RDN/Spybot.bfr!o!747D1E4FF39B

This page shows details and results of our analysis on the malware RDN/Spybot.bfr!o!747D1E4FF39B

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: N/A
  • Protection Added: 2014-11-25

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.


  • Minimum Engine: 5600.1067
  • File Length: 198656
  • Description Added: 2014-11-25
  • Description Modified: 2014-11-25

Malware Proliferation

This is a Virus

File Properties

  • McAfee Detection: RDN/Spybot.bfr!o
  • Length: 198656 bytes
  • MD5: 747d1e4ff39be5c776c45bbffb891eb9
  • SHA1: 4d9cdd2e1e8549448afdddcd675952be32e34820


Other Common Detection Aliases

Company name and detection name:

  • AhnLab: Trojan/Win32.MDA
  • Kaspersky: Trojan-Spy.Win32.Zbot.upsq
  • Symantec: Trojan.Zbot
  • Eset: MSIL/Injector.GLR

Other brands and names may be claimed as the property of others.


Activities (with risk level)

  • Attempts to write to a memory location of a previously loaded process. [Medium]
  • Enumerates many system files and directories. [Low]
  • Process attempts to call itself recursively. [Low]
  • Attempts to write to a memory location of an unknown process. [Low]
  • No digital signature is present. [Informational]


McAfee Scans

  • McAfee Beta: RDN/Spybot.bfr!o
  • McAfee Supported: RDN/Spybot.bfr!o



System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files


The following files were analyzed:

747d1e4ff39be5c776c45bbffb891eb9.bin

The following files have been added to the system:

  • %APPDATA%\Ilpuap\cuhy.exe
  • %USERPROFILE%\Local Settings\Application Data\Identities\{D47E487F-702B-475C-B6B6-EF78A72CD682}\Microsoft\Outlook Express\F
  • %TEMP%\333E2.dmp
  • %TEMP%\WERC7.tmp.dir00\appcompat.txt
  • %TEMP%\WERC0.tmp
  • %TEMP%\2D0C3.dmp
  • %TEMP%\WERC7.tmp
  • %TEMP%\2FD51.dmp
  • %APPDATA%\Microsoft\Address Book\Administrator.wab
  • %TEMP%\WERBD.tmp.dir00\appcompat.txt
  • %APPDATA%\Qiexmy\ruhu.ozk
  • %TEMP%\WERC0.tmp.dir00\appcompat.txt
  • %TEMP%\WERBD.tmp

The following files were temporarily written to disk then later removed:

  • %TEMP%\TarED.tmp
  • %TEMP%\CabC1.tmp
  • %TEMP%\TarF9.tmp
  • %TEMP%\CabCC.tmp
  • %TEMP%\Cab10C.tmp
  • %TEMP%\CabE6.tmp
  • %TEMP%\TarF5.tmp
  • %TEMP%\TarD9.tmp
  • %TEMP%\Tar107.tmp
  • %TEMP%\TarCB.tmp
  • %TEMP%\TarD5.tmp
  • %TEMP%\Cab100.tmp
  • %TEMP%\CabF0.tmp
  • %TEMP%\Tar113.tmp
  • %TEMP%\CabF4.tmp
  • %TEMP%\CabD0.tmp
  • %TEMP%\TarE9.tmp
  • %TEMP%\TarE5.tmp
  • %TEMP%\CabD4.tmp
  • %TEMP%\WERBF.tmp.dir00\appcompat.txt
  • %TEMP%\CabC3.tmp
  • %TEMP%\Cab108.tmp
  • %TEMP%\CabEE.tmp
  • %TEMP%\CabE0.tmp
  • %TEMP%\TarF3.tmp
  • %TEMP%\CabE4.tmp
  • %TEMP%\CabFC.tmp
  • %TEMP%\TarC6.tmp
  • %TEMP%\TarD3.tmp
  • %TEMP%\WERBF.tmp
  • %TEMP%\CabF2.tmp
  • %TEMP%\TarFB.tmp
  • %TEMP%\Cab10E.tmp
  • %TEMP%\Tar101.tmp
  • %APPDATA%\Qiexmy\ruhu.tmp
  • %TEMP%\TarDB.tmp
  • %TEMP%\tmp86818cfb.bat
  • %TEMP%\TarE3.tmp
  • %TEMP%\Tar10D.tmp
  • %TEMP%\Tar10B.tmp
  • %TEMP%\CabEC.tmp
  • %TEMP%\CabE2.tmp
  • %TEMP%\Tar109.tmp
  • %TEMP%\TarCF.tmp
  • %TEMP%\CabFE.tmp
  • %TEMP%\CabC8.tmp
  • %TEMP%\CabF8.tmp
  • %TEMP%\Tar103.tmp
  • %TEMP%\TarEB.tmp
  • %TEMP%\Tar10F.tmp
  • %TEMP%\CabDC.tmp
  • %TEMP%\CabD2.tmp
  • %TEMP%\CabCA.tmp
  • %TEMP%\Cab110.tmp
  • %TEMP%\TarF7.tmp
  • %TEMP%\TarCD.tmp
  • %TEMP%\Cab104.tmp
  • %TEMP%\TarDD.tmp
  • %TEMP%\TarF1.tmp
  • %TEMP%\TarD7.tmp
  • %TEMP%\TarFF.tmp
  • %TEMP%\TarC4.tmp
  • %TEMP%\TarDF.tmp
  • %TEMP%\TarC9.tmp
  • %TEMP%\TarE7.tmp
  • %TEMP%\WERBE.tmp
  • %TEMP%\Cab10A.tmp
  • %TEMP%\CabD8.tmp
  • %TEMP%\CabDE.tmp
  • %TEMP%\CabC5.tmp
  • %TEMP%\WERBE.tmp.dir00\appcompat.txt
  • %TEMP%\TarEF.tmp
  • %TEMP%\CabFA.tmp
  • %TEMP%\CabCE.tmp
  • %TEMP%\CabE8.tmp
  • %TEMP%\CabDA.tmp
  • %TEMP%\TarFD.tmp
  • %TEMP%\Cab112.tmp
  • %TEMP%\Tar105.tmp
  • %TEMP%\TarC2.tmp
  • %TEMP%\TarD1.tmp
  • %TEMP%\Cab106.tmp
  • %TEMP%\CabF6.tmp
  • %TEMP%\Tar111.tmp
  • %TEMP%\CabEA.tmp
  • %TEMP%\CabD6.tmp
  • %TEMP%\TarE1.tmp
  • %TEMP%\Cab102.tmp

The following registry elements have been created:

  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL\
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\NEWS\
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\RULES\
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\RULES\MAIL\
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\TRIDENT\
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\TRIDENT\MAIN\
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\TRIDENT\SETTINGS\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WAB\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WAB\WAB4\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WAB\WAB4\WAB FILE NAME\
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WEFEI\

The following registry elements have been changed:

