BKDR_SI.AD8E57BA
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
File Size: 152,064 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 01 Apr 2014
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system:
- %User Profile%\LOCALS~1\WinHttp.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
WinHttp = "%User Profile%\LOCALS~1\WinHttp.exe"
Dropping Routine
This backdoor drops the following files:
- %User Temp%\tmp.dat
- %User Temp%\tmp.dll
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
Other Details
This backdoor connects to the following possibly malicious URLs. Every request uses the plain http:// scheme, including those sent to port 443, and the requests rotate across three hosts on ports 443 and 80. The path is always one of ten .jsp pages (process, login, page, parse, default, query, index, about, user, security), the query string carries a random two-letter parameter name, and its value is six random lowercase letters followed by the constant string 1161670G290G. Because the six-letter value changes with every request, detection should key on this URL shape (and on cleartext HTTP to port 443) rather than on the individual URLs:
- http://www.{BLOCKED}sd.onedumb.com:443/process.jsp?pw=sbtxdx1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/login.jsp?zw=krsevs1161670G290G
- http://www.{BLOCKED}c.compress.to:443/page.jsp?mi=mkucwj1161670G290G
- http://www.{BLOCKED}c.compress.to:80/process.jsp?az=zczcpq1161670G290G
- http://{BLOCKED}.120.140:443/parse.jsp?wm=npyweq1161670G290G
- http://{BLOCKED}.120.140:80/parse.jsp?bz=gjrjyw1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/parse.jsp?zr=okimiu1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/default.jsp?ck=ypulwv1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?oe=zqwspe1161670G290G
- http://www.{BLOCKED}c.compress.to:80/query.jsp?ol=bdqlbp1161670G290G
- http://{BLOCKED}.120.140:443/index.jsp?cz=wjblbv1161670G290G
- http://{BLOCKED}.120.140:80/index.jsp?fu=nwfhdf1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/about.jsp?cs=rqitti1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/page.jsp?iq=jjovyw1161670G290G
- http://www.{BLOCKED}c.compress.to:443/parse.jsp?uk=aitgay1161670G290G
- http://www.{BLOCKED}c.compress.to:80/query.jsp?zn=uxhkql1161670G290G
- http://{BLOCKED}.120.140:443/index.jsp?rc=mbzcvn1161670G290G
- http://{BLOCKED}.120.140:80/page.jsp?wm=krxmsl1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/index.jsp?sm=hyqikt1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/query.jsp?gm=rqszgy1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?gx=okaakf1161670G290G
- http://www.{BLOCKED}c.compress.to:80/page.jsp?id=eskwww1161670G290G
- http://{BLOCKED}.120.140:443/query.jsp?lx=tzawih1161670G290G
- http://{BLOCKED}.120.140:80/parse.jsp?tm=wzcxgc1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/page.jsp?rn=eezbqn1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/parse.jsp?yi=qyhfjf1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?px=llcbhh1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?vi=otumqk1161670G290G
- http://{BLOCKED}.120.140:443/about.jsp?uf=guwmhx1161670G290G
- http://{BLOCKED}.120.140:80/index.jsp?zf=rhnsjp1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/query.jsp?cf=baubqy1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/user.jsp?tt=eqsaqa1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?xu=byysqb1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?lu=txezuf1161670G290G
- http://{BLOCKED}.120.140:443/parse.jsp?mg=jujvoc1161670G290G
- http://{BLOCKED}.120.140:80/login.jsp?rm=rauryc1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/user.jsp?ex=newggc1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/about.jsp?ub=bqdbea1161670G290G
- http://www.{BLOCKED}c.compress.to:443/default.jsp?cv=ogpibv1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?fx=uwqlmo1161670G290G
- http://{BLOCKED}.120.140:443/about.jsp?vz=wjejyl1161670G290G
- http://{BLOCKED}.120.140:80/process.jsp?tl=ltvopl1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/default.jsp?ru=wirhjz1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/process.jsp?zv=ykdixz1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?jg=dvfxpn1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?uj=unrlxa1161670G290G
- http://{BLOCKED}.120.140:443/query.jsp?uv=ghiafc1161670G290G
- http://{BLOCKED}.120.140:80/user.jsp?ez=uzjmbz1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/user.jsp?aa=yrwfiz1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/page.jsp?wj=sjshad1161670G290G
- http://www.{BLOCKED}c.compress.to:443/page.jsp?yh=hnnfwi1161670G290G
- http://www.{BLOCKED}c.compress.to:80/login.jsp?fo=pfygxa1161670G290G
- http://{BLOCKED}.120.140:443/parse.jsp?ye=fkgxxp1161670G290G
- http://{BLOCKED}.120.140:80/parse.jsp?kj=jbelcd1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/parse.jsp?ri=fpctfg1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/process.jsp?vy=brdjmc1161670G290G
- http://www.{BLOCKED}c.compress.to:443/user.jsp?we=bcepmr1161670G290G
- http://www.{BLOCKED}c.compress.to:80/user.jsp?qd=oqyoir1161670G290G
- http://{BLOCKED}.120.140:443/query.jsp?yy=gkfbar1161670G290G
- http://{BLOCKED}.120.140:80/login.jsp?zk=ujrpvu1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/index.jsp?wd=mboauq1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/page.jsp?bk=rchela1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?mz=jvoakj1161670G290G
- http://www.{BLOCKED}c.compress.to:80/default.jsp?ei=wchsln1161670G290G
- http://{BLOCKED}.120.140:443/security.jsp?vv=yqgvsb1161670G290G
- http://{BLOCKED}.120.140:80/page.jsp?jg=bdpusv1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/user.jsp?pi=xdnxpj1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/parse.jsp?vp=dzyjwu1161670G290G
- http://www.{BLOCKED}c.compress.to:443/user.jsp?us=nciure1161670G290G
- http://www.{BLOCKED}c.compress.to:80/security.jsp?uu=gxffci1161670G290G
- http://{BLOCKED}.120.140:443/login.jsp?sr=qtqvnn1161670G290G
- http://{BLOCKED}.120.140:80/process.jsp?jc=xvuxtf1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/query.jsp?zt=nhhrrw1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/security.jsp?hz=mbyfzm1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?qd=guvihw1161670G290G
- http://www.{BLOCKED}c.compress.to:80/process.jsp?yn=fhzahu1161670G290G
- http://{BLOCKED}.120.140:443/default.jsp?xh=levpmo1161670G290G
- http://{BLOCKED}.120.140:80/process.jsp?jz=vnvnrd1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/parse.jsp?gv=bssfsx1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/query.jsp?wd=dpzxdl1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?xg=zdueru1161670G290G
- http://www.{BLOCKED}c.compress.to:80/default.jsp?iz=zlvwnk1161670G290G
- http://{BLOCKED}.120.140:443/login.jsp?ms=woayfz1161670G290G
- http://{BLOCKED}.120.140:80/login.jsp?dy=lkeltk1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/user.jsp?hl=thipak1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/index.jsp?mh=ucfldu1161670G290G
- http://www.{BLOCKED}c.compress.to:443/page.jsp?uh=bvoapf1161670G290G
- http://www.{BLOCKED}c.compress.to:80/process.jsp?ce=erbajo1161670G290G
- http://{BLOCKED}.120.140:443/login.jsp?jb=dazqeg1161670G290G
- http://{BLOCKED}.120.140:80/login.jsp?lo=gfblni1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/security.jsp?ph=wyqngx1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/query.jsp?aw=pyxddm1161670G290G
- http://www.{BLOCKED}c.compress.to:443/about.jsp?ov=ocujdy1161670G290G
- http://www.{BLOCKED}c.compress.to:80/default.jsp?wv=hbclsp1161670G290G
- http://{BLOCKED}.120.140:443/login.jsp?hd=zjbxxm1161670G290G
- http://{BLOCKED}.120.140:80/query.jsp?hv=jbohay1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/security.jsp?ft=jtizhk1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/page.jsp?pm=wpqayv1161670G290G
- http://www.{BLOCKED}c.compress.to:443/security.jsp?qq=nivjph1161670G290G
- http://www.{BLOCKED}c.compress.to:80/login.jsp?as=hylynp1161670G290G
- http://{BLOCKED}.120.140:443/user.jsp?kj=kuhjfu1161670G290G
- http://{BLOCKED}.120.140:80/page.jsp?ny=wijtpn1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/security.jsp?mr=uaphkn1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/user.jsp?di=honpzu1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?ob=kqaqcn1161670G290G
- http://www.{BLOCKED}c.compress.to:80/security.jsp?yb=blpmck1161670G290G
- http://{BLOCKED}.120.140:443/index.jsp?se=fkjtxf1161670G290G
- http://{BLOCKED}.120.140:80/about.jsp?re=gcgiqr1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/parse.jsp?gi=txfsmy1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/user.jsp?zt=ydkyvi1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?hx=aymchm1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?vs=lekijp1161670G290G
- http://{BLOCKED}.120.140:443/index.jsp?sc=httqiq1161670G290G
- http://{BLOCKED}.120.140:80/page.jsp?lx=rjmmxb1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/parse.jsp?fj=kslosh1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/process.jsp?wm=fmejlp1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?pk=ssariq1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?oz=irzvap1161670G290G
- http://{BLOCKED}.120.140:443/process.jsp?cc=nfcqkk1161670G290G
- http://{BLOCKED}.120.140:80/default.jsp?fv=zeruvl1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/index.jsp?dc=ioueni1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/user.jsp?at=cuyffg1161670G290G
- http://www.{BLOCKED}c.compress.to:443/page.jsp?tu=ydbzre1161670G290G
- http://www.{BLOCKED}c.compress.to:80/index.jsp?dn=xujyqt1161670G290G
- http://{BLOCKED}.120.140:443/user.jsp?on=rjbwqp1161670G290G
- http://{BLOCKED}.120.140:80/process.jsp?hj=atpidr1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/login.jsp?mc=fbrail1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/about.jsp?fr=mumnsp1161670G290G
- http://www.{BLOCKED}c.compress.to:443/page.jsp?ky=fzmxnu1161670G290G
- http://www.{BLOCKED}c.compress.to:80/parse.jsp?or=jdpufx1161670G290G
- http://{BLOCKED}.120.140:443/process.jsp?gz=dchrzx1161670G290G
- http://{BLOCKED}.120.140:80/security.jsp?cj=lzzmbo1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/index.jsp?sd=nkreey1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/login.jsp?tk=itpuwp1161670G290G
- http://www.{BLOCKED}c.compress.to:443/about.jsp?ph=vyyops1161670G290G
- http://www.{BLOCKED}c.compress.to:80/parse.jsp?sg=iyhcgn1161670G290G
- http://{BLOCKED}.120.140:443/process.jsp?ye=vquvxl1161670G290G
- http://{BLOCKED}.120.140:80/user.jsp?gz=ltyabe1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/query.jsp?wl=izredf1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/about.jsp?ir=jgtjsr1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?cc=gezhgi1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?yt=ywkawa1161670G290G
- http://{BLOCKED}.120.140:443/default.jsp?tz=nowzfu1161670G290G
- http://{BLOCKED}.120.140:80/process.jsp?wo=vxfeyl1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/login.jsp?gb=cvpxfr1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/parse.jsp?vz=ogxopq1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?kp=pnwzxy1161670G290G
- http://www.{BLOCKED}c.compress.to:80/query.jsp?nc=vnptno1161670G290G
- http://{BLOCKED}.120.140:443/user.jsp?kq=ygewxj1161670G290G
- http://{BLOCKED}.120.140:80/login.jsp?cv=hsnqjk1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/login.jsp?kq=abslgy1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/default.jsp?qt=xkxnrr1161670G290G
- http://www.{BLOCKED}c.compress.to:443/about.jsp?sv=ksiove1161670G290G
- http://www.{BLOCKED}c.compress.to:80/query.jsp?ve=rloiqm1161670G290G
- http://{BLOCKED}.120.140:443/process.jsp?as=hzwyrh1161670G290G
- http://{BLOCKED}.120.140:80/index.jsp?to=zqtexx1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/parse.jsp?mk=ukgjgf1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/page.jsp?ph=zzbybu1161670G290G
- http://www.{BLOCKED}c.compress.to:443/parse.jsp?fw=omdguz1161670G290G
- http://www.{BLOCKED}c.compress.to:80/process.jsp?sn=plqjjk1161670G290G
- http://{BLOCKED}.120.140:443/default.jsp?ev=ekqmmz1161670G290G
- http://{BLOCKED}.120.140:80/parse.jsp?sx=xllmjk1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/login.jsp?rs=gczmzt1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/parse.jsp?bx=fdvghp1161670G290G
- http://www.{BLOCKED}c.compress.to:443/parse.jsp?ql=arxojw1161670G290G
- http://www.{BLOCKED}c.compress.to:80/parse.jsp?ty=tvzxeu1161670G290G
- http://{BLOCKED}.120.140:443/process.jsp?fs=clhqdn1161670G290G
- http://{BLOCKED}.120.140:80/default.jsp?ba=gaejuk1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/about.jsp?za=slcsdo1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/page.jsp?mz=pevgpc1161670G290G
- http://www.{BLOCKED}c.compress.to:443/security.jsp?xh=lykucu1161670G290G
- http://www.{BLOCKED}c.compress.to:80/index.jsp?nv=ahkzcp1161670G290G
- http://{BLOCKED}.120.140:443/security.jsp?fj=rlyatq1161670G290G
- http://{BLOCKED}.120.140:80/about.jsp?be=rcocvi1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/user.jsp?sl=nrocnk1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/user.jsp?ut=lxsnef1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?dt=izeihe1161670G290G
- http://www.{BLOCKED}c.compress.to:80/query.jsp?ca=jmwsck1161670G290G
- http://{BLOCKED}.120.140:443/security.jsp?aq=eqzxux1161670G290G
- http://{BLOCKED}.120.140:80/security.jsp?on=nqrdwt1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/index.jsp?qc=ufzedv1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/query.jsp?xf=qwvexu1161670G290G
- http://www.{BLOCKED}c.compress.to:443/about.jsp?cq=vfpjdf1161670G290G
- http://www.{BLOCKED}c.compress.to:80/process.jsp?ce=yquyqh1161670G290G
- http://{BLOCKED}.120.140:443/default.jsp?cg=ssixip1161670G290G
- http://{BLOCKED}.120.140:80/default.jsp?qf=okbhja1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/login.jsp?hv=wflusf1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/default.jsp?jx=pkgmgy1161670G290G
- http://www.{BLOCKED}c.compress.to:443/process.jsp?ib=shffon1161670G290G
- http://www.{BLOCKED}c.compress.to:80/parse.jsp?qr=tiolmb1161670G290G
- http://{BLOCKED}.120.140:443/parse.jsp?vh=qvcxvd1161670G290G
- http://{BLOCKED}.120.140:80/index.jsp?zo=djlvrh1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/parse.jsp?kd=yqnxey1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/parse.jsp?rr=vxjgni1161670G290G
- http://www.{BLOCKED}c.compress.to:443/default.jsp?om=ldizst1161670G290G
- http://www.{BLOCKED}c.compress.to:80/page.jsp?hz=dmeypc1161670G290G
- http://{BLOCKED}.120.140:443/page.jsp?eh=btncbv1161670G290G
- http://{BLOCKED}.120.140:80/login.jsp?na=qanwef1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/login.jsp?mr=turxwx1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/login.jsp?sr=mskpau1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?hg=dziktf1161670G290G
- http://www.{BLOCKED}c.compress.to:80/parse.jsp?za=gdkupg1161670G290G
- http://{BLOCKED}.120.140:443/login.jsp?ge=ppxwbd1161670G290G
- http://{BLOCKED}.120.140:80/page.jsp?lz=lbscyt1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/about.jsp?fq=kwbawd1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/security.jsp?eq=svzuik1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?fa=bsqzda1161670G290G
- http://www.{BLOCKED}c.compress.to:80/page.jsp?jq=iatpxz1161670G290G
- http://{BLOCKED}.120.140:443/page.jsp?kt=iusruc1161670G290G
- http://{BLOCKED}.120.140:80/security.jsp?tk=yinbpn1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/page.jsp?kq=mmxwgg1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/page.jsp?ev=omgjof1161670G290G
- http://www.{BLOCKED}c.compress.to:443/default.jsp?cl=hugsik1161670G290G
- http://www.{BLOCKED}c.compress.to:80/default.jsp?ib=krxvix1161670G290G
- http://{BLOCKED}.120.140:443/about.jsp?bn=irjfse1161670G290G
- http://{BLOCKED}.120.140:80/page.jsp?jp=dtafgy1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/user.jsp?bj=yecrnh1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/about.jsp?ly=cqknkz1161670G290G
- http://www.{BLOCKED}c.compress.to:443/parse.jsp?ef=figrpf1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?ba=rxjpuy1161670G290G
- http://{BLOCKED}.120.140:443/process.jsp?ry=kuetkr1161670G290G
- http://{BLOCKED}.120.140:80/query.jsp?ct=yqzzaq1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/process.jsp?hp=ulumpa1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/security.jsp?lf=abrjso1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?zg=bkiflz1161670G290G
- http://www.{BLOCKED}c.compress.to:80/security.jsp?qu=wbnfxd1161670G290G
- http://{BLOCKED}.120.140:443/security.jsp?ht=eqiyls1161670G290G
- http://{BLOCKED}.120.140:80/page.jsp?ws=clcyjs1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/login.jsp?xm=yhspip1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/user.jsp?vw=yuniqb1161670G290G
- http://www.{BLOCKED}c.compress.to:443/parse.jsp?dy=erxixd1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?jd=kdudia1161670G290G
- http://{BLOCKED}.120.140:443/index.jsp?qv=chkljr1161670G290G
- http://{BLOCKED}.120.140:80/parse.jsp?rw=lktlnv1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/process.jsp?eo=xjpvuz1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/about.jsp?cq=kvtula1161670G290G
- http://www.{BLOCKED}c.compress.to:443/query.jsp?mk=jdcrzf1161670G290G
- http://www.{BLOCKED}c.compress.to:80/query.jsp?xa=iwdvuu1161670G290G
- http://{BLOCKED}.120.140:443/query.jsp?ci=tfheoh1161670G290G
- http://{BLOCKED}.120.140:80/user.jsp?mb=rszcuv1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/process.jsp?cq=xbmtun1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/index.jsp?ix=sazgbt1161670G290G
- http://www.{BLOCKED}c.compress.to:443/process.jsp?ri=yjlmyu1161670G290G
- http://www.{BLOCKED}c.compress.to:80/parse.jsp?mb=soxbdc1161670G290G
- http://{BLOCKED}.120.140:443/query.jsp?qp=jnwqrz1161670G290G
- http://{BLOCKED}.120.140:80/query.jsp?lr=ahjiyd1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/about.jsp?up=weythz1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/about.jsp?yb=cryoey1161670G290G
- http://www.{BLOCKED}c.compress.to:443/page.jsp?ns=qpntwc1161670G290G
- http://www.{BLOCKED}c.compress.to:80/index.jsp?vc=gprupz1161670G290G
- http://{BLOCKED}.120.140:443/process.jsp?fd=ivfpti1161670G290G
- http://{BLOCKED}.120.140:80/parse.jsp?lm=fcttwl1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/about.jsp?ib=hatues1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/process.jsp?ig=vhwlzl1161670G290G
- http://www.{BLOCKED}c.compress.to:443/about.jsp?ll=nhbdjl1161670G290G
- http://www.{BLOCKED}c.compress.to:80/process.jsp?gd=ydbmuf1161670G290G
- http://{BLOCKED}.120.140:443/parse.jsp?pj=tewhnj1161670G290G
- http://{BLOCKED}.120.140:80/parse.jsp?ef=wjkowq1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/security.jsp?sr=mppxql1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/default.jsp?pf=oblthm1161670G290G
- http://www.{BLOCKED}c.compress.to:443/security.jsp?qz=azrkwk1161670G290G
- http://www.{BLOCKED}c.compress.to:80/security.jsp?ez=okxsfr1161670G290G
- http://{BLOCKED}.120.140:443/query.jsp?bb=wgonlp1161670G290G
- http://{BLOCKED}.120.140:80/query.jsp?xp=rwyacb1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/login.jsp?yj=knlijv1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/parse.jsp?ic=cvzezc1161670G290G
- http://www.{BLOCKED}c.compress.to:443/process.jsp?nk=tijugh1161670G290G
- http://www.{BLOCKED}c.compress.to:80/login.jsp?oz=tsecps1161670G290G
- http://{BLOCKED}.120.140:443/index.jsp?gt=urtrul1161670G290G
- http://{BLOCKED}.120.140:80/about.jsp?hu=outufs1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/user.jsp?up=uhnvrk1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/query.jsp?gl=apzkch1161670G290G
- http://www.{BLOCKED}c.compress.to:443/security.jsp?ja=zkjmiq1161670G290G
- http://www.{BLOCKED}c.compress.to:80/about.jsp?kg=aaxttj1161670G290G
- http://{BLOCKED}.120.140:443/process.jsp?gt=xpsxdt1161670G290G
- http://{BLOCKED}.120.140:80/default.jsp?su=nepvxv1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/query.jsp?hh=wghozu1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/process.jsp?kz=qbmscl1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?gu=mdncuq1161670G290G
- http://www.{BLOCKED}c.compress.to:80/parse.jsp?on=ejtpuz1161670G290G
- http://{BLOCKED}.120.140:443/query.jsp?pz=zdvrii1161670G290G
- http://{BLOCKED}.120.140:80/parse.jsp?sf=vbbqxq1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:443/query.jsp?sp=dzaqyq1161670G290G
- http://www.{BLOCKED}sd.onedumb.com:80/default.jsp?yl=wtzcez1161670G290G
- http://www.{BLOCKED}c.compress.to:443/index.jsp?hx=yxlbgd1161670G290G
- http://www.{BLOCKED}c.compress.to:80/page.jsp?px=ulvyjl1161670G290G
It deletes itself after execution.
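The six-letter value in the query string changes on every request and the report masks the host names, so blocking the listed URLs verbatim achieves little; a detection has to match the URL shape the list exposes. The following Python example is added here and is not part of the report or of any Trend Micro tooling. It runs the shape match over constructed proxy log lines (placeholder hosts and client addresses, not the real ones) and flags the cleartext-on-443 anomaly; the looser suffix pattern offered for hunting variants is an assumption, since the report only shows the single suffix 1161670G290G.

```python
import re
from collections import Counter

# Constructed proxy log lines (not from the report): "<epoch> <client> <method> <url> <status>".
# Host names are placeholders; the report masks the real ones as {BLOCKED}.
SAMPLE_LOG = """\
1396310401 10.0.0.5 GET http://c2-a.example.net:443/process.jsp?pw=sbtxdx1161670G290G 200
1396310402 10.0.0.5 GET http://c2-a.example.net:80/login.jsp?zw=krsevs1161670G290G 200
1396310403 10.0.0.5 GET http://198.51.100.140:443/parse.jsp?wm=npyweq1161670G290G 200
1396310404 10.0.0.7 GET http://intranet.example.net:80/query.jsp?id=12345 200
1396310405 10.0.0.7 GET https://shop.example.net:443/index.jsp?sm=hyqikt1161670G290G 200
"""

# The ten page names that appear in the report's URL list.
PAGES = "process|login|page|parse|default|query|index|about|user|security"


def build_pattern(suffix=r"1161670G290G"):
    """URL shape seen in the report: plain http:// scheme (also on port 443), one of the
    ten .jsp pages, a two-letter query key, six random lowercase letters, then a constant
    suffix. Pass a looser regex as `suffix` (an assumption, e.g. r"[0-9A-Z]{12}") to hunt
    for variants of this sample."""
    return re.compile(
        r"^http://(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})"
        r"/(?P<page>" + PAGES + r")\.jsp"
        r"\?(?P<key>[a-z]{2})=(?P<nonce>[a-z]{6})(?P<suffix>" + suffix + r")$"
    )


def scan(log_text, pattern):
    """Return one dict per log line whose URL field matches the C2 shape."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        m = pattern.match(fields[3])
        if not m:
            continue
        hit = m.groupdict()
        hit["client"] = fields[1]
        # http:// to port 443 is cleartext on the TLS port: a strong anomaly by itself.
        hit["cleartext_on_443"] = hit["port"] == "443"
        hits.append(hit)
    return hits


def summarize(hits):
    """Aggregate hits into what an analyst triages first: which clients, which hosts."""
    return {
        "total": len(hits),
        "clients": sorted({h["client"] for h in hits}),
        "hosts": Counter(h["host"] for h in hits),
        "cleartext_on_443": sum(h["cleartext_on_443"] for h in hits),
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, build_pattern())
    for h in hits:
        print(h["client"], h["host"], h["port"], h["page"], h["key"], h["nonce"])
    print(summarize(hits))
```

The fourth sample line (a legitimate query.jsp with a numeric id) and the fifth (https:// scheme) do not match, which is the point: the signal is the combination of scheme, page set, two-letter key and the six-letter-plus-suffix value, not any one of them. Once the masked hosts are known from your own intelligence source, add a host check rather than relaxing the shape.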
This report is generated via an automated analysis system.
SOLUTION
Minimum Scan Engine: 9.300
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- WinHttp = "%User Profile%\LOCALS~1\WinHttp.exe"
Step 4
Search and delete these components
- %User Temp%\tmp.dat
- %User Temp%\tmp.dll
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_SI.AD8E57BA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
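Steps 3 and 4 name the registry value and the files to remove, using the %User Profile% and %User Temp% placeholders defined earlier on this page. The following Python example is added here and is not from the report or from a Trend Micro product. It resolves those placeholders for the two profile layouts the page describes, checks an exported Run-key listing against them (treating the 8.3 alias LOCALS~1 and "Local Settings" as the same folder, and matching on the target path so a renamed value is still caught), and on Windows reads the live Run key and tests the file paths. The user name "alice" and the sample Run-key export are constructed.

```python
import os
import sys

# The report's placeholders, resolved for the two profile layouts it names.
# {user} is a constructed placeholder, not a value from the report.
PROFILE_LAYOUTS = {
    "xp":    {"User Profile": r"C:\Documents and Settings\{user}",
              "User Temp":    r"C:\Documents and Settings\{user}\Local Settings\Temp"},
    "vista": {"User Profile": r"C:\Users\{user}",
              "User Temp":    r"C:\Users\{user}\AppData\Local\Temp"},
}
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WinHttp"
COPY_PATH = r"%User Profile%\LOCALS~1\WinHttp.exe"
DROPPED = (r"%User Temp%\tmp.dat", r"%User Temp%\tmp.dll")


def expand(path, layout, user):
    """Replace %User Profile% / %User Temp% for one layout and user name."""
    for name, template in PROFILE_LAYOUTS[layout].items():
        path = path.replace("%" + name + "%", template.replace("{user}", user))
    return path


def normalize(path):
    """Case-fold, drop surrounding quotes, and map the 8.3 alias LOCALS~1 to 'Local Settings'
    so both spellings compare equal. On 2000/XP/2003 that is a real folder; on Vista/7 it
    is a compatibility junction into AppData\\Local."""
    return path.strip().strip('"').lower().replace("locals~1", "local settings")


def expected_paths(layout, user):
    """Full paths of the dropped copy and the two temp files for one user."""
    return {"copy": expand(COPY_PATH, layout, user),
            "dropped": [expand(p, layout, user) for p in DROPPED]}


def match_run_entries(entries, copy_path):
    """entries: {value_name: value_data} exported from HKCU\\...\\Run. Flags the WinHttp
    value name and any value whose data points at the dropped copy."""
    target = normalize(copy_path)
    return sorted(name for name, data in entries.items()
                  if name.lower() == RUN_VALUE.lower() or normalize(data) == target)


def live_check():
    """Windows only: enumerate the live Run key and test the expected paths on this host.
    Returns None elsewhere so the module stays importable on any platform."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name] = str(data)
            i += 1
    profile, temp = os.environ.get("USERPROFILE", ""), os.environ.get("TEMP", "")
    copy = os.path.join(profile, "LOCALS~1", "WinHttp.exe")
    dropped = [os.path.join(temp, "tmp.dat"), os.path.join(temp, "tmp.dll")]
    return {"run_values": match_run_entries(entries, copy),
            "files_present": [p for p in [copy] + dropped if os.path.exists(p)]}


if __name__ == "__main__":
    # Constructed Run-key export for an XP-layout user "alice"; not from a real system.
    sample = {"WinHttp": r'"C:\Documents and Settings\alice\LOCALS~1\WinHttp.exe"',
              "Updater": r"C:\Documents and Settings\alice\Local Settings\winhttp.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
    exp = expected_paths("xp", "alice")
    print(exp)
    print(match_run_entries(sample, exp["copy"]))  # ['Updater', 'WinHttp']
    print(live_check())
```

The "Updater" entry in the constructed sample is caught because its data resolves to the same file as the WinHttp copy, which is why the check compares the target path and not only the value name listed in Step 3. Run it per user profile: the Run key is under HKEY_CURRENT_USER, so each interactive user on a shared machine has their own.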