Submission Summary:

• Submission details:
• Submission received: 7 May 2009, 03:12:12
• Processing time: 9 min 45 sec
• Submitted sample:
• File MD5: 0x597D74008FBF3540649A71415F719C73
• File SHA-1: 0xE0B5A2BB77C0467BAFB372E50CF9A5D64D733019
• Filesize: 2,515,312 bytes
• Alias:
• not-a-virus:FraudTool.Win32.Agent.dx [Kaspersky Lab]
• Troj/FakeVir-IQ [Sophos]
• Trojan.Generic [Ikarus]

• Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\asdasd.asdasd c:\proc.id	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%CommonPrograms%\Intelinet\Intelinet.lnk	652 bytes	MD5: 0xD3AC6467C0BC610166440F5D525BC84C SHA-1: 0x69F7626B5547C0F095AB354F8E1A497F21373138	(not available)
3	%CommonPrograms%\Intelinet\Uninstall Intelinet.lnk	647 bytes	MD5: 0x12C642EA3A697BE8F51C672517A6C7D7 SHA-1: 0xF09B8D01743B81FD918439467B5DBC4DAD076363	(not available)
4	%ProgramFiles%\Intelinet\BCKManager.dll	120,088 bytes	MD5: 0x5D009DDCCF799D63EAA5F1AC9078EE1F SHA-1: 0xA4EB410400135395A0474BB09E762630A6830F8D	(not available)
5	%ProgramFiles%\Intelinet\CheckRegistry.dll	95,512 bytes	MD5: 0x879A967E257FCA7EEF4A6C6CAC635AB7 SHA-1: 0x32A20F9E479018262C692D78B5A33A84AD6390EB	(not available)
6	%ProgramFiles%\Intelinet\Database\Immunizer.db	130,559 bytes	MD5: 0xC20F0B46E53A85619F90C8988912DBA1 SHA-1: 0x9948FF592263FC1E7258892BA6B303DBA69D7271	(not available)
7	%ProgramFiles%\Intelinet\Database\Spyware.db	693,812 bytes	MD5: 0x60E0554A06546014128C724D8748C8FA SHA-1: 0x68998DB061B6FE62D8EF7E2FFF2BA4871605C18A	(not available)
8	%ProgramFiles%\Intelinet\hashes.md5	291,648 bytes	MD5: 0x1C19C76F909460CFAA88EC90D2314441 SHA-1: 0x6B7023D62E8CBE443552BBABAAE79CB212895F3B	(not available)
9	%ProgramFiles%\Intelinet\intelin2.exe	861,464 bytes	MD5: 0xA45727B9DE964DA960CE7EEAD9E4A7BE SHA-1: 0xE00A399D2AB74BFAD9088C415E24892A6D74BF2C	Adware.Gen [Symantec] not-a-virus:FraudTool.Win32.Agent.dx [Kaspersky Lab] Generic PUP.x [McAfee] Troj/FakeVir-IQ [Sophos] Program:Win32/Intelinet [Microsoft] PHISH [Ikarus]
10	%ProgramFiles%\Intelinet\Intelinet.exe	7,382,296 bytes	MD5: 0x867DE1AB5DCEE1AE73BC4FD26FC4E7E5 SHA-1: 0xFC901CD5AA907B36CD35CDE8FC1359EFC92019AB	Adware.Gen [Symantec] not-a-virus:FraudTool.Win32.Agent.dx [Kaspersky Lab] Troj/FakeVir-IQ [Sophos] Trojan.Generic [Ikarus]
11	%ProgramFiles%\Intelinet\ListLogs.dll	29,976 bytes	MD5: 0xF46C6400D8976713D71597E233E337E0 SHA-1: 0x95C63C7999605F6EADC4FC7E44C15B366F68840B	(not available)
12	%ProgramFiles%\Intelinet\Logs\2009_05_07.log	118,312 bytes	MD5: 0x1745815D0EB2CCE0DD4FDEC89AA43D84 SHA-1: 0x8A382B56C35276F1E25E2F734211157AAA64A1F2	(not available)
13	%ProgramFiles%\Intelinet\ManageRegistry.dll	50,456 bytes	MD5: 0x97758BE9A626074960E8E9F8FC6D9E41 SHA-1: 0x8A7BE84F27821567EED0FDC4F6CFA3A3B0FA78BA	(not available)
14	%ProgramFiles%\Intelinet\MFC71.dll	1,060,864 bytes	MD5: 0xF35A584E947A5B401FEB0FE01DB4A0D7 SHA-1: 0x664DC99E78261A43D876311931694B6EF87CC8B9	(not available)
15	%ProgramFiles%\Intelinet\msvcp71.dll	499,712 bytes	MD5: 0x561FA2ABB31DFA8FAB762145F81667C2 SHA-1: 0xC8CCB04EEDAC821A13FAE314A2435192860C72B8	(not available)
16	%ProgramFiles%\Intelinet\msvcr71.dll	348,160 bytes	MD5: 0x86F1895AE8C5E8B17D99ECE768A70732 SHA-1: 0xD5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA	(not available)
17	%ProgramFiles%\Intelinet\SpywareGuard.dll	70,936 bytes	MD5: 0x36F9EAB3E60EBB9E1CAB024A87AC933E SHA-1: 0x87710382257006688F4FC7FFF5488755F0C911E1	(not available)
18	%ProgramFiles%\Intelinet\Spywarehandler.dll	148,760 bytes	MD5: 0x8FE65B5B96CCA56F0CC0AF8F71A27D96 SHA-1: 0x0DC24E1A16D865B1CF376E74B1B4183D3709BE22	(not available)
19	%ProgramFiles%\Intelinet\unins000.dat	3,781 bytes	MD5: 0x0791D1242EFDFBBDEC7F74957EC0833D SHA-1: 0xAE4C7F61DB94DF5CB8B2674B00A3C9616D48737C	(not available)
20	%ProgramFiles%\Intelinet\unins000.exe	691,481 bytes	MD5: 0x53475C2D8D633FF99FF2A14B5DE6DBD9 SHA-1: 0xF0C8357791849703DF7508284A7AFCECD8AABCCD	(not available)
21	[file and pathname of the sample #1]	2,515,312 bytes	MD5: 0x597D74008FBF3540649A71415F719C73 SHA-1: 0xE0B5A2BB77C0467BAFB372E50CF9A5D64D733019	not-a-virus:FraudTool.Win32.Agent.dx [Kaspersky Lab] Troj/FakeVir-IQ [Sophos] Trojan.Generic [Ikarus]

