Thursday, August 28, 2008

Free Update Windows XP, Vista Spam

We received many spam messages related to "Official Update 2008!"; the content advertises a free update for Windows XP and Vista.

The following screens are displayed after clicking the link inside the email:

==The following focuses on Web Reputation Service Testing==

Google Search CANNOT find it, as shown below:

McAfee SiteAdvisor CANNOT find it, as shown below:

Trend Micro WRS CAN find it, as shown below:

finjan URL analysis CANNOT find it, as shown below:

Dr.Web URL analysis CAN find it, as shown below:

Exploit Prevention Labs' LinkScanner CANNOT find it, as shown below:

Symantec Safe Web CAN find it, as shown below:

==The following focuses on AV Scanner Testing==

File install.exe received on 08.28.2008 04:20:46 (CET)

Result: 14/36 (38.89%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.27.1 2008.08.27 -
AntiVir 7.8.1.23 2008.08.27 -
Authentium 5.1.0.4 2008.08.28 W32/FakeAV2008.AT
Avast 4.8.1195.0 2008.08.27 -
AVG 8.0.0.161 2008.08.27 Downloader.FraudLoad.N
BitDefender 7.2 2008.08.28 Trojan.FakeAlert.ACE
CAT-QuickHeal 9.50 2008.08.26 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.27 Trojan.Packed.619
eSafe 7.0.17.0 2008.08.27 Suspicious File
eTrust-Vet 31.6.6052 2008.08.27 -
Ewido 4.0 2008.08.27 -
F-Prot 4.4.4.56 2008.08.28 W32/FakeAV2008.AT
F-Secure 7.60.13501.0 2008.08.27 -
Fortinet 3.14.0.0 2008.08.27 -
GData 19 2008.08.28 Backdoor.Win32.Frauder.bi
Ikarus T3.1.1.34.0 2008.08.28 Trojan-Downloader.Win32.Renos.AS
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 Backdoor.Win32.Frauder.bi
McAfee 5371 2008.08.27 Downloader-ASH.gen.b
Microsoft 1.3807 2008.08.25 -
NOD32v2 3394 2008.08.27 a variant of Win32/Kryptik.E
Norman 5.80.02 2008.08.27 W32/Tibs.gen225
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.27 -
Prevx1 V2 2008.08.28 Malicious Software
Rising 20.59.21.00 2008.08.27 -
Sophos 4.33.0 2008.08.28 -
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.27 -
VBA32 3.12.8.4 2008.08.27 -
ViRobot 2008.8.27.1352 2008.08.27 -
VirusBuster 4.5.11.0 2008.08.27 -
Webwasher-Gateway 6.6.2 2008.08.27 -

Additional information
File size: 203776 bytes
MD5...: 0f44ed00c0b67d9e5062b8e2c3574345
SHA1..: 4d9b42bbd950ea0c253a483ea2db3f888055c1c6
SHA256: e5885411c5ab7dbf2846b3b0606f6b294bbc9203ec8065d13560470ceab07c07
SHA512: b1b437a2df0023e1af019e6a06c31d298063f156819ea5b1de4047ad5766c6f8
00db13161056c7db223737cfc8fe00ce58d7756ebe33e4042627d6c9fbee8a6f
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40a064
timedatestamp.....: 0x48a5befd (Fri Aug 15 17:38:05 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xec3c 0x9800 7.99 173f4b069cad8234c767f5babf94449f
.rdata 0x10000 0x3f24 0x1a00 7.97 f38fb4bec5a8839e5c0bf8002d2251be
.data 0x14000 0xb6736 0x23600 8.00 b45b61b4c432446d3586a20be0fd245f
.rsrc 0xcb000 0xf000 0x3000 6.61 bbb4f98ddad8c83b4433986df95b248c

( 4 imports )
> wsock32.dll: bind, WSAStartup, listen
> kernel32.dll: CreatePipe, TerminateProcess, VirtualProtect
> gdi32.dll: SetRelAbs, StretchBlt, SetICMMode, ResetDCW, UpdateColors, SaveDC, TextOutW, SetDIBColorTable
> shell32.dll: SHAppBarMessage, StrRChrIA, StrStrIA

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=0f44ed00c0b67d9e5062b8e2c3574345
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=5764A358008210271CBA03774D18AA00F10D311C

After execution, it shows the following behaviors:

[Added process]
C:\Documents and Settings\Administrator\Desktop\install.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

[DLL injection]
C:\Program Files\rhcg76j0eg03\msvcr71.dll

[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA6.tmp.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\13833935xv3[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\install[1].exe
C:\Documents and Settings\Administrator\Recent\install.exe.txt.lnk
C:\Documents and Settings\Administrator\Recent\wireshark.cap.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03

Greeting eCard Spam

We received many spam messages related to "You've received a greeting ecard"; some are pharmaceutical ads, and some contain malicious links.

The following screens are displayed after clicking the link inside the email:

Friday, August 22, 2008

Weekly Top News Spam

Recently we received many spam messages related to "Weekly Top News"; they contain many different malicious links, but almost all of them do the same thing.

The following screens are displayed after clicking the link inside the email:

Wireshark captures the downloaded files, as shown below:

==The following focuses on Web Reputation Service Testing==

Google Search CANNOT find it, as shown below:

McAfee SiteAdvisor CANNOT find it, as shown below:

Trend Micro WRS CANNOT find it, as shown below:

finjan URL analysis CAN find it, as shown below:

Dr.Web URL analysis CANNOT find it (error), as shown below:

Exploit Prevention Labs' LinkScanner CAN find it, as shown below:

Symantec Safe Web CANNOT find it, as shown below:

==The following focuses on AV Scanner Testing==

File installer.exe received on 08.20.2008 17:33:27 (CET)

Result: 26/35 (74.29%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - W32/Downldr2.DIHF
Avast - - Win32:Trojan-gen {Other}
AVG - - I-Worm/Nuwar.W
BitDefender - - Trojan.Peed.JRU
CAT-QuickHeal - - TrojanDownloader.Exchanger.oz
ClamAV - - -
DrWeb - - Trojan.Packed.606
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Downldr2.DIHF
F-Secure - - Trojan-Downloader.Win32.Exchanger.oz
Fortinet - - PossibleThreat
GData - - Trojan-Downloader.Win32.Exchanger.oz
Ikarus - - Trojan-Dropper.Win32.Nuwar.ldt
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Exchanger.oz
McAfee - - -
Microsoft - - TrojanDownloader:Win32/Cbeplay.E
NOD32v2 - - Win32/Agent.ETH
Norman - - W32/DLoader.IZTO
Panda - - -
PCTools - - Trojan.Erotpics!sd6
Prevx1 - - Malicious Software
Rising - - -
Sophos - - Mal/EncPk-DA
Sunbelt - - Trojan-Downloader.Exchanger.Gen
TheHacker - - -
TrendMicro - - TROJ_NUWAR.GXZ
VBA32 - - Trojan-Downloader.Win32.Pupupitu
ViRobot - - I-Worm.Win32.Jolie.74752
VirusBuster - - Trojan.DL.Exchanger.DA
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen

Additional information
MD5: 10105674cc0b639b313a3db9e18d9444
SHA1: 436848261cbbc6c265b30ed8107ef17743f39ecd
SHA256: 38e6b08f83dad2162e74ea56d0bf5a92a5756e40dc5994f21ada916f02e6a033

After execution, it shows the following behaviors:

[Added process]
C:\Documents and Settings\LocalService\Application Data\633509642.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe

[DLL injection]
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\rhcg76j0eg03\msvcp71.dll

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Desktop\installer.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\fileslis[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\metai[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\index2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\progress[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\antivir[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\counter[1].js
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\LocalService\Application Data\658087141.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\ftpgd[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WDWHWPH6\20scan1[1].exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\b9329734.sys (Rootkit Behavior)
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt
C:\WINDOWS\Temp\.ttAC.tmp
C:\WINDOWS\Temp\.ttAC.tmp.vbs
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\AB.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03

Thursday, August 21, 2008

Paris Hilton Nuke Video Spam

Recently we received many spam messages related to "Paris Hilton Nuke Video". Of course, the content contains a malicious link; when clicked, it downloads "video-paris-hilton.avi.exe", which some antivirus scanners detect as "Trojan-Downloader.Win32.Renos.AQ".

The following screens are displayed after clicking the link in this email:

Wireshark captures the downloaded files, as shown below:

==The following focuses on Web Reputation Service Testing==

Google Search CANNOT find it, as shown below:

McAfee SiteAdvisor CANNOT find it, as shown below:

Trend Micro WRS CAN find it, as shown below:

finjan URL analysis CAN find it, as shown below:

Dr.Web URL analysis CANNOT find it (error), as shown below:

Exploit Prevention Labs' LinkScanner CANNOT find it, as shown below:

Symantec Safe Web CANNOT find it, as shown below:

==The following focuses on AV Scanner Testing==

File video-paris-hilton.avi.exe received on 08.20.2008 07:59:43 (CET)

Result: 8/36 (22.22%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.19.0 2008.08.20 -
AntiVir 7.8.1.23 2008.08.19 -
Authentium 5.1.0.4 2008.08.20 -
Avast 4.8.1195.0 2008.08.19 -
AVG 8.0.0.161 2008.08.20 -
BitDefender 7.2 2008.08.20 MemScan:Trojan.FakeAlert.AAF
CAT-QuickHeal 9.50 2008.08.19 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.19 -
DrWeb 4.44.0.09170 2008.08.20 -
eSafe 7.0.17.0 2008.08.19 Suspicious File
eTrust-Vet 31.6.6036 2008.08.19 -
Ewido 4.0 2008.08.19 -
F-Prot 4.4.4.56 2008.08.19 -
F-Secure 7.60.13501.0 2008.08.20 -
Fortinet 3.14.0.0 2008.08.20 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.20 Trojan-Downloader.Win32.Renos.AQ
K7AntiVirus 7.10.421 2008.08.19 -
Kaspersky 7.0.0.125 2008.08.20 -
McAfee 5364 2008.08.19 -
Microsoft 1.3807 2008.08.20 TrojanDownloader:Win32/Renos.gen!AQ
NOD32v2 3369 2008.08.19 -
Norman 5.80.02 2008.08.19 AntiVirus2008.gen2
Panda 9.0.0.4 2008.08.19 -
PCTools 4.4.2.0 2008.08.19 -
Prevx1 V2 2008.08.20 Malicious Software
Rising 20.58.20.00 2008.08.20 -
Sophos 4.32.0 2008.08.20 Troj/FakeAle-FT
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.20 -
TheHacker 6.3.0.5.054 2008.08.19 -
TrendMicro 8.700.0.1004 2008.08.20 -
VBA32 3.12.8.3 2008.08.19 -
ViRobot 2008.8.19.1341 2008.08.20 -
VirusBuster 4.5.11.0 2008.08.19 -
Webwasher-Gateway 6.6.2 2008.08.19 -
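
The three detection tables on this page share one flattened layout: engine, version, last update and result, where the result column may itself contain spaces and "-" means no detection (in the installer.exe table the version and update columns were not captured and also show as "-"). The following Python is an added example, not code from the original posts, that parses that layout, recomputes the "Result: x/y (pct%)" line and lists the engines whose signatures were older than the scan date, which is the first thing to look at when a sample is flagged by only a third of the engines. The sample rows are excerpts copied from the install.exe and installer.exe tables; the function names are this example's own.

```python
"""Parser for the flattened VirusTotal-style result tables quoted in these
posts. Added example, not part of the original posts; the sample rows below
are excerpts copied from the page's install.exe and installer.exe tables."""

# Excerpt of the install.exe table (first post, 6 of the 36 rows).
SAMPLE_INSTALL = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.8.27.1 2008.08.27 -
Authentium 5.1.0.4 2008.08.28 W32/FakeAV2008.AT
CAT-QuickHeal 9.50 2008.08.26 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.28 -
NOD32v2 3394 2008.08.27 a variant of Win32/Kryptik.E
Prevx1 V2 2008.08.28 Malicious Software
"""

# Excerpt of the installer.exe table (second post), where the version and
# last-update columns were not captured and appear as "-".
SAMPLE_INSTALLER = """\
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Avast - - Win32:Trojan-gen {Other}
"""


def parse_vt_table(text):
    """Split each row into engine, version, last update and result.

    The first three columns never contain spaces, while the result column
    may ("Malicious Software", "(Suspicious) - DNAScan"), so each row is
    split at most three times. A "-" in any column means "not captured"
    (or, in the result column, "no detection") and becomes None."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):  # skip blanks and header
            continue
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        engine, version, updated, result = parts
        rows.append({
            "engine": engine,
            "version": None if version == "-" else version,
            "updated": None if updated == "-" else updated,
            "result": None if result == "-" else result,
        })
    return rows


def detection_summary(rows):
    """Return (detected, total, percentage), like the 'Result: 14/36 (38.89%)' line."""
    detected = sum(1 for r in rows if r["result"] is not None)
    total = len(rows)
    pct = round(100.0 * detected / total, 2) if total else 0.0
    return detected, total, pct


def detections_by_engine(rows):
    """Map each detecting engine to the name it reported."""
    return {r["engine"]: r["result"] for r in rows if r["result"] is not None}


def received_to_iso(received):
    """Convert the 'received on 08.28.2008' date (MM.DD.YYYY) to YYYY.MM.DD,
    the format used in the Last Update column."""
    month, day, year = received.split(".")
    return f"{year}.{month}.{day}"


def stale_engines(rows, scan_date):
    """Engines whose signature date is older than the scan date.

    Both dates are YYYY.MM.DD, so plain string comparison orders them
    correctly. Rows whose update date was not captured are skipped."""
    return sorted(r["engine"] for r in rows
                  if r["updated"] is not None and r["updated"] < scan_date)


if __name__ == "__main__":
    rows = parse_vt_table(SAMPLE_INSTALL)
    print(detection_summary(rows))
    print(stale_engines(rows, received_to_iso("08.28.2008")))
```

Run on the full 36-row install.exe table the summary reproduces the page's 14/36 (38.89%); on the excerpt above it gives 4/6. The stale-engine list is the useful by-product: an engine whose signatures predate the scan by a day or two has simply not seen the sample yet, so a miss there says less than a miss from an engine updated on the scan day.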

Additional information
File size: 183296 bytes
MD5...: 2d77a6d4fa2df29b094e290512b087a0
SHA1..: 0a1dd7596d435cf4a6249348a038c7457f94a678
SHA256: 590afe46bfa375cf000ad323a2744bdb108e3c27faa4b90080df0f64a0d94ab7
SHA512: 5308b467bd8ae5474aea385c5577f00fd899f7640b24c88d8105aabd5addf19e
f20493c3e4e55386eb1424b48286ee21b61034693a684b0076d540e0e4f72788
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x48ab195e (Tue Aug 19 19:05:02 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0xc6ab4 0x2600 6.41 a4d45d87b08f8d94277159e0fe8a9e15
DATA 0xc8000 0x296a4 0x29200 8.00 45367edbb00e3b6724877268637ddde8
.rsrc 0xf2000 0x1000 0xa00 2.38 8ec0154fb3c0c7811715af24c77b9e13
.idata 0xf3000 0x818 0x600 2.83 649de547ef6b5432da99091f5e2cb9b0
.pack32 0xf4000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 3 imports )
> kernel32.dll: OpenSemaphoreA
> user32.dll: TranslateAcceleratorA, OemToCharW, AttachThreadInput, CreateCaret, MessageBoxExA, UserClientDllInitialize, GetLastInputInfo, PeekMessageA, DdeGetLastError, DdeQueryConvInfo, LoadLocalFonts, DdeConnect
> gdi32.dll: Rectangle, CreateCompatibleBitmap, GetDeviceCaps, GdiIsPlayMetafileDC, GdiGetLocalFont, GetFontData, GdiCleanCacheDC, GdiEntry16, CreateMetaFileA, SetPaletteEntries, AddFontMemResourceEx, AbortDoc

After execution, it shows the following behaviors:

[Added process]
C:\Documents and Settings\Administrator\Desktop\video-paris-hilton.avi.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

[DLL injection]
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll

[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA7.tmp.vbs
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
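
Although the three lures on this page differ (a fake Windows update, a news digest and a celebrity video), the sandbox reports for install.exe, installer.exe and video-paris-hilton.avi.exe all end in the same rhcg76j0eg03 installation with the same two Run values, so those entries are the indicators worth checking for regardless of which email delivered the sample. The following Python is an added example, not code from the original posts or from the sandbox tool: it parses the bracketed report format into structured entries, takes the intersection of the Run-key entries across the three reports and matches a host's Run values against it. The report excerpts are copied from the page (registry and service sections only); the host snapshot and all function names are this example's own.

```python
"""Parse the bracketed sandbox reports quoted in these posts and derive the
persistence entries shared by the three samples. Added example, not from the
original posts: the report excerpts are copied from the page (registry and
service sections only); the host snapshot near the end is constructed."""
import re

REPORT_INSTALL = r"""
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
"""

REPORT_INSTALLER = r"""
[Added service]
NAME: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
"""

# In the third report the two Run entries are not separated by a blank line.
REPORT_PARIS = r"""
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def parse_report(text):
    """Return {section name: [non-blank lines]} for a bracketed report."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def registry_entries(sections):
    """Group 'Added registry' lines into (key, value, data) triples. A new entry
    starts at every line that is neither Value= nor Data=, so entries need not
    be blank-separated; a bare key (as at the end of each report) yields
    (key, None, None)."""
    entries, key, value, data = [], None, None, None
    for line in sections.get("Added registry", []):
        if line.startswith("Value="):
            value = line[len("Value="):]
        elif line.startswith("Data="):
            data = line[len("Data="):]
        else:
            if key is not None:
                entries.append((key, value, data))
            key, value, data = line, None, None
    if key is not None:
        entries.append((key, value, data))
    return entries


def run_key_iocs(text):
    """(key, value name) pairs under the CurrentVersion Run key, lower-cased
    because registry key and value names are case-insensitive."""
    return {(k.lower(), v.lower()) for k, v, _ in registry_entries(parse_report(text))
            if v is not None and k.lower().endswith(r"\currentversion\run")}


def shared_run_key_iocs(*reports):
    """Run entries present in every report: the indicators that stay the same
    whichever lure delivered the sample."""
    sets = [run_key_iocs(r) for r in reports]
    return set.intersection(*sets) if sets else set()


# Constructed snapshot of a host's HKLM Run key (value name -> data).
HOST_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SMrhcg76j0eg03": r"C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe",
}


def check_host_run_values(run_values, iocs, key=HKLM_RUN):
    """Value names in a host's Run key that match the IoC set."""
    return sorted(n for n in run_values if (key.lower(), n.lower()) in iocs)
```

The intersection step is the point: each report also lists dozens of temporary-file and cache paths that change from run to run, while the two Run values and the rhcg76j0eg03 uninstall key recur in all three, so a host check built on the intersection keeps working for whichever spam theme delivers the next sample.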