Systweak Spyware Library
Microsoft Gold Certified Partner
Monitoring.Any@Web Analysis Report
Threat Submitted On: 3/21/2007 2:18:55 PM
Threat Analysed On: 3/21/2007 7:18:55 PM
Threat Updated On: 11/9/2009 4:31:08 AM
Type : Monitoring
Symptoms of Any@Web
  • Captures the activities performed by the user on the system.
  • The captured information is sent to the intruder.
  • The intruder can access the compromised machine in real time.
Information
Alias : Any@Web
Md5 Hash : [Not Available]
File Size : [Not Available]

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system
Note:
Delete the following files to remove the infection
File: any@web.exe
Path : %homepath%\desktop\any@web

Md5Hash :975e03168e815bdbec537b491e589337 ( 6334930 bytes)
File: cj609lib.dll
Path : %programfiles%\anyatweb.com\any@web

Md5Hash :e3bdcbeb4de2a139cf8f9ff13d18ad06 ( 462848 bytes)
File: mimepp_core.dll
Path : %programfiles%\anyatweb.com\any@web

Md5Hash :23e744b02aae40c86e104bbcc85e841a ( 274432 bytes)
File: hosts.fl2
Path : %programfiles%\anyatweb.com\any@web\repository

Md5Hash :b4b33165e978bd26adc9b89da95ad25b ( 16 bytes)
File: hosts.txt
Path : %programfiles%\anyatweb.com\any@web\repository

Md5Hash :c1669f5940891f273f4c55f1e94943cd ( 523 bytes)
File: tips.txt
Path : %programfiles%\anyatweb.com\any@web

Md5Hash :7a83cb9bdac4d17f9c5934730dfbda21 ( 3350 bytes)
File: webchk.exe
Path : %programfiles%\anyatweb.com\any@web

Md5Hash :4c01095b2e4359511bbe611d086795d7 ( 176128 bytes)
File: webdog.exe
Path : %programfiles%\anyatweb.com\any@web

Md5Hash :78e69f0eb0897690e54aee7014fc61b8 ( 32768 bytes)
File: webdumpii.exe
Path : %programfiles%\anyatweb.com\any@web

Md5Hash :a0456632c99a7c8e5eb27b6d395b7295 ( 143360 bytes)
File: websrvman.exe
Path : %programfiles%\anyatweb.com\any@web

Md5Hash :662cffc04e8ec51dd1700e744b3867f1 ( 53248 bytes)
File: webview.exe
Path : %programfiles%\anyatweb.com\any@web

Md5Hash :9c5d82ebbc657667294b2885ade2e593 ( 1122304 bytes)
File: any@web.chm
Path : %windir%\help

Md5Hash :5d1faa658225e6f895d8f363c9b6c6fa ( 1635373 bytes)
File: any@web.exe-0935c34f.pf
Path : %windir%\prefetch

Md5Hash :3ef0ca4707ade4d1217032b645b798a8 ( 11532 bytes)
File: webchk.exe-24818b90.pf
Path : %windir%\prefetch

Md5Hash :2192f90d5f36c55b05a1659ad935be57 ( 8998 bytes)
File: webdog.exe-1ad65605.pf
Path : %windir%\prefetch

Md5Hash :327fc0068a1e664e7ea7a9c14ada9adb ( 8412 bytes)
File: webdumpii.exe-266892ab.pf
Path : %windir%\prefetch

Md5Hash :214926c5e6bc31f49cf27209610585cb ( 8734 bytes)
File: websrvman.exe-08bfc6a9.pf
Path : %windir%\prefetch

Md5Hash :f9c9d12eefe1e5b5ca361a18d5625c5c ( 12126 bytes)
File: webview.exe-32bf8c7e.pf
Path : %windir%\prefetch

Md5Hash :cec175263a0088f7d46069a1268fd8ca ( 15900 bytes)
File: awpacket.dll
Path : %windir%\system32

Md5Hash :97ceb3dca0c8218a72a00447cebb88bd ( 57344 bytes)
File: awpcap.dll
Path : %windir%\system32

Md5Hash :5b4b616ca1da9c5e6a24fe8e30a5b82a ( 172032 bytes)
File: awnpf.sys
Path : %windir%\system32\drivers

Md5Hash :c374a7241d42f22f4798effce5ff531a ( 31506 bytes)
Also creates the following files on the user's system, which are also created by genuine software:
Note:
These files can be kept, as they are also created by genuine software.
File : _isres1033.dll
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :c164cee82dc73d55f9d9a85f7c79e386 ( 548964 bytes)
File : id
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :d41d8cd98f00b204e9800998ecf8427e ( 0 bytes)
File : idriver.exe
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :d82c9d45c46477906daddcab7dc43068 ( 774144 bytes)
File : idriver2.exe
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :d82c9d45c46477906daddcab7dc43068 ( 774144 bytes)
File : idrivert.exe
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :6f95324909b502e2651442c1548ab12f ( 73728 bytes)
File : igdicnv.dll
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :fb47d347683eb249c7fd8e136eda8c12 ( 192512 bytes)
File : iscrcnv.dll
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :48234044d58bf2bd43e7b30faa2b0f9e ( 274432 bytes)
File : isrt.dll
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :5cbf3ed91a3cfa71f9b618e8aa63dfb3 ( 413696 bytes)
File : iusercnv.dll
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :b5377ba5ed7ecc5ba5d804a99aedd076 ( 180224 bytes)
File : objpscnv.dll
Path : %programfiles%\common files\installshield\driver\1050\intel 32

Md5Hash :2ed2b8f6ad90238c15092481a3ce76c3 ( 32768 bytes)
File : ~df6f80.tmp
Path : %systemdrive%\temp

Md5Hash :( 49152 bytes)
File : jet24.tmp
Path : %systemdrive%\temp

Md5Hash :( 0 bytes)
File : idriver.exe-205a2558.pf
Path : %windir%\prefetch

Md5Hash :37c2fc94674cba971ecd07062015e28c ( 13350 bytes)
File : idrivert.exe-19bbeabb.pf
Path : %windir%\prefetch

Md5Hash :9c3256fda140abe898ccca2a7ea7a65a ( 11060 bytes)
Creates the following infected registry keys on the user's system
Note:
Delete these registry keys to remove the infection
The following registry values are added to the listed registry keys:
Note:
Delete the added values from the key to remove the infection
|__ Value Added :
CJToolBar 1 = "FF FF FF FF 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00"
|__ Value Added :
CJToolBar 2 = "04 80 00 00 12 80 00 00 FF FF FF FF 09 80 00 00 29 80 00 00 0A 80 00 00 FF FF FF FF 24 E1 00 00 61 80 00 00 FF FF FF FF 54 80 00 00 10 80 00 00 FF FF FF FF 25 80 00 00 05 80 00 00 FF FF FF FF 18 80 00 00 40 E1 00 00"
|__ Value Added :
Window Pos = "0,1,-1,-1,-1,-1,132,132,896,549"
|__ Value Added :
FilePos = "257"
|__ Value Added :
StartUp = "0"
|__ Value Added :
TimeStamp = "Mon Nov 04 16:38:44 2002"
|__ Value Added :
FtpListV = "(5,5) 34 200 200 200 100 0 1 2 3 4"
|__ Value Added :
ImListV = "(7,7) 34 34 160 160 160 200 60 0 1 2 3 4 5 6"
|__ Value Added :
ListV = "(7,7) 34 34 34 200 200 200 200 0 1 2 3 4 5 6"
|__ Value Added :
PageListV = "(5,5) 34 200 200 200 100 0 1 2 3 4"
|__ Value Added :
Adapter = "\Device\AWPACK_{8A4888C5-F61F-4B82-9A1B-8E6FA198E511}"
|__ Value Added :
ChkThreadId = "1948"
|__ Value Added :
DogThreadId = "1828"
|__ Value Added :
DUMPSRV = "NT"
|__ Value Added :
Message Folder = "%PROGRAMFILES%\anyatweb.com\Any@Web\Repository"
|__ Value Added :
PackageCode = "829E6999D1E37E645A58FFCABEA565B3"
|__ Value Added :
ProductIcon = "%WINDIR%\Installer\{AC4D0905-C68B-4C04-B3FC-457B260E282E}\ARPPRODUCTICON.exe"
|__ Value Added :
LastUsedSource = "n;1;%SYSTEMDRIVE%\TEMP\_is2\"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = ""
|__ Value Added :
%ALLUSERSPROFILE%\Start Menu\Programs\Any@Web for Windows(Demo)\ = ""
|__ Value Added :
%WINDIR%\Installer\{AC4D0905-C68B-4C04-B3FC-457B260E282E}\ = ""
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "%PROGRAMFILES%\anyatweb.com\Any@Web\WebDumpII.exe"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\msvcirt.dll"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\msvcrt.dll"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\comcat.dll"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\stdole2.tlb"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\oleaut32.dll"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\mfc42.dll"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\AWPCAP.dll"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\olepro32.dll"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "%PROGRAMFILES%\anyatweb.com\Any@Web\WebView.exe"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\msvcp60.dll"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "%PROGRAMFILES%\anyatweb.com\Any@Web\"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "%PROGRAMFILES%\anyatweb.com\Any@Web\"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "C?\WINDOWS\system32\AWPacket.dll"
|__ Value Added :
00000000000000000000000000000000 = "%PROGRAMFILES%\anyatweb.com\Any@Web\Repository\"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "%PROGRAMFILES%\anyatweb.com\Any@Web\Repository\"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "%WINDIR%\system32\drivers\awnpf.sys"
|__ Value Added :
5090D4CAB86C40C43BCF54B762E082E2 = "%PROGRAMFILES%\anyatweb.com\Any@Web\WebChk.exe"
|__ Value Added :
MailService = "4V-b_B}^~8hoMfDb2Ic4JwCJ.2*9~8Y*bMAEOo[$.gs?Q*7]SAsPURX&Z's?3nh&`z6rI=_.gWQ*dy,`67k)4s6tf(JR`qF-Q9q.=3&5,B^pf(V%eqFgkW_B83&5,B^pf(V%eqFgkW_B'jY0(z7qf(fVbqFgkW_BhY,w=mgsf(YJ*L[lj+'(M5KDYSUnf(HA*L[xeX)y"
|__ Value Added :
MailView = "kZ(!vSzO)?SpqMM{Q4wa,n!MA@{N[=xC1I!Q'u0I4V-b_B}^~8hoMfDb2Ic4'5By(tTEO?P{OoPd&V&=67k)4s6tf(JR`qF-Q9q.=3&5,B^pf(V%eqFgkW_B7YK?{]tuf(^?eqFgkW_BB3&5,B^pf(V%eqFgkW_B83&5,B^pf(V%eqFgkW_B'jY0(z7qf(fVbqFgkW_BhY,w=mgsf(YJ*L[lj+'(M5KDYSUnf(HA*L[xeX)y"
|__ Value Added :
WPCAP = "Iz'dAi8Rg@EOEhFjVWm9(!O.Q=RqG9Pj}B%4tXODTyUNG'{mj8'Z7zdHG['RDV[r-&4Ru=%Br[Tc+Sw70)ZUcMwMA?Q(mBes,g^2fIElq~@%E=I&~4cY3k@YMailService"
|__ Value Added :
%WINDIR%\system32\AWPacket.dll = "1"
|__ Value Added :
%WINDIR%\system32\AWPCAP.dll = "1"
|__ Value Added :
UninstallString = "MsiExec.exe /X{AC4D0905-C68B-4C04-B3FC-457B260E282E}"
|__ Value Added :
NextInstance = "1"
|__ Value Added :
Class = "LegacyDriver"
|__ Value Added :
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
|__ Value Added :
DeviceDesc = "Any@Web Network Packet Filter"
|__ Value Added :
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
|__ Value Added :
DeviceDesc = "Any@Web Dump Service 2.10"
|__ Value Added :
DisplayName = "Any@Web Network Packet Filter"
|__ Value Added :
ErrorControl = "1"
|__ Value Added :
ImagePath = "system32\drivers\awnpf.sys"
|__ Value Added :
0 = "Root\LEGACY_AWNPF\0000"
|__ Value Added :
NextInstance = "1"
|__ Value Added :
Security = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
|__ Value Added :
Description = "The message dump service of Any@Web, version 2.10"
|__ Value Added :
DisplayName = "Any@Web Dump Service 2.10"
|__ Value Added :
ErrorControl = "0"
|__ Value Added :
ImagePath = ""%PROGRAMFILES%\anyatweb.com\Any@Web\WebDumpII.exe""
|__ Value Added :
ObjectName = "LocalSystem"
|__ Value Added :
0 = "Root\LEGACY_WEBDUMPII\0000"
|__ Value Added :
Security = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
Also creates the following legitimate registry keys on the user's system, which are also created by genuine software:
Note:
These keys can be kept, as they are also created by genuine software
The following registry values are added to the listed registry keys and are also created by genuine software:
Note:
These values can be left, as they are also created by legitimate software:
|__ Value Added :
%PROGRAMFILES%\Common Files\InstallShield\
|__ Value Added :
%PROGRAMFILES%\Common Files\InstallShield\Driver\
|__ Value Added :
%PROGRAMFILES%\Common Files\InstallShield\Driver\1050\
|__ Value Added :
%PROGRAMFILES%\Common Files\InstallShield\Driver\1050\Intel 32\
|__ Value Added :
%WINDIR%\system32\msvcirt.dll
|__ Value Added :
Security = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"

NOTE:

1. %allusersprofile% refers to the Windows All Users profile folder. By default it is 'C:\Documents and Settings\All Users'
2. %homepath% refers to the current user's Windows profile folder. By default it is 'C:\Documents and Settings\[user]'
3. %programfiles% refers to the Program Files folder. By default it is 'C:\Program Files'
4. %windir% refers to the Windows root folder. By default it is 'C:\Windows'
5. %systemdrive% refers to the Windows system drive. By default it is 'C:\'

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify only the malicious/suspicious subkeys.


To modify registry entries in the Windows operating system, follow these steps:
1. Click Start > Run
2. Type “regedit” to open the Registry Editor
3. Navigate to the required registry key in the left tree control and modify it accordingly.


© Systweak Inc., 1999-2009 All rights reserved.