Systweak Spyware Library
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Adtool.MyWebSearch Analysis Report
Threat Submitted On: 10 Nov 2008
Threat Analysed On: 11 Nov 2008
Threat Updated On: 11 Sept 2009
Type : Adtool
Symptoms of huhk
  • Replicates itself and spreads to the other computers of the network.
  • Installed by executing the scripts from infected e-mail attachments or messages.
Information
Alias : [Not Available]
Md5 Hash : 75436f6c47820f15fcdc3c1eb27a90ea
File Size : 1906176 bytes

Technical Details

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system.
Note:
Delete the following files to remove the infection.
File: config.ini
Path: %allusersprofile%\application data\storm
Md5Hash: eae36e1301100d183385a15b0131a3e2 (126 bytes)

File: storm_ctrl.ini.tp
Path: %allusersprofile%\application data\storm\temp
Md5Hash: 87d0a93c7872759834e305e31f6adee6 (size [Not Available])

File: update.exe
Path: %allusersprofile%\application data\storm\temp
Md5Hash: 4cbdc5787b6c96a7bb796df0a28e28e1 (318624 bytes)

File: stormliv.exe
Path: %programfiles%\stormii
Md5Hash: 601a7cb54f0feab5522ee9797f78c354 (604256 bytes)

File: chinese_big5.lang
Path: %workingdir%
Md5Hash: [Not Available]

File: fun.xls.exe
Path: %systemdrive%
Md5Hash: 7b7eee0ee5b3720d5eb7ac42a9da3676 (49154 bytes)

File: cnvpe.fne
Path: %temp%\e_n4
Md5Hash: 907d0bf6f4e14f166761722d5d5b8994 (61440 bytes)

File: dp1.fne
Path: %temp%\e_n4
Md5Hash: f1126e3c472038e3a1c13c66016c488b (114688 bytes)

File: eapi.fne
Path: %temp%\e_n4
Md5Hash: aafcfb3f75a8d881dd1b43826ac8135f (323584 bytes)

File: krnln.fnr
Path: %temp%\e_n4
Md5Hash: 21b8f5c5d1135bf5ad8c78e0995b3a41 (1101824 bytes)

File: shell.fne
Path: %temp%\e_n4
Md5Hash: 92b6b3570cb71d7e5f4b1dc3d1f57166 (40960 bytes)

File: lorer.exe
Path: %temp%
Md5Hash: 76390dbe1410832b2f1a60f2c83bacd1 (1032192 bytes)

File: rssinfo2.dat
Path: %userprofile%\application data\360safe
Md5Hash: 3baddb3bbde2f6f7f5191b0153713cdb (30116 bytes)

File: 2ade6b.exe
Path: %windir%\system32\10a216
Md5Hash: 0413553d89a26619ac83c262d9a82369 (113664 bytes)

File: cnvpe.fne
Path: %windir%\system32\10a216
Md5Hash: 907d0bf6f4e14f166761722d5d5b8994 (61440 bytes)

File: dp1.fne
Path: %windir%\system32\10a216
Md5Hash: f1126e3c472038e3a1c13c66016c488b (114688 bytes)

File: eapi.fne
Path: %windir%\system32\10a216
Md5Hash: aafcfb3f75a8d881dd1b43826ac8135f (323584 bytes)

File: krnln.fnr
Path: %windir%\system32\10a216
Md5Hash: 21b8f5c5d1135bf5ad8c78e0995b3a41 (1101824 bytes)

File: shell.fne
Path: %windir%\system32\10a216
Md5Hash: 92b6b3570cb71d7e5f4b1dc3d1f57166 (40960 bytes)

File: spec_a.fne
Path: %windir%\system32\10a216
Md5Hash: 5c2873a3e6fa77320b97f2c13353914a (73728 bytes)

File: 16eb.edt
Path: %windir%\system32\b55985
Md5Hash: d74525462fc6d7c06717b6ff085b92e3 (512 bytes)

