.dll 7,240 bytes MD5: 0x2D120C752311F5BCD5D6A3D820FB058B
SHA-1: 0x3479752A30BA32A59ADAECC139903CC0912D5319
(not available)
49 %Windir%\16923not-azvirus15.cpl 5,938 bytes MD5: 0xE2770A09E43B334FE0628EF38C957775
SHA-1: 0xF0B5C16C0943CDC0CBA8CE17A5787A017564EDD7
(not available)
50 %Windir%\19459spambotz5e.ocx 6,972 bytes MD5: 0x886EB03F2BB791D7BACB0AB6E27007D4
SHA-1: 0x79A31797506A40AABFDC4C5C7E54CBE21E5DB340
(not available)
51 %Windir%\1983do5n9oader313z.exe 16,070 bytes MD5: 0x01FD0CDE4F8E55C30A9EB700A2D15B26
SHA-1: 0x5A9FD55F12FA073DE0F707751F00D2A90DCE75E7
(not available)
52 %Windir%\19cabackzo9r925.bin 7,793 bytes MD5: 0x75C7E5BECF0792AE39AA1399EDFAE7AA
SHA-1: 0x614C41134CFAB3F402D2EAC10E8EFB3B31E05F9B
(not available)
53 %Windir%\19z57spy757.bin 17,002 bytes MD5: 0xACE92C9F50ADD7CB7E450455034FD69B
SHA-1: 0x3D4DA4C088D7C4210A10FED7EFCB3860AB658C5C
(not available)
54 %Windir%\1bfethzeat2549.bin 9,956 bytes MD5: 0x7A1EE11383A556CE7E35E9F0CD523256
SHA-1: 0x9CECAF991A1A57DAA86E36E249DD5BD084586490
(not available)
55 %Windir%\1c985zr1107.bin 7,061 bytes MD5: 0x338E76A8B6A99CAFE74D8B8A1E7B44ED
SHA-1: 0xA22180D72496D256A35B33317E35F51110935899
(not available)
56 %Windir%\1ez3b9ckdoor455.exe 10,132 bytes MD5: 0xB9A889E87880639C4B05E4A6B431ABEB
SHA-1: 0x3FB0AD2BCFCD9BEDB5F95D6AD1A0FA2F68E68440
(not available)
57 %Windir%\1f4cthrez952160.bin 2,548 bytes MD5: 0x44FC18CDA2EFDDABD934D3168FF06700
SHA-1: 0x54CA3D96141729B8970F5F036EC25B73BAC03BBF
(not available)
58 %Windir%\1f68downl9zder1052.ocx 14,712 bytes MD5: 0x4857AE35838217B9E5438A8D8596E6B2
SHA-1: 0x0D7C516F1A6C8DFE06F8B2901704F7FDF9E5EDF3
(not available)
59 %Windir%\1fb9b5ckdozr9470.cpl 13,535 bytes MD5: 0xA7B40B1ECE48565C8F3DE0B9D6119B94
SHA-1: 0xAD9D645F5A9D69B3967311A90C32F81DEF4B0E46
(not available)
60 %Windir%\1z23v951063.cpl 5,941 bytes MD5: 0x294167511F6B7DFB58C685F9AF16B1E4
SHA-1: 0x207DB1365CB13A5DD9282A3BCFA9CB512963D6AE
(not available)
61 %Windir%\1z461spy3d59.cpl 14,079 bytes MD5: 0x43BA3952A4AFD9ABB701CF2B78FE9012
SHA-1: 0x136320DB70A80D5DFE40248C1D585E3A36D7D0B9
(not available)
62 %Windir%\1z5ddo9nloader1805.ocx 10,818 bytes MD5: 0xB75424112B98CD555C29D3A75E592DDC
SHA-1: 0x66562F64CCB83A1C449920C55CE2841249D85971
(not available)
63 %Windir%\1z75threat95513.cpl 9,454 bytes MD5: 0xD0119DD9E96A0548EBF9C93B0D3D8326
SHA-1: 0x7D2FDC10AEEC703EB255EBBA21691FB725F6D3FB
(not available)
64 %Windir%\1z89vir2155.dll 4,795 bytes MD5: 0xB45E48E8B526213BA9F5C6ABAE90DF99
SHA-1: 0x8B202693BD7CA1E03140C1516819850177D8412E
(not available)
65 %Windir%\1z9fadd5are397.cpl 5,840 bytes MD5: 0x1AB849D656BF93D030BF1C78B7445B18
SHA-1: 0xC085EE6A1372B1DF01586B0C63E14BD35758978A
(not available)
66 %Windir%\2029thiz51266.ocx 3,382 bytes MD5: 0xC131105A5A76396F00F1E4D86AFA8512
SHA-1: 0xF1D9611CEA060B216D8D251C4F06C1B570E152FD
