TROJ_KREDO.SMM


 ALIASES:

Generic Downloader.x!gf3 (McAfee); Backdoor.Trojan (Symantec); Trojan.Win32.Generic!BT (Sunbelt); Trojan.Generic.2297770 (FSecure)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

98,816 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

03 Oct 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

  • %System%\mnmsrvc.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other System Modifications

This Trojan deletes the following files:

  • %Windows%\ServicePackFiles\i386\mnmsrvc.exe
  • %System%\dllcache_bk\mnmsrvc.exe
  • %System%\dllcache\mnmsrvc.exe
  • %System%\mnmsrvc.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following registry entries:

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • SN = "mnmsrvc"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • VersionA = "9.30"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • AP = "%System%\mnmsrvc.exe"

Other Details

This Trojan connects to the following possibly malicious URLs:

This report is generated via an automated analysis system.

  SOLUTION

Minimum Scan Engine:

9.200

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • SN = "mnmsrvc"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • VersionA = "9.30"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • AP = "%System%\mnmsrvc.exe"

Step 3

Scan your computer with your Trend Micro product to delete files detected as TROJ_KREDO.SMM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 4

Restore these files from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • %Windows%\ServicePackFiles\i386\mnmsrvc.exe
  • %System%\dllcache_bk\mnmsrvc.exe
  • %System%\dllcache\mnmsrvc.exe
  • %System%\mnmsrvc.exe
