Submission Summary:

• Submission details:
• Submission received: 23 July 2009, 17:32:25
• Processing time: 7 min 31 sec
• Submitted sample:
• File MD5: 0xAA72E59CBF69302A7E4FD0184A1BB634
• File SHA-1: 0xC7F8C1764436C6FD3FB4B67C61D79517625740CB
• Filesize: 1,344,885 bytes

• Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

• The new window was created, as shown below:

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\������������ӵ�Ӱר��.lnk	1,656 bytes	MD5: 0xB9B81786979E36565455AC5DF564EA3B SHA-1: 0x030391E8B29EAE937020CC9AE8538FE0E20B37F7	(not available)
2	%Programs%\������������ӵ�Ӱר��\��������.lnk	1,668 bytes	MD5: 0x5A5BD12D7CCB45681ABB93AAFA07C786 SHA-1: 0xA9F0510B2826DAC22A5F3F0A7FDC1D9BEE81484D	(not available)
3	%Programs%\������������ӵ�Ӱר��\ж�� ������������ӵ�Ӱר��.lnk	1,793 bytes	MD5: 0x2B4914B658BCEC86FE84D0180BF2D6AC SHA-1: 0xFF9D266AC72A5D06AFB0C63ED0BB86D0C59468DB	(not available)
4	%Programs%\������������ӵ�Ӱר��\������������ӵ�Ӱר��.lnk	1,668 bytes	MD5: 0xE7F9A74A0CE2C672D8B947643338DC32 SHA-1: 0x8DABD0F83AAE7F3189AAD18B591A91DE7B0A04A3	(not available)
5	%StartMenu%\������������ӵ�Ӱר��.lnk	1,656 bytes	MD5: 0x9CFF17AF27CA876B92D91C832EE8E47C SHA-1: 0xFBE358FAA31F31F231B906DD10E999885DA53944	(not available)
6	%ProgramFiles%\������������ӵ�Ӱר��\Uninstall\IRIMG1.JPG	4,933 bytes	MD5: 0x679D48D551F27E5E614D76261E757927 SHA-1: 0x2027180CB6FDA0774214A7BCA9DDBC6EC81AD693	(not available)
7	%ProgramFiles%\������������ӵ�Ӱר��\Uninstall\IRIMG2.JPG	29,420 bytes	MD5: 0x8618577B91BF1B3ED93E279DBF71A877 SHA-1: 0xEDEEE5D7FFD53ADA7AF1EDCA7E329D4529CDB527	(not available)
8	%ProgramFiles%\������������ӵ�Ӱר��\Uninstall\uninstall.dat	108,864 bytes	MD5: 0x385351BC4A697F05C86B229246D47D86 SHA-1: 0xB64A7DE309CF6B53A92CAC99CCA6079AFF2311F8	(not available)
9	%ProgramFiles%\������������ӵ�Ӱר��\Uninstall\uninstall.xml	5,552 bytes	MD5: 0x8337FA5358D81A028F01197FE942844B SHA-1: 0x430AF10DB44B1B78357E71838E59D3D62F63594D	(not available)
10	%ProgramFiles%\������������ӵ�Ӱר��\update.exe	395,776 bytes	MD5: 0x899ADC5B6BC133A08D09DEA376B44EBF SHA-1: 0xAEB489A993537422FEDCE9494FC7BA819CCED255	Adware.Istbar [Symantec] Possible_Virus [Trend Micro] Mal/Generic-A [Sophos]
11	%ProgramFiles%\������������ӵ�Ӱר��\update.txt	6 bytes	MD5: 0xBECD71EDF1A1FE99AACAF3893EE74910 SHA-1: 0x997F760B9055AAA15F8F5B27A79235A59EECF716	(not available)
12	%ProgramFiles%\������������ӵ�Ӱר��\yihaha.exe	860,672 bytes	MD5: 0x0B2BEB77952E6414CF69EA3990C1AD46 SHA-1: 0x67373A305C2618F04D280194A527BD57DC55ED4F	(not available)
13	[file and pathname of the sample #1]	1,344,885 bytes	MD5: 0xAA72E59CBF69302A7E4FD0184A1BB634 SHA-1: 0xC7F8C1764436C6FD3FB4B67C61D79517625740CB	(not available)
14	%Windir%\������������ӵ�Ӱר��\uninstall.exe	451,072 bytes	MD5: 0x75CA7FF96BF5A316C3AF2DE6A412BD54 SHA-1: 0x0A093950790FF0DDDFF6F5F29C6B02C10997E0C5	packed with UPX [Kaspersky Lab]

• Notes:
• %DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
• %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
• %StartMenu% is a variable that refers to the file system directory containing Start menu items. A typical path is C:\Documents and Settings\[UserName]\Start Menu.
• %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

• The following directories were created:
• %Programs%\������������ӵ�Ӱר��
• %ProgramFiles%\������������ӵ�Ӱר��
• %ProgramFiles%\������������ӵ�Ӱר��\Uninstall
• %Windir%\������������ӵ�Ӱר��

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
irsetup.exe	%Temp%\_ir_sf7_temp_0\irsetup.exe	1,208,320 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	73,728 bytes

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

• The following Registry Key was created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\������������ӵ�Ӱר��

• The newly created Registry Value is:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\������������ӵ�Ӱר��]
• DisplayName = "������������ӵ�Ӱר��"
• NoModify = 0x00000001
• NoRepair = 0x00000001
• UninstallString = ""%Windir%\������������ӵ�Ӱר��\uninstall.exe" "/U:%ProgramFiles%\������������ӵ�Ӱר��\Uninstall\uninstall.xml""
• Publisher = "������"
• URLInfoAbout = "http://www.yihaha.cn"
• HelpLink = "http://www.yihaha.cn"
• Contact = "������ ֧�ֲ���"
• DisplayIcon = ""%Windir%\������������ӵ�Ӱר��\uninstall.exe""

Other details

• Analysis of the file resources indicate the following possible country of origin:

	China