
Mal/Packer

Posted: October 28, 2009

Mal/Packer is a disturbing malware infection that attacks Windows XP and Vista operating systems. Once it has infected a machine, Mal/Packer injects malicious .exe and .dll files and prevents users from accessing the Registry. Mal/Packer reaches computer systems through pornographic adult websites, corrupt multimedia codecs, spam e-mail or suspicious file-sharing downloads. Mal/Packer is destructive malware that can seriously damage a Windows system.

Aliases

Mal/EncPk-BW (Sophos)
Packed.Win32.NSAnti (Ikarus)
Packed/Upack (AhnLab)
PE_Patch (Kaspersky Lab)

File System Modifications

  • The following files were created in the system:

Registry Modifications

  • The following Registry keys and values were newly created: