not-a-virus:AdWare.Win32.SearchProtect.tt (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 975f6d58bad9754535b4695d52b31614
SHA1: d67a264faf9c238695ce777f43d0a78739256ac4
SHA256: 31a783f9c999369f8dafbd3a060a49c1ac4a61f62f62b73977debc903f782231
SSDeep: 196608:D5447w7Wefjb1qX60GnT2SOdFAzzg8OWzqNGDBCThG:D55WHoX600CSwFC04zNR
Size: 9322192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-06 17:31:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates via networks or removable drives.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
%original file name%.exe:1076
The Worm injects its code into the following process(es):
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:1076 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\System.dll (11 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\SPTool.dll (101109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp (80185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CARRIER_ID[1] (892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F1A1_Rar\%original file name%.exe (69845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wgxb.exe (561 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (0 bytes)
%WinDir%\7f0e5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\SPTool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wgxb.exe (0 bytes)
Registry activity
The process %original file name%.exe:1076 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Stvncyfrlda]
"m2_8" = "997419344"
"m2_9" = "2732706519"
"m2_2" = "3470575550"
"m2_3" = "910907341"
"m2_0" = "5620"
"m2_1" = "1735292633"
"m2_6" = "1821817157"
"m2_7" = "3557102913"
"m2_4" = "2646191988"
"m2_5" = "86509802"
"m4_222" = "2982453382"
"m1_151" = "1556007790"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_78" = "1162427528"
"m4_226" = "1333681722"
"m4_227" = "3068972455"
"m4_224" = "2158067552"
"m1_150" = "1073761770"
"m1_73" = "1660785988"
"m1_72" = "531598977"
"m1_71" = "3584595940"
"m1_70" = "302339199"
"m1_77" