ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 1 June 2009, 13:30:46
Processing time: 6 min 20 sec
Submitted sample:

File MD5: 0x56E78ABCA7ACAD5165B7390EAA32CA67
File SHA-1: 0xC5CC42FBFCE2F3EF6CC3D1AAF4DE40C2B8A84F88
Filesize: 2,249,992 bytes

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\contacts.html.vscrypt	279 bytes	MD5: 0x92BEC646A4B84158C62BC577B765F455 SHA-1: 0x13C7D7445E713A6F87A11AC29259A00C1FB47E1C	(not available)
2	%CommonDocuments%\My Pictures\Sample Pictures\Sunset.jpg.vscrypt	71,189 bytes	MD5: 0x53DB801D24D80D5DB0CE189DCF112CA2 SHA-1: 0x4FF5CE78246F779CB8AB8E519F8BB984F8C7C7A3	(not available)
3	%CommonDocuments%\My Pictures\Sample Pictures\Winter.jpg.vscrypt	105,542 bytes	MD5: 0x42D84910A6330C1976DDF34290F10FE0 SHA-1: 0xB1CAFB922DAB375EF6D4D22340E944AC03FF0001	(not available)
4	%Profiles%\Default User\Templates\excel.xls.vscrypt %Templates%\excel.xls.vscrypt	5,632 bytes	MD5: 0xBDEEF1480FCFB14DA6D85D7984F9484C SHA-1: 0x0618EF088CC0AEFD4D812988FB62178575897499	(not available)
5	%Profiles%\Default User\Templates\excel4.xls.vscrypt %Templates%\excel4.xls.vscrypt	1,518 bytes	MD5: 0xDA9C096E7C8C1910AC04353D4F546306 SHA-1: 0xD830B1C1289D30A949A0D6BF543F1E8C6B54101B	(not available)
6	%Profiles%\Default User\Templates\winword.doc.vscrypt %Templates%\winword.doc.vscrypt	4,608 bytes	MD5: 0x025DB1F652617FF9A65185DDE7788F73 SHA-1: 0x1BA2DB84D7336B06822B5DCA268342812F4ACC26	(not available)
7	%Profiles%\Default User\Templates\winword2.doc.vscrypt %Templates%\winword2.doc.vscrypt	1,769 bytes	MD5: 0xE92BD54E8723FA24D4BF5BAD3E42ACCB SHA-1: 0xE1B43D24CD9F2BE8E2BE05D7CB4C1343F71F98D1	(not available)
8	%AppData%\Microsoft\Wallpaper1.bmp	927,422 bytes	MD5: 0xB986FD0AA5C76601C3C63CFEAB195AE1 SHA-1: 0x74F2236D03F24A1A3BE0418840901120477A65B6	(not available)
9	c:\Inetpub\wwwroot\index.html.vscrypt	125 bytes	MD5: 0x0936CD57EA6CC534A431A9B31052B42D SHA-1: 0x4FE2A60D30FE8634246EBE21E142C896CA34D6F8	(not available)
10	c:\Inetpub\wwwroot\index.jpg.vscrypt	176,094 bytes	MD5: 0x1831E72B0B1289957A78D37654175512 SHA-1: 0x727100F82DED78F7B7423A491574F457F46E3623	(not available)
11	[pathname with a string SHARE]\Blank.htm.vscrypt	412 bytes	MD5: 0x7A70556356A84927BCDD4DB0492A4B86 SHA-1: 0x11B82EB92431FB77C02DB1EE7496638D1020E896	(not available)
12	[pathname with a string SHARE]\Citrus Punch.htm.vscrypt	403 bytes	MD5: 0xCF5E0311A4E4F2C2E4C7A7EFCE57AA93 SHA-1: 0x989A53A0B4850B5DFC3F07DCF8633F230889A015	(not available)
13	[pathname with a string SHARE]\Clear Day Bkgrd.jpg.vscrypt	5,675 bytes	MD5: 0x565C0341C85A16E33FC40E2333DCC253 SHA-1: 0xEAB1D37DD8D3FF698DEB11A56B0678DC2A2AF4BC	(not available)
14	[pathname with a string SHARE]\Clear Day.htm.vscrypt	276 bytes	MD5: 0x425F6845609DAD9DE89847905C3EB959 SHA-1: 0x9DA86D6AF168D7661693EB847827DCE82B95A500	(not available)
15	[pathname with a string SHARE]\Fiesta Bkgrd.jpg.vscrypt	5,048 bytes	MD5: 0x2F5A4AA4EF7ED3EE405B3E58D86B9A1A SHA-1: 0x3FCD5550FE04A869BBD83CB4E422308FEF325B28	(not available)
16	[pathname with a string SHARE]\Fiesta.htm.vscrypt	319 bytes	MD5: 0x76E3735DB00E9D767A9756B0A7124315 SHA-1: 0x8915937B8A555CF204249CD90BA5CEAD5124F8B4	(not available)
17	[pathname with a string SHARE]\Glacier Bkgrd.jpg.vscrypt	2,743 bytes	MD5: 0x9D7A65F99394E41D0406307DF195F0FD SHA-1: 0x5718D79B8EA2F41E422BBED4503E8F27C7DE722D	(not available)
18	[pathname with a string SHARE]\Glacier.htm.vscrypt	272 bytes	MD5: 0x9C45CDFD01E5813F5AEAA2E675944467 SHA-1: 0xC9A6386D47D1769283E5E4C7E589BF3376F54191	(not available)
19	[pathname with a string SHARE]\Ivy.htm.vscrypt	367 bytes	MD5: 0xD8C166CA882604127C1116A6E653FD2D SHA-1: 0xE47DE9511D2F71D5D37D3C30427C21331B4FC28C	(not available)
20	[pathname with a string SHARE]\Leaves Bkgrd.jpg.vscrypt	4,389 bytes	MD5: 0x5C97B941E13D33D1C40C3B4E1E95944E SHA-1: 0x3CFF51E59BCEE5BE13CCD0DF43BEEA59815FE427	(not available)
21	[pathname with a string SHARE]\Leaves.htm.vscrypt	368 bytes	MD5: 0xC49CD5A162FCC3A0BF141384CE8642C2 SHA-1: 0x294C8ED711752FA793C120E1EA4898A5845FA491	(not available)
22	[pathname with a string SHARE]\Maize Bkgrd.jpg.vscrypt	11,748 bytes	MD5: 0xFB3E40C874AA257C86F794A94F5A6FA8 SHA-1: 0xE5E40EE2BCABFC9647318E7F6B7887FAFF5273E9	(not available)
23	[pathname with a string SHARE]\Maize.htm.vscrypt	366 bytes	MD5: 0x387E9B7F667FE6A7AD5E98E6F31A17AE SHA-1: 0x404E7981A85360ABBA83713E11E47AEA8BB68A53	(not available)
24	[pathname with a string SHARE]\Nature Bkgrd.jpg.vscrypt	3,781 bytes	MD5: 0x9E0B86874D1C795C91603A196C2D9D10 SHA-1: 0xC2F2735142BABB375C04A97F385276E373E4FAAF	(not available)
25	[pathname with a string SHARE]\Nature.htm.vscrypt	398 bytes	MD5: 0xBEDB75607872E5288739B3F6E4C90E9B SHA-1: 0x2CFD5B2CE99D6BFE2D443FEAEB15CEA2ACE657E0	(not available)
26	[pathname with a string SHARE]\Network Blitz.htm.vscrypt	407 bytes	MD5: 0x505E371A413FEBE76622D90603C55FD8 SHA-1: 0x70FF2401C952CB839F0B14094BE58AE50E54BEC6	(not available)
27	[pathname with a string SHARE]\Pie Charts Bkgrd.jpg.vscrypt	2,371 bytes	MD5: 0x2E4F0A473B979149A9F1CFB3568C6724 SHA-1: 0xDCE6640B7E590B22DF0C3CE01A5BBF82B0047EAF	(not available)
28	[pathname with a string SHARE]\Pie Charts.htm.vscrypt	290 bytes	MD5: 0xCE3E7FDADFB61D98984703151A631CC6 SHA-1: 0xEE77DC0F27523334E49F4DD24708D8C3BBABFC35	(not available)
29	[pathname with a string SHARE]\Sunflower Bkgrd.jpg.vscrypt	17,147 bytes	MD5: 0x6CCF492DA174F63A16B364BF5DCD8463 SHA-1: 0x8AF8B5B74C71119DCCAE1829FF335CBA0F5A2CE5	(not available)
30	[pathname with a string SHARE]\Sunflower.htm.vscrypt	402 bytes	MD5: 0xFA6521C949D9B944484D98EDE046DB80 SHA-1: 0x4EDBB8FBB35F047C147FB867AEEB844EB2875889	(not available)
31	[pathname with a string SHARE]\Sweets.htm.vscrypt	361 bytes	MD5: 0xAD754D7B2D56EAA89C7DFAF912DD8FA3 SHA-1: 0x0575F45873488FC0A5BDF6578F16CD7D5BE5BB21	(not available)
32	[pathname with a string SHARE]\Technical.htm.vscrypt	411 bytes	MD5: 0xCA59B9CC206265F5A4C50E19E3AA9BDD SHA-1: 0x73AE646E7A66A9BD59BAF85E296CAC0B8DB070F2	(not available)
33	%ProgramFiles%\Common Files\System\ado\MDACReadme.htm.vscrypt	543 bytes	MD5: 0x509290B04140039C1C4B1A78F559F532 SHA-1: 0xD7333BBDA1EF742BA7E5DADA00765D7C26057EEE	(not available)
34	%ProgramFiles%\Common Files\System\Ole DB\MSDASC.TXT.vscrypt	7,997 bytes	MD5: 0x8F9D4C7D1034CFF2171205F4E072AC63 SHA-1: 0x835EA8F80E7158039F96F08634FD2E0E338B9CFF	(not available)
35	%ProgramFiles%\Common Files\System\Ole DB\MSDASQLreadme.txt.vscrypt	3,113 bytes	MD5: 0xBAFD0CE1E9401226C58657CE98896B4D SHA-1: 0x9C09293ECFF6240E3E8A5A3B8994CF1C203C0E06	(not available)
36	%ProgramFiles%\Flash Media Arts,inc\SWF Video\23854356.avi	3,609,769 bytes	MD5: 0x7E5F5BEA9600121A41DD4619ABF70029 SHA-1: 0x7CAD954529691111CBAA4F4D72B98AD496DE57AF	packed with Swc2Exe [Kaspersky Lab]
37	%ProgramFiles%\Flash Media Arts,inc\SWF Video\Free_update.exe	262,144 bytes	MD5: 0x010D7B79D002D747F420A7880F89EE38 SHA-1: 0x5CA9562EED107D818C350EB1B4C4FC30E1E349F7	(not available)
38	%ProgramFiles%\Flash Media Arts,inc\SWF Video\svchost.exe	921,565 bytes	MD5: 0x5F9927EE59B4881A2CE8634332F63FA8 SHA-1: 0x1633F6415597DBC42E2226E1FED82AB682640E6F	(not available)
39	%ProgramFiles%\Flash Media Arts,inc\SWF Video\Uninstall.exe	57,407 bytes	MD5: 0xAA74D413FCC98FEF29BA9BD75F894093 SHA-1: 0x99979D5DA7B10C286FC89B428E29DCF44F177FF5	(not available)
40	%ProgramFiles%\Flash Media Arts,inc\SWF Video\Uninstall.ini	1,776 bytes	MD5: 0x031FC32CD1B5BDE5B1EFA1D148815000 SHA-1: 0x576988516B6A303A3B2F2C00A21864EAC2F3594F	(not available)
41	%ProgramFiles%\Flash Media Arts,inc\SWF Video\Video_codec.exe	217,088 bytes	MD5: 0xD3583AC12D068E231C0B1E62C2A7EB49 SHA-1: 0x16D027A8BC926B4C7D49B067ED97C2BC37A43110	(not available)
42	%ProgramFiles%\NetMeeting\netmeet.htm.vscrypt	29,117 bytes	MD5: 0x2227B5DAE9173280EAE28E1595130FF4 SHA-1: 0x9B3A49A08DB06B6DF32B734C19F5803FD178DD81	(not available)
43	%ProgramFiles%\Outlook Express\msoe.txt.vscrypt	133 bytes	MD5: 0x2BB7A20C15D147DFD698CDD4ECD8AB58 SHA-1: 0xE7F326948ED8A5B305614B7936632A32CCF53BA1	(not available)
44	%ProgramFiles%\Windows Media Player\npdrmv2.zip.vscrypt	403 bytes	MD5: 0x0A6F94288FEBB2588B74F69A597BA4B3 SHA-1: 0x00BF8853AB80E6DDB7620EBD17D6401DB6240012	(not available)
45	%ProgramFiles%\Windows Media Player\npds.zip.vscrypt	22,060 bytes	MD5: 0x1307D51CB8B2598228F8A856B67681C7 SHA-1: 0x06DC2ADA80425C14CAD0C0F0BCB99DD625F50E19	(not available)
46	c:\vsworkdir\CSCA1.DLL	3,072 bytes	MD5: 0xB817A4C8CA2479BE0EA7E5DAB1CB4432 SHA-1: 0xD6B221D363DC9598F3649A0EF4F02DB8720DDF68	(not available)
47	c:\vsworkdir\shantazh.jpg	95,675 bytes	MD5: 0x80E1D714045A4402E3992A195F7E7A08 SHA-1: 0xA8FD970247ABB4E7B79D91765907CD4C583FEE53	(not available)
48	%Windir%\OEWABLog.txt.vscrypt	833 bytes	MD5: 0x3CE72638D5E8BEC955D5F2ADCFEEE7AD SHA-1: 0x25E12B2A2A20A21171D4896F2DC7ADBD4F44052A	(not available)
49	%Windir%\pchealth\helpctr\System\blurbs\about_support.htm.vscrypt	2,352 bytes	MD5: 0xE6D47B80E2A2265344257A309D7EE40F SHA-1: 0x07E3D112DCD5FCFCC81CE7A197FF6E640A7ADA49	(not available)
50	%Windir%\pchealth\helpctr\System\blurbs\Favorites.htm.vscrypt	1,453 bytes	MD5: 0xB35E4148F236CDDAAB3E619EA08E9D5F SHA-1: 0xB0C3E4F8561C5388C04BB5BE86B677CB50120180	(not available)
51	%Windir%\pchealth\helpctr\System\blurbs\ftshelp.htm.vscrypt	1,740 bytes	MD5: 0xCC8A51246621516CA36D933EA3EF68F6 SHA-1: 0x1D5AAC23025DC556870441526423FC82DC82F491	(not available)
52	%Windir%\pchealth\helpctr\System\blurbs\History.htm.vscrypt	1,386 bytes	MD5: 0x77B63BB2D8B86FF84F975D2B648B26CA SHA-1: 0x30D4DADB26210E24B10F43AF82AEC85290E51E39	(not available)
53	%Windir%\pchealth\helpctr\System\blurbs\Index.htm.vscrypt	1,477 bytes	MD5: 0x7729506C6821127E06345D8EE6FAAEA2 SHA-1: 0x4966B1F25C9FB2FF8B44E50E9302ED29976A3477	(not available)
54	%Windir%\pchealth\helpctr\System\blurbs\isupport.htm.vscrypt	3,873 bytes	MD5: 0x39B7055155CCE4F5452056155D106C1F SHA-1: 0x05579258609DF49F6C221EE2C0584A8E5B0E96DC	(not available)
55	%Windir%\pchealth\helpctr\System\blurbs\keywordhelp.htm.vscrypt	1,816 bytes	MD5: 0x4D880C06C1E9F5579C9D6E0F14A1C56B SHA-1: 0x3E52EBFFA8A9891A445A205F2C0243999B962A4E	(not available)
56	%Windir%\pchealth\helpctr\System\blurbs\options.htm.vscrypt	1,679 bytes	MD5: 0x34C4376D10B664A3B82DCC6BC022DE4F SHA-1: 0x41FE7F60D64B5189CFEACC36B60CE485FA53FEBE	(not available)
57	%Windir%\pchealth\helpctr\System\blurbs\searchblurb.htm.vscrypt	1,763 bytes	MD5: 0x724DB25807C1A9F04C19F04D81AB3B04 SHA-1: 0xC6FE13AD501949F5064B95C3C0F7319F4F9F0E93	(not available)
58	%Windir%\pchealth\helpctr\System\blurbs\searchtips.htm.vscrypt	10,376 bytes	MD5: 0x4DD5A80ED05EC29171BD6DB618603C7B SHA-1: 0x4D36732A4DC32EF8A48C8977FB588A0DBEFAC2BD	(not available)
59	%Windir%\pchealth\helpctr\System\blurbs\tools.htm.vscrypt	1,411 bytes	MD5: 0x3D612EEF38F95E6FCC81D9DDDF534B9F SHA-1: 0x4CF5CF1AF2D46F5D817E3D734C1DDCF56E595F6E	(not available)
60	%Windir%\pchealth\helpctr\System\blurbs\windows_newsgroups.htm.vscrypt	2,368 bytes	MD5: 0xB41ED49BD53D02EE347CC937A7D04DF9 SHA-1: 0xE76D4E5C0FDA6EC34779FD6F026C1C3996E51EC7	(not available)
61	%Windir%\pchealth\helpctr\System\CompatCtr\AboutCompat.htm.vscrypt	3,155 bytes	MD5: 0x1DA9ABA1D231F07CE15E4B042CB487C0 SHA-1: 0xA1548F40DE3C72FEC9E33298F702C10CB30CAB54	(not available)
62	%Windir%\pchealth\helpctr\System\CompatCtr\CompatMode.htm.vscrypt	77,245 bytes	MD5: 0xA5F09AD4BCA33D55439A5E42043E1E44 SHA-1: 0x47B4ADE0186AC52562088E95611A2C798AA6DF6B	(not available)
63	%Windir%\pchealth\helpctr\System\CompatCtr\CompatOffline.htm.vscrypt	1,340 bytes	MD5: 0x42D4F4A77CF69C9338C9C1DC5838F2ED SHA-1: 0xF6FB2E9FB015DE0FAD4041F83F7B274AA2E1105D	(not available)
64	%Windir%\pchealth\helpctr\System\CompatCtr\LearnCompat.htm.vscrypt	2,588 bytes	MD5: 0x184C5C8FDD59C1D4D86FF0A54C301B50 SHA-1: 0x6BBD1D3ACD58A2F1E04A56271E6D206D2D489FC1	(not available)
65	%Windir%\pchealth\helpctr\System\DVDUpgrd\dvdupgrd.htm.vscrypt	1,656 bytes	MD5: 0xD097730126D3875BF286F2F218D3B0A3 SHA-1: 0xEC4896C710D5E239A75DE7473D0E0596699CDC39	(not available)
66	%Windir%\pchealth\helpctr\System\DVDUpgrd\stripe.jpg.vscrypt	9,264 bytes	MD5: 0xB202E30ACAD7DC5C826D2985EAFEEBDC SHA-1: 0xC4A729D8C90741CB46CA2E12E21A477438D60642	(not available)
67	%Windir%\pchealth\helpctr\System\ErrMsg\ErrorMessagesOffline.htm.vscrypt	880 bytes	MD5: 0x3779DA3105AB42586E4E7FD80DF2A014 SHA-1: 0x698B7071331E4C18548AE2F1ACA05570A06B56BA	(not available)
68	%Windir%\pchealth\helpctr\System\errors\badurl.htm.vscrypt	1,663 bytes	MD5: 0xFA2AA68F4285BFAC24CE02BD1B3DA37D SHA-1: 0x219BB123AE65327DB7C6B83BE4EA47733BA5D21E	(not available)
69	%Windir%\pchealth\helpctr\System\errors\connection.htm.vscrypt	18,852 bytes	MD5: 0xA83019AD0F57B56420430379933F5A59 SHA-1: 0x846EF731DCEA665EC2740370550D4B521B3CBF56	(not available)
70	%Windir%\pchealth\helpctr\System\errors\indexfirstlevel.htm.vscrypt	1,655 bytes	MD5: 0xF66C07B090FF242C219ADC5C17C3B3D5 SHA-1: 0xF5B1980E1A59251DD477900D8DC32AC21EC785CB	(not available)
71	%Windir%\pchealth\helpctr\System\errors\notfound.htm.vscrypt	2,028 bytes	MD5: 0x3F38BD0192BD6FAE6823151DE638692E SHA-1: 0x60B79E0F50B32B2C3A3F8A942FB098BE960417F1	(not available)
72	%Windir%\pchealth\helpctr\System\errors\offline.htm.vscrypt	775 bytes	MD5: 0x1C4184BBC47A932F3C01B61FF867A361 SHA-1: 0x376796DFF85EEB6EA5E7199FC67D29D5757CB0CF	(not available)
73	%Windir%\pchealth\helpctr\System\errors\redirect.htm.vscrypt	1,728 bytes	MD5: 0x9A8F3D8ECA70C820C280335E940F89E1 SHA-1: 0xEB780CC1463AE23090414DDB158C32A579F77F32	(not available)
74	%Windir%\pchealth\helpctr\System\errors\unreachable.htm.vscrypt	1,689 bytes	MD5: 0x6E8CE278849C5E81A592A356694AD825 SHA-1: 0x29AB1DC7ADCDA43AE3E54D6D9B1FA48E5684F386	(not available)
75	%Windir%\pchealth\helpctr\System\Headlines.htm.vscrypt	6,150 bytes	MD5: 0x3AF1B9D13369FC734B4DD70219895B4B SHA-1: 0x0D967D4085DF2C7E2BB6D9EF7CF3B7EB2FCA980E	(not available)
76	%Windir%\pchealth\helpctr\System\HomePage__DESKTOP.htm.vscrypt	7,737 bytes	MD5: 0x7668C115CADD9904456B807AF9120B39 SHA-1: 0xC24654BC55391C7EEEB8785B2B461B52D851CD6D	(not available)
77	%Windir%\pchealth\helpctr\System\HomePage__SERVER.htm.vscrypt	7,355 bytes	MD5: 0x0EDB2B683AD5B80D2654A6EEE99D17C1 SHA-1: 0x301882BA6746F013CD6A2153DB5C3A17EC95F115	(not available)
78	%Windir%\pchealth\helpctr\System\NetDiag\dglogs.htm.vscrypt	55,709 bytes	MD5: 0x47DFA3EA34084558D354F9F9CDDA1514 SHA-1: 0xD1537D569C0E76E57D51857F4AF4639E7F24A758	(not available)
79	%Windir%\pchealth\helpctr\System\NetDiag\dglogshelp.htm.vscrypt	2,654 bytes	MD5: 0xF9C9D2B2A91DAE160F94DB9A3A10A61C SHA-1: 0x828EF7D53559F896AC0C79E106ABF09659A599F3	(not available)
80	%Windir%\pchealth\helpctr\System\panels\AdvSearch.htm.vscrypt	19,520 bytes	MD5: 0x462168664EC6BA1D09E8AD9F110C4E9C SHA-1: 0xD6C7418C1B1AB11D3E570583692A5B6665CD8F75	(not available)
81	%Windir%\pchealth\helpctr\System\panels\blank.htm.vscrypt	608 bytes	MD5: 0x2EC0F5547058210CAED2CFD6E7FC68DE SHA-1: 0x6810008D681F39253FC2B7E740620BD0FA0C321F	(not available)
82	%Windir%\pchealth\helpctr\System\panels\Context.htm.vscrypt	9,174 bytes	MD5: 0x7173D88A93587177D9AC1F30BFE71F3F SHA-1: 0x95CE40F3DDF7E5DB401C1CD6D6C33E10E19347C7	(not available)
83	%Windir%\pchealth\helpctr\System\panels\firstpage.htm.vscrypt	714 bytes	MD5: 0x09C298E8BF81D831C865F9A92C43DE89 SHA-1: 0x7322337CF9DC46439C1469F39C324550761FBC19	(not available)
84	%Windir%\pchealth\helpctr\System\panels\HHWrapper.htm.vscrypt	713 bytes	MD5: 0xF8204F7978B9B2F1A50638EEB0F7ABA2 SHA-1: 0x697B0D2E2880DE7CD45B16F98D6B6AEB07ACA647	(not available)