• Notes:
• %CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

• The following directories were created:
• %CommonPrograms%\Intelinet
• %ProgramFiles%\Intelinet
• %ProgramFiles%\Intelinet\Backup
• %ProgramFiles%\Intelinet\Database
• %ProgramFiles%\Intelinet\Logs

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
intelin2.exe	%ProgramFiles%\intelinet\intelin2.exe	1,196,032 bytes
intelinet.exe	%ProgramFiles%\intelinet\intelinet.exe	7,376,896 bytes
IEXPLORE.EXE	%ProgramFiles%\Internet Explorer\IEXPLORE.EXE	102,400 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes
[filename of the sample #1 without extension].tmp	%Temp%\is-FQ2K8.tmp\[filename of the sample #1 without extension].tmp	741,376 bytes

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

• There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
Intelinet.exe	%ProgramFiles%\intelinet\intelinet.exe	7,380,992 bytes

• There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
IntelinetSecure	IntelinetSecure	"Running"	%ProgramFiles%\intelinet\intelin2.exe

• The following system service was modified:

• Notes:
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Intelinet_is1
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INTELINETSECURE
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INTELINETSECURE\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INTELINETSECURE\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MESSENGER
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MESSENGER\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MESSENGER\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelinetSecure
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelinetSecure\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelinetSecure\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELINETSECURE
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELINETSECURE\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELINETSECURE\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESSENGER
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESSENGER\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESSENGER\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelinetSecure
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelinetSecure\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelinetSecure\Enum
• HKEY_CURRENT_USER\Software\Intelinet
• HKEY_CURRENT_USER\Software\Intelinet\General
• HKEY_CURRENT_USER\Software\Intelinet\Leftover
• HKEY_CURRENT_USER\Software\Intelinet\Logging
• HKEY_CURRENT_USER\Software\Intelinet\Registration
• HKEY_CURRENT_USER\Software\Intelinet\RescanAndClean
• HKEY_CURRENT_USER\Software\Intelinet\Scheduler
• HKEY_CURRENT_USER\Software\Intelinet\Update
• HKEY_CURRENT_USER\Software\SpyClean
• HKEY_CURRENT_USER\Software\SpyClean\General

