Trojan.Win32.Cosmu.so (Kaspersky), Worm.Generic.817983 (B) (Emsisoft), Worm.Generic.817983 (AdAware), GenericEmailWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a2470037af2ac3dc4a1c726e02ba86b5
SHA1: 8ac8ba254b8f76507e95779f0984a7e9205ef65f
SHA256: 07ac0633bfbdb440a2e9ae3a0c56aa0e4a017f760ba70f5bc17b477177c149cb
SSDeep: 49152:Y2VJ9y9EASVbG5e7BcUXrYcMLH21JU3HOZQHokELQu9zPqeRKHix:Y2Jy9N466cU75lU tka/x
Size: 8039105 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Worm creates the following process(es):
%original file name%.exe:1200
The Worm injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
***BELARUS-VIRUS-MAKER***
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
File activity
The process %original file name%.exe:1200 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%System%\sychost.exe (61184 bytes)
C:\log.txt (143619 bytes)
The Worm deletes the following file(s):
Registry activity
The process %original file name%.exe:1200 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 E0 E8 29 50 51 7F 28 91 85 91 93 73 8A 51 6B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Worm modifies IE security zone settings so that all local web nodes with no dots in their names, which are not otherwise assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Worm adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe sychost.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1200
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%System%\sychost.exe (61184 bytes)
C:\log.txt (143619 bytes)
- Remove the references to the Worm by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe sychost.exe"
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 103528 | 103936 | 4.48441 | b0b32aefd49102438e42cdcb3c4a43fd |
DATA | 110592 | 1884 | 2048 | 3.0208 | 52d009bfc42c54050e7060b7e1329f36 |
BSS | 114688 | 3229 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 118784 | 3498 | 3584 | 3.29529 | 08d25d1dbe3827c0addf247aa39ff605 |
.tls | 122880 | 12 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 126976 | 24 | 512 | 0.14174 | 0b521eca375c4713ab2766a07b94127a |
.reloc | 131072 | 7700 | 8192 | 4.51414 | 5ac3b33c35653500f365755f3a4cb21d |
.rsrc | 139264 | 5632 | 5632 | 2.38708 | c0d1e81925b48606f8fb78de3e9bad0b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 24
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the following location(s):