Win32.Antiman.N

MEDIUM
MEDIUM
~237 KB
(Spoofer.Win32.DNS.b)

Symptoms

The presence of a file named User-Console.exe in c:\Documents and Settings\Adminstrator\ and the following value under the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
C:\Documents and Settings\Administrator\User-Console.exe
Files being sent to the contacts in the Yahoo Messenger contact list without the user's intervention.

Removal instructions:

Please let BitDefender disinfect your files.

Remove the 127.0.0.1 entries that the malware added to the hosts file (c:\Windows\System32\drivers\etc\hosts under Windows XP); the affected sites are listed in the technical section.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

The malware copies itself to c:\Documents and Settings\Adminstrator\User-Console.exe and adds a value under the registry Run key so that the copy is executed after every system reboot.

It then scans the drives for multimedia files whose names contain the names of performers of a Romanian music style called "manele" (for example: adicopil, adiminune, adriancopil, neakalu, nelupeste, nicupaleru, nynobeto, paranghelya, petricacercel) and deletes them from the user's computer.

Next, it modifies the hosts file to block access to many sites that may host this kind of music, by adding entries that resolve each site's hostname (with and without the www. prefix) to 127.0.0.1:

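A defender's check for this behaviour, added here as an example and not part of the original Bitdefender write-up: it parses a hosts file, reports every hostname mapped to loopback that is not a normal local name, and rebuilds the file without those lines. The sample hosts content is constructed for the example and contains only two of the hosts named on this page.

```python
"""Audit a Windows hosts file for the loopback redirections described above."""
import re
from typing import Iterable

# Constructed sample hosts file: legitimate lines mixed with the kind of
# 127.0.0.1 blocking entries Win32.Antiman.N appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example
127.0.0.1 www.hi5.com
127.0.0.1 hi5.com
127.0.0.1 euromanele.net
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Names that a stock hosts file legitimately maps to loopback.
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def find_loopback_redirects(text: str) -> list[str]:
    """Return hostnames mapped to loopback that are not the usual local names."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, names = m.group(1), m.group(2).split()
        if addr in LOOPBACK:
            hits.extend(n for n in names if n.lower() not in ALLOWED_LOOPBACK_NAMES)
    return hits


def clean_hosts(text: str, suspicious: Iterable[str]) -> str:
    """Rebuild the hosts file with the suspicious loopback lines removed."""
    drop = {s.lower() for s in suspicious}
    kept = []
    for raw in text.splitlines():
        m = HOSTS_LINE.match(raw.split("#", 1)[0])
        if m and m.group(1) in LOOPBACK and any(n.lower() in drop for n in m.group(2).split()):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = find_loopback_redirects(SAMPLE_HOSTS)
    print("suspicious loopback entries:", found)
    print(clean_hosts(SAMPLE_HOSTS, found))
```

On a real system, read c:\Windows\System32\drivers\etc\hosts into the text argument instead of the sample; review the reported names before writing the cleaned file back, since administrators also use loopback entries deliberately.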

It also tries to send the infected file to the contacts in the Yahoo Messenger contact list, accompanied by one of the following Romanian lure messages (all variations on "this program is great... it's for photos / images / Winamp / music / movies"):
e misto programul, pt poze... e prea tare :D
e pentru winamp, foarte tare programul
foarte fain prog... pentru poze
chiar tare programul... pt winamp
super fain programul, e pentru imagini
incearca-l, e misto programul... pt muzica
programu asta e PREA TARE... e pentru poze
incearca-l si tu, e fain programul... e pt winamp
pt imagini... e misto programul
misto programul, e pentru muzica
mi s-a parut super programu asta... e pentru winamp
e pt filme programul... mi s-a parut prea tare
cu asta vezi TOATE filmele... e mai bun decat toate celelalte
era sa uit... uite un program super tare, e pt imagini
am dat peste un prog. super fain... e pentru winamp
programu asta e super :D e pt muzica
deci prog. asta e prea tare... e pt imagini
e super programu... pentru imagini
misto programul, pt winamp
e pentru poze programu, mie mi s-a parut prea tare
uite un program misto, pt imagini
incearca programu asta, e misto... pentru muzica
e pt poze programul... mi s-a parut fain de tot
uite un program tare de tot... e pt winamp
incearca-l pe asta, e tare programul
e misto programu, pt imagini
e pt winamp... tare de tot programul
incearca programul asta, e tare... e pt poze
e tare de tot programul, pt winamp
e fain programul, pentru imagini

followed by one of these sign-offs (variations on "be right back"):
revin... brb :D
brb... :D revin
tre sa plec... revin imediat :D
brb... revin :D
revin imediat... :D
:D brb