ThreatExpert Report: Trojan.Zlob, Mal/Generic-L, Trojan-PWS, Trojan.Win32.Starter..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 20 October 2012, 16:05:51
Processing time: 10 min 14 sec
Submitted sample:

File MD5: 0x626AAEDB2FD3CBEABFDC5B8F7A6855C5
File SHA-1: 0xDB9FA3D3E1138A7791B2B63900FEEDD45E3EC921
Filesize: 988,031 bytes
Alias:

Trojan.Zlob [Symantec]
Mal/Generic-L [Sophos]
Trojan-PWS [Ikarus]

Summary of the findings:

What's been found	Severity Level
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\WinRAR\WinRAR.lnk	632 bytes	MD5: 0x96DCEDE99D5E43DDC028A80EEFEE7337 SHA-1: 0x27B5BD68425C6336E41CFE0AE65BB919754BBE56	(not available)
2	%Programs%\WinRAR\WinRAR.lnk	632 bytes	MD5: 0x852F670EB28BCB7B450ABD93C01E7A22 SHA-1: 0x83FA8695CBC815E47ADA7AB3C62983E00885FBC6	(not available)
3	%ProgramFiles%\WinRAR\Default.sfx	54,272 bytes	MD5: 0xF7799DD28759CF8CF161918E5902D13C SHA-1: 0xB70FF42DDBDF47AF7A0FF8138AF8B14ED51127A3	Trojan.Win32.Starter [Ikarus] Win-Trojan/Starter.107008 [AhnLab] packed with UPX [Kaspersky Lab]
4	%ProgramFiles%\WinRAR\Descript.ion	1,020 bytes	MD5: 0x1F0E02F803850A5F99C6834EC9CD76AE SHA-1: 0x3E8F4FCA6E90E3F6CAFAC331A672EBEC41CE20D3	(not available)
5	%ProgramFiles%\WinRAR\Dos.SFX	95,020 bytes	MD5: 0x767C2700FFC1F69784FB12EDD4B44CF2 SHA-1: 0x46C5D89515293706BC4AE2906E09F9F976C9BC72	(not available)
6	%ProgramFiles%\WinRAR\File_Id.diz	418 bytes	MD5: 0x6337CC95A17DEAFA2F33BCA8EC51B314 SHA-1: 0x69D3B19335ADCB6B40702319C5B879D42A53E28F	(not available)
7	%ProgramFiles%\WinRAR\Formats\ace.fmt	56,320 bytes	MD5: 0x7012185FB6CD9B8EE11AFC8E262418F9 SHA-1: 0x033821A460D654AF6A79E02FFB28C05BFFD706F4	(not available)
8	%ProgramFiles%\WinRAR\Formats\arj.fmt	53,248 bytes	MD5: 0x09DF9D178708CE08D7C5529D296E816A SHA-1: 0xAF4AF886F2CC6BABB36859ACC6699C8455943541	(not available)
9	%ProgramFiles%\WinRAR\Formats\bz2.fmt	72,192 bytes	MD5: 0x668BD1E5259217A8E4E1FB8C709D2016 SHA-1: 0xC62C6237F92A6E2C0ACED26374E3708FC15306BA	(not available)
10	%ProgramFiles%\WinRAR\Formats\cab.fmt	50,176 bytes	MD5: 0xEDDFEF59076B013582072ED71E765171 SHA-1: 0x27F23B927D442D7342BA9CC7D586E1AE8EE7F6A7	(not available)
11	%ProgramFiles%\WinRAR\Formats\gz.fmt	61,952 bytes	MD5: 0x71C18CBC4EA7FC88C5A86B474609F56C SHA-1: 0x8A467CC3AD79B68F70F8E8C25B6AC7469C7655E7	(not available)
12	%ProgramFiles%\WinRAR\Formats\iso.fmt	50,176 bytes	MD5: 0x8187CE1BEA536D7CF8F9CF9A9C7334DC SHA-1: 0x0E079D3FADBFEDC4B8B339132441D882942B4735	(not available)
13	%ProgramFiles%\WinRAR\Formats\lzh.fmt	57,856 bytes	MD5: 0x998746E93811FA7E313AEA047109EECF SHA-1: 0xCDAC9C9D39D4FB67E69A31539CD8FB6AA03215E5	(not available)
14	%ProgramFiles%\WinRAR\Formats\tar.fmt	53,760 bytes	MD5: 0x4EB354CB85216762722EC06BA16F7AB3 SHA-1: 0xDDDD25D4FCCDB0D4F843F699E57BB566DB334581	(not available)
15	%ProgramFiles%\WinRAR\Formats\UNACEV2.DLL	75,264 bytes	MD5: 0x7FE66F3BD9CBB998D56EF60D511FF06F SHA-1: 0xDFD7AF26DD22DFDE03B78E835AAAA1569737A6C3	(not available)
16	%ProgramFiles%\WinRAR\Formats\uue.fmt	48,128 bytes	MD5: 0x19DE34D005C696AC2D30F5046AE9234D SHA-1: 0x263F21A8219C66F823256BC81F117C1D9A621056	(not available)
17	%ProgramFiles%\WinRAR\License.txt	8,717 bytes	MD5: 0x1003BD5321449A29F85A9FC14177643E SHA-1: 0xCC68A81B954C91FD968E0481C08770D41FD36B39	(not available)
18	%ProgramFiles%\WinRAR\Order.txt	3,282 bytes	MD5: 0x82A420488F469AE5E5A3ACAE90D9F216 SHA-1: 0x0E8619A9B2D12BC4B1CFCFB0ACD71F66E3BD154C	(not available)
19	%ProgramFiles%\WinRAR\Rar.exe	310,276 bytes	MD5: 0xDA4E476F31D0D81FF01376CF6B458C75 SHA-1: 0x11754FB9C2F7540ADF8AAFD0CD678428406B71CF	(not available)
20	%ProgramFiles%\WinRAR\Rar.txt	39,981 bytes	MD5: 0x41B03CFC60E6FE9C35B9AB5360C35F50 SHA-1: 0xC6A28AF55D06DE0A1EBD81AC2BAFC529B1AD3EAB	(not available)
21	%ProgramFiles%\WinRAR\RarExt.dll	119,808 bytes	MD5: 0x5376050192B2A469EEA3BE180E60BA35 SHA-1: 0xA2D0A805A50169603682A391EA6BC578BF28F5F3	(not available)
22	%ProgramFiles%\WinRAR\RarFiles.lst	838 bytes	MD5: 0x52AD256208D7A80B5834C25F7D199EDF SHA-1: 0x40156BD8826E7CD25BCB4F7EF19C3543B53954E6	(not available)
23	%ProgramFiles%\WinRAR\rarnew.dat	20 bytes	MD5: 0xAD08FE53A5E484EA568D60544EF3F05C SHA-1: 0x18629208273779DFA28472D5DA28542B69B4DFD2	(not available)
24	%ProgramFiles%\WinRAR\rarreg.key	476 bytes	MD5: 0xDB4B3352188B68274A5D1E211DEB86A7 SHA-1: 0x2D61606E78977270613E28C76B87ABBA2F433A23	(not available)
25	%ProgramFiles%\WinRAR\Rar_Site.txt	10,337 bytes	MD5: 0x58BF84E1D5C383CA32E522E625B449C9 SHA-1: 0x3EC77ADA26C429F5085CBD4A2A6A6609B8230B4F	(not available)
26	%ProgramFiles%\WinRAR\ReadMe.txt	1,148 bytes	MD5: 0xDC36B3F691CBCFA57F4AF29C11CB6F17 SHA-1: 0xB1FD11E8B36699E2E633EA3129EDC5C2B362DF29	(not available)
27	%ProgramFiles%\WinRAR\Register.txt	1,965 bytes	MD5: 0x37B8CEB8DD96E54B78873E4673AF40E3 SHA-1: 0x07DF2AE6C865E3AB9EE3BAA61EA02672534E32C9	(not available)
28	%ProgramFiles%\WinRAR\TechNote.txt	7,163 bytes	MD5: 0xA021CA9D82DF0D9E4F8FFD9AE2056FFD SHA-1: 0x9E1172A0BC6422FC643C16E47BD3B5762E7BF59A	(not available)
29	%ProgramFiles%\WinRAR\Uninstall.exe	94,720 bytes	MD5: 0xE3B5F10021DE70D977256B8F47F03994 SHA-1: 0x44B887522E03DAC2BDF0D09765EAAC80E8C9D8FC	(not available)
30	%ProgramFiles%\WinRAR\Uninstall.lst	621 bytes	MD5: 0x0B34303DB18E4B48AD3B071EE2681740 SHA-1: 0x7C11C677F29FB096320A7F63F84CC8C9F028B5F2	(not available)
31	%ProgramFiles%\WinRAR\UnRAR.exe	214,016 bytes	MD5: 0xB99E0B2BD820C3C101216B7E9698BB30 SHA-1: 0xD86B3A638EC0C6BB78430106D6844532A25A090F	(not available)
32	%ProgramFiles%\WinRAR\UnrarSrc.txt	105 bytes	MD5: 0x774FAD2FDE5C2E4704F4F938F831A036 SHA-1: 0x610529EDACF37FDADE18827B16B7EF86AC53DAD5	(not available)
33	%ProgramFiles%\WinRAR\WhatsNew.txt	7,418 bytes	MD5: 0xCB69EC450CD368A4E284671B1FF801F4 SHA-1: 0xE4E8112907F7976137C74DAA173CA12EE8FA879A	(not available)
34	%ProgramFiles%\WinRAR\WinCon.SFX	40,448 bytes	MD5: 0x1C9145CC26C7EB8CA8D3F8506C66CA6F SHA-1: 0xCB7469A1362F67A24BB8CC2135F174BE0C1B6EF4	Trojan.Inject [Ikarus] packed with UPX [Kaspersky Lab]
35	%ProgramFiles%\WinRAR\WinRAR.cnt	7,057 bytes	MD5: 0xB1A5E95BB5CE11C2CE4201A30325B4AF SHA-1: 0x86438C59B95DCA17493B7511793B17989C8F9444	(not available)
36	%ProgramFiles%\WinRAR\WinRAR.exe	812,032 bytes	MD5: 0x3BA45F1D32F52DF4509FF88F46610C61 SHA-1: 0xBD3C8C40628A00A97166610EB8DDB6C106A5EA70	possible-Threat.Crack.WinRar [Ikarus]
37	%ProgramFiles%\WinRAR\WinRAR.hlp	322,513 bytes	MD5: 0x8AC3BDA017FFA00D45C2FAAFBE74210A SHA-1: 0xA7A40F0C42B521A469342D89E1CBD821CDC8D499	(not available)
38	%ProgramFiles%\WinRAR\Zip.SFX	37,888 bytes	MD5: 0x2F6527F65475F226FBE2DB1B27F0758D SHA-1: 0x768465B23A4E371B4F176FB1BD9027BF26504008	Trojan.Zlob [Symantec] Trojan-PWS [Ikarus] Win-Trojan/Xema.variant [AhnLab] packed with UPX [Kaspersky Lab]
39	%ProgramFiles%\WinRAR\zipnew.dat	22 bytes	MD5: 0x76CDB2BAD9582D23C1F6F4D868218D6C SHA-1: 0xB04F3EE8F5E43FA3B162981B50BB72FE1ACABB33	(not available)
40	%ProgramFiles%\WinRAR\????.TXT	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
41	[file and pathname of the sample #1]	988,031 bytes	MD5: 0x626AAEDB2FD3CBEABFDC5B8F7A6855C5 SHA-1: 0xDB9FA3D3E1138A7791B2B63900FEEDD45E3EC921	Trojan.Zlob [Symantec] Mal/Generic-L [Sophos] Trojan-PWS [Ikarus] packed with UPX [Kaspersky Lab]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%CommonPrograms%\WinRAR
%Programs%\WinRAR
%ProgramFiles%\WinRAR
%ProgramFiles%\WinRAR\Formats

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
uninstall.exe	%ProgramFiles%\WinRAR\uninstall.exe	126,976 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	122,880 bytes
rar.exe	%ProgramFiles%\winrar\rar.exe	380,928 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zip\ShellNew
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.arj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iso
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lha
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lzh
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r00
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r01
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r02
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r03
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r04
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r05
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r06
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r07
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r08
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r09
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r10
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r11
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r12
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r13
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r14
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r15
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r16
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r17
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r18
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r19
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r20
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r21
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r22
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r23
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r24
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r25
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r26
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r27
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r28
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r29
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rar\ShellNew
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rev
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tbz
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tbz2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.uu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.uue
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xxe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WRTE.Document.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WRTE.Document.1\UID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
HKEY_CURRENT_USER\Software\WinRAR
HKEY_CURRENT_USER\Software\WinRAR\Formats
HKEY_CURRENT_USER\Software\WinRAR\Formats\ace.fmt
HKEY_CURRENT_USER\Software\WinRAR\Formats\arj.fmt
HKEY_CURRENT_USER\Software\WinRAR\Formats\bz2.fmt
HKEY_CURRENT_USER\Software\WinRAR\Formats\cab.fmt
HKEY_CURRENT_USER\Software\WinRAR\Formats\gz.fmt
HKEY_CURRENT_USER\Software\WinRAR\Formats\iso.fmt
HKEY_CURRENT_USER\Software\WinRAR\Formats\lzh.fmt
HKEY_CURRENT_USER\Software\WinRAR\Formats\tar.fmt
HKEY_CURRENT_USER\Software\WinRAR\Formats\uue.fmt
HKEY_CURRENT_USER\Software\WinRAR\Profiles

