| Vendor | Detection name |
|---|---|
| | Dropper/Malware.743370 |
| AVG (GriSoft) | Generic10.AQTP (Trojan horse) |
| avira | TR/Dropper.Gen2 |
| Kaspersky | Trojan-Dropper.Win32.Flystud.aaw |
| BitDefender | Gen:Variant.EvilEPL.5 |
| clamav | Trojan.Agent-148768 |
| Dr.Web | Trojan.Siggen2.1469 |
| eSafe (Alladin) | Suspicious file |
| F-Prot | W32/Trojan2.NJZO |
| FortiNet | W32/Autorun!worm |
| Microsoft | Backdoor:Win32/FlyAgent.E |
| Eset | Win32/FlyStudio.OHD trojan (variant) |
| norman | W32/Hupigon.DIEY |
| rising | Backdoor.Win32.ECode.se |
| Sophos | Troj/PWS-BRB |
| Trend Micro | TROJ_UNDEF.EQ |
| vba32 | Trojan.Win32.Pasta.ipb |
| V-Buster | Trojan.Shutdowner!UaIp5WA/Iv0 (trojan) |
Some path values have been replaced with environment variables, as the exact location may vary between configurations, e.g.:

%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files
The following files were analyzed:
21f45caf86b3fef0da76ebc889c56144616b79bd

The following files have been added to the system:

- %PROGRAMFILES%\Ycesezors\srvany.exe
- %WINDIR%\SYSTEM32\Pzriccnss.exe
- %WINDIR%\SYSTEM32\Pzriccnss.dll
- %WINDIR%\Fonts\7c1d5cd6872f50006a77be9d6d56769f.dat

The following files were temporarily written to disk then later removed:

- C:\BRC_Setup.exe_And DeleteMe.bat

The following registry elements have been created:

- HKEY_CURRENT_USER\SOFTWARE\FLYSKY\
- HKEY_CURRENT_USER\SOFTWARE\FLYSKY\E\
- HKEY_CURRENT_USER\SOFTWARE\FLYSKY\E\INSTALL\
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\
- HKEY_LOCAL_MACHINE\SOFTWARE\RISING\
- HKEY_LOCAL_MACHINE\SOFTWARE\RISING\KAKA\
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\YCESEZORS\PARAMETERS\

The following registry elements have been changed:

- HKEY_CURRENT_USER\SOFTWARE\FLYSKY\E\INSTALL\PATH = %TEMP%\BClib\
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CHECK_ASSOCIATIONS = NO
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOW_PLACEMENT = [binary data]
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\AUTORECOVER = 2
- HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1
- HKEY_CURRENT_USER\SOFTWARE\WINRAR\ARCHISTORY\0 = [binary data]
- HKEY_CURRENT_USER\SOFTWARE\WINRAR\ARCHISTORY\1 = C:\Raiden\Goat_1.5.235.1931.zip
- HKEY_CURRENT_USER\SOFTWARE\WINRAR\ARCHISTORY\2 = C:\sample\Sample.zip
- HKEY_CURRENT_USER\SOFTWARE\WINRAR\ARCHISTORY\3 = C:\sample\bc_amp.zip
- HKEY_CURRENT_USER\SOFTWARE\WINRAR\FILELIST\FILECOLUMNWIDTHS\MTIME = 100
- HKEY_CURRENT_USER\SOFTWARE\WINRAR\FILELIST\FILECOLUMNWIDTHS\NAME = 120
- HKEY_CURRENT_USER\SOFTWARE\WINRAR\FILELIST\FILECOLUMNWIDTHS\SIZE = 80
- HKEY_CURRENT_USER\SOFTWARE\WINRAR\FILELIST\FILECOLUMNWIDTHS\TYPE = 120
- HKEY_LOCAL_MACHINE\SOFTWARE\RISING\KAKA\PROCRUN = 0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\YCESEZORS\PARAMETERS\APPLICATION = %WINDIR%\SYSTEM32\Pzriccnss.exe -s

To remove this infection:

1. Disable System Restore.
2. Update to the current engine and DAT files for detection and removal.
3. Run a complete system scan.

You should be good to go.