Systweak Spyware Library
Systweak Spyware Library text
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Adtool.MyWebSearch Analysis Report
Threat Submitted On: 10 Nov 2008
Threat Analysed On: 11 Nov 2008
Threat Updated On: 11 Sept 2009
Type : Adtool
Symptoms of diazom
  • Connects to remote websites or FTP as and when there is an internet connection
  • Downloads and installs malicious files.
Information
Alias : [Not Available]
Md5 Hash : [631182f0cb72b44dc8f059fe94d0797d]
File Size : (106496 bytes)

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: adobe32.exe
Path : %allusersprofile%\start menu\programs\startup

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
29e6d726242c5a812e86b176323df984 ( 106496 bytes)
631182f0cb72b44dc8f059fe94d0797d ( 106496 bytes)
cbd708e7c472155c187df54e6242a4d8 ( 106496 bytes)
File: icq.exe
Path : %allusersprofile%\start menu\programs\startup

Md5Hash :5b7a511eb8fdc372134be6d41c514640 ( 49152 bytes)
File: filex.exe
Path : %temp%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
88e3f571ad32acc8f6cf8d38035c5584 ( 114178 bytes)
b7357d02c6f084209f3a0a11d2716d06 ( 114178 bytes)
File: tmp116312.exe
Path : %temp%

Md5Hash :5b7a511eb8fdc372134be6d41c514640 ( 49152 bytes)
File: tmp88875.exe
Path : %temp%

Md5Hash :5b7a511eb8fdc372134be6d41c514640 ( 49152 bytes)
File: tmp98328.exe
Path : %temp%

Md5Hash :5b7a511eb8fdc372134be6d41c514640 ( 49152 bytes)
File: himem32.exe
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
29e6d726242c5a812e86b176323df984 ( 106496 bytes)
631182f0cb72b44dc8f059fe94d0797d ( 106496 bytes)
cbd708e7c472155c187df54e6242a4d8 ( 106496 bytes)
File: mmapi32.dll
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
02c9c1dc861c37f254ea7848ce28e0e0 ( 59904 bytes)
13f5b14d2e35d5f3924b0e4816b5700e ( 59904 bytes)
5a4650cdd20331e5de77aa64b82a4e46 ( 59904 bytes)
File: qmedia.exe
Path : %windir%\system32

Md5Hash :5b7a511eb8fdc372134be6d41c514640 ( 49152 bytes)
File: wucfg.dat
Path : %windir%

Md5Hash :3694cce6775dd83ae5fbdc6cc79de564 ( 55 bytes)
File: [randomname].exe
Path : %workingdir%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
29e6d726242c5a812e86b176323df984 ( 106496 bytes)
3a389a4f480289aae13752bbcc00273e ( 111618 bytes)
4834b51a2327df4352171b366e9c9fa4 ( 112130 bytes)
4e09a04be5921e307cd2b151e64a0ecd ( 111616 bytes)
631182f0cb72b44dc8f059fe94d0797d ( 106496 bytes)
8561c43d69aa70956cb46cb53286926a ( 112130 bytes)
8e1c0b6d3c60b76ea3aadaf9671ce6df ( 112130 bytes)
964730f709d7a7120f3a92cdde391160 ( 99330 bytes)
cbd708e7c472155c187df54e6242a4d8 ( 106496 bytes)
f749da944ac39dccb19e9b22428f7fec ( 111618 bytes)
f92eb16e1c8d44eab85c48a3743b9f70 ( 112130 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
winamp media = "%windir%\system32\qmedia.exe"
|__ Value Added :
memory manager = "%windir%\system32\himem32.exe"
|__ Value Added :
winamp media = "%windir%\system32\qmedia.exe"
Creates the following child process(s) on execution:

services.exe

%systemdrive%\docume~1\antisp~1\locals~1\temp\tmp98328.exe

%systemdrive%\docume~1\antisp~1\locals~1\temp\filex.exe

Creates the Following MUTEX(s) on user's System:-
mc_v1.2.4
mc_v1.1.2
mc_v1.2.2
mc_v1.2.3
mtx_cv_cv_v2.0
raspbfile
Tries To Connect to The Following Urls:-
Http_Version :http/1.1
207.210.93.242/contact.php?p=fxenafluxw0nafluxwgnaflvvfdfabbzkisqiv8bclkqkyohxxmswtmncgalexdekjbeuupvxwahwvq=
Http_Version :http/1.1
207.210.93.242/dcv.php
Http_Version :http/1.1
207.210.93.242/ecv20.php
Http_Version :http/1.1
74.222.0.72/edcv.php
Copies the Following Files to Given Location :-

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\tmp98328.exe

To : %windir%\system32\qmedia.exe

Copies :%systemdrive%\docume~1\antisp~1\locals~1\temp\tmp98328.exe

To : %allusersprofile%\start menu\programs\startup\icq.exe

Moves the Following Files to Given Location :-

NOTE:

1. %allusersprofile% Refers to the windows all users profile folder. By default it is 'C:\Documents and Settings\All Users'
2. %temp% Refers to the windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
3. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
4. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.


Microsoft Gold Certified Partner

© Systweak Inc., 1999-2011 All rights reserved.