ThreatExpert Report: W32.Rahack.W, Net-Worm.Win32.Allaple.b, W32/RAHack, WORM

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 19 August 2012, 03:01:04
Processing time: 7 min 51 sec
Submitted sample:

File MD5: 0xC6AEFA223EA6E98CE79968DF2715790A
File SHA-1: 0xFED1E5E8558BA6FE2F59D8355FFD04A11F2048D9
Filesize: 65,024 bytes
Alias:

W32.Rahack.W [Symantec]
Net-Worm.Win32.Allaple.b [Kaspersky Lab]
W32/RAHack [McAfee]
WORM_ALLAPLE.IK [Trend Micro]
W32/Allaple-F [Sophos]
Worm:Win32/Allaple.A [Microsoft]
Net-Worm.Win32.Allaple [Ikarus]
Win-Trojan/Starman.Gen [AhnLab]

Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\Inetpub\wwwroot\kkvwbsrw.exe	65,024 bytes	MD5: 0xB59D55CC18A5BFE6CECD32B48187A73F SHA-1: 0xBC8F2F707FAA3DD20BF3760F866F693E6332F148	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
2	[pathname with a string SHARE]\bcwvzwbh.exe	65,024 bytes	MD5: 0xFEA8CDB7F994F3E02AFEEC68150A8756 SHA-1: 0xF74D0B5276AB6C983D36A2896F4544BB163B827A	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
3	[pathname with a string SHARE]\bhrhnkht.exe	65,024 bytes	MD5: 0xD7E1DB0B459C4E66B44658668321F582 SHA-1: 0x24FCA24975B0522947C37175BA4B20A72D4ED47D	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
4	[pathname with a string SHARE]\bnbtzwxt.exe	65,024 bytes	MD5: 0x943B43530C68E735FDC5E7733D646B68 SHA-1: 0xE61F4E8C99FECCC0B1FDD35497362596381767A0	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
5	[pathname with a string SHARE]\brvrjrke.exe	65,024 bytes	MD5: 0xC7774B10E41F8C59FBE9EC631F905CB0 SHA-1: 0x50F599AE3686BAD3249308319CAC94E7D776D30B	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
6	[pathname with a string SHARE]\bzqlkhrh.exe	65,024 bytes	MD5: 0x271544514198CA29B02C7C324B56038B SHA-1: 0xD3BAD7F8D59CC61DD0A412BD95145FAB883E89E2	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
7	[pathname with a string SHARE]\czjevcet.exe	65,024 bytes	MD5: 0x2C0E4AACA67A141DC5CF6276FD34725F SHA-1: 0x76DB2FAFDB1511F1DAE93A01FFCDC98B2DCB04DE	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
8	[pathname with a string SHARE]\ehbebsrn.exe	65,024 bytes	MD5: 0xBB15B2A9563568694ED013D78B4E0F0C SHA-1: 0xE8F54E1458C7BF824F25BBC9A02BB0F7E6134576	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
9	[pathname with a string SHARE]\elwtjnbj.exe	65,024 bytes	MD5: 0xAF21D543310AB27E25B9DF40A39D94DA SHA-1: 0x78601D7DD9F3643B31B772320C37A30B44E86020	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
10	[pathname with a string SHARE]\njbsvtll.exe	65,024 bytes	MD5: 0xBFD36E2ED5EC38274AAFB38EA23696C5 SHA-1: 0xCA3A73D6E5AEA283C3A54AC12B97584E89F736C4	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
11	[pathname with a string SHARE]\nsqjttkv.exe	65,024 bytes	MD5: 0xB06576DD0327DD4D510DE9A1A6F6F596 SHA-1: 0x28B3974675FE7F5D770B01CAF07D09C893830CB3	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
12	[pathname with a string SHARE]\qjllsjhl.exe	65,024 bytes	MD5: 0xDE670280B5360B5482FEE36745EA13E4 SHA-1: 0xB70FFA04CB5179A51B6F5505CB4F56FFB6B2C824	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
13	[pathname with a string SHARE]\tlcwjrwt.exe	65,024 bytes	MD5: 0xA45820F96C57838884657E1F74BD7DB4 SHA-1: 0x5EE944A016D9D725102486FA8BAA046A6E349AEB	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
14	[pathname with a string SHARE]\vkjljzrn.exe	65,024 bytes	MD5: 0x402CDF9A1E66AEE01CF70F0ACF6F786B SHA-1: 0xD05AEF1BEFC7CA0581D0D8563607AB3D400B5D39	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
15	[pathname with a string SHARE]\xrljqjzn.exe	65,024 bytes	MD5: 0xB65E9E553C132EDA719D89755BD1E70B SHA-1: 0x3BF187386889DEED4CBB1519992BD12FA1A181A3	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
16	%ProgramFiles%\Common Files\System\ado\tsektjkj.exe	65,024 bytes	MD5: 0x85F7A662C0E2749AB4C1AB366F57DC9D SHA-1: 0x0A8B125CB1DD1719D6808D782D4524A9ADB8E7D6	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
17	c:\tvsknrse.exe	65,024 bytes	MD5: 0x16DBC8565D075E29BAE8749AD9BA08D6 SHA-1: 0xDCE1C9F7917241964A12918A6DA753BDE4F90734	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
18	[file and pathname of the sample #1]	65,024 bytes	MD5: 0xC6AEFA223EA6E98CE79968DF2715790A SHA-1: 0xFED1E5E8558BA6FE2F59D8355FFD04A11F2048D9	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]
19	%System%\urdvxc.exe	65,024 bytes	MD5: 0x298542F2BED71CBC195291AF751850D1 SHA-1: 0xE06A062C9D418E8D4AE5FD0FBFB4ADC7FFF9058B	W32.Rahack.W [Symantec] Net-Worm.Win32.Allaple.b [Kaspersky Lab] W32/RAHack [McAfee] WORM_ALLAPLE.IK [Trend Micro] W32/Allaple-F [Sophos] Worm:Win32/Allaple.A [Microsoft] Net-Worm.Win32.Allaple [Ikarus] Win-Trojan/Starman.Gen [AhnLab]

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following files were modified:

c:\contacts.html
c:\Inetpub\wwwroot\index.html
[pathname with a string SHARE]\Blank.htm
[pathname with a string SHARE]\Citrus Punch.htm
[pathname with a string SHARE]\Clear Day.htm
[pathname with a string SHARE]\Fiesta.htm
[pathname with a string SHARE]\Glacier.htm
[pathname with a string SHARE]\Ivy.htm
[pathname with a string SHARE]\Leaves.htm
[pathname with a string SHARE]\Maize.htm
[pathname with a string SHARE]\Nature.htm
[pathname with a string SHARE]\Network Blitz.htm
[pathname with a string SHARE]\Pie Charts.htm
[pathname with a string SHARE]\Sunflower.htm
[pathname with a string SHARE]\Sweets.htm
[pathname with a string SHARE]\Technical.htm
%ProgramFiles%\Common Files\System\ado\MDACReadme.htm

Memory Modifications

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
MSWindows	Network Windows Service	"Stopped"	"%System%\urdvxc.exe" /service

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D2E936C-285C-5A66-3FE8-B76B480783C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D2E936C-285C-5A66-3FE8-B76B480783C6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E69B490-CADA-5333-F4B9-23A487E429D0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E69B490-CADA-5333-F4B9-23A487E429D0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83B5D292-A22F-1B4A-D7F2-07B54755FFF0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83B5D292-A22F-1B4A-D7F2-07B54755FFF0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{983CB576-F105-8BC6-0DB8-F2C0DD84BEED}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{983CB576-F105-8BC6-0DB8-F2C0DD84BEED}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B995423-493C-874A-B498-AF856BE7A7B2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B995423-493C-874A-B498-AF856BE7A7B2}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D48139A-0CB0-D491-16DF-2D8C184E1E8F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D48139A-0CB0-D491-16DF-2D8C184E1E8F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A07EEB7C-F6B4-C91D-D8CA-1FB9515DEA4E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A07EEB7C-F6B4-C91D-D8CA-1FB9515DEA4E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0AD3334-277F-6872-994C-2B93F7C34368}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0AD3334-277F-6872-994C-2B93F7C34368}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A13D7F72-BDB0-AFEB-3EEF-6D03B413C249}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A13D7F72-BDB0-AFEB-3EEF-6D03B413C249}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A35546F3-F6E8-7D51-B8D2-FBA06195BCE0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A35546F3-F6E8-7D51-B8D2-FBA06195BCE0}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A51A87E0-94FA-B106-C507-F9E227A6A708}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A51A87E0-94FA-B106-C507-F9E227A6A708}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A572761A-8C09-6F81-8A7D-33A5FEE989B9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A572761A-8C09-6F81-8A7D-33A5FEE989B9}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC3C71C-1457-613F-9EA9-5B61E2ABFEDA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC3C71C-1457-613F-9EA9-5B61E2ABFEDA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C038C21E-09A4-0181-45BA-BC1AC3A740D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C038C21E-09A4-0181-45BA-BC1AC3A740D1}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6602C09-6D7C-B20F-10F7-6505DA864FBC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6602C09-6D7C-B20F-10F7-6505DA864FBC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7925F2C-2966-3738-C5B5-CAADD43EF6A6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7925F2C-2966-3738-C5B5-CAADD43EF6A6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7F5BC31-7902-8F72-53DC-8FED74093BF3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7F5BC31-7902-8F72-53DC-8FED74093BF3}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAC7D9D5-8415-BBF2-61D6-5045DFFA2B23}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAC7D9D5-8415-BBF2-61D6-5045DFFA2B23}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB81484E-02C3-FAEC-3250-34191EE0508F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB81484E-02C3-FAEC-3250-34191EE0508F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCAD8747-7722-8C2C-4F3B-5860069F950E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCAD8747-7722-8C2C-4F3B-5860069F950E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2498B94-25F7-A0BB-F8CD-F0F9FF4DFDC3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2498B94-25F7-A0BB-F8CD-F0F9FF4DFDC3}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5A5CD56-F0DA-D261-71B4-0B34349210AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5A5CD56-F0DA-D261-71B4-0B34349210AE}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D640D073-CC43-3788-D278-85BD9D63941B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D640D073-CC43-3788-D278-85BD9D63941B}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBFD9333-DC1B-A071-DBEB-6AA6DC597945}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBFD9333-DC1B-A071-DBEB-6AA6DC597945}\LocalServer32

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\qkezbwtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E9E265-66BE-04A9-BADD-A06BE2E36897}]

(Default) = "jrlsslcjhwrblvss"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\rvwwbqje.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03276388-B4D4-8F3B-502B-0901696414AA}]

(Default) = "rzehtsxezlebnbwh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\cwelqkks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B6FF80D-5D50-5935-4BAD-4C4C5294B2E1}]

(Default) = "btcevktqbletrjtl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}\LocalServer32]

(Default) = [pathname with a string SHARE]\czjevcet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BD9D438-2B62-1078-724B-E27EBD7F7A8F}]

(Default) = "nlkebntcnszbrhsz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\xjshnvvh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F550331-2ECD-706B-E9A8-48721438E36F}]

(Default) = "vetbhklckxsskjre"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jhtkcrqk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171FA199-C05B-5BF3-69B2-7E67EA910DA5}]

(Default) = "rrrltshrjlqcsnkw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\zxtlktls.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22FAED41-A1FA-DC51-2326-669AA778CE49}]

(Default) = "nenbsltnzclkrxqz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\jehkxqtn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2373A33D-199F-43E5-6694-07C4E1CFE31C}]

(Default) = "klscesjnblnrbbnb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}\LocalServer32]

(Default) = "C:\Inetpub\wwwroot\kkvwbsrw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DC54B40-2536-69E8-382F-178E0D784F47}]

(Default) = "hljelljtqxhklvwe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}\LocalServer32]

(Default) = "[file and pathname of the sample #1]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{346436FA-5138-50DA-D412-0870CE39768B}]

(Default) = "hlhxlvlzxhklbwbr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}\LocalServer32]

(Default) = "%System%\urdvxc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35349B95-82D3-1178-19ED-0E5D2312F5C0}]

(Default) = "knrbcvtcjrjvkssw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jcjcvqtr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A4D260-82A5-40A1-1185-87B6D34F389A}]

(Default) = "hxrnrjjzsvqsjqls"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}\LocalServer32]

(Default) = [pathname with a string SHARE]\qjllsjhl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4222E084-9879-6354-96E0-20C15ACDC125}]

