Trojan.Packed.24524

Technical Information

Malicious functions:

Executes the following:

'<SYSTEM32>\taskhost.exe'
'<SYSTEM32>\wermgr.exe' -queuereporting
'<SYSTEM32>\DllHost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Modifies file system :

Creates the following files:

%TEMP%\ish683627\css\sdk-ui\checkbox.css
%TEMP%\ish683627\css\sdk-ui\images\button-bg.png
%TEMP%\ish683627\css\sdk-ui\button.css
%TEMP%\ish683627\css\main.css
%TEMP%\ish683627\css\sdk-ui\browse.css
%TEMP%\ish683627\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\ish683627\csshover3.htc
%TEMP%\ish683627\DAT\DSiteU.dat
%TEMP%\ish683627\css\sdk-ui\progress-bar.css
%TEMP%\ish683627\css\sdk-ui\images\progress-bg.png
%TEMP%\ish683627\css\sdk-ui\images\progress-bg2.png
%TEMP%\ish683627\css\ie6_main.css
%TEMP%\ish660976\images\Progress.png
%TEMP%\ish660976\images\ProgressBar.png
%TEMP%\ish660976\images\Loader.gif
%TEMP%\ish660976\images\Grey_Button_Hover.png
%TEMP%\ish660976\images\icon.png
%TEMP%\ish660976\images\ssClose_Hover.png
%TEMP%\ish660976\bootstrap_37631.html
%TEMP%\000A6E5B.log
%TEMP%\ish660976\locale\EN.locale
%TEMP%\ish660976\images\xxClose.png
%TEMP%\ish660976\images\xxProgressBar.png
%TEMP%\ish683627\images\BG.gif
%TEMP%\000B35EE.log
%TEMP%\000B360D.log
%PROGRAM_FILES%\is722721.log
%TEMP%\ish683627\images\xxProgressBar.png
%TEMP%\ish683627\locale\EN.locale
<LS_APPDATA>\Temp000B361D.log
%HOMEPATH%\Desktop\Continue Codec Pack Installation.lnk
%TEMP%\ICReinstall_<Virus name>.exe
%TEMP%\is357113909\959182947.cfg
%TEMP%\is357113909\2024801342.cfg
%TEMP%\ish683627\images\xxClose.png
%TEMP%\ish683627\images\Color_Button_Hover.png
%TEMP%\ish683627\images\Grey_Button.png
%TEMP%\ish683627\images\Color_Button.png
%TEMP%\ish683627\images\Close.png
%TEMP%\ish683627\images\Close_Hover.png
%TEMP%\ish683627\images\Grey_Button_Hover.png
%TEMP%\ish683627\images\ProgressBar.png
%TEMP%\ish683627\images\ssClose_Hover.png
%TEMP%\ish683627\images\Progress.png
%TEMP%\ish683627\images\icon.png
%TEMP%\ish683627\images\Loader.gif
%TEMP%\ish660976\images\Grey_Button.png
%TEMP%\ish657123\images\Close_Hover.png
%TEMP%\ish657123\images\Color_Button.png
%TEMP%\ish657123\images\Close.png
%TEMP%\ish657123\DAT\DSiteU.dat
%TEMP%\ish657123\images\BG.gif
%TEMP%\ish657123\images\Color_Button_Hover.png
%TEMP%\ish657123\images\Loader.gif
%TEMP%\ish657123\images\Progress.png
%TEMP%\ish657123\images\icon.png
%TEMP%\ish657123\images\Grey_Button.png
%TEMP%\ish657123\images\Grey_Button_Hover.png
%TEMP%\ish657123\csshover3.htc
%TEMP%\ish657123\css\sdk-ui\browse.css
%TEMP%\ish657123\css\sdk-ui\button.css
%TEMP%\ish657123\css\main.css
%TEMP%\000A057C.log
%TEMP%\ish657123\css\ie6_main.css
%TEMP%\ish657123\css\sdk-ui\checkbox.css
%TEMP%\ish657123\css\sdk-ui\images\progress-bg2.png
%TEMP%\ish657123\css\sdk-ui\progress-bar.css
%TEMP%\ish657123\css\sdk-ui\images\progress-bg.png
%TEMP%\ish657123\css\sdk-ui\images\button-bg.png
%TEMP%\ish657123\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\ish657123\images\ProgressBar.png
%TEMP%\ish660976\css\sdk-ui\progress-bar.css
%TEMP%\ish660976\csshover3.htc
%TEMP%\ish660976\css\sdk-ui\images\progress-bg2.png
%TEMP%\ish660976\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\ish660976\css\sdk-ui\images\progress-bg.png
%TEMP%\ish660976\DAT\DSiteU.dat
%TEMP%\ish660976\images\Color_Button.png
%TEMP%\ish660976\images\Color_Button_Hover.png
%TEMP%\ish660976\images\Close_Hover.png
%TEMP%\ish660976\images\BG.gif
%TEMP%\ish660976\images\Close.png
%TEMP%\ish660976\css\sdk-ui\images\button-bg.png
%TEMP%\ish657123\locale\EN.locale
%TEMP%\000A1093.log
%TEMP%\ish657123\images\xxProgressBar.png
%TEMP%\ish657123\images\ssClose_Hover.png
%TEMP%\ish657123\images\xxClose.png
%TEMP%\000A15A2.log
%TEMP%\ish660976\css\sdk-ui\button.css
%TEMP%\ish660976\css\sdk-ui\checkbox.css
%TEMP%\ish660976\css\sdk-ui\browse.css
%TEMP%\ish660976\css\ie6_main.css
%TEMP%\ish660976\css\main.css

Deletes the following files:

%TEMP%\ish657123\images\Progress.png
%TEMP%\ish657123\images\Loader.gif
%TEMP%\ish657123\images\ssClose_Hover.png
%TEMP%\ish657123\images\ProgressBar.png
%TEMP%\ish657123\images\icon.png
%TEMP%\ish657123\images\Color_Button_Hover.png
%TEMP%\ish657123\images\Color_Button.png
%TEMP%\ish657123\images\Grey_Button_Hover.png
%TEMP%\ish657123\images\Grey_Button.png
%TEMP%\000B360D.log
%TEMP%\000B35EE.log
%TEMP%\ish660976\bootstrap_37631.html
<LS_APPDATA>\Temp000B361D.log
%PROGRAM_FILES%\is722721.log
%TEMP%\ish657123\images\xxProgressBar.png
%TEMP%\ish657123\images\xxClose.png
%TEMP%\000A6E5B.log
%TEMP%\ish657123\locale\EN.locale
%TEMP%\ish657123\css\sdk-ui\checkbox.css
%TEMP%\ish657123\css\sdk-ui\button.css
%TEMP%\ish657123\css\sdk-ui\images\progress-bg-corner.png
%TEMP%\ish657123\css\sdk-ui\images\button-bg.png
%TEMP%\ish657123\css\sdk-ui\browse.css
%TEMP%\000A1093.log
%TEMP%\000A057C.log
%TEMP%\ish657123\css\main.css
%TEMP%\ish657123\css\ie6_main.css
%TEMP%\ish657123\images\BG.gif
%TEMP%\ish657123\DAT\DSiteU.dat
%TEMP%\ish657123\images\Close_Hover.png
%TEMP%\ish657123\images\Close.png
%TEMP%\ish657123\csshover3.htc
%TEMP%\ish657123\css\sdk-ui\images\progress-bg2.png
%TEMP%\ish657123\css\sdk-ui\images\progress-bg.png
%TEMP%\ish657123\css\sdk-ui\progress-bar.css
%TEMP%\000A15A2.log

Network activity:

Connects to:

'os#.####estcodecpackapp.com':80
'os#####.#hebestcodecpackapp.com':80
'cd###.###bestcodecpackapp.com':80

TCP:

HTTP GET requests:

cd###.###bestcodecpackapp.com/app/Cmp/codecpack.cis

HTTP POST requests:

os#.####estcodecpackapp.com/CM/?v=###############
os#####.#hebestcodecpackapp.com/CM/?v=###############

UDP:

DNS ASK os#.####estcodecpackapp.com
DNS ASK os#####.#hebestcodecpackapp.com
DNS ASK cd###.###bestcodecpackapp.com

Miscellaneous:

Searches for the following windows:

ClassName: 'OleMainThreadWndClass' WindowName: '(null)'
ClassName: 'MS_WebCheckMonitor' WindowName: '(null)'
ClassName: 'MS_AutodialMonitor' WindowName: '(null)'

Your browser is obsolete!

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial

Doctor Web in social networks

For Telegram

Other Dr.Web resources