Systweak Spyware Library
Microsoft Gold Certified Partner
Adtool.MyWebSearch Analysis Report
Threat Submitted On: 10 Nov 2008
Threat Analysed On: 11 Nov 2008
Threat Updated On: 11 Sept 2009
Type: Adtool
Symptoms of Adtool.MyWebSearch
  • Connects to remote websites or FTP servers whenever an internet connection is available.
  • Downloads and installs malicious files.
Information
Alias: Not available
MD5 Hash: f544416552e0f1d909e2860bb23edac0
File Size: 75291 bytes

Technical Details

The following are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system.
Note: Delete the following files to remove the infection.
File: rmtct.exe
Path: %workingdir%

MD5 Hash:
41509141c8ca73d75a2e09cff062385c ( 134 bytes)
b933dad191b27e23945b36e6bd55a21e ( 761 bytes)
e3f77ebfb085a9363df474677aa074b7 ( 671 bytes)
File: axdglwdj.exe
Path: %windir%\system32
MD5 Hash: 41509141c8ca73d75a2e09cff062385c (134 bytes)
File: hosts.new
Path: %windir%\system32\drivers\etc
MD5 Hash:
606ef19ba248710be0e9083a692efcdb
aec979082faa056987746d2644f0173c
d00d84265782462338bca716ade9f926
File: fyrglcai.exe
Path: %windir%\system32
MD5 Hash: 41509141c8ca73d75a2e09cff062385c (134 bytes)
File: services.exe
Path: %windir%\system32\golum
File: services.exe
Path: %windir%\system32\golumm
File: iqgrgqrr.exe
Path: %windir%\system32
MD5 Hash: e3f77ebfb085a9363df474677aa074b7 (671 bytes)
File: mnhwlgqw.exe
Path: %windir%\system32
MD5 Hash: e3f77ebfb085a9363df474677aa074b7 (671 bytes)
File: sysnew.exe
Path: %windir%\system32\mso
MD5 Hash:
30ab61ed7bafdbf3290265d8a284cf75 (32262 bytes)
3641632c75e24d980a3690940c404889 (32260 bytes)
File: services.exe
Path: %windir%\system32\msoffice
File: mssock.exe
Path: %windir%\system32
MD5 Hash:
41509141c8ca73d75a2e09cff062385c (134 bytes)
e3f77ebfb085a9363df474677aa074b7 (671 bytes)
File: qicvykvj.exe
Path: %windir%\system32
MD5 Hash: e3f77ebfb085a9363df474677aa074b7 (671 bytes)
File: rmtct.exe
Path: %windir%\system32
MD5 Hash: 41509141c8ca73d75a2e09cff062385c (134 bytes)
File: software.exe
Path: %windir%\system32\software
File: tdpeuatt.exe
Path: %windir%\system32
MD5 Hash: b933dad191b27e23945b36e6bd55a21e (761 bytes)
File: services.exe
Path: %windir%\system32\windows
File: ysb.exe
Path: %windir%\system32
MD5 Hash: 41509141c8ca73d75a2e09cff062385c (134 bytes)
File: [randomname].exe
Path: %workingdir%
Also creates the following files on the user's system, which are also created by genuine software.
Note: These file(s) can be kept, as they are also created by genuine software.
File: msimgsiz.dat
Path: %userprofile%\local settings\application data\microsoft\internet explorer
MD5 Hash: 1f9409c6721369b8c86cc241ca71f236 (16384 bytes)
File: hosts.new
Path: %windir%\system32\drivers\etc
MD5 Hash:
665a29080248221b81ab7d6a61d8d0d1
8534fa703d989f116fca7d69a6e5bb4a
df282082440a8f35c782a2b30d0f7529
The following registry values are added to the listed registry keys:
Note: Delete the added values from the key to remove the infection.
Creates the following child process(es) on execution:

%programfiles%\internet explorer\iexplore.exe http://teens3.com/tgp.html

services.exe

Creates the following mutex(es) on the user's system:
Tries to connect to the following URLs:
Tries to connect to the following IP address(es) through UDP (User Datagram Protocol):

127.0.0.1

NOTE:

1. %workingdir% refers to the current directory in which the user is working.
2. %windir% refers to the Windows root folder. By default it is 'C:\Windows'.
3. %userprofile% refers to the current user's profile folder. By default it is 'C:\Documents and Settings\[user]'.

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify the malicious or suspicious subkeys only.


To modify registry entries in the Windows operating system, follow these steps:
1. Click Start > Run.
2. Type "regedit" to open the Registry Editor.
3. Navigate to the required registry key in the left tree control and modify it accordingly.



© Systweak Inc., 1999-2011 All rights reserved.