(Default) = "ekenrssrnnxhjeer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\tjqlrkhx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445FAB9E-1031-CFBE-81C7-7F3ABEF2B143}]

(Default) = "xbhjksttwevtkshz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\plug_ins\PictureTasks\Howto\tbzrsrxv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{496EDDD0-77F0-D9A4-9F5D-DD23EC9698F2}]

(Default) = "ssqehrtllbvwjjre"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}\LocalServer32]

(Default) = "%ProgramFiles%\Common Files\System\ado\tsektjkj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C80FDD5-398A-C978-C78B-16A1293DD4DE}]

(Default) = "ethbnwjrckrbrqlb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}\LocalServer32]

(Default) = "C:\tvsknrse.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50DF717F-2804-A197-85E1-B236DAE4BB1F}]

(Default) = "xtqjrskencsejnbr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}\LocalServer32]

(Default) = [pathname with a string SHARE]\bhrhnkht.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{541C14FC-A3AA-C18E-DBF1-600A7FA7940B}]

(Default) = "tksrzsjnknbjknrb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\ktensxxh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61CA20C2-A0DD-6AB8-4CA0-BCB8C40945FC}]

(Default) = "bkjntlhnhscehzck"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\nxxhexkh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{643D6D97-3E52-70FB-581D-BC9391FA03A1}]

(Default) = "erbcbrlszkkrznhe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}\LocalServer32]

(Default) = [pathname with a string SHARE]\bcwvzwbh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6455A07B-5629-2D89-9412-B3A2DD705BDE}]

(Default) = "hqrzblthtstehwts"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\elrkexns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B999886-BE16-4EAA-FC21-EC8583C15B00}]

(Default) = "ljerxetwlezjthzn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\jclbnjhk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72737CBC-9B11-C3AC-D03C-37102C5BD6F9}]

(Default) = "hrvxrvtvxlqskess"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}\LocalServer32]

(Default) = [pathname with a string SHARE]\bnbtzwxt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76126225-3758-4FE5-19E1-0942B74619EF}]

(Default) = "bxjbtswzzhwshkkj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\elbkcznj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78EF8F66-B7A9-1D01-86F9-8BEC6B7E14B1}]

(Default) = "rchbcrezkreesrck"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D2E936C-285C-5A66-3FE8-B76B480783C6}\LocalServer32]

(Default) = [pathname with a string SHARE]\xrljqjzn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D2E936C-285C-5A66-3FE8-B76B480783C6}]

(Default) = "rrhrlvcwsexhebnj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E69B490-CADA-5333-F4B9-23A487E429D0}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\hjlkhbjr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E69B490-CADA-5333-F4B9-23A487E429D0}]

(Default) = "zeqbbxrebtsskkjh"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83B5D292-A22F-1B4A-D7F2-07B54755FFF0}\LocalServer32]

(Default) = [pathname with a string SHARE]\bzqlkhrh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83B5D292-A22F-1B4A-D7F2-07B54755FFF0}]

(Default) = "jtzbrjtlrrzkerzs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{983CB576-F105-8BC6-0DB8-F2C0DD84BEED}\LocalServer32]

(Default) = [pathname with a string SHARE]\ehbebsrn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{983CB576-F105-8BC6-0DB8-F2C0DD84BEED}]

(Default) = "ehxwxcterclhejsw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B995423-493C-874A-B498-AF856BE7A7B2}\LocalServer32]

(Default) = [pathname with a string SHARE]\tlcwjrwt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B995423-493C-874A-B498-AF856BE7A7B2}]

(Default) = "retsjktsxtnvesnc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D48139A-0CB0-D491-16DF-2D8C184E1E8F}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\srtkevrl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D48139A-0CB0-D491-16DF-2D8C184E1E8F}]

(Default) = "knvbsxwqbklnrtrq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A07EEB7C-F6B4-C91D-D8CA-1FB9515DEA4E}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\swsnzhbl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A07EEB7C-F6B4-C91D-D8CA-1FB9515DEA4E}]

(Default) = "chrsbqxvsbjbkcsb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0AD3334-277F-6872-994C-2B93F7C34368}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\nrbxrshr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0AD3334-277F-6872-994C-2B93F7C34368}]

(Default) = "berqklkqnjjcjnjv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A13D7F72-BDB0-AFEB-3EEF-6D03B413C249}\LocalServer32]

