
W32/Renamer-I

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 09 Feb 2013 00:47:32 (GMT)
Last Updated: 09 Mar 2017 04:02:57 (GMT)


Examples of W32/Renamer-I include:

Example 1

File Information

Size
438K
SHA-1
00036ce51f83242abd8de37f3337f397180576d5
MD5
4c3f564ca79f8f3c3cf2067a39240c5e
CRC-32
439d8f06
File type
Windows executable
First seen
2015-11-10

Runtime Analysis

Dropped Files
  • C:\Program Files\CCleaner\CCleaner.cab
  • C:\Program Files\CCleaner\uninst.cab
  • C:\Program Files\CCleaner\RCX14.tmp
    Size
    400K
    SHA-1
    f76ffdfdfbb48023858dca684573f276cd4a36ac
    MD5
    df12d4defbdf81cf8e7225e7c5ad0419
    CRC-32
    dee55760
    File type
    Windows executable
    First seen
    2015-11-14
  • C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.cab
  • C:\Program Files\Adobe\Adobe Help Viewer\1.0\ahv.cab
  • C:\Program Files\ActiveX Sample\setup\SETUP.cab
  • C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.cab
Modified Files
  • %PROGRAM FILES%\Adobe\Reader 8.0\Reader\AcroRd32.exe
    • Changed the file contents
  • %PROGRAM FILES%\CCleaner\CCleaner.exe
    • Changed the file contents
  • %PROGRAM FILES%\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    • Changed the file contents
  • %PROGRAM FILES%\ActiveX Sample\setup\SETUP.EXE
    • Changed the file contents
  • %PROGRAM FILES%\CCleaner\uninst.exe
    • Changed the file contents

Example 2

File Information

Size
445K
SHA-1
00d5997d62f33d8388c55457928ac1d4e5a10d80
MD5
de991c3007101e9deab7bb72a933b03c
CRC-32
f4eb7f94
File type
Windows executable
First seen
2015-11-05

Runtime Analysis

Dropped Files
  • C:\Program Files\Adobe\Adobe Help Viewer\1.0\ahv.cab
  • C:\Program Files\ImageMagick-6.7.6-Q16\animate.cab
  • C:\Program Files\ActiveX Sample\setup\SETUP.cab
  • C:\Program Files\Debugging Tools for Windows (x86)\adplusmanager.cab
  • C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.cab
  • C:\Program Files\CCleaner\uninst.cab
  • C:\Program Files\Debugging Tools for Windows (x86)\srcsrv\pdbstr.cab
  • C:\Program Files\CCleaner\CCleaner.cab
  • C:\Program Files\Common Files\Microsoft Shared\DW\DW20.cab
  • C:\Program Files\Common Files\Adobe\Updater5_DISABLED\AdobeUpdater.cab
  • C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.cab
  • C:\Program Files\Common Files\Adobe\Updater5_DISABLED\AdobeUpdaterInstallMgr.cab
  • C:\Program Files\Debugging Tools for Windows (x86)\adplus.cab
  • C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.cab
  • C:\Program Files\Debugging Tools for Windows (x86)\srcsrv\srctool.cab
  • C:\Program Files\ImageMagick-6.7.6-Q16\compare.cab
Modified Files
  • %PROGRAM FILES%\Adobe\Reader 8.0\Reader\AcroRd32.exe
    • Changed the file contents
  • %PROGRAM FILES%\Debugging Tools for Windows (x86)\srcsrv\srctool.exe
    • Changed the file contents
  • %PROGRAM FILES%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
    • Changed the file contents
  • %PROGRAM FILES%\Debugging Tools for Windows (x86)\srcsrv\pdbstr.exe
    • Changed the file contents
  • %PROGRAM FILES%\CCleaner\CCleaner.exe
    • Changed the file contents
  • %PROGRAM FILES%\ImageMagick-6.7.6-Q16\compare.exe
    • Changed the file contents
  • %PROGRAM FILES%\CCleaner\uninst.exe
    • Changed the file contents
  • %PROGRAM FILES%\Common Files\Microsoft Shared\DW\DW20.EXE
    • Changed the file contents
  • %PROGRAM FILES%\Debugging Tools for Windows (x86)\adplus.exe
    • Changed the file contents
  • %PROGRAM FILES%\Debugging Tools for Windows (x86)\adplusmanager.exe
    • Changed the file contents
  • %PROGRAM FILES%\ActiveX Sample\setup\SETUP.EXE
    • Changed the file contents
  • %PROGRAM FILES%\ImageMagick-6.7.6-Q16\animate.exe
    • Changed the file contents
  • %PROGRAM FILES%\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    • Changed the file contents

Example 3

File Information

Size
213K
SHA-1
00f55393219d354b46a5f03eb58e6988be1f558a
MD5
f4231e3faaacfbffe33b0999804f0654
CRC-32
5e95b1f1
File type
Windows executable
First seen
2013-01-01

Runtime Analysis

Dropped Files
  • C:\Program Files\Adobe\Adobe Help Viewer\1.0\ahv.cab
  • c:\Documents and Settings\test user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
  • C:\WINDOWS\WallPapers.jpg
  • C:\Program Files\CCleaner\CCleaner.cab
  • C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.cab
  • C:\Program Files\Common Files\Adobe\Updater5_DISABLED\AdobeUpdater.cab
  • C:\Program Files\Debugging Tools for Windows (x86)\adplus.cab
  • C:\Program Files\Common Files\Adobe\Updater5_DISABLED\AdobeUpdaterInstallMgr.cab
  • C:\Program Files\Common Files\Microsoft Shared\DW\DW20.cab
  • C:\Program Files\Debugging Tools for Windows (x86)\adplusmanager.cab
  • C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.cab
  • C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.cab
  • C:\Program Files\CCleaner\uninst.cab
  • C:\Program Files\ActiveX Sample\setup\SETUP.cab
Modified Files
  • %PROGRAM FILES%\Debugging Tools for Windows (x86)\adplusmanager.exe
    • Changed the file contents
  • %PROGRAM FILES%\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    • Changed the file contents
  • %PROFILE%\Application Data\Microsoft\Internet Explorer\Desktop.htt
    • Changed the file contents
  • %PROGRAM FILES%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
    • Changed the file contents
  • %PROGRAM FILES%\CCleaner\CCleaner.exe
    • Changed the file contents
  • %PROGRAM FILES%\CCleaner\uninst.exe
    • Changed the file contents
  • %PROGRAM FILES%\Debugging Tools for Windows (x86)\adplus.exe
    • Changed the file contents
  • %PROGRAM FILES%\ActiveX Sample\setup\SETUP.EXE
    • Changed the file contents
  • %PROGRAM FILES%\Common Files\Microsoft Shared\DW\DW20.EXE
    • Changed the file contents
  • %PROGRAM FILES%\Adobe\Reader 8.0\Reader\AcroRd32.exe
    • Changed the file contents
Registry Keys Created
  • HKCU\Control Panel\Desktop
    ConvertedWallpaper Last WriteTime
    (binary value)
Registry Keys Modified
  • HKCU\Control Panel\Desktop
    OriginalWallpaper
    c:\Documents and Settings\test user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
  • HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
    CurrentState
    0x40000004
  • HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
    GeneralFlags
    0x00000004
  • HKCU\Software\Microsoft\Internet Explorer\Desktop\General
    Wallpaper
    %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
