TrojanDropper:Win32/Maptrepol.A

The following can indicate that you have this threat on your PC:

• You see a file similar to:
  
  • %ProgramData%\microsoft\windows\start menu\programs\winrar\console rar-handleiding.lnk
  • %ProgramData%\microsoft\windows\start menu\programs\winrar\wat is nieuw in de meest recente versie.lnk
  • %ProgramFiles%\winrar\rar.exe
  • %ProgramFiles%\winrar\rarext.dll
  • %ProgramFiles%\winrar\unacev2.dll
  • %ProgramFiles%\winrar\winrar.exe
  • %TEMP%\sega\nvvscv.exe
  • %TEMP%\sega\prst.dll
  • %TEMP%\sega\wndplyr.exe
  • <start menu>\programs\winrar\winrar.lnk

• You see registry modifications such as:
  
  • In subkey: HKLM\Software\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32
    Sets value: "(default)"
    With data: "%ProgramData%\winrar\rarext.dll"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "DisplayIcon"
    With data: "%ProgramData%\winrar\winrar.exe"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "DisplayName"
    With data: "winrar 5.31 (32-bit)"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "DisplayVersion"
    With data: "5.31.0"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "InstallLocation"
    With data: "%ProgramData%\winrar\"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "Language"
    With data: "0x00000000"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "NoModify"
    With data: "0x00000001"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "NoRepair"
    With data: "0x00000001"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "Publisher"
    With data: "win.rar gmbh"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "UninstallString"
    With data: "%ProgramData%\winrar\uninstall.exe"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "VersionMajor"
    With data: "0x00000005"
    
  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
    Sets value: "VersionMinor"
    With data: "0x0000001f"
    
  • In subkey: HKLM\Software\RegisteredApplications
    Sets value: "WinRAR"
    With data: "software\winrar\capabilities"
    
  • In subkey: HKLM\Software\WinRAR\Capabilities\FileAssociations
    Sets value: ".001"
    With data: "winrar"
    
  • In subkey: HKLM\Software\WinRAR\Capabilities\FileAssociations
    Sets value: ".arj"
    With data: "winrar"
    
  • In subkey: HKLM\Software\WinRAR\Capabilities\FileAssociations
    Sets value: ".bz2"
    With data: "winrar"
    
  • In subkey: HKLM\Software\WinRAR\Capabilities\FileAssociations
    Sets value: ".rar"
    With data: "winrar"
    
  • In subkey: HKLM\Software\WinRAR\Capabilities\FileAssociations
    Sets value: ".xz"
    With data: "winrar"
    
  • In subkey: HKLM\Software\WinRAR\Capabilities\FileAssociations
    Sets value: ".zip"
    With data: "winrar.zip"
    
  • In subkey: HKLM\Software\WinRAR
    Sets value: "exe32"
    With data: "%ProgramData%\winrar\winrar.exe"
    

• You see the following mutex:
  • {C20CD437-BA6D-4ebb-B190-70B43DE3B0F3}
  • ms_com_hzyf_microsoft_app_com_1.0