ThreatExpert Report: Trojan-Banker.Win32.Banker.rqk, not-a-virus:AdWare.Win32.BHO.bje..

Submission Summary:

Submission details:

Submission received: 30 July 2008, 18:20:55
Processing time: 5 min 12 sec
Submitted sample:

File MD5: 0x3E8F78061DFD85E3BA814899FFBCACFF
File SHA-1: 0x93B2C4B57C799C25034A39881D7CFD8E60503B78
Filesize: 127,488 bytes
Alias: Trojan-Banker.Win32.Banker.rqk [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Trojan.BHO!sd6	Trojan.BHO!sd6 is a malicious program that does not infect other files but may represents security risk for your computer and/or network environment.

Attention! The following threat categories were identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\d9xdr.dll	32 bytes	MD5: 0x0EBB66EC61F6D9356C5698AF900168D0 SHA-1: 0xFFC6B1563A7FE4ED24713B8B55DE67C0AE187EC0	(not available)
2	%System%\ddr7xm.dll	49,152 bytes	MD5: 0x474A1F098A9658EE3B13C35DCF3005F4 SHA-1: 0xFD330C5C5215344B74558FCC0968E255B326CC0B	Backdoor.Trojan [Symantec] not-a-virus:AdWare.Win32.BHO.bje [Kaspersky Lab] Backdoor:Win32/Sereki.gen!B [Microsoft]
3	%System%\hl.dat	46,195 bytes	MD5: 0x70E658131F8DD46EB95BB786944154AB SHA-1: 0x9FCD35004386B1BF7F8C4E4E878D8FCE8CDFDB92	(not available)
4	%System%\mrcmgr.exe	63,488 bytes	MD5: 0xDF25B70614C01D4EBD877AFB9EAC0DF3 SHA-1: 0x7F5C081EF27B7D0998A149D2928C1BB9DAA9F83F	Trojan-Banker.Win32.Banker.rqk [Kaspersky Lab]
5	%System%\mshpc.dll	102,400 bytes	MD5: 0x745438053A38FEEB4A281CA0E6084672 SHA-1: 0xD0D5C88B0701B76583209F0A537AED984421989A	Trojan.BHO!sd6 [PCTools] Trojan.Win32.BHO.fhi [Kaspersky Lab] Mal/Generic-A [Sophos] Backdoor:Win32/Sereki.gen!B [Microsoft]
6	%System%\prxsmr.dll	36,864 bytes	MD5: 0x27CA3A013D2078DC983E6CC5A0776083 SHA-1: 0x72D3CECD607199EC7285CB7B3B59FCAD26BCE10A	not-a-virus:AdWare.Win32.Agent.dfo [Kaspersky Lab]
7	%System%\rp8xrc.dat	19 bytes	MD5: 0x570C8061735EF785721B0F922DB54B8B SHA-1: 0x8132D1BA29D780BC7B31329BFD80BAB7F4DBC329	(not available)
8	[file and pathname of the sample #1]	127,488 bytes	MD5: 0x3E8F78061DFD85E3BA814899FFBCACFF SHA-1: 0x93B2C4B57C799C25034A39881D7CFD8E60503B78	Trojan-Banker.Win32.Banker.rqk [Kaspersky Lab]
9	%System%\scerpt.dll	7,168 bytes	MD5: 0x1343D421CF52F7BF55D62FA949D9E258 SHA-1: 0x90F7D541D3A9D723149792CCFD014923EE2BAB54	Trojan-Banker.Win32.Banker.rqk [Kaspersky Lab]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
mrcmgr.exe	%System%\mrcmgr.exe	118,784 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	241,664 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
ddr7xm.dll	%System%\ddr7xm.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1F30000 - 0x1F6F000
mshpc.dll	%System%\mshpc.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0xF80000 - 0xFE4000

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC3D9EE3-8304-4228-ADC2-234D035FEB89}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC3D9EE3-8304-4228-ADC2-234D035FEB89}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mdd.MddApp.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mdd.MddApp.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mmdd.MddApp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mmdd.MddApp\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mmdd.MddApp\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{161B953B-95F9-4af3-B071-D5FF5EA132EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSControls

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\VersionIndependentProgID]

(Default) = "MSApp.BhoApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\TypeLib]

(Default) = "{2D51E439-3AE8-4bf7-8FB2-45F768554DEC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\ProgID]

(Default) = "MSApp.BhoApp.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}\InprocServer32]

(Default) = "%System%\mshpc.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{161B953B-95F9-4af3-B071-D5FF5EA132EF}]

(Default) = "IE Microsoft extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\VersionIndependentProgID]

(Default) = "Mdd.MddApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\TypeLib]

(Default) = "{F6FBADC6-F435-4b4b-9153-8DFF61BCF996}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\ProgID]

(Default) = "Mdd.MddApp.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}\InprocServer32]

(Default) = "%System%\ddr7xm.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A4F919F-4334-4abf-BF47-0836A8B5A54B}]

(Default) = "MddApp Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC3D9EE3-8304-4228-ADC2-234D035FEB89}\InprocServer32]

hp = "10860"
sp = "12872"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\TypeLib]

(Default) = "{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244F3263-6C3C-469C-AECE-FF46D84A0A3B}]

(Default) = "_IMAppEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\TypeLib]

(Default) = "{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30989926-2D37-4561-B76F-65D0F89A3560}]

(Default) = "IApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\TypeLib]

(Default) = "{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{572AB3DC-60AC-4FCB-B0F6-8B010ECFE90A}]

(Default) = "IMApp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\TypeLib]

(Default) = "{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ECEE577A-5B6F-4BDC-9210-DB603D6BEF78}]

(Default) = "_IAppEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\0\win32]

(Default) = "%System%\mshpc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\HELPDIR]

(Default) = "%System%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2D51E439-3AE8-4BF7-8FB2-45F768554DEC}\1.0]

(Default) = "MSHpc 2.0 Lib"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\0\win32]

(Default) = "%System%\ddr7xm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\HELPDIR]

(Default) = "%System%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6FBADC6-F435-4B4B-9153-8DFF61BCF996}\1.0]

(Default) = "Mdd 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mdd.MddApp.1\CLSID]

(Default) = "{1A4F919F-4334-4abf-BF47-0836A8B5A54B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mdd.MddApp.1]

(Default) = "MddApp Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mmdd.MddApp\CurVer]

(Default) = "Mdd.MddApp.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mmdd.MddApp\CLSID]

(Default) = "{1A4F919F-4334-4abf-BF47-0836A8B5A54B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mmdd.MddApp]

(Default) = "MddApp Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CurVer]

(Default) = "MSApp.BhoApp.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp\CLSID]

(Default) = "{161B953B-95F9-4af3-B071-D5FF5EA132EF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp]

(Default) = "IE Microsoft extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1\CLSID]

(Default) = "{161B953B-95F9-4af3-B071-D5FF5EA132EF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSApp.BhoApp.1]

(Default) = "IE Microsoft extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

1 = "%System%\mrcmgr.exe"

so that mrcmgr.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSControls]

s = "1"
f = "1"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Userinit = "%System%\userinit.exe,%System%\mrcmgr.exe,"

so that mrcmgr.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer]

ITBarLayout = 11 00 00 00 36 00 00 00 00 00 00 00 34 00 00 00 1B 00 00 00 57 00 00 00 01 00 00 00 20 07 00 00 A0 0F 00 00 05 00 00 00 62 05 00 00 26 00 00 00 02 00 00 00 21 07 00 00 A0 0F 00 00 04 00 00 00 21 01 00 00 A0 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Other details

The following Host Names were requested from a host database:

192.168.1.164
podra.cn
195.93.219.201

The following HTTP URLs were started reading:

http://195.93.219.201/sp/g.php
http://podra.cn/zv/gid.php?sv=AFt6J8VsAwwM832HjkLVdfcSB2Z&ad=4&id=48902471-1-bb0d0a53
http://podra.cn/dd/gid.php?sv=AFt6J8VsAwwM832HjkLVdfcSB2Z&ad=4&id=48902473-1-bb9170e0
http://podra.cn/zv/cmd.php?id=48902471-1-bb0d0a53

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.