85	%Windir%\pchealth\helpctr\System\panels\MiniNavBar.htm.vscrypt	4,764 bytes	MD5: 0xB6C3C3B7A7D6962FB1E2904F95BDD202 SHA-1: 0xAA338401AC90CAEAD2AB3C393196359F6621C94A	(not available)
86	%Windir%\pchealth\helpctr\System\panels\NavBar.htm.vscrypt	20,832 bytes	MD5: 0x76AA5EEA5E9C02B7FFCBF9820E01AF1B SHA-1: 0x6C96D2121BC66B35D552015A5F9CA2994976FFA3	(not available)
87	%Windir%\pchealth\helpctr\System\panels\Options.htm.vscrypt	4,418 bytes	MD5: 0xFE0DE8EC5FDCCB4F151AA1AB2D2E7F02 SHA-1: 0xD51DE0A95D331A07B0CA553ABE4E16B78826930E	(not available)
88	%Windir%\pchealth\helpctr\System\panels\RemoteHelp.htm.vscrypt	43,111 bytes	MD5: 0xAE94BE379127173F065C3172FC0D4059 SHA-1: 0x2ED5FD9206DFC635854103C67FF3F090FC4FBA8B	(not available)
89	%Windir%\pchealth\helpctr\System\panels\ShareHelp.htm.vscrypt	4,553 bytes	MD5: 0xF0B481B8500E5BFEA103C58E438F868A SHA-1: 0x3BB083CBAA43C35F710F0069D65718CE3B2EE825	(not available)
90	%Windir%\pchealth\helpctr\System\panels\subpanels\Channels.htm.vscrypt	8,494 bytes	MD5: 0x62F2E5AAE0486304A26BA05EDF1424E4 SHA-1: 0x46323DC172564FDB857795ECAE88A76FA5589CFF	(not available)
91	%Windir%\pchealth\helpctr\System\panels\subpanels\Favorites.htm.vscrypt	8,522 bytes	MD5: 0x230CA6951F8CABB2E59850B72C7D2395 SHA-1: 0x69D0C076B5DE13B53BFB7831A0B25DF621D8C947	(not available)
92	%Windir%\pchealth\helpctr\System\panels\subpanels\History.htm.vscrypt	5,369 bytes	MD5: 0xAC329768173328363256D108CC34B84D SHA-1: 0x318C5BC27096581F94610A906E14CDF2527AE3CD	(not available)
93	%Windir%\pchealth\helpctr\System\panels\subpanels\Index.htm.vscrypt	2,911 bytes	MD5: 0xF2C5E430EF8BE131C1A58DD7078A38EC SHA-1: 0x756410BA9DC5BC35287F7B2F9BC568D50FDB1079	(not available)
94	%Windir%\pchealth\helpctr\System\panels\subpanels\Options.htm.vscrypt	3,465 bytes	MD5: 0x4400521909A92429EB54C97758C83005 SHA-1: 0x747F2C4D32C277E49F2DA392E1327CE1ED23B1BA	(not available)
95	%Windir%\pchealth\helpctr\System\panels\subpanels\Search.htm.vscrypt	37,469 bytes	MD5: 0xDB8876C1AF3F7609676CD08FE1FCB2E0 SHA-1: 0xEA831A72F0F27993657CAB99BE9FCCAF2BBF9925	(not available)
96	%Windir%\pchealth\helpctr\System\panels\subpanels\Subsite.htm.vscrypt	6,520 bytes	MD5: 0xF90207267BB71E4A9A835EF8AF0B143A SHA-1: 0x977296C3787BBCB033EC182F57CAC349D59144DA	(not available)
97	%Windir%\pchealth\helpctr\System\panels\Topics.htm.vscrypt	5,547 bytes	MD5: 0xD2289576498A0C2521F4765CE9FC0A0E SHA-1: 0x0C7CB8BE02488CD51830A8630B29983D84526355	(not available)
98	%Windir%\pchealth\helpctr\System\rc\rcRequest.htm.vscrypt	2,367 bytes	MD5: 0xE3B66B8E104E07B4BD364B234B51ED24 SHA-1: 0x00F12A6EB5D2AEE03101B70B97D0A6975AD81AF6	(not available)
99	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\ConnIssue.htm.vscrypt	5,403 bytes	MD5: 0x6C2794AC7833761DE0C36D4E5B5A564C SHA-1: 0xB6189277AF4E03ACB9B051E489E70C39DC796621	(not available)
100	%Windir%\pchealth\helpctr\System\Remote Assistance\Common\LearnInternet.htm.vscrypt	1,633 bytes	MD5: 0x55D33150BD3704EBA4D1FCEB75B8267D SHA-1: 0x981636A208F5E5F02FE3C963A3186FE1F93198CD	(not available)

