Installation
This threat can create files on your PC, including:
It modifies the registry so that it runs each time you start your PC. For example:
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "TTravelerx"
With data: "%ALLUSERSPROFILE%\common files\ttravelerx.exe"
It can also make registry changes during its installation, including:
In subkey: HKLM\software\classes\clsid\{3f30c968-480a-4c6c-862d-efc0897bb84b}\inprocserver32
Sets value: "(default)"
With data: "<system folder>\shimgvw.dll"
In subkey: HKLM\software\classes\clsid\{50f16b26-467e-11d1-8271-00c04fc3183b}\inprocserver32
Sets value: "(default)"
With data: "<system folder>\shimgvw.dll"
In subkey: HKLM\software\classes\clsid\{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}\inprocserver32
Sets value: "(default)"
With data: "%systemroot%\system32\shimgvw.dll"
In subkey: HKLM\software\classes\clsid\{9dbd2c50-62ad-11d0-b806-00c04fd706ec}\inprocserver32
Sets value: "(default)"
With data: "<system folder>\shimgvw.dll"
In subkey: HKLM\software\classes\clsid\{eab841a0-9550-11cf-8c16-00805f1408f3}\inprocserver32
Sets value: "(default)"
With data: "<system folder>\shimgvw.dll"
In subkey: HKLM\software\classes\jpegfile\shell\open\command
Sets value: "(default)"
With data: "rundll32.exe <system folder>\shimgvw.dll,imageview_fullscreen %1"
In subkey: HKLM\software\classes\jpegfile\shell\printto\command
Sets value: "(default)"
With data: "rundll32.exe <system folder>\shimgvw.dll,imageview_printto /pt "%1" "%2" "%3" "%4""
In subkey: HKLM\software\classes\pngfile\shell\open\command
Sets value: "(default)"
With data: "rundll32.exe <system folder>\shimgvw.dll,imageview_fullscreen %1"
In subkey: HKLM\software\classes\shell.thumbnailextract.docfile.1\clsid
Sets value: "(default)"
With data: "{9dbd2c50-62ad-11d0-b806-00c04fd706ec}"
In subkey: HKLM\software\classes\shell.thumbnailextract.html.1\clsid
Sets value: "(default)"
With data: "{eab841a0-9550-11cf-8c16-00805f1408f3}"
Payload
Records your keystrokes
This threat can monitor which keys you press. It might record your:
- Information saved in forms, such as your user names and passwords
- Sent emails
- Instant messaging conversations
- Applications you start
- Browser history and activity
Connects to a remote host
We have seen this threat connect to a remote host using port 80, including:
- www.adakaobiri.com
- adakaobiri.com
- xxbladurxx.ws
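The hosts above are the network indicators for this threat. The script below is an added example, not part of this description: it scans proxy log lines (the sample rows are constructed, not a real capture, and the column layout is this example's own) for connections to those domains. It goes slightly beyond the list on the page in that it normalizes the host (case, trailing dot, leading "www.") and matches on label boundaries, so `cdn.adakaobiri.com` is flagged while the lookalike `adakaobiri.com.example.org` is not. A destination port other than 80 is still reported, since the domain is the indicator, but is marked as differing from what this page observed.

```python
import csv
import io

# Remote hosts listed on this page. www.adakaobiri.com is covered by
# adakaobiri.com once the leading "www." label is stripped.
IOC_DOMAINS = {"adakaobiri.com", "xxbladurxx.ws"}
OBSERVED_PORT = 80  # the port this page reports for the threat's traffic

# Constructed proxy-log sample (not a real capture). The columns are this
# example's own; map them to your proxy's or Zeek http.log's field names.
SAMPLE_LOG = """\
timestamp,src_ip,host,dst_port,method,path
2014-03-02T10:15:01Z,10.0.0.5,www.adakaobiri.com,80,GET,/
2014-03-02T10:15:03Z,10.0.0.5,update.microsoft.com,443,CONNECT,-
2014-03-02T10:16:10Z,10.0.0.7,XXBLADURXX.WS.,80,POST,/
2014-03-02T10:17:00Z,10.0.0.9,adakaobiri.com.example.org,80,GET,/
2014-03-02T10:18:00Z,10.0.0.5,cdn.adakaobiri.com,8080,GET,/
"""


def normalize_host(host):
    """Lowercase, drop a trailing dot (FQDN form) and a leading www. label."""
    h = host.strip().lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def match_ioc(host, iocs=IOC_DOMAINS):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Candidates are built from the right on label boundaries, so
    adakaobiri.com.example.org does not match adakaobiri.com while
    cdn.adakaobiri.com does.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(text, iocs=IOC_DOMAINS):
    """Return one hit dict per log row whose host matches an IOC domain."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        ioc = match_ioc(row["host"], iocs)
        if ioc is None:
            continue
        port = int(row["dst_port"])
        hits.append({
            "timestamp": row["timestamp"],
            "src_ip": row["src_ip"],
            "host": row["host"],
            "port": port,
            "ioc": ioc,
            # A different port still counts (the domain is the indicator);
            # the flag just tells the analyst it deviates from the observed 80.
            "port_as_observed": port == OBSERVED_PORT,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        note = "" if hit["port_as_observed"] else " (port differs from observed 80)"
        print(f'{hit["timestamp"]} {hit["src_ip"]} -> {hit["host"]}:{hit["port"]} '
              f'matches {hit["ioc"]}{note}')
```

Suffix matching on label boundaries is the important detail: a plain substring test on "adakaobiri.com" would also fire on unrelated hosts that merely contain that string, and a plain equality test would miss the www. form the page lists as a separate host.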
Malware can connect to a remote host to:
- Check for an Internet connection.
- Download and run files (including updates or other malware).
- Report a new infection to its author.
- Receive configuration or other data.
- Receive instructions from a malicious hacker.
- Search for your PC location.
- Upload information taken from your PC.
- Validate a digital certificate.
We have seen this threat access online content, including:
It can stop some processes from running on your PC, including:
This malware description was published using automated analysis of file SHA1 589ba5d773b4eb338f62e5839838f4f15cae5255.