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR]

(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tar]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tgz]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zip\ShellNew]

FileName = "%ProgramFiles%\WinRAR\zipnew.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32]

(Default) = "%ProgramFiles%\WinRAR\rarext.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR]

(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR]

(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR]

(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR]

(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR]

(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ace]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.arj]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz2]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.iso]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jar]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lha]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lzh]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r00]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r01]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r02]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r03]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r04]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r05]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r06]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r07]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r08]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r09]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r10]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r11]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r12]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r13]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r14]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r15]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r16]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r17]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r18]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r19]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r20]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r21]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r22]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r23]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r24]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r25]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r26]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r27]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r28]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r29]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rar\ShellNew]

FileName = "%ProgramFiles%\WinRAR\rarnew.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rar]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rev]

(Default) = "WinRAR.REV"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tbz]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tbz2]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.uu]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.uue]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xxe]

(Default) = "WinRAR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command]

(Default) = ""%ProgramFiles%\WinRAR\WinRAR.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler]

(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon]

(Default) = "%ProgramFiles%\WinRAR\WinRAR.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR]

(Default) = "WinRAR ????"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command]

(Default) = ""%ProgramFiles%\WinRAR\WinRAR.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon]

(Default) = "%ProgramFiles%\WinRAR\WinRAR.exe,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV]

(Default) = "RAR ???"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command]

(Default) = ""%ProgramFiles%\WinRAR\WinRAR.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler]

(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon]

(Default) = "%ProgramFiles%\WinRAR\WinRAR.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP]

(Default) = "WinRAR ZIP ????"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WRTE.Document.1\UID]

Frame6 = "@734700"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

{B41DB860-8EE4-11D2-9906-E49FADC173CA} = "WinRAR shell extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver]

DisplayName = "WinRAR ???????"
UninstallString = "%ProgramFiles%\WinRAR\uninstall.exe"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\uue.fmt]

Info = 84 00 00 00 62 00 65 00 67 00 69 00 6E 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\tar.fmt]

Info = 84 00 00 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\lzh.fmt]

Info = 84 00 00 00 2D 00 6C 00 68 00 01 01 2D 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\iso.fmt]

Info = 84 00 00 00 01 00 43 00 44 00 30 00 30 00 31 00 01 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\gz.fmt]

Info = 84 00 00 00 1F 00 8B 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\cab.fmt]

Info = 84 00 00 00 4D 00 53 00 43 00 46 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\bz2.fmt]

Info = 84 00 00 00 42 00 5A 00 68 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\arj.fmt]

Info = 84 00 00 00 60 00 EA 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Formats\ace.fmt]

Info = 84 00 00 00 2A 00 2A 00 41 00 43 00 45 00 2A 00 2A 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Ident = "11a6ca001c2e60a"

[HKEY_CURRENT_USER\Software\WinRAR\Profiles\4]

Name = "ZIP ????(????)"
Default = 0x00000000
ImmExec = 0x00000000

The following Registry Values were deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gz]

Content Type = "application/x-gzip"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tar]

Content Type = "application/x-tar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tgz]

Content Type = "application/x-compressed"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zip]

Content Type = "application/x-zip-compressed"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cab]

(Default) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zip]

(Default) =

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.