File: [randomname].exe
Path: %workingdir%
Md5Hash:
008fb36a69a89213754d08b80f8ff0bd ( 81925 bytes)
020bfa2531eff2218a3049ae227b3281 ( 978432 bytes)
0671f1b3ab88494b73839cf48c2201d0 ( 499782 bytes)
072505dc1ae5a67db1cbc707c0c06084 ( 976900 bytes)
083db2aeee5c15bc94a027f3d41ec213 ( 976896 bytes)
0b21d50b5bd73c320a6e59786cff2a36 ( 1967848 bytes)
0dbf816c2a7b6aed58347ff93dcc48d0 ( 499722 bytes)
108e510d5c1d55d7576bf82178060ebe ( 977925 bytes)
1575c25baef9fe06b676f2c01bb0929a ( 977920 bytes)
1b88692e56a6ec06e5fb50fc89d6cd97 ( 57344 bytes)
1e834c91793b01a0da8f2f21aa0a7cca ( 499719 bytes)
26685da277bebd6e0e64d9c2d82e88bc ( 978432 bytes)
2d467541536ba62c5e791f82e25690c1 ( 499721 bytes)
3216e23c1a2c653414b97f6d868a2a07 ( 977920 bytes)
3285befde4dea314537414d00ec12fbb ( 172032 bytes)
33188d92eba8c810c2a94146610a40ee ( 977922 bytes)
36985854ae9bb916efb3876c87ee84e6 ( 978432 bytes)
383a1533ec4cad94d46f56f7b86728c2 ( 1967846 bytes)
39190fca87638919cba521b20c520499 ( 499714 bytes)
3bceb9afaff29faf2993daad88fefb7d ( 1967849 bytes)
43f27db8ad4e9c6be45d7b1418b3ffc3 ( 723968 bytes)
456f9f2f1c28bc5e2c02e6c89885804e ( 977925 bytes)
47896d3e1c148bcbe8cbd543e26d0572 ( 948736 bytes)
4ca199724f163e2726df57a444ec6d7d ( 976898 bytes)
4ca9586e3594a0a70be98e7ba8e90e2a ( 499719 bytes)
4ed506597584fa392c33f65719aef66c ( 1400756 bytes)
4f2528ce4765b2a85bc64e39844decb6 ( 499712 bytes)
4fc08067fc2e0ad55918d801894340eb ( 977920 bytes)
52b4c96f70e0f9aefa65f2b8af169b49 ( 976900 bytes)
55ce06dad8423b8a920bbf208118c253 ( 1129933 bytes)
5b19422f2c88bc83c005f784726b5667 ( 977920 bytes)
620d93c08408228b0370fc442ac7acfd ( 499721 bytes)
6297f4d55f33b766fea1c1a3aece62ad ( 561152 bytes)
6b4774e94096f9e7f6fe570280f8098a ( 77824 bytes)
6c0cb9bcf4c6f7d68f2e239d74f74725 ( 1490948 bytes)
6d608837ca980aa99b8f548158963ac5 ( 585728 bytes)
7102cfd6d6cffef4cae262a6e342a515 ( 499716 bytes)
73e24cde49d6a73e53a89faca57e99e5 ( 1967848 bytes)
753ac51cfbba6ac72870b6a51ad6f590 ( 997376 bytes)
75436f6c47820f15fcdc3c1eb27a90ea ( 1906176 bytes)
76e0f433bc92b9588649b8728ddf4b93 ( 499717 bytes)
77fbe7009f4763b59ff10cbe0fd39c32 ( 499722 bytes)
78854b0f12ab264662146eee3b27bd98 ( 940297 bytes)
7b7eee0ee5b3720d5eb7ac42a9da3676 ( 49154 bytes)
7b8aa3a536cab5f6ae9f252d8a382282 ( 94208 bytes)
7be98735bc74b639b9a91dbe60eaccec ( 434176 bytes)
7c9ec969dd93a22b8e35a57821ea03fa ( 61440 bytes)
7db0dff5b98827dcde32123e067cabc1 ( 1170432 bytes)
7e01364e65373ca18914c31666e85f7f ( 282883 bytes)
810b08044d2a1ee26d117e489900c966 ( 114688 bytes)
83a67f5069da3e6835bd2cf25995d317 ( 218376 bytes)
849a9707bd2f59eafa4487fabe502b0d ( 499721 bytes)
84d68a66140ebc86a216b67135ddafeb ( 477259 bytes)
8632f0dc0a3409e87224b247b0b3a6ac ( 976896 bytes)
89d86848833719c2479279570c738cce ( 745472 bytes)
8dab9548f63052ecc47535fde7b0b732 ( 1967848 bytes)
8e653263387ba804a48f183a2dad7a1c ( 372736 bytes)
910793a1e35d671fb3498ceae1c8c7b0 ( 977925 bytes)
9316a73dc3a61f0152325b7c3b5184de ( 977922 bytes)
93a971341b8fa32dbb5474a09ed90d55 ( 499714 bytes)
Also creates the following files on the user's system, which are also created by genuine software:
Note:
These file(s) can be kept, as they are also created by genuine software. Because the file operations recorded below show the sample moving and copying explorer.exe between %windir%, the dllcache folder and %temp%, confirm that the explorer.exe present on the system matches one of the hashes listed here before leaving it in place.
File: er.exe
Path: %temp%
Md5Hash: 45757077a47c68a603a79b03a1a836ab (1032192 bytes)

File: explorer.exe
Path: %windir%
Md5Hash:
  5e63bc563a8d6b3760141e927d028e05 (1032192 bytes)
  85a6dfaf3d82a416099f234300e52883 (1032192 bytes)
  de449944a74f74d1707b0050e9f999e9 (1032192 bytes)

File: explorer.exe
Path: %windir%\system32\dllcache
Md5Hash:
  32ec2c75accbc524b8e1f10fe654cd7e (1032192 bytes)
  45757077a47c68a603a79b03a1a836ab (1032192 bytes)
The following registry values are added to the affected registry keys:
Note:
Delete the added values from the key to remove the infection.
|__ Value Added :
msserver = "msfun80.exe"
|__ Value Added :
imjpmig8.2 = "msime82.exe"
Creates the following child process(es) on execution:
services.exe

Creates the following mutex(es) on the user's system:
q360safemutex
raspbfile
Tries to connect to the following URLs:
124.238.254.101/apps/fixtime.html (Http_Version: http/1.1)
124.238.254.101/news/news_rss.xml (Http_Version: http/1.1)
124.238.254.48/?1/action_rss.html (Http_Version: http/1.1)
Tries to connect to the following IP address(es) over UDP (User Datagram Protocol):
127.0.0.1

Copies the following files to the given locations:
Copies : %systemdrive%\docume~1\antisp~1.c10\locals~1\temp\lorer.exe
To     : %windir%\system32\dllcache\explorer.exe
Copies : %windir%\explorer.exe
To     : %windir%\system32\dllcache\explorer.exe

Moves the following files to the given locations:
Moves : %windir%\explorer.exe
To    : %systemdrive%\docume~1\antisp~1.c10\locals~1\temp\lorer.exe
Moves : %windir%\system32\dllcache\explorer.exe
To    : %windir%\explorer.exe

NOTE:

1. %allusersprofile% refers to the Windows All Users profile folder. By default it is 'C:\Documents and Settings\All Users'.
2. %programfiles% refers to the Program Files folder. By default it is 'C:\Program Files'.
3. %workingdir% refers to the current directory in which the user is working.
4. %systemdrive% refers to the Windows system drive. By default it is 'C:\'.
5. %temp% refers to the Windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'.
6. %userprofile% refers to the current user's Windows profile folder. By default it is 'C:\Documents and Settings\[user]'.
7. %windir% refers to the Windows root folder. By default it is 'C:\Windows'.

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify only the malicious or suspicious subkeys.


To modify registry entries in the Windows operating system, follow these steps:
1. Click Start > Run.
2. Type "regedit" to open the Registry Editor.
3. Navigate to the required registry key in the left-hand tree view and modify it accordingly.


© Systweak Inc., 1999-2011 All rights reserved.