(Default) = "%ProgramFiles%\adobe\acrobat 6.0\reader\howto\enu\bjrskrkl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A13D7F72-BDB0-AFEB-3EEF-6D03B413C249}]

(Default) = "ljrhevjqjkjtbqek"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}\LocalServer32]

(Default) = [pathname with a string SHARE]\nsqjttkv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}]

(Default) = "ktetrrknvjekcrnw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A35546F3-F6E8-7D51-B8D2-FBA06195BCE0}\LocalServer32]

(Default) = "c:\inetpub\wwwroot\kkvwbsrw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A35546F3-F6E8-7D51-B8D2-FBA06195BCE0}]

(Default) = "kjctserchlnblhzl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A51A87E0-94FA-B106-C507-F9E227A6A708}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\elrkexns.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A51A87E0-94FA-B106-C507-F9E227A6A708}]

(Default) = "hjrkknswbvkbench"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A572761A-8C09-6F81-8A7D-33A5FEE989B9}\LocalServer32]

(Default) = [pathname with a string SHARE]\elwtjnbj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A572761A-8C09-6F81-8A7D-33A5FEE989B9}]

(Default) = "kkeshvhrrttqencj"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC3C71C-1457-613F-9EA9-5B61E2ABFEDA}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\bjrskrkl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC3C71C-1457-613F-9EA9-5B61E2ABFEDA}]

(Default) = "zcwvbsqhlkbewnkb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C038C21E-09A4-0181-45BA-BC1AC3A740D1}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\qnwrtskv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C038C21E-09A4-0181-45BA-BC1AC3A740D1}]

(Default) = "qrsztrjwzknjswsb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6602C09-6D7C-B20F-10F7-6505DA864FBC}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\wrejwnte.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6602C09-6D7C-B20F-10F7-6505DA864FBC}]

(Default) = "ktzwkhsblbcwzstz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7925F2C-2966-3738-C5B5-CAADD43EF6A6}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\rvlkrkqq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7925F2C-2966-3738-C5B5-CAADD43EF6A6}]

(Default) = "blzjlebrsetztrlk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7F5BC31-7902-8F72-53DC-8FED74093BF3}\LocalServer32]

(Default) = "%ProgramFiles%\Microsoft Visual Studio\jqwsrtkx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7F5BC31-7902-8F72-53DC-8FED74093BF3}]

(Default) = "ktvnntnkhrrxcbce"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAC7D9D5-8415-BBF2-61D6-5045DFFA2B23}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\rsnelllt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAC7D9D5-8415-BBF2-61D6-5045DFFA2B23}]

(Default) = "elwxntbnvzlzcbbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB81484E-02C3-FAEC-3250-34191EE0508F}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\ksrrqert.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB81484E-02C3-FAEC-3250-34191EE0508F}]

(Default) = "qnnbxbjtcqjkxwjw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCAD8747-7722-8C2C-4F3B-5860069F950E}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\xzjkbsts.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCAD8747-7722-8C2C-4F3B-5860069F950E}]

(Default) = "rjrbhrsxkhjrljtn"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2498B94-25F7-A0BB-F8CD-F0F9FF4DFDC3}\LocalServer32]

(Default) = [pathname with a string SHARE]\vkjljzrn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2498B94-25F7-A0BB-F8CD-F0F9FF4DFDC3}]

(Default) = "veejekbktnbctkjk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5A5CD56-F0DA-D261-71B4-0B34349210AE}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\cwelqkks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5A5CD56-F0DA-D261-71B4-0B34349210AE}]

(Default) = "brwnwkebesbnbtjx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D640D073-CC43-3788-D278-85BD9D63941B}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\vwzkqlet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D640D073-CC43-3788-D278-85BD9D63941B}]

(Default) = "krhnxkjxkhkskkex"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBFD9333-DC1B-A071-DBEB-6AA6DC597945}\LocalServer32]

(Default) = "%ProgramFiles%\Adobe\Acrobat 6.0\Reader\HowTo\ENU\kljzhele.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBFD9333-DC1B-A071-DBEB-6AA6DC597945}]

(Default) = "jehsnkhzwbwqwrvl"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

To mark the presence in the system, the following Mutex object was created:

jhdheddfffffhjk5trh

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.