Submission Summary:

What's been found                                                               Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.

Technical Details:


File System Modifications

#   Filename(s)                                          File Size         File Hash                                          Alias
1   %CommonPrograms%\Startup\WhiteSmoke Writer 2010+.lnk   805 bytes
        MD5: 0x1E5AF6F866224D4FB0AF40448B536627
        SHA-1: 0xE022F6C2EA92D747BD3A735E28202CE925C9C935
        Alias: (not available)
2   %DesktopDir%\Improve Your PC.lnk                       1,094 bytes
        MD5: 0xDDCA7235A7C7DDC88A3099696E49E911
        SHA-1: 0x6B499BA88F6D341DEC9D5231AF854BBFFB1A633A
        Alias: (not available)
3   %DesktopDir%\WhiteSmoke (continue installation).lnk    759 bytes
        MD5: 0x78485F34713F1B54C8D0D2D537F0248B
        SHA-1: 0x9C0086DFDDA0349EE44785B459E3247D2F30069D
        Alias: (not available)
4   %Temp%\nsi8.tmp                                        1,363,125 bytes
        MD5: 0x7D06A8D61764EC3F77AB839F140D695F
        SHA-1: 0xE33225BF497497B377E7CA49CB58F6D3FA136444
        Alias: (not available)
5   %Temp%\nst7.tmp                                        1,316,815 bytes
        MD5: 0x3B5CD3BEF87D38ADE65FFEF88548F81C
        SHA-1: 0x0B55B536DC4C39863CD9CF79CC80B44733341718
        Alias: (not available)
6   %Temp%\url.info                                        61 bytes
        MD5: 0x34E2B600E5BE83D98B0AFF45D270D30D
        SHA-1: 0x7299669823933691880150E0A9BCE831963F9046
        Alias: (not available)
7   %Temp%\url.info.part                                   28 bytes
        MD5: 0x8274ABD782D2216E895999E1858EB94D
        SHA-1: 0xD1100A0EFF33D09085E429CF4860700983EE6073
        Alias: (not available)
8   %Temp%\WhiteSmoke\CheckLockedWsFiles.exe               94,208 bytes
        MD5: 0x16D406B8E22698498DBE4F63CA2742B7
        SHA-1: 0x6E987DADD281312E9CE78B2EB1C974EB6D3DA454
        Alias: (not available)
9   %Temp%\WhiteSmoke\Microsoft.VC80.CRT.manifest          522 bytes
        MD5: 0x9EDF5EB3D091D4823C96A00B6B45DF45
        SHA-1: 0x50C3A585404678A46BAE0F4369A3CD8328518F23
        Alias: (not available)
10  %Temp%\WhiteSmoke\msvcp80.dll                          548,864 bytes
        MD5: 0x2BC650257FB0867ABD54FD460EC2BAFC
        SHA-1: 0xEC063526AA14BCADEEFFA6D859B39A80680015B7
        Alias: (not available)
11  %Temp%\WhiteSmoke\msvcr80.dll                          626,688 bytes
        MD5: 0x16D7DDF3B659F7CF1CB9F4DCFF4219F0
        SHA-1: 0xA61454131940799F01C26943F1594EE6E7409D11
        Alias: (not available)
12  %Temp%\wsget.exe                                       66,048 bytes
        MD5: 0xFBA7B22AF9048BFCB3E194B0E5965766
        SHA-1: 0x6574B7A67F0536151E22C3C8C8A8C879CB2B4657
        Alias: (not available)
13  %Temp%\WSZugo.exe                                      143,360 bytes
        MD5: 0x974B7B47FA7C2FCDC44516FA6D35CFAA
        SHA-1: 0xF4FE7F10019A0AB5EAF9D8D639B790DC1BBC7A11
        Alias: packed with UPX [Kaspersky Lab]
14  %Temp%\WSZugo.exe.part                                 28 bytes
        MD5: 0xBA53B911F2C4594ABE731652F72E6591
        SHA-1: 0xC829CEC15DEB5B6B7455D952C007A75B95CA0C56
        Alias: (not available)
15  [file and pathname of the sample #1]                   37,960 bytes
        MD5: 0x6CBEB3A424FFA95B37DDF4CCF276B7A7
        SHA-1: 0xD1720BCD5FDAE18656315A3E61BF13899BDC2927
        Alias: AdWare.Zugo [Ikarus]
               packed with UPX [Kaspersky Lab]


Memory Modifications

Process Name                    Process Filename                         Main Module Size
[filename of the sample #1]     [file and pathname of the sample #1]     102,400 bytes
WSZugo.exe                      %Temp%\wszugo.exe                        397,312 bytes
wsget.exe                       %Temp%\wsget.exe                         86,016 bytes


Registry Modifications

 

Other details

Russian Federation

Port    Protocol    Process
1052    TCP         [file and pathname of the sample #1]
1054    TCP         [file and pathname of the sample #1]

Remote Host       Port Number
63.236.35.30      80
64.208.241.65     80
66.45.233.2       80


Copyright © 2014 ThreatExpert. All rights reserved.