• The following Registry Keys were deleted:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Intelinet_is1]
• Inno Setup: Setup Version = "5.2.2"
• Inno Setup: App Path = "%ProgramFiles%\Intelinet"
• InstallLocation = "%ProgramFiles%\Intelinet\"
• Inno Setup: Icon Group = "Intelinet"
• Inno Setup: User = "%UserName%"
• Inno Setup: Selected Tasks = ""
• Inno Setup: Deselected Tasks = "desktopicon,quicklaunchicon"
• DisplayName = "Intelinet 3.1.0"
• UninstallString = ""%ProgramFiles%\Intelinet\unins000.exe""
• QuietUninstallString = ""%ProgramFiles%\Intelinet\unins000.exe" /SILENT"
• Publisher = "Intelinet, Inc."
• NoModify = 0x00000001
• NoRepair = 0x00000001
• InstallDate = "20090507"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INTELINETSECURE\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "IntelinetSecure"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INTELINETSECURE\0000]
• Service = "IntelinetSecure"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "IntelinetSecure"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INTELINETSECURE]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MESSENGER\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "Messenger"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MESSENGER\0000]
• Service = "Messenger"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Messenger"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MESSENGER]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelinetSecure\Enum]
• 0 = "Root\LEGACY_INTELINETSECURE\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelinetSecure\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelinetSecure]
• Type = 0x00000110
• Start = 0x00000003
• ErrorControl = 0x00000000
• ImagePath = "%ProgramFiles%\intelinet\intelin2.exe"
• DisplayName = "IntelinetSecure"
• ObjectName = "LocalSystem"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELINETSECURE\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "IntelinetSecure"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELINETSECURE\0000]
• Service = "IntelinetSecure"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "IntelinetSecure"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INTELINETSECURE]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESSENGER\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "Messenger"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESSENGER\0000]
• Service = "Messenger"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Messenger"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESSENGER]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelinetSecure\Enum]
• 0 = "Root\LEGACY_INTELINETSECURE\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelinetSecure\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelinetSecure]
• Type = 0x00000110
• Start = 0x00000003
• ErrorControl = 0x00000000
• ImagePath = "%ProgramFiles%\intelinet\intelin2.exe"
• DisplayName = "IntelinetSecure"
• ObjectName = "LocalSystem"
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• Intelinet = "%ProgramFiles%\Intelinet\Intelinet.exe"

so that Intelinet.exe runs every time Windows starts

• [HKEY_CURRENT_USER\Software\Intelinet\Update]
• AppVersion = "3.0.1"
• [HKEY_CURRENT_USER\Software\Intelinet\Scheduler]
• OnScheduler = 0x00000000
• [HKEY_CURRENT_USER\Software\Intelinet\RescanAndClean]
• stat = 0x00000000
• [HKEY_CURRENT_USER\Software\Intelinet\General]
• FirstRun = 0x00000001
• FixedErrors = 0x00000000
• TotalErrors = 0x00000195
• GreenFlag = 0x00000000
• LastScan = D9 07 05 00 04 00 07 00 04 00 0D 00 34 00 00 00
• [HKEY_CURRENT_USER\Software\SpyClean\General]
• AutoImmunize = 0x00000001

• The following Registry Values were deleted:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
• Compatibility Flags = 0x00000400
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}]
• Compatibility Flags = 0x00000400
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}]
• Compatibility Flags = 0x00020000

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) = 0x0000000C
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) = 0x0000000C

Other details

• Analysis of the file resources indicate the following possible countries of origin:

	Russian Federation
	Netherlands

• To mark the presence in the system, the following Mutex objects were created:
• {4F0423F2-E7A5-4B22-86AF-EA341544A76F}
• 2AC1A572DB6944B0A65C38C4140AF2F46a80039F4E8
• .NET CLR Data_Perf_Library_Lock_PID_6a8
• .NET CLR Networking_Perf_Library_Lock_PID_6a8
• .NET Data Provider for Oracle_Perf_Library_Lock_PID_6a8
• .NET Data Provider for SqlServer_Perf_Library_Lock_PID_6a8
• .NETFramework_Perf_Library_Lock_PID_6a8
• ASP.NET_Perf_Library_Lock_PID_6a8
• ASP.NET_2.0.50727_Perf_Library_Lock_PID_6a8
• aspnet_state_Perf_Library_Lock_PID_6a8
• ContentFilter_Perf_Library_Lock_PID_6a8
• ContentIndex_Perf_Library_Lock_PID_6a8
• ISAPISearch_Perf_Library_Lock_PID_6a8
• PerfDisk_Perf_Library_Lock_PID_6a8
• PerfNet_Perf_Library_Lock_PID_6a8
• PerfOS_Perf_Library_Lock_PID_6a8
• PerfProc_Perf_Library_Lock_PID_6a8
• PSched_Perf_Library_Lock_PID_6a8
• RemoteAccess_Perf_Library_Lock_PID_6a8
• RSVP_Perf_Library_Lock_PID_6a8
• Spooler_Perf_Library_Lock_PID_6a8
• TapiSrv_Perf_Library_Lock_PID_6a8
• Tcpip_Perf_Library_Lock_PID_6a8
• TermService_Perf_Library_Lock_PID_6a8
• WmiApRpl_Perf_Library_Lock_PID_6a8
• _SHuassist.mtx
• 2AC1A572DB6944B0A65C38C4140AF2F475c0039F4E8