Submission Summary:
 - Submission details:
     - Submission received: 19 April 2009, 12:09:13
     - Processing time: 9 min 24 sec
 - Submitted sample:
     - File MD5: 0x113554AB42E9EF2B530284E51370C507
     - File SHA-1: 0x661783D44061A4AD2077F6C47DBFDDA5AF57A1FE
     - Filesize: 655,360 bytes
     - Alias:
 
 
What's been found
Severity Level
 - Capability to terminate Antivirus, Firewall and other security related processes.
 - Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate manual threat analysis (e.g. the sample would not run under a Virtual Machine).
 - Downloads/requests other files from the Internet.
 - Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode.
 - Creates a startup registry entry.
 - Contains characteristics of an identified security risk.

Possible Security Risk
 - Attention! Characteristics of the following security risks were identified in the system:
     - Trojan-Downloader.Bagle: Trojan.Downloader.Bagle runs in the background and attempts to download malicious files from the Internet without the user's knowledge.
     - Trojan.Lodear.D: Trojan.Lodear.D is a trojan that installs itself onto infected computers so that it starts every time the system reboots. It also tries to download and install additional malware from a list of predetermined websites.
     - Rootkit.Agent: Rootkit.Agent is a trojan that hijacks the browser in order to produce popup advertisements from known bad sites and also has rootkit functionality in order to hide itself as a system driver.
 - Attention! The following threat categories were identified:
     - A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
     - A program that downloads files to the local computer that may represent a security risk
     - A network-aware worm that attempts to replicate across the existing network(s)
File System Modifications
 - The following files were created in the system:
     - #1: %System%\drivers\hldrrr.exe
         - [file and pathname of the sample #1]
         - File Size: 655,360 bytes
         - File Hash: MD5: 0x113554AB42E9EF2B530284E51370C507, SHA-1: 0x661783D44061A4AD2077F6C47DBFDDA5AF57A1FE
         - Alias: Trojan.DL.Bagle.ZPL [PCTools], W32.Beagle.EB [Symantec], Trojan-Downloader.Win32.Bagle.ajd [Kaspersky Lab], Downloader.gen.a [McAfee], Troj/Agent-GQY [Sophos], TrojanDownloader:Win32/Bagle.RN [Microsoft], Trojan-Downloader.Win32.Bagle [Ikarus], Win-Trojan/Bagle.655360 [AhnLab]
     - #2: %System%\drivers\srosa.sys
         - File Size: 100,352 bytes
         - File Hash: MD5: 0x09348BABE24297C2911724AD90FC773B, SHA-1: 0x004F941EB05890E960337074F79B83E6A7577C08
         - Alias: Rootkit.Bagle.Gen.21 [PCTools], Trojan Horse [Symantec], Trojan-Downloader.Win32.Bagle.jh [Kaspersky Lab], Generic Downloader.x [McAfee], Trojan:WinNT/Bagle.gen!B [Microsoft], Trojan-Downloader.Win32.Bagle [Ikarus], Win-Trojan/Bagle.100352 [AhnLab]
 - Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
 
 - The following directory was created:
 - The following directory was deleted:
     - [pathname with a string SHARE]\shared

 - The following system services were modified:
     - ALG (Application Layer Gateway Service): new status "Stopped"; service filename %System%\alg.exe
     - SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)): new status "Stopped"; service filename %System%\svchost.exe -k netsvcs
     - wscsvc (Security Center): new status "Stopped"; service filename %System%\svchost.exe -k netsvcs
     - wuauserv (Automatic Updates): new status "Stopped"; service filename %System%\svchost.exe -k netsvcs
 - There was a new kernel-mode driver installed in the system:
     - Megadrv3: %System%\drivers\srosa.sys
Registry Modifications
 - The following Registry Keys were created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Enum 
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA 
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000 
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control 
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa 
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security 
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum 
- HKEY_CURRENT_USER\Software\FirstRRRun 
- HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications 
- HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\uiytuhjy 
- HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\uiytuhjy\Settings 
 
 - The following Registry Keys were deleted:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFD 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmt 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Base 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot file system 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Browser 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\CryptSvc 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DcomLaunch 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmadmin 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmboot.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmio.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmload.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmserver 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DnsCache 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLog 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\File system 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Filter 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\HelpSvc 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ip6fw.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipnat.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanServer 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanWorkstation 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LmHosts 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Messenger 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS Wrapper 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SharedAccess 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService 
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers 
 
 - The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000\Control]
- *NewlyCreated* = 0x00000000
- ActiveService = "srosa"

- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]
- Service = "srosa"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "Megadrv3"

- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
- NextInstance = 0x00000001

- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Enum]
- 0 = "Root\LEGACY_SROSA\0000"
- Count = 0x00000001
- NextInstance = 0x00000001

- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security]
- Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa]
- Type = 0x00000001
- Start = 0x00000001
- ErrorControl = 0x00000000
- ImagePath = "%System%\drivers\srosa.sys"
- DisplayName = "Megadrv3"

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control]
- *NewlyCreated* = 0x00000000
- ActiveService = "srosa"

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000]
- Service = "srosa"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "Megadrv3"

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
- NextInstance = 0x00000001

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum]
- 0 = "Root\LEGACY_SROSA\0000"
- Count = 0x00000001
- NextInstance = 0x00000001

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security]
- Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa]
- Type = 0x00000001
- Start = 0x00000001
- ErrorControl = 0x00000000
- ImagePath = "%System%\drivers\srosa.sys"
- DisplayName = "Megadrv3"

- [HKEY_CURRENT_USER\Software\FirstRRRun]
- First12Ru123n = 0x00000001

- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- drvsyskit = "%System%\drivers\hldrrr.exe" (so that hldrrr.exe runs every time Windows starts)
 
 - The following Registry Values were deleted:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
- C:\Documents and Settings\UserName\Application Data\Microsoft\Installer\ = ""
- C:\WINDOWS\Installer\{4275B162-C5C0-4912-9522-E92FE1C4E21D}\ = "" 
- C:\Documents and Settings\UserName\Application Data\Microsoft\Installer\{3966BA0C-23BA-4B20-9B9D-7561DEC54E6A}\ = "" 
- C:\Program Files\VMware\VMware Tools\Drivers\memctl\ = "" 
- C:\Program Files\VMware\VMware Tools\TPOG3\ = "" 
- C:\Program Files\VMware\VMware Tools\TPOG3\amd64\ = "" 
- C:\Program Files\VMware\VMware Tools\TPOG3\i386\ = "" 
- C:\Program Files\VMware\VMware Tools\vmci\ = "" 
- C:\WINDOWS\Installer\{3B410500-1802-488E-9EF1-4B11992E0440}\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ = "1" 
- C:\WINDOWS\Microsoft.NET\Framework\ = "1" 
- C:\WINDOWS\Microsoft.NET\ = "1" 
- C:\WINDOWS\PCHEALTH\ERRORREP\ = "1" 
- C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\ = "1" 
- C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\ = "1" 
- C:\WINDOWS\winsxs\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RedistList\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MSBuild\ = "" 
- C:\WINDOWS\system32\MUI\0409\ = "" 
- C:\Program Files\Internet Explorer\MUI\0409\ = "" 
- C:\Program Files\Internet Explorer\MUI\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\0409\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\MUI\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\ = "" 
- C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\1025\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\1028\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\1031\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\1033\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\1036\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\1040\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\1041\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\1042\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\2052\ = "" 
- C:\Program Files\Common Files\Microsoft Shared\DW\3082\ = "" 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\ = "" 
 
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.resx = 0x00000001
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.resx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.resx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources\AppConfigCommon.resx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.resx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.resx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.resx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\navigationBar.ascx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code\WebAdminPage.cs = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ProviderList.ascx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\addUser.aspx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizardAddUser.ascx = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\alink.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfdll.dll = 0x00000001 
- C:\WINDOWS\system32\dfshim.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe.config = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\cscompui.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cscomp.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.dll = 0x00000001 
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.JScript.tlb = 0x00000002 
 
 
 
    
Other details
 - To mark the presence in the system, the following Mutex object was created:
 - The following Host Name was requested from a host database:
 - The following Internet downloads were started (the retrieved bits are saved into the local file):
    Heuristics Analysis
     - Heuristically identified capability to terminate the following security related processes:
_avp32.exe   
_avpcc.exe    
_avpm.exe    
ackwin32.exe    
alertsvc.exe    
alogserv.exe    
anti-trojan.exe    
antivirus.exe    
ants.exe    
apvxdwin.exe    
armor2net.exe    
atcon.exe    
atupdater.exe    
atwatch.exe    
aupdate.exe    
autodown.exe    
autotrace.exe    
autoupdate.exe    
avconsol.exe    
avengine.exe    
avgcc32.exe    
avgctrl.exe    
avgnt.exe    
avgserv.exe    
avguard.exe    
avgw.exe    
avkserv.exe    
avkservice.exe    
avp.exe    
avp32.exe    
avpcc.exe    
avpm.exe    
avpupd.exe    
avsched32.exe    
avsynmgr.exe    
avwupd32.exe    
avwupsrv.exe    
avxmonitor9x.exe    
avxmonitornt.exe    
avxquar.exe    
blackd.exe    
blackice.exe    
ccapp.exe    
ccevtmgr.exe    
ccproxy.exe    
cfiaudit.exe    
claw95.exe    
claw95cf.exe    
cleaner.exe    
cleaner3.exe    
cmgrdian.exe    
cpd.exe    
defwatch.exe    
doors.exe    
drweb32w.exe    
drwebupw.exe    
escanh95.exe    
escanhnt.exe    
f-agnt95.exe    
fameh32.exe    
fast.exe    
fch32.exe    
firewall.exe    
f-prot95.exe    
frameworkservice.exe    
frw.exe    
fsav.exe    
fsav32.exe    
fsgk32.exe    
fsm32.exe    
fsma32.exe    
fsmb32.exe    
f-stopw.exe    
guard.exe    
iamapp.exe    
iamserv.exe    
icload95.exe    
icloadnt.exe    
icmon.exe    
icssuppnt.exe    
icsupp95.exe    
icsuppnt.exe    
iface.exe    
iomon98.exe    
isrv95.exe    
jedi.exe    
kavpf.exe    
livesrv.exe    
lockdown2000.exe    
luall.exe    
lucomserver.exe    
luinit.exe    
mcagent.exe    
mcmnhdlr.exe    
mcshield.exe    
mcupdate.exe    
mcvsshld.exe    
minilog.exe    
monitor.exe    
moolive.exe    
navapsvc.exe    
navapw32.exe    
navlu32.exe    
navstub.exe    
navw32.exe    
navwnt.exe    
ndd32.exe    
neowatchlog.exe    
nisum.exe    
nmain.exe    
nod32.exe    
nod32krn.exe    
normist.exe    
notstart.exe    
nprotect.exe    
nsched32.exe    
ntrtscan.exe    
ntxconfig.exe    
nupgrade.exe    
nvc95.exe    
nwservice.exe    
outpost.exe    
pavfires.exe    
pavfnsvr.exe    
pavproxy.exe    
pavsrv51.exe    
pcciomon.exe    
pccntmon.exe    
persfw.exe    
pop3trap.exe    
poproxy.exe    
pxagent.exe    
realmon.exe    
rescue.exe    
rtvscan.exe    
rtvscn95.exe    
rulaunch.exe    
savscan.exe    
scan32.exe    
shstat.exe    
smc.exe    
sndsrvc.exe    
sphinx.exe    
spyxx.exe    
ss3edit.exe    
swnetsup.exe    
symlcsvc.exe    
symproxysvc.exe    
taumon.exe    
tc.exe    
tca.exe    
tcm.exe    
tds-3.exe    
tfak.exe    
trjscan.exe    
update.exe    
updaterui.exe    
vettray.exe    
vptray.exe    
vsecomr.exe    
vshwin32.exe    
vsmon.exe    
vsserv.exe    
vsstat.exe    
watchdog.exe    
webscanx.exe    
webtrap.exe    
wgfe95.exe    
wradmin.exe    
wrctrl.exe    
xcommsvr.exe    
zatutor.exe    
zauinst.exe    
zonealarm.exe
Downloaded File Summary:
     - Download details:
         - Download retrieved: 19 April 2009 12:18:38
         - Processing time: 7 min 51 sec
     - Downloaded sample:
         - File MD5: 0x3F4F042FC88BC862989DD6702E19D917
         - File SHA-1: 0x566DD782D6E49431A401A43087DBC7AACE784C17
         - Filesize: 99,844 bytes
         - Alias:
 
 
What's been found
Severity Level
  Creates a startup registry entry.
  Contains characteristics of an identified security risk.

  Technical Details:
Possible Security Risk
     - Attention! The following threat categories were identified:
         - A network-aware worm that attempts to replicate across the existing network(s)
         - A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
File System Modifications
     - The following file was created in the system:
         1. Filename(s): %AppData%\m\flec006.exe
            [file and pathname of the sample #1]
            File Size: 99,844 bytes
            File Hash: MD5: 0x3F4F042FC88BC862989DD6702E19D917, SHA-1: 0x566DD782D6E49431A401A43087DBC7AACE784C17
            Alias: Trojan.Lodeight.C [Symantec]; Email-Worm.Win32.Bagle.of [Kaspersky Lab]; W32/Bagle.gen [McAfee]; TROJ_BAGLE.AO [Trend Micro]; Mal/Packer, Mal/Behav-191, Mal/Bagpk-D [Sophos]; Worm:Win32/Bagle.gen!C [Microsoft]; Email-Worm.Win32.Bagle [Ikarus]; Win32/MalPackedB.suspicious [AhnLab]
     - Note:
         - %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
     - The following directory was created:
Memory Modifications
     - There were new processes created in the system:
         - Process Name: flec006.exe
           Process Filename: %AppData%\m\flec006.exe
           Main Module Size: 261,617 bytes
         - Process Name: [filename of the sample #1]
           Process Filename: [file and pathname of the sample #1]
           Main Module Size: 261,617 bytes
Registry Modifications
     - The newly created Registry Value is:
         - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
             - mule_st_key = "%AppData%\m\flec006.exe"
       so that flec006.exe runs every time Windows starts
Other details
     - The following Host Name was requested from a host database: