Trojan.DownLoader6.45643

Technical Information

Malicious functions:

Creates and executes the following:

C:\slinstaller.exe /partner:a708 /bannerid:executable /promo:executable
C:\a708.exe
C:\slinstaller.exe (downloaded from the Internet)

Executes the following:

%WINDIR%\regedit.exe /S kans.reg
<SYSTEM32>\cmd.exe /c ""C:\x.bat" "

Modifies settings of Windows Internet Explorer:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1407' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1402' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1405' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1605' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1606' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1604' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1001' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1004' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'CurrentLevel' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Flags' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1206' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1200' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1201' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1607' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A04' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A05' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A02' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A03' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2001' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2004' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A06' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A10' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1800' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1802' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1608' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1805' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A00' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1803' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1804' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1406' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1407' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1402' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1405' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1605' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1606' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1601' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1604' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1001' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1004' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'CurrentLevel' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Flags' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1206' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1400' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1200' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1201' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1607' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1A04' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1A05' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1A02' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1A03' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '2001' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '2004' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1A06' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1A10' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1800' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1802' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1608' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1609' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1805' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1A00' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1803' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1804' = '00000000'

Modifies file system :

Creates the following files:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mtrslib2[1].js
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\prompt[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\a771af73[1].js
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\install[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\popup[1].php
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\protect[1].php
C:\kans.reg
C:\a708.exe
C:\x.bat
C:\slinstaller.exe
C:\trufkz.html
C:\kansup.reg

Network activity:

Connects to:

'fr###.#razywinnings.com':80
'www.mt###wnload.com':80
'mm#.##dia-motor.net':80
'po#####r.paypopup.com':80
'localhost':1038
'st####.#opconverting.com':80
'in#####.xxxtoolbar.com':80
'st####.windupdates.com':80

TCP:

HTTP GET requests:

fr###.#razywinnings.com/scripts/protect.php?pr######################################################################################################################################
po#####r.paypopup.com/popup.php?id#########################################
mm#.##dia-motor.net/install.php?al############################################################################
www.mt###wnload.com/mtrslib2.js
st####.#opconverting.com/activex/slinstaller.exe
st####.windupdates.com/prompts/a370a177/a771af73.js
in#####.xxxtoolbar.com/ist/scripts/prompt.php?re####################################################################################################

UDP:

DNS ASK fr###.#razywinnings.com
DNS ASK po#####r.paypopup.com
DNS ASK mm#.##dia-motor.net
DNS ASK www.mt###wnload.com
DNS ASK st####.#opconverting.com
DNS ASK st####.windupdates.com
DNS ASK in#####.xxxtoolbar.com

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: 'EDIT' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'RegEdit_RegEdit' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial