Content

W32/Bagle.ci

Type
Virus
SubType
Downloader
Discovery Date
09/19/2005
Length
17Kb Zip file
Minimum DAT
4584 (09/19/2005)
Updated DAT
5301 (05/22/2008)
Minimum Engine
5.1.00
Description Added
09/19/2005
Description Modified
09/19/2005 2:18 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This Bagle variant has been mass spammed and arrives in a ZIP file.  It is heuristically detected as 'Virus or variant New Poly Win32'  by 4424 DATS and above. 

This variant copies itself to the %WinDir%  \system32 as WINSHOST.EXE  and adds the following registry hooks:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
      DownloadManager
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe
    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe

It drops a file wiwshost.exe which is detected by 4424 DATs and above as W32/Bagle.gen@MM . This file gets injected into the EXPLORER process and tries to download a file osa6.gif from various sites. (Refer to Symptoms). It also terminates security services like its predecessors and in some cases renames the main security program executable.

Sets to "disable" the following services:

    * HKLM\System\CurrentControlSet\Services\wuauserv
    * HKLM\System\CurrentControlSet\Services\SharedAccess
    * HKLM\System\CurrentControlSet\Services\vsmon
    * HKLM\System\CurrentControlSet\Services\Alerter
    * HKLM\System\CurrentControlSet\Services\wuauserv
    * HKLM\System\CurrentControlSet\Services\McShield
    * HKLM\System\CurrentControlSet\Services\McAfeeFramework
    * HKLM\System\CurrentControlSet\Services\McTaskManager

Attempts to delete the following keys:

    * HKLM\SOFTWARE\Symantec
    * HKLM\SOFTWARE\McAfee
    * HKLM\SOFTWARE\KasperskyLab
    * HKLM\SOFTWARE\Agnitum
    * HKLM\SOFTWARE\Panda Software
    * HKLM\SOFTWARE\Zone Labs

    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      Symantec NetDriver Monitor
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      ccApp
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      NAV CfgWiz
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      SSC_UserPrompt
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      McAfee Guardian 
    * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      McAfee.InstantUpdate.Monitor
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      APVXDWIN
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      KAV50
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      avg7_cc
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      avg7_emc
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client

It also modifies the file %WinDir% \system32\drivers\etc\hosts to prevent the user and any running software from contacting certain security websites. The trojanized hosts file is detected as "trojan QHosts" since DAT version 4354.

Symptoms

Services with the following names are stopped:

  • wuauserv
  • PAVSRV
  • PAVFNSVR
  • PSIMSVC
  • Pavkre
  • avProt
  • PREVSRV
  • PavPrSrv
  • SharedAccess
  • navapsvc
  • NPFMntor
  • Outpost Firewall
  • SAVScan
  • SBService
  • Symantec Core LC
  • ccEvtMgr
  • SNDSrvc
  • ccPwdSvc
  • ccSetMgr.exe
  • SPBBCSvc
  • KLBLMain
  • avg7alrt
  • avg7updsvc
  • vsmon
  • CAISafe
  • avpcc
  • fsbwsys
  • backweb client - 4476822
  • backweb client-4476822
  • fsdfwd
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • KAVMonitorService
  • navapsvc
  • NProtectService
  • Norton Antivirus Server
  • VexiraAntivirus
  • dvpinit
  • dvpapi
  • schscnt
  • BackWeb Client - 7681197
  • F-Secure Gatekeeper Handler Starter
  • FSMA
  • AVPCC
  • KAVMonitorService
  • Norman NJeeves
  • NVCScheduler
  • nvcoas
  • Norman ZANDA
  • PASSRV
  • SweepNet
  • SWEEPSRV.SYS
  • NOD32ControlCenter
  • NOD32Service
  • PCCPFW
  • Tmntsrv
  • AvxIni
  • XCOMM
  • ravmon8
  • SmcService
  • BlackICE
  • PersFW
  • McAfee Firewall
  • OutpostFirewall
  • NWService
  • alerter
  • sharedaccess
  • NISUM
  • NISSERV
  • vsmon
  • nwclnth
  • nwclntg
  • nwclnte
  • nwclntf
  • nwclntd
  • nwclntc
  • wuauserv
  • navapsvc
  • Symantec Core LC
  • SAVScan
  • kavsvc
  • DefWatch
  • Symantec AntiVirus Client
  • NSCTOP
  • Symantec Core LC
  • SAVScan
  • SAVFMSE
  • ccEvtMgr
  • navapsvc
  • ccSetMgr
  • VisNetic AntiVirus Plug-in
  • McShield
  • AlertManger
  • McAfeeFramework
  • AVExch32Service
  • AVUPDService
  • McTaskManager
  • Network Associates Log Service
  • Outbreak Manager
  • MCVSRte
  • mcupdmgr.exe
  • AvgServ
  • AvgCore
  • AvgFsh
  • awhost32
  • Ahnlab task Scheduler
  • MonSvcNT
  • V3MonNT
  • V3MonSvc
  • FSDFWD

This variant attempts to rename the following files:

  • mysuperprog.exe
  • CCSETMGR.EXE
  • CCEVTMGR.EXE
  • NAVAPSVC.EXE
  • NPFMNTOR.EXE
  • symlcsvc.exe
  • SPBBCSvc.exe
  • SNDSrvc.exe
  • ccApp.exe
  • ccl30.dll
  • ccvrtrst.dll
  • LUALL.EXE
  • AUPDATE.EXE
  • Luupdate.exe
  • LUINSDLL.DLL
  • RuLaunch.exe
  • CMGrdian.exe
  • Mcshield.exe
  • outpost.exe
  • Avconsol.exe
  • Vshwin32.exe
  • VsStat.exe
  • Avsynmgr.exe
  • kavmm.exe
  • Up2Date.exe
  • KAV.exe
  • avgcc.exe
  • avgemc.exe
  • zonealarm.exe
  • zatutor.exe
  • zlavscan.dll
  • zlclient.exe
  • isafe.exe
  • cafix.exe
  • vsvault.dll
  • av.dll
  • vetredir.dll
  • C1CSETMGR.EXE
  • CC1EVTMGR.EXE
  • NAV1APSVC.EXE
  • NPFM1NTOR.EXE
  • s1ymlcsvc.exe
  • SP1BBCSvc.exe
  • SND1Srvc.exe
  • ccA1pp.exe
  • cc1l30.dll
  • ccv1rtrst.dll
  • LUAL1L.EXE
  • AUPD1ATE.EXE
  • Luup1date.exe
  • LUI1NSDLL.DLL
  • RuLa1unch.exe
  • CM1Grdian.exe
  • Mcsh1ield.exe
  • outp1ost.exe
  • Avc1onsol.exe
  • Vshw1in32.exe
  • Vs1Stat.exe
  • Av1synmgr.exe
  • kav12mm.exe
  • Up222Date.exe
  • 2A2V.exe
  • avgc3c.exe
  • avg23emc.exe
  • zonealarm.exe
  • zatutor.exe
  • zlavscan.dll
  • zo3nealarm.exe
  • zatu6tor.exe
  • zl5avscan.dll
  • zlcli6ent.exe
  • is5a6fe.exe
  • c6a5fix.exe
  • vs6va5ult.dll
  • a5v.dll
  • ve6tre5dir.dll

It also tries to kill the following processes:

  • NUPGRADE.EXE
  • MCUPDATE.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • FIREWALL.EXE
  • ATUPDATER.EXE
  • LUALL.EXE
  • DRWEBUPW.EXE
  • AUTODOWN.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • ESCANH95.EXE
  • AVXQUAR.EXE
  • ESCANHNT.EXE
  • UPGRADER.EXE
  • AVXQUAR.EXE
  • AVWUPD32.EXE
  • AVPUPD.EXE
  • CFIAUDIT.EXE
  • UPDATE.EXE

Outgoing TCP connections to port 80 (HTTP) are established, and it tries to download a file from the following list (Note:   Many Bagle variants attempt to download files from a very large list of sites; in fact most of the sites listed are actually believed to be decoys and were never found to be hosting anything malicious):

  • http://www.yannick-spruyt.be
  • http://www.yesterdays.co.za
  • http://www.yshkj.com
  • http://www.zakazcd.dp.ua
  • http://www.students.stir.ac.uk
  • http://www.zenesoftware.com
  • http://www.zentek.co.za
  • http://www.czzm.com
  • http://www.izoli.sk
  • http://www.zorbas.az
  • http://www.zsbersala.edu.sk
  • http://www.triapex.cz
  • http://www.triptonic.ch
  • http://www.tv-marina.com
  • http://www.trago.com.pt
  • http://www.travelourway.com
  • http://www.megaserve.net
  • http://www.trgd.dobrcz.pl
  • http://www.mild.at
  • http://www.kingsley.ch
  • http://www.mild.at
  • http://www.elvis-presley.ch
  • http://www.gomyhome.com.tw
  • http://www.ider.cl
  • http://www.ascolfibras.com
  • http://www.on24.ee
  • http://www.xojc.com
  • http://www.x-treme.cz
  • http://www.gymzn.cz
  • http://www.xiantong.net
  • http://www.xmpie.com
  • http://www.xmtd.com
  • http://www.onlink.net
  • http://www.discoteka-funfactory.com
  • http://www.toussain.be
  • http://www.idcs.be
  • http://www.gepeters.org
  • http://www.angham.de
  • http://www.idaf.de
  • http://www.bolz.at
  • http://www.societaet.de
  • http://www.ppm-alliance.de
  • http://www.udc-cassinadepecchi.it
  • http://www.universe.sk
  • http://www.jingjuok.com
  • http://www.gemtrox.com.tw
  • http://www.uspowerchair.com
  • http://www.steripharm.com
  • http://www.beall-cpa.com
  • http://www.jcm-american.com
  • http://www.vercruyssenelektro.be
  • http://www.centrovestecasa.it
  • http://www.vet24h.com
  • http://www.vinimeloni.com
  • http://www.vnrvjiet.ac.in
  • http://www.vote2fateh.com
  • http://www.marketvw.com
  • http://www.formholz.at
  • http://www.checkonemedia.nl
  • http://www.fotomax.fi
  • http://www.vw.press-bank.pl
  • http://www.wamba.asn.au
  • http://www.cz-wanjia.com
  • http://www.czwanqing.com
  • http://www.wdlp.co.za
  • http://www.automobilonline.de
  • http://www.bangyan.cn
  • http://www.21ebuild.com
  • http://www.eagle.com.cn
  • http://www.eagleclub.com.cn
  • http://www.sanjinyuan.com
  • http://www.designgong.org
  • http://www.fermegaroy.com
  • http://www.welchcorp.com
  • http://www.snsphoto.com
  • http://www.soeco.org
  • http://www.softmajor.ru
  • http://www.solt3.org
  • http://www.sqnsolutions.com
  • http://www.spacium.biz
  • http://www.speedcom.home.pl
  • http://www.spirit-in-steel.at
  • http://www.spy.az
  • http://www.st-paulus-bonn.dehtdocs
  • http://www.stbs.com.hk
  • http://www.acsohio.com
  • http://www.olva.com.pe
  • http://www.subsplanet.com
  • http://www.sungodbio.com
  • http://www.superbetcs.com
  • http://www.vnn.vn
  • http://www.sydolo.com
  • http://www.szdiheng.com
  • http://www.agria.hu
  • http://www.externet.hu
  • http://www.hondenservice.be
  • http://www.ehc.hu
  • http://www.tcicampus.net
  • http://www.contentproject.com
  • http://www.festivalteatrooccidente.com
  • http://www.techni.com.cn
  • http://www.festivalteatrooccidente.com
  • http://www.thaifast.com
  • http://www.thaiventure.com
  • http://www.andi.com.vn
  • http://www.replayu.com
  • http://www.th-mutan.com
  • http://www.thetexasoutfitter.com
  • http://www.tmhcsd1987.friko.pl
  • http://www.thenextstep.tv
  • http://www.wesartproductions.com
  • http://www.wilsonscountry.com
  • http://www.windstar.pl
  • http://www.wise-industries.com
  • http://www.witold.pl
  • http://www.51.net
  • http://www.slovanet.sk
  • http://www.wombband.com
  • http://www.datanet.huwww.datanet.hu
  • http://www.uw.hu
  • http://www.dgy.com.cn
  • http://www.bs-security.de
  • http://www.die-fliesen.de
  • http://www.dom-invest.com.pl
  • http://www.engelhardtgmbh.de
  • http://www.fahrschule-herb.de
  • http://www.fahrschule-lesser.de
  • http://www.gimex-messzeuge.de
  • http://www.inside-tgweb.de
  • http://www.jue-bo.com
  • http://www.niko.de
  • http://www.nikogmbh.com
  • http://www.renegaderc.com
  • http://www.sachsenbuecher.de
  • http://www.scvanravenswaaij.nl
  • http://www.spoden.de
  • http://www.sportnf.com
  • http://www.sweb.cz
  • http://www.tg-sandhausen-basketball.de
  • http://www.thefunkiest.com
  • http://www.jeoushinn.com
  • http://www.presley.ch

    • Method of Infection

    This variant has been mass-spammed.

    Removal

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Characteristics

    Characteristics -

    This Bagle variant has been mass spammed and arrives in a ZIP file.  It is heuristically detected as 'Virus or variant New Poly Win32'  by 4424 DATS and above. 

    This variant copies itself to the %WinDir%  \system32 as WINSHOST.EXE  and adds the following registry hooks:

        * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
          DownloadManager
        * HKEY_CURRENT_USER\Software\Microsoft\Windows\
          CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe
        * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
          CurrentVersion\Run "winshost.exe" = %WinDir% \system32\winshost.exe

    It drops a file wiwshost.exe which is detected by 4424 DATs and above as W32/Bagle.gen@MM . This file gets injected into the EXPLORER process and tries to download a file osa6.gif from various sites. (Refer to Symptoms). It also terminates security services like its predecessors and in some cases renames the main security program executable.

    Sets to "disable" the following services:

        * HKLM\System\CurrentControlSet\Services\wuauserv
        * HKLM\System\CurrentControlSet\Services\SharedAccess
        * HKLM\System\CurrentControlSet\Services\vsmon
        * HKLM\System\CurrentControlSet\Services\Alerter
        * HKLM\System\CurrentControlSet\Services\wuauserv
        * HKLM\System\CurrentControlSet\Services\McShield
        * HKLM\System\CurrentControlSet\Services\McAfeeFramework
        * HKLM\System\CurrentControlSet\Services\McTaskManager

    Attempts to delete the following keys:

        * HKLM\SOFTWARE\Symantec
        * HKLM\SOFTWARE\McAfee
        * HKLM\SOFTWARE\KasperskyLab
        * HKLM\SOFTWARE\Agnitum
        * HKLM\SOFTWARE\Panda Software
        * HKLM\SOFTWARE\Zone Labs

        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          Symantec NetDriver Monitor
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          ccApp
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          NAV CfgWiz
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          SSC_UserPrompt
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          McAfee Guardian 
        * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          McAfee.InstantUpdate.Monitor
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          APVXDWIN
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          KAV50
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          avg7_cc
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
          avg7_emc
        * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client

    It also modifies the file %WinDir% \system32\drivers\etc\hosts to prevent the user and any running software from contacting certain security websites. The trojanized hosts file is detected as "trojan QHosts" since DAT version 4354.

    Symptoms

    Symptoms -

    Services with the following names are stopped:

    • wuauserv
    • PAVSRV
    • PAVFNSVR
    • PSIMSVC
    • Pavkre
    • avProt
    • PREVSRV
    • PavPrSrv
    • SharedAccess
    • navapsvc
    • NPFMntor
    • Outpost Firewall
    • SAVScan
    • SBService
    • Symantec Core LC
    • ccEvtMgr
    • SNDSrvc
    • ccPwdSvc
    • ccSetMgr.exe
    • SPBBCSvc
    • KLBLMain
    • avg7alrt
    • avg7updsvc
    • vsmon
    • CAISafe
    • avpcc
    • fsbwsys
    • backweb client - 4476822
    • backweb client-4476822
    • fsdfwd
    • F-Secure Gatekeeper Handler Starter
    • FSMA
    • KAVMonitorService
    • navapsvc
    • NProtectService
    • Norton Antivirus Server
    • VexiraAntivirus
    • dvpinit
    • dvpapi
    • schscnt
    • BackWeb Client - 7681197
    • F-Secure Gatekeeper Handler Starter
    • FSMA
    • AVPCC
    • KAVMonitorService
    • Norman NJeeves
    • NVCScheduler
    • nvcoas
    • Norman ZANDA
    • PASSRV
    • SweepNet
    • SWEEPSRV.SYS
    • NOD32ControlCenter
    • NOD32Service
    • PCCPFW
    • Tmntsrv
    • AvxIni
    • XCOMM
    • ravmon8
    • SmcService
    • BlackICE
    • PersFW
    • McAfee Firewall
    • OutpostFirewall
    • NWService
    • alerter
    • sharedaccess
    • NISUM
    • NISSERV
    • vsmon
    • nwclnth
    • nwclntg
    • nwclnte
    • nwclntf
    • nwclntd
    • nwclntc
    • wuauserv
    • navapsvc
    • Symantec Core LC
    • SAVScan
    • kavsvc
    • DefWatch
    • Symantec AntiVirus Client
    • NSCTOP
    • Symantec Core LC
    • SAVScan
    • SAVFMSE
    • ccEvtMgr
    • navapsvc
    • ccSetMgr
    • VisNetic AntiVirus Plug-in
    • McShield
    • AlertManger
    • McAfeeFramework
    • AVExch32Service
    • AVUPDService
    • McTaskManager
    • Network Associates Log Service
    • Outbreak Manager
    • MCVSRte
    • mcupdmgr.exe
    • AvgServ
    • AvgCore
    • AvgFsh
    • awhost32
    • Ahnlab task Scheduler
    • MonSvcNT
    • V3MonNT
    • V3MonSvc
    • FSDFWD

    This variant attempts to rename the following files:

    • mysuperprog.exe
    • CCSETMGR.EXE
    • CCEVTMGR.EXE
    • NAVAPSVC.EXE
    • NPFMNTOR.EXE
    • symlcsvc.exe
    • SPBBCSvc.exe
    • SNDSrvc.exe
    • ccApp.exe
    • ccl30.dll
    • ccvrtrst.dll
    • LUALL.EXE
    • AUPDATE.EXE
    • Luupdate.exe
    • LUINSDLL.DLL
    • RuLaunch.exe
    • CMGrdian.exe
    • Mcshield.exe
    • outpost.exe
    • Avconsol.exe
    • Vshwin32.exe
    • VsStat.exe
    • Avsynmgr.exe
    • kavmm.exe
    • Up2Date.exe
    • KAV.exe
    • avgcc.exe
    • avgemc.exe
    • zonealarm.exe
    • zatutor.exe
    • zlavscan.dll
    • zlclient.exe
    • isafe.exe
    • cafix.exe
    • vsvault.dll
    • av.dll
    • vetredir.dll
    • C1CSETMGR.EXE
    • CC1EVTMGR.EXE
    • NAV1APSVC.EXE
    • NPFM1NTOR.EXE
    • s1ymlcsvc.exe
    • SP1BBCSvc.exe
    • SND1Srvc.exe
    • ccA1pp.exe
    • cc1l30.dll
    • ccv1rtrst.dll
    • LUAL1L.EXE
    • AUPD1ATE.EXE
    • Luup1date.exe
    • LUI1NSDLL.DLL
    • RuLa1unch.exe
    • CM1Grdian.exe
    • Mcsh1ield.exe
    • outp1ost.exe
    • Avc1onsol.exe
    • Vshw1in32.exe
    • Vs1Stat.exe
    • Av1synmgr.exe
    • kav12mm.exe
    • Up222Date.exe
    • 2A2V.exe
    • avgc3c.exe
    • avg23emc.exe
    • zonealarm.exe
    • zatutor.exe
    • zlavscan.dll
    • zo3nealarm.exe
    • zatu6tor.exe
    • zl5avscan.dll
    • zlcli6ent.exe
    • is5a6fe.exe
    • c6a5fix.exe
    • vs6va5ult.dll
    • a5v.dll
    • ve6tre5dir.dll

    It also tries to kill the following processes:

    • NUPGRADE.EXE
    • MCUPDATE.EXE
    • ATUPDATER.EXE
    • AUPDATE.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • FIREWALL.EXE
    • ATUPDATER.EXE
    • LUALL.EXE
    • DRWEBUPW.EXE
    • AUTODOWN.EXE
    • NUPGRADE.EXE
    • OUTPOST.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ESCANH95.EXE
    • AVXQUAR.EXE
    • ESCANHNT.EXE
    • UPGRADER.EXE
    • AVXQUAR.EXE
    • AVWUPD32.EXE
    • AVPUPD.EXE
    • CFIAUDIT.EXE
    • UPDATE.EXE

    Outgoing TCP connections to port 80 (HTTP) are established, and it tries to download a file from the following list (Note:   Many Bagle variants attempt to download files from a very large list of sites; in fact most of the sites listed are actually believed to be decoys and were never found to be hosting anything malicious):

  • http://www.yannick-spruyt.be
  • http://www.yesterdays.co.za
  • http://www.yshkj.com
  • http://www.zakazcd.dp.ua
  • http://www.students.stir.ac.uk
  • http://www.zenesoftware.com
  • http://www.zentek.co.za
  • http://www.czzm.com
  • http://www.izoli.sk
  • http://www.zorbas.az
  • http://www.zsbersala.edu.sk
  • http://www.triapex.cz
  • http://www.triptonic.ch
  • http://www.tv-marina.com
  • http://www.trago.com.pt
  • http://www.travelourway.com
  • http://www.megaserve.net
  • http://www.trgd.dobrcz.pl
  • http://www.mild.at
  • http://www.kingsley.ch
  • http://www.mild.at
  • http://www.elvis-presley.ch
  • http://www.gomyhome.com.tw
  • http://www.ider.cl
  • http://www.ascolfibras.com
  • http://www.on24.ee
  • http://www.xojc.com
  • http://www.x-treme.cz
  • http://www.gymzn.cz
  • http://www.xiantong.net
  • http://www.xmpie.com
  • http://www.xmtd.com
  • http://www.onlink.net
  • http://www.discoteka-funfactory.com
  • http://www.toussain.be
  • http://www.idcs.be
  • http://www.gepeters.org
  • http://www.angham.de
  • http://www.idaf.de
  • http://www.bolz.at
  • http://www.societaet.de
  • http://www.ppm-alliance.de
  • http://www.udc-cassinadepecchi.it
  • http://www.universe.sk
  • http://www.jingjuok.com
  • http://www.gemtrox.com.tw
  • http://www.uspowerchair.com
  • http://www.steripharm.com
  • http://www.beall-cpa.com
  • http://www.jcm-american.com
  • http://www.vercruyssenelektro.be
  • http://www.centrovestecasa.it
  • http://www.vet24h.com
  • http://www.vinimeloni.com
  • http://www.vnrvjiet.ac.in
  • http://www.vote2fateh.com
  • http://www.marketvw.com
  • http://www.formholz.at
  • http://www.checkonemedia.nl
  • http://www.fotomax.fi
  • http://www.vw.press-bank.pl
  • http://www.wamba.asn.au
  • http://www.cz-wanjia.com
  • http://www.czwanqing.com
  • http://www.wdlp.co.za
  • http://www.automobilonline.de
  • http://www.bangyan.cn
  • http://www.21ebuild.com
  • http://www.eagle.com.cn
  • http://www.eagleclub.com.cn
  • http://www.sanjinyuan.com
  • http://www.designgong.org
  • http://www.fermegaroy.com
  • http://www.welchcorp.com
  • http://www.snsphoto.com
  • http://www.soeco.org
  • http://www.softmajor.ru
  • http://www.solt3.org
  • http://www.sqnsolutions.com
  • http://www.spacium.biz
  • http://www.speedcom.home.pl
  • http://www.spirit-in-steel.at
  • http://www.spy.az
  • http://www.st-paulus-bonn.dehtdocs
  • http://www.stbs.com.hk
  • http://www.acsohio.com
  • http://www.olva.com.pe
  • http://www.subsplanet.com
  • http://www.sungodbio.com
  • http://www.superbetcs.com
  • http://www.vnn.vn
  • http://www.sydolo.com
  • http://www.szdiheng.com
  • http://www.agria.hu
  • http://www.externet.hu
  • http://www.hondenservice.be
  • http://www.ehc.hu
  • http://www.tcicampus.net
  • http://www.contentproject.com
  • http://www.festivalteatrooccidente.com
  • http://www.techni.com.cn
  • http://www.festivalteatrooccidente.com
  • http://www.thaifast.com
  • http://www.thaiventure.com
  • http://www.andi.com.vn
  • http://www.replayu.com
  • http://www.th-mutan.com
  • http://www.thetexasoutfitter.com
  • http://www.tmhcsd1987.friko.pl
  • http://www.thenextstep.tv
  • http://www.wesartproductions.com
  • http://www.wilsonscountry.com
  • http://www.windstar.pl
  • http://www.wise-industries.com
  • http://www.witold.pl
  • http://www.51.net
  • http://www.slovanet.sk
  • http://www.wombband.com
  • http://www.datanet.huwww.datanet.hu
  • http://www.uw.hu
  • http://www.dgy.com.cn
  • http://www.bs-security.de
  • http://www.die-fliesen.de
  • http://www.dom-invest.com.pl
  • http://www.engelhardtgmbh.de
  • http://www.fahrschule-herb.de
  • http://www.fahrschule-lesser.de
  • http://www.gimex-messzeuge.de
  • http://www.inside-tgweb.de
  • http://www.jue-bo.com
  • http://www.niko.de
  • http://www.nikogmbh.com
  • http://www.renegaderc.com
  • http://www.sachsenbuecher.de
  • http://www.scvanravenswaaij.nl
  • http://www.spoden.de
  • http://www.sportnf.com
  • http://www.sweb.cz
  • http://www.tg-sandhausen-basketball.de
  • http://www.thefunkiest.com
  • http://www.jeoushinn.com
  • http://www.presley.ch

    • Method of Infection

    Method of Infection -

    This variant has been mass-spammed.

    Removal -

    Removal -

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A