Submission Summary:

What's been found                                                                  Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Security Risk              Description
Spyware.Known_Bad_Sites    Indicates that the Windows hosts file may have been hijacked by a known bad site. Adware, Spyware and Phishing sites may use the Windows hosts file to redirect your browser to a malicious site when you try to access a valid site such as your Bank.

Threat Category    Description
Downloader         A program that downloads files to the local computer that may represent security risk
Adware             A potentially unwanted adware program designed to deliver various advertisements to the users' systems
Trojan             A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

#   Filename(s) / File Size / File Hash / Alias

1.  %AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\1ca50dd2e602ad2a0e779ab7b2e5a9e6_a7bcc1a4-f7a4-4502-8650-8579e607f7f7
    File size: 77 bytes
    MD5:       0xB7FE7CAE50BAA950808BBAED4D8915E1
    SHA-1:     0x477BFD2BF86B851ACA3987074CA33F6F81D4098B
    Alias:     (not available)

2.  %AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\2f4284c0590dc7cd08c8e02d277cce5e_a7bcc1a4-f7a4-4502-8650-8579e607f7f7
    File size: 58 bytes
    MD5:       0x1D6915C26B69DC8B3F47478D8318D49B
    SHA-1:     0xBF3BFC39E82E3F19C9FCC22D20D8C579FB9F5B9C
    Alias:     (not available)

3.  %Temp%\Component Update 235
    File size: 1,190,161 bytes
    MD5:       0x3C526AB98AEC1C7D7B219316FB67D9C7
    SHA-1:     0xE24F9EB24F2C8A3E9CB780DC776D00D7F23ACD07
    Alias:     (not available)

4.  %Temp%\cv4B433.tmp
    File size: 206,386 bytes
    MD5:       0x7EFBC68D926DDA1F3CDC3A4BE6F709A9
    SHA-1:     0xF9D90F5482A7250BCB76412FBA262F1D82BB2586
    Alias:     (not available)

5.  %Temp%\nsmE.tmp\Math.dll
    File size: 67,584 bytes
    MD5:       0x8835B67F15D96144F3184E684FA76B43
    SHA-1:     0x365E34A34EB8C123D765B7DEEFD3EBB90FE0FE4B
    Alias:     (not available)

6.  %Temp%\nsmE.tmp\System.dll
    File size: 10,240 bytes
    MD5:       0x7E3C808299AA2C405DFFA864471DDB7F
    SHA-1:     0xB5DE7804DD35ED7AFD0C3B59D866F1A0749495E0
    Alias:     (not available)

7.  %Temp%\nsn1E.tmp
    File size: 712,192 bytes
    MD5:       0x5373CC2291346C99AB0DF52B42BF7FDC
    SHA-1:     0x7D89E7EF37DC4797DF35946C7DD839D1FCCA0504
    Alias:     Adware.Gen [PCTools]
               Adware.Gen [Symantec]
               Trojan-Downloader.Win32.Zlob.bjma [Kaspersky Lab]
               Generic PUP.x!s [McAfee]
               Mal/Generic-A, Mal/Zlob-G [Sophos]
               TrojanDownloader:Win32/Zlob.JN [Microsoft]
               Trojan.Zlob [Ikarus]

8.  %Temp%\tmpC867.tmp
    File size: 75 bytes
    MD5:       0xB98CA5281E7C658EA4E185DEF1FCCEBE
    SHA-1:     0x71573A9840D6729E58D220E36583A8C12465046F
    Alias:     (not available)

9.  %System%\48e91764-94d0-4084-7357-eedef003b577.exe
    File size: 103,458 bytes
    MD5:       0x0F68EE4AF33FD86A2C4F3476167B92B3
    SHA-1:     0x562867904994329C6E3BA573F9A92CCCD5507D29
    Alias:     (not available)

10. %System%\96f66cc7-a5d7-bd23-02b6-3c8996dc2376.dll
    File size: 1,892,864 bytes
    MD5:       0xF67411A8A070D49D7232C68E1C4F476B
    SHA-1:     0xE52FF117878FF7303C2FED98F6CE651DE79EE2A6
    Alias:     (not available)

11. %System%\bjfubdisjqdrnplk.dll
    File size: 563,200 bytes
    MD5:       0x01B18A1CACF4461A97BE5A1EE140CCA4
    SHA-1:     0x0E5490FC91973B4BB656E97A5F977E4359183C54
    Alias:     Trojan.Vundo [PCTools]
               Trojan.Vundo [Symantec]
               Trojan.Win32.BHO.uhi [Kaspersky Lab]
               Mal/Zlob-G [Sophos]
               TrojanDownloader:Win32/Zlob.JN [Microsoft]
               Win-Trojan/Bho.563200.B [AhnLab]

12. %System%\bjfubdisjqdrnplk.dll-uninst.exe
    File size: 60,026 bytes
    MD5:       0x2737E2B5F4614AD1BB521F6B3A840465
    SHA-1:     0x6AACEE79D4A849997D2D9F2544D1DF0F3E7AE1A1
    Alias:     AdWare.search.precisead [Ikarus]

13. %System%\kqermpuovi.dll
    File size: 385,024 bytes
    MD5:       0x77E5E80CD713255F865A47DDE3FF0247
    SHA-1:     0x165DE946FB2F85A6EE555D164863D41C5205FF77
    Alias:     (not available)

14. [file and pathname of the sample #1]
    File size: 4,785,136 bytes
    MD5:       0x553556773F6257D6FBAC52900A73395F
    SHA-1:     0xA503F68801835FB8E2424E7BBBFEB398B4407A9A
    Alias:     Trojan-Downloader.NSIS.Agent.bk, not-a-virus:AdWare.Win32.RON.adm, Trojan-Downloader.Win32.Zlob.bjma, Trojan-Downloader.Win32.Zlob.bjig, Trojan.Win32.BHO.uhi, Trojan-Downloader.Win32.Zlob.bgjb [Kaspersky Lab]

15. %System%\tjhnrruleb.exe
    File size: 48,283 bytes
    MD5:       0xCDD6879F5BB8FE726613F316B496D02C
    SHA-1:     0x11B3D68C0B9F1AD6BEC020DF1BC8AC0D39E71343
    Alias:     (not available)

16. %System%\_kqermpuovi.dll
    File size: 475,136 bytes
    MD5:       0x2B1C7A365C7B90A8520066D5B671D554
    SHA-1:     0x45C53B01B7518750DD2C671A96DC6EDD501AE166
    Alias:     Adware.Begin2search [PCTools]
               Adware.Begin2search [Symantec]
               not-a-virus:AdWare.Win32.RON.adm [Kaspersky Lab]
               Generic PUP.x!s [McAfee]

Memory Modifications

Process Name    Process Filename          Main Module Size
apa             %Temp%\nsb2.tmp\apa       204,800 bytes

Registry Modifications

Other details

Remote Host         Port Number
174.142.104.27      80
174.46.249.26       80
199.7.51.190        80
204.0.5.26          80
204.0.5.32          80
204.0.5.33          80
204.0.5.8           80
204.0.5.9           80
204.236.224.56      80
209.200.63.77       80

Outbound traffic (potentially malicious)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.