Notes:

%CommonDocuments% is a variable that refers to the file system directory that contains documents that are common to all users. A typical paths is C:\Documents and Settings\All Users\Documents.
%Profiles% is a variable that refers to the file system directory containing user profile folders. A typical path is C:\Documents and Settings.
%Templates% is a variable that refers to the file system directory that serves as a common repository for document templates. A typical path is C:\Documents and Settings\[UserName]\Templates.
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following files were deleted:

c:\contacts.html
%CommonDocuments%\My Pictures\Sample Pictures\Sunset.jpg
%CommonDocuments%\My Pictures\Sample Pictures\Winter.jpg
%Profiles%\Default User\Templates\excel.xls
%Profiles%\Default User\Templates\excel4.xls
%Profiles%\Default User\Templates\winword.doc
%Profiles%\Default User\Templates\winword2.doc
%Templates%\excel.xls
%Templates%\excel4.xls
%Templates%\winword.doc
%Templates%\winword2.doc
c:\Inetpub\wwwroot\index.html
c:\Inetpub\wwwroot\index.jpg
[pathname with a string SHARE]\Blank.htm
[pathname with a string SHARE]\Citrus Punch.htm
[pathname with a string SHARE]\Clear Day Bkgrd.jpg
[pathname with a string SHARE]\Clear Day.htm
[pathname with a string SHARE]\Fiesta Bkgrd.jpg
[pathname with a string SHARE]\Fiesta.htm
[pathname with a string SHARE]\Glacier Bkgrd.jpg
[pathname with a string SHARE]\Glacier.htm
[pathname with a string SHARE]\Ivy.htm
[pathname with a string SHARE]\Leaves Bkgrd.jpg
[pathname with a string SHARE]\Leaves.htm
[pathname with a string SHARE]\Maize Bkgrd.jpg
[pathname with a string SHARE]\Maize.htm
[pathname with a string SHARE]\Nature Bkgrd.jpg
[pathname with a string SHARE]\Nature.htm
[pathname with a string SHARE]\Network Blitz.htm
[pathname with a string SHARE]\Pie Charts Bkgrd.jpg
[pathname with a string SHARE]\Pie Charts.htm
[pathname with a string SHARE]\Sunflower Bkgrd.jpg
[pathname with a string SHARE]\Sunflower.htm
[pathname with a string SHARE]\Sweets.htm
[pathname with a string SHARE]\Technical.htm
%ProgramFiles%\Common Files\System\ado\MDACReadme.htm
%ProgramFiles%\Common Files\System\Ole DB\MSDASC.TXT
%ProgramFiles%\Common Files\System\Ole DB\MSDASQLreadme.txt
%ProgramFiles%\NetMeeting\netmeet.htm
%ProgramFiles%\Outlook Express\msoe.txt
%ProgramFiles%\Windows Media Player\npdrmv2.zip
%ProgramFiles%\Windows Media Player\npds.zip
%Windir%\OEWABLog.txt
%Windir%\pchealth\helpctr\System\blurbs\about_support.htm
%Windir%\pchealth\helpctr\System\blurbs\Favorites.htm
%Windir%\pchealth\helpctr\System\blurbs\ftshelp.htm
%Windir%\pchealth\helpctr\System\blurbs\History.htm
%Windir%\pchealth\helpctr\System\blurbs\Index.htm
%Windir%\pchealth\helpctr\System\blurbs\isupport.htm
%Windir%\pchealth\helpctr\System\blurbs\keywordhelp.htm
%Windir%\pchealth\helpctr\System\blurbs\options.htm
%Windir%\pchealth\helpctr\System\blurbs\searchblurb.htm
%Windir%\pchealth\helpctr\System\blurbs\searchtips.htm
%Windir%\pchealth\helpctr\System\blurbs\tools.htm
%Windir%\pchealth\helpctr\System\blurbs\windows_newsgroups.htm
%Windir%\pchealth\helpctr\System\CompatCtr\AboutCompat.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatMode.htm
%Windir%\pchealth\helpctr\System\CompatCtr\CompatOffline.htm
%Windir%\pchealth\helpctr\System\CompatCtr\LearnCompat.htm
%Windir%\pchealth\helpctr\System\DVDUpgrd\dvdupgrd.htm
%Windir%\pchealth\helpctr\System\DVDUpgrd\stripe.jpg
%Windir%\pchealth\helpctr\System\ErrMsg\ErrorMessagesOffline.htm
%Windir%\pchealth\helpctr\System\errors\badurl.htm
%Windir%\pchealth\helpctr\System\errors\connection.htm
%Windir%\pchealth\helpctr\System\errors\indexfirstlevel.htm
%Windir%\pchealth\helpctr\System\errors\notfound.htm
%Windir%\pchealth\helpctr\System\errors\offline.htm
%Windir%\pchealth\helpctr\System\errors\redirect.htm
%Windir%\pchealth\helpctr\System\errors\unreachable.htm
%Windir%\pchealth\helpctr\System\Headlines.htm
%Windir%\pchealth\helpctr\System\HomePage__DESKTOP.htm
%Windir%\pchealth\helpctr\System\HomePage__SERVER.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogs.htm
%Windir%\pchealth\helpctr\System\NetDiag\dglogshelp.htm
%Windir%\pchealth\helpctr\System\panels\AdvSearch.htm
%Windir%\pchealth\helpctr\System\panels\blank.htm
%Windir%\pchealth\helpctr\System\panels\Context.htm
%Windir%\pchealth\helpctr\System\panels\firstpage.htm
%Windir%\pchealth\helpctr\System\panels\HHWrapper.htm
%Windir%\pchealth\helpctr\System\panels\MiniNavBar.htm
%Windir%\pchealth\helpctr\System\panels\NavBar.htm
%Windir%\pchealth\helpctr\System\panels\Options.htm
%Windir%\pchealth\helpctr\System\panels\RemoteHelp.htm
%Windir%\pchealth\helpctr\System\panels\ShareHelp.htm
%Windir%\pchealth\helpctr\System\panels\subpanels\Channels.htm
%Windir%\pchealth\helpctr\System\panels\subpanels\Favorites.htm
%Windir%\pchealth\helpctr\System\panels\subpanels\History.htm
%Windir%\pchealth\helpctr\System\panels\subpanels\Index.htm
%Windir%\pchealth\helpctr\System\panels\subpanels\Options.htm
%Windir%\pchealth\helpctr\System\panels\subpanels\Search.htm
%Windir%\pchealth\helpctr\System\panels\subpanels\Subsite.htm
%Windir%\pchealth\helpctr\System\panels\Topics.htm
%Windir%\pchealth\helpctr\System\rc\rcRequest.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\ConnIssue.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\LearnInternet.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\RAHelp.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Common\RCMoreInfo.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\helpeeaccept.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\Interaction\Client\setting.htm
%Windir%\pchealth\helpctr\System\Remote Assistance\RAStartPage.htm