(not available)
67 %Windir%\20548szy339.dll 13,546 bytes MD5: 0xBFF59ADB1C21440C84F48BDCC8D58C58
SHA-1: 0xF397326B9D9DBB7800DD9ADE0DB745769254BCEE
(not available)
68 %Windir%\209z0vi5us189.bin 14,376 bytes MD5: 0x269A78E6D65C9F35714AE7D04335B556
SHA-1: 0x82C068C36B1F7925109969E05A113072D62F885E
(not available)
69 %Windir%\21058spambotzbc9.bin 8,520 bytes MD5: 0x01DD737E9ADC03BCF0801DBE170650DA
SHA-1: 0x45FA43D11990E16A8C7DC8415D168942F78FAA82
(not available)
70 %Windir%\2135zsp568f9.bin 9,724 bytes MD5: 0xA53A91FB79DC343C9066DBAC7C1031CD
SHA-1: 0x7EEC7F0F9CA4598BE27055EA17412D6839449804
(not available)
71 %Windir%\21596no9-5-zirus6a.cpl 17,751 bytes MD5: 0x813C32A693AF9885F031D39CAD23208D
SHA-1: 0x65470304CAD3CB3FDA1EF3066A103CE046C8DA98
(not available)
72 %Windir%\22256virus53z9.exe 10,921 bytes MD5: 0xD2720ED706775711874671FA8B929273
SHA-1: 0xB61526231926FBFA7855CAB2B6F7608FDA5525B2
(not available)
73 %Windir%\223z9virus105.bin 14,699 bytes MD5: 0x5BE2CBB98AE1AD25B51571796C1D5530
SHA-1: 0xA4F14486C9158AF5D85435E116D34F785289A252
(not available)
74 %Windir%\2291zackd5or1565.exe 16,111 bytes MD5: 0x6C021D649BA21AF82E7145BD0218D2BB
SHA-1: 0x9140D2B53A4D7E13032CFAF28AD15B757F24D571
(not available)
75 %Windir%\22z59wo957c6.ocx 3,443 bytes MD5: 0x97B51AFF1074BDE57C6581AA41C3FEE0
SHA-1: 0x24B6F9B902818CA235A1DDED9EABFED916245B18
(not available)
76 %Windir%\23465notza-9irus54d.exe 2,993 bytes MD5: 0x38B4FAB55182E9DB1B80E9583B1E1525
SHA-1: 0xD5B88BA2D036D6D608CB2FE8BA2495BEE46E31A1
(not available)
77 %Windir%\23475teal1z499.exe 8,797 bytes MD5: 0xE107FBFFF987A93D2E380CE87D10152D
SHA-1: 0x980D9C8BB5EF9606B2316A8DEE72209E7B114335
(not available)
78 %Windir%\23551not9a-virzs555.dll 4,207 bytes MD5: 0xDB6BFF6F2A0DDEB958F607AD82990E2B
SHA-1: 0x55623532406AAF7DB52E217E3F5D8FC890031DBD
(not available)
79 %Windir%\23798zpambot5919.bin 6,653 bytes MD5: 0x5A482961C0FFCA9235A97513C3B3C004
SHA-1: 0x16247D66D0CD52A077BCEC4DA175BC4ECF128891
(not available)
80 %Windir%\23c7sp9wzre2825.dll 5,061 bytes MD5: 0x449C133FC1987B0E92988D8F740E273E
SHA-1: 0x85B8C1628F10BBFB93B25EA7DC0DF1FF3E9624CD
(not available)
81 %Windir%\240zv5r9889.ocx 10,478 bytes MD5: 0x4BF35F22C0E23F2CD2E86999CF741014
SHA-1: 0x9037A63FFDFFE3A474873E9C96B7989F0C348045
(not available)
82 %Windir%\24352wzrm966.cpl 3,710 bytes MD5: 0x6ACBAA8793B5F2F61570125F324DEA66
SHA-1: 0xF683509C3B69C7C6F20FFEAE1AA03924DED15C01
(not available)
83 %Windir%\24660s9amboz6d5.bin 6,191 bytes MD5: 0x235E3963041ED90A96E6B4914DE48874
SHA-1: 0x62D81678006AE5A77080C90BB09508D27CE68E32
(not available)
84 %Windir%\24832not-z-vir5s89.bin 14,435 bytes MD5: 0x081C6B9E8141A227B2FC26D7242B5936
SHA-1: 0x334E7F97EAB5313A019CC4A27E3FEB8CC8ECF58F
(not available)
85 %Windir%\24990hackt5o94d8z.exe 4,187 bytes MD5: 0x7A1FB7D99E90EBF90DB3B11AEC0F148A
SHA-1: 0x628F9370958DD773C0984CB6C284A0A1F255009D
(not available)
86 %Windir%\24992wormz459.dll 3,477 bytes MD5: 0xC0387671F1ED44FB4D7E403EEE9C48AC
SHA-1: 0x15024602E91CDF99D288E1E9A02529C7C09E574A
(not available)
87 %Windir%\249cthze9456.ocx 12,389 bytes MD5: 0xC89837CF1F3A103FEE988F625FDF834B
SHA-1: 0x3F67C04D446EA010F52365A0558CF61D4A05FCDA
(not available)
88 %Windir%\25410wz9m676.dll 6,528 bytes MD5: 0x3721E9FC26DE4A007B13EFCB4361704E
SHA-1: 0x92EAC0B32D8C4ABC7B169951D8DFD4545D447EDD
(not available)
89 %Windir%\254179roj5ecz.cpl 4,074 bytes MD5: 0x88FCB6FA0D175A064AF18D8C1827C8B3
SHA-1: 0xB595B4896F603021AC611F701334410C56584E83
(not available)
90 %Windir%\2558z9py574.ocx 8,889 bytes MD5: 0xCECDC82549EA1933080829CC7EC8189B
SHA-1: 0x89E3176F50A971BE3EB6683BE8435226968EA32D
(not available)
91 %Windir%\25897zot-a-virus116.exe 18,409 bytes MD5: 0xBB678F609B71F47CBED0175CB7102EF5
SHA-1: 0x4E30D2715DE05B3C1EC74FF68BE2545FFA809BF7
(not available)
92 %Windir%\259629p5mzot37.dll 8,196 bytes MD5: 0x328A9961A00165DF9C56FEFF7790795F
SHA-1: 0xCB072BFE7769AFE7D15601F73F13802B5AEEFE79
(not available)
93 %Windir%\25db9pyware25z3.exe 6,596 bytes MD5: 0x420A4041BE7ADE72B10C7E0218277052
SHA-1: 0x9B4E0014431D1CFB8C680EE02BA5B76D16B0366D
(not available)
94 %Windir%\26027nzt-a-v5rus4b9.dll 5,545 bytes MD5: 0xCBA2277E36158D888BAC8766DCB5F459
SHA-1: 0x509202504DC97F269914198BAE9281E723A5278E
(not available)
95 %Windir%\260539z5j695.cpl 10,892 bytes MD5: 0xF84FDD7F6EBF020269650F22C4CE7728
SHA-1: 0x6D44FFBE3A2E8C275D646252E4F49EBD5D26072F
(not available)
96 %Windir%\27598zroj2ed.ocx 12,204 bytes MD5: 0xC857BF57B3F6CF458AABD16003ED4871
SHA-1: 0x656DD26438A88A179949119627B06BDE42BCE8A4
(not available)
97 %Windir%\27651ha9ztoo5495.cpl 12,190 bytes MD5: 0x33740C72BA9E382A411C9625A5A963F8
SHA-1: 0x32F5467F6E37CB0F5DCCC6DEF4F5403D8D2568D3
(not available)
98 %Windir%\27917vir5s51cz.ocx 16,922 bytes MD5: 0xF973E8E662E71D155EEB65154D8683AE
SHA-1: 0xB5AF7F66212B8A3F53E36FCCA1DC5F2506CCFA28
(not available)
99 %Windir%\27z6thief95885.dll 5,699 bytes MD5: 0xA2268F600D15D6C8231F82F0C22FA21D
SHA-1: 0x2C6112346A0302BCE84161F56E4E2C7386E29540
(not available)
100 %Windir%\2802spz9bot46b5.ocx 9,039 bytes MD5: 0x70532B6BC04B4FEAEF0BD4CEDC74282A
SHA-1: 0x6CC5D6A85E1C8420F78F30B060E15C091B6E4885
(not available)

 

Memory Modifications

Process Name | Process Filename | Main Module Size
2gbk87zj.exe | %Temp%\2gbk87zj.exe | 270,336 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 225,280 bytes
8enyqcv1.exe | %Temp%\8enyqcv1.exe | N/A

 

Registry Modifications

 

Other details

Ukraine

Remote Host | Port Number
85.12.25.11180

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.


Copyright © 2013 ThreatExpert. All rights reserved.