  • HKEY_CURRENT_USER\IDENTITIES\IDENTITY ORDINAL = 2
  • HKEY_CURRENT_USER\IDENTITIES\LAST USER ID = {D47E487F-702B-475C-B6B6-EF78A72CD682}
  • HKEY_CURRENT_USER\IDENTITIES\LAST USERNAME = Main Identity
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\CONVERTEDTODBX = 1
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MSIMN = 1
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\RUNNING = 1
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\SETTINGS UPGRADED = 7
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\SPELLDONTIGNOREDBCS = 1
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\STORE ROOT = %UserProfile%\Local Settings\Application Data\Identities\{D47E487F-702B-475C-B6B6-EF78A72CD682}\Microsoft\Outlook Express\
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\STOREMIGRATEDV5 = 1
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\VERSTAMP = 3
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL\ACCOUNTS CHECKED = 0
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\MAIL\WELCOME MESSAGE = 1
  • HKEY_CURRENT_USER\IDENTITIES\{D47E487F-702B-475C-B6B6-EF78A72CD682}\SOFTWARE\MICROSOFT\OUTLOOK EXPRESS\5.0\NEWS\ACCOUNTS CHECKED = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\DEFAULT LDAP ACCOUNT = Active Directory GC
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\SERVER ID = 4
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ASSOCIATEDID = [binary data]
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\CONNECTIONSETTINGSMIGRATED = 1
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\PRECONFIGVER = 4
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\PRECONFIGVERNTDS = 1
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\ACCOUNT NAME = Active Directory
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP AUTHENTICATION = 2
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP BIND DN = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP PORT = 3268
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP RESOLVE FLAG = 1
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP SEARCH BASE = NULL
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP SEARCH RETURN = 100
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP SECURE CONNECTION = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP SERVER = NULL
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP SERVER ID = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP SIMPLE SEARCH = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP TIMEOUT = 60
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\ACTIVE DIRECTORY GC\LDAP USER NAME = NULL
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\ACCOUNT NAME = Bigfoot Internet Directory Service
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\LDAP AUTHENTICATION = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\LDAP LOGO = %COMMONPROGRAMFILES%\Services\bigfoot.bmp
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\LDAP SEARCH RETURN = 100
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\LDAP SERVER = ldap.bigfoot.com
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\LDAP SERVER ID = 1
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\LDAP SIMPLE SEARCH = 1
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\LDAP TIMEOUT = 60
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\BIGFOOT\LDAP URL = http://www.bigfoot.com
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\ACCOUNT NAME = VeriSign Internet Directory Service
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP AUTHENTICATION = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP LOGO = %COMMONPROGRAMFILES%\Services\verisign.bmp
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP SEARCH BASE = NULL
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP SEARCH RETURN = 100
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP SERVER = directory.verisign.com
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP SERVER ID = 2
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP SIMPLE SEARCH = 1
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP TIMEOUT = 60
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\VERISIGN\LDAP URL = http://www.verisign.com
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\ACCOUNT NAME = WhoWhere Internet Directory Service
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\LDAP AUTHENTICATION = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\LDAP LOGO = %COMMONPROGRAMFILES%\Services\whowhere.bmp
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\LDAP SEARCH RETURN = 100
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\LDAP SERVER = ldap.whowhere.com
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\LDAP SERVER ID = 3
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\LDAP SIMPLE SEARCH = 1
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\LDAP TIMEOUT = 60
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS\WHOWHERE\LDAP URL = http://www.whowhere.com
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY\CLEANCOOKIES = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WAB\WAB4\OLKCONTACTREFRESH = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WAB\WAB4\OLKFOLDERREFRESH = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WEFEI\ETHEEP = [binary data]
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.386\OPENWITHPROGIDS\VXDFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.AIF\OPENWITHPROGIDS\AIFFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.AIFC\OPENWITHPROGIDS\AIFFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.AIFF\OPENWITHPROGIDS\AIFFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.ASF\OPENWITHPROGIDS\ASFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.ASX\OPENWITHPROGIDS\ASXFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.AU\OPENWITHPROGIDS\AUFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.AVI\OPENWITHPROGIDS\AVIFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.BMP\OPENWITHPROGIDS\PAINT.PICTURE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.CDA\OPENWITHPROGIDS\CDAFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.CHK\OPENWITHPROGIDS\CHKFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.CSS\OPENWITHPROGIDS\CSSFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.DIB\OPENWITHPROGIDS\PAINT.PICTURE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.DOC\OPENWITHPROGIDS\WORD.DOCUMENT.8
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.DOT\OPENWITHPROGIDS\WORD.TEMPLATE.8
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.EMF\OPENWITHPROGIDS\EMFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.EML\OPENWITHPROGIDS\MICROSOFT INTERNET MAIL MESSAGE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.GIF\OPENWITHPROGIDS\GIFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.HTM\OPENWITHPROGIDS\HTMLFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.HTML\OPENWITHPROGIDS\HTMLFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.ICO\OPENWITHPROGIDS\ICOFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.IVF\OPENWITHPROGIDS\IVFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JFIF\OPENWITHPROGIDS\PJPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JPE\OPENWITHPROGIDS\JPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JPEG\OPENWITHPROGIDS\JPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JPG\OPENWITHPROGIDS\JPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.M1V\OPENWITHPROGIDS\MPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.M3U\OPENWITHPROGIDS\M3UFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MHT\OPENWITHPROGIDS\MHTMLFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MHTML\OPENWITHPROGIDS\MHTMLFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MID\OPENWITHPROGIDS\MIDFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MIDI\OPENWITHPROGIDS\MIDFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MP2\OPENWITHPROGIDS\MPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MP2V\OPENWITHPROGIDS\MPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MP3\OPENWITHPROGIDS\MP3FILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MPA\OPENWITHPROGIDS\MPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MPE\OPENWITHPROGIDS\MPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MPEG\OPENWITHPROGIDS\MPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MPG\OPENWITHPROGIDS\MPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.MPV2\OPENWITHPROGIDS\MPEGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.NWS\OPENWITHPROGIDS\MICROSOFT INTERNET NEWS MESSAGE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.OBD\OPENWITHPROGIDS\OFFICE.BINDER.9
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.OBT\OPENWITHPROGIDS\OFFICE.BINDER.TEMPLATE.9
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.OCX\OPENWITHPROGIDS\OCXFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.PNG\OPENWITHPROGIDS\PNGFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.POT\OPENWITHPROGIDS\POWERPOINT.TEMPLATE.8
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.PPT\OPENWITHPROGIDS\POWERPOINT.SHOW.8
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.RMI\OPENWITHPROGIDS\MIDFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.RTF\OPENWITHPROGIDS\WORD.RTF.8
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.SND\OPENWITHPROGIDS\AUFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.TIF\OPENWITHPROGIDS\MSPAPER.DOCUMENT
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.TIFF\OPENWITHPROGIDS\MSPAPER.DOCUMENT
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.TXT\OPENWITHPROGIDS\TXTFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.URL\OPENWITHPROGIDS\INTERNETSHORTCUT
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.VXD\OPENWITHPROGIDS\VXDFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WAV\OPENWITHPROGIDS\SOUNDREC
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WAX\OPENWITHPROGIDS\WAXFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WM\OPENWITHPROGIDS\ASFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WMA\OPENWITHPROGIDS\WMAFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WMF\OPENWITHPROGIDS\WMFFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WMV\OPENWITHPROGIDS\WMVFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WMX\OPENWITHPROGIDS\ASXFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WRI\OPENWITHPROGIDS\WRIFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.WVX\OPENWITHPROGIDS\WVXFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.XLS\OPENWITHPROGIDS\EXCEL.SHEET.8
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.XLT\OPENWITHPROGIDS\EXCEL.TEMPLATE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.XML\OPENWITHPROGIDS\XMLFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.XSL\OPENWITHPROGIDS\XSLFILE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.ZIP\OPENWITHPROGIDS\WINRAR.ZIP
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\0\1609 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\1\1406 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\1\1609 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2\1609 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3\1406 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3\1609 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\4\1406 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\4\1609 = 0
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\{7D9EB484-9703-F650-2F50-405B3BBBCD89} = "%APPDATA%\Ilpuap\cuhy.exe"

The applications attempted the following network connection(s):

  • 70.96.0.*:80
  • 78.1[private subnet]
  • 74.125.28.***:443
  • 74.125.28.***:80
  • hxxp://78.1[private subnet]/zhope/panel/*****

The symptoms of this detection are the files, registry elements, and network communications referenced in the characteristics section above.

Please use the following instructions for all supported versions of Windows:


1. Disable Windows System Restore. For instructions, please refer to: http://www.mcafee.com/us/downloads/free-tools/disabling-system-restore.aspx

2. Update your McAfee Anti-Virus product to the latest version (when possible), and ensure the latest DAT and Engine and any applicable EXTRA.DATs are installed.

3. Run a full system scan. (On-Demand Scan)

4. Reboot, as soon as it is convenient, to ensure all malicious components are removed.