The following directories were created:

%ProgramFiles%\Flash Media Arts,inc
c:\vsworkdir
%ProgramFiles%\Flash Media Arts,inc\SWF Video

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
svchost.exe	%ProgramFiles%\flash media arts,inc\swf video\svchost.exe	544,768 bytes
Video_codec.exe	%ProgramFiles%\Flash Media Arts,inc\SWF Video\Video_codec.exe	217,088 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SWF Video 9.0
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

2 = "%ProgramFiles%\Flash Media Arts,inc\SWF Video\Video_codec.exe"

so that Video_codec.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SWF Video 9.0]

DisplayName = "SWF Video 9.0"
DisplayIcon = "%ProgramFiles%\Flash Media Arts,inc\SWF Video\Uninstall.exe"
UninstallString = "%ProgramFiles%\Flash Media Arts,inc\SWF Video\Uninstall.exe"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]

ConvertedWallpaper = "C:\vsworkdir\shantazh.jpg"
ConvertedWallpaper Last WriteTime = F4 6E 2E 51 00 E3 C9 01
Pattern = ""

[HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]

FriendlyName = "Default MidiOut Device"
CLSID = "{07B65360-C445-11CE-AFDE-00AA006C14F4}"
FilterData = 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 38 00 00 00 48 00 00 00 6D 69 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71 00 00 00 00 00 00 00 00 00 00 00 0
MidiOutId = 0xFFFFFFFF

[HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]

FriendlyName = "Default DirectSound Device"
CLSID = "{79376820-07D0-11CF-A24D-0020AFD79767}"
FilterData = 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 A8 00 00 00 B8 00 00 00 31 74 79 33 00 00 00 00 A8 00 00 00 C8 00 00 00 32 74 79 33 00 00 00 00 A8 00 00 0
DSGuid = "{00000000-0000-0000-0000-000000000000}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]

BackupWallpaper = "%USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Wallpaper = "%USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]

0 = E0 5A 00 00 65 68 63 66 00 00 00 00 00 00 00 00 02 01 00 00 00 00 00 00 01 00 20 00 49 00 00 00 40 00 64 00 65 00 76 00 69 00 63 00 65 00 3A 00 64 00 6D 00 6F 00 3A 00 7B 00 32 00 45 00 45 00 42 00 34 00 41 00 44 00 46 00 2D 00 34 00 35 00 37 00 38 0

The following Registry Value was deleted:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]

BackupWallpaper = ""
Wallpaper = ""

The following Registry Values were modified:

[HKEY_CURRENT_USER\Control Panel\Desktop]

Wallpaper = "%AppData%\Microsoft\Wallpaper1.bmp"
OriginalWallpaper = "%AppData%\Microsoft\Wallpaper1.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]

WallpaperFileTime = 3A 32 52 51 00 E3 C9 01
WallpaperLocalFileTime = 3A 5A F3 A4 C5 E2 C9 01

Other details

To mark the presence in the system, the following Mutex object was created:

)!VoqA.I4

The following Host Name was requested from a host database:

antivirusubdate.no-ip.biz

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
antivirusubdate.no-ip.biz	3460

A system request is initiated to shut down and then restart the system.

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 3460:

00000000 | 22A6 22FE 5FD5 2099 8E4D 3FA7 DB00 C526 | "."._. ..M?....&
00000010 | 9CD4 08AA 43BC 569D 9C74 86E3 C170 537E | ....C.V..t...pS~
00000020 | FA14 232E 6A38 AF67 060A 1D61 8DD7 8A70 | ..#.j8.g...a...p
00000030 | 678E 6EF5 6566 3277 29C4 0819 0E36 7063 | g.n.ef2w)....6pc
00000040 | 8063 2C69 9A2F CE89 D158 4F5E D13E 499D | .c,i./...XO^.>I.
00000050 | 8DB9 5E20 4FC7 DE7A 67EB 2C50 2F65 2487 | ..^ O..zg.,P/e$.
00000060 | 803B 38B7 3335 C3D2 A1F0 2BF4 7438 227D | .;8.35....+.t8"}
00000070 | 68E7 A40E B354 551A F542 4F88 D011 B104 | h....TU..BO.....
00000080 | 26A0 4034 2760 6A0F B83C 3960 3EB5 204A | &.@4'`j..<9`>. J
00000090 | A057 0463 7A9D A1D5 B3F4 33BA 17A9 3403 | .W.cz.....3...4.
000000A0 | D562 D186 C0D5 45C5 F2DE 61DA 7F5C FEF7 | .b....E...a..\..
000000B0 | EF8B 473E 6844 6B07 A7CB DBA8 159C 6B67 | ..G>hDk.......kg
000000C0 | 63D6 708D AEAF ED2F 4C83 FFD8 588C 52A4 | c.p..../L...X.R.
000000D0 | 1DAA 549C A092 CBFA 78AB F7C5 AD3F A22C | ..T.....x....?.,
000000E0 | A3C0 DA51 07D9 3EBE C0C2 CAA1 74AE 3996 | ...Q..>.....t.9.
000000F0 | 83E7 2E69 3404 E10B 2407 D190 1954 A215 | ...i4...$....T..

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.