W32/Relnek!D687E3845067

This page shows details and results of our analysis on the malware W32/Relnek!D687E3845067

Overview

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.


Minimum DAT

7342 (2014-02-07)

Updated DAT

7342 (2014-02-07)

Minimum Engine

5600.1067

File Length

102400

Description Added

2014-02-08

Description Modified

2014-02-08

Malware Proliferation

Characteristics

This is a Virus

File Properties

Property              Value
McAfee Detection      W32/Relnek
Length                102400 bytes
MD5                   d687e384506729aaeb5b7bf17224d324
SHA1                  7190d911e698f20cf9db3c4afc7e8fd924966240


Other Common Detection Aliases

Company Name                  Detection Name
EMSI Software                 Win32.Relnek.A (B)
ahnlab                        Win32/Relnek
avast                         Win32:Mirecek
AVG (GriSoft)                 Win32/Agent
avira                         W32/Relnek.A
Kaspersky                     Virus.Win32.Agent.cx
BitDefender                   Win32.Relnek.A
clamav                        W32.Relnek
Dr.Web                        Win32.Relnek.1
F-Prot                        W32/Relnek.A.gen!Eldorado
FortiNet                      W32/Relnek.A
Microsoft                     virus:win32/relnek.a
Symantec                      W32.Relnek.A
Eset                          Win32/Agent.NAW
norman                        Relnek.D
panda                         W32/Relnek.A
rising                        PE:Win32.Relnek.b!1075353399
Sophos                        W32/Relnek-A
Trend Micro                   PE_RELNEK.A
vba32                         Virus.TOT.2207
V-Buster                      Win32.Relnek.A (mutant)
Vet (Computer Associates)     Win32/Relnek.A

Other brands and names may be claimed as the property of others.


Activity                                          Risk Level
Enumerates many system files and directories.     Low
No digital signature is present                   Informational


McAfee Scan            Scan Detection
McAfee Beta            W32/Relnek
McAfee Supported       W32/Relnek



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

7190D911E698F20CF9DB3C4AFC7E8FD924966240

The following files have been added to the system:

  • %TEMP%\WER1A.tmp.dir00\appcompat.txt
  • %TEMP%\344BB.dmp
  • %TEMP%\WER1A.tmp

The following files have been changed:

  • %PROGRAMFILES%\Windows Media Player\OLD39.tmp
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\AcroBroker.exe
  • %PROGRAMFILES%\msn\msncorefiles\msn6.exe
  • %ALLUSERSPROFILE%\Application Data\ADOBE\READER\9.2\ARM\ARM Update\ReaderUpdater.exe
  • %PROGRAMFILES%\messenger\msmsgsin.exe
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\A3DUtility.exe
  • %PROGRAMFILES%\internet explorer\connection wizard\icwtutor.exe
  • %ALLUSERSPROFILE%\Application Data\ADOBE\READER\9.2\ARM\ARM Update\AdobeARM.exe
  • %PROGRAMFILES%\internet explorer\connection wizard\icwconn2.exe
  • %PROGRAMFILES%\microsoft frontpage\version3.0\bin\fpsrvadm.exe
  • %PROGRAMFILES%\internet explorer\connection wizard\isignup.exe
  • %PROGRAMFILES%\winrar\winrar.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\40\bin\OLD1F.tmp
  • %PROGRAMFILES%\internet explorer\connection wizard\icwrmind.exe
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\Eula.exe
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
  • %PROGRAMFILES%\winrar\unrar.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\Smart Tag\SmartTagInstall.exe
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\LogTransport2.exe
  • %ALLUSERSPROFILE%\Application Data\Adobe\Reader\9.2\ARM\AdbeRdr950_en_US.exe
  • %COMMONPROGRAMFILES%\microsoft shared\web server extensions\40\bin\fpsrvadm.exe
  • %PROGRAMFILES%\Windows NT\Accessories\OLD41.tmp
  • %PROGRAMFILES%\msn\msncorefiles\copymar.exe
  • %PROGRAMFILES%\netmeeting\cb32.exe
  • %PROGRAMFILES%\netmeeting\wb32.exe
  • %PROGRAMFILES%\windows nt\dialer.exe
  • %COMMONPROGRAMFILES%\Adobe\Updater6\Adobe_Updater.exe
  • %PROGRAMFILES%\outlook express\wabmig.exe
  • %COMMONPROGRAMFILES%\microsoft shared\web server extensions\40\isapi\fpcount.exe
  • %PROGRAMFILES%\winrar\uninstall.exe
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
  • %PROGRAMFILES%\Windows Media Player\OLD3D.tmp
  • %PROGRAMFILES%\Windows Media Player\OLD3B.tmp
  • %PROGRAMFILES%\microsoft frontpage\version3.0\bin\OLD29.tmp
  • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\40\bin\OLD1D.tmp
  • %PROGRAMFILES%\microsoft frontpage\version3.0\bin\fpsrvwin.exe
  • %PROGRAMFILES%\microsoft frontpage\version3.0\bin\OLD2B.tmp
  • %COMMONPROGRAMFILES%\microsoft shared\speech\sapisvr.exe
  • %COMMONPROGRAMFILES%\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
  • %PROGRAMFILES%\windows nt\hypertrm.exe
  • %PROGRAMFILES%\internet explorer\connection wizard\inetwiz.exe
  • %PROGRAMFILES%\Outlook Express\OLD35.tmp
  • %PROGRAMFILES%\msn gaming zone\windows\shvlzm.exe
  • %PROGRAMFILES%\Windows Media Player\OLD3F.tmp
  • %PROGRAMFILES%\Outlook Express\OLD37.tmp
  • %PROGRAMFILES%\msn gaming zone\windows\zclientm.exe
  • %PROGRAMFILES%\Internet Explorer\OLD2F.tmp
  • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\40\bin\OLD1B.tmp
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
  • %PROGRAMFILES%\msn gaming zone\windows\bckgzm.exe
  • %PROGRAMFILES%\outlook express\oemig50.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut\OLD27.tmp
  • %ALLUSERSPROFILE%\Application Data\ADOBE\READER\9.2\ARM\ARM Update\AdobeARMHelper.exe
  • %PROGRAMFILES%\winrar\rar.exe
  • %PROGRAMFILES%\msn\msncorefiles\update.exe
  • %PROGRAMFILES%\Internet Explorer\Connection Wizard\OLD2D.tmp
  • %COMMONPROGRAMFILES%\microsoft shared\msinfo\msinfo32.exe
  • %PROGRAMFILES%\msn\msncorefiles\dw.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm\OLD25.tmp
  • %PROGRAMFILES%\msn\msncorefiles\setup\msnunin.exe
  • %PROGRAMFILES%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-[private subnet]-A92000000001}\Setup.exe
  • %PROGRAMFILES%\msn gaming zone\windows\hrtzzm.exe
  • %PROGRAMFILES%\msn gaming zone\windows\rvsezm.exe
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\AcroRd32.exe
  • %COMMONPROGRAMFILES%\Adobe\ARM\1.0\AcrobatUpdater.exe
  • %COMMONPROGRAMFILES%\Adobe\ARM\1.0\ReaderUpdater.exe
  • %PROGRAMFILES%\NetMeeting\OLD33.tmp
  • %COMMONPROGRAMFILES%\Adobe\ARM\1.0\AdobeARMHelper.exe
  • %ALLUSERSPROFILE%\Application Data\ADOBE\READER\9.2\ARM\ARM Update\AcrobatUpdater.exe
  • %PROGRAMFILES%\msn gaming zone\windows\chkrzm.exe
  • %PROGRAMFILES%\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
  • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\40\_vti_bin\OLD23.tmp
  • %PROGRAMFILES%\outlook express\wab.exe
  • %PROGRAMFILES%\Movie Maker\OLD31.tmp
  • %COMMONPROGRAMFILES%\Microsoft Shared\web server extensions\40\_vti_bin\OLD21.tmp

Symptoms

The symptoms of this detection are the files, registry entries, and network communication referenced in the Characteristics section.

Method of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Removal

Please use the following instructions for all supported versions of Windows:


1. Disable Windows System Restore. For instructions, please refer to: http://www.mcafee.com/us/downloads/free-tools/disabling-system-restore.aspx

2. Update your McAfee Anti-Virus product to the latest version (when possible), and ensure the latest DAT and Engine and any applicable EXTRA.DATs are installed.

3. Run a full system scan. (On-Demand Scan)

4. Reboot, as soon as it is convenient, to ensure all malicious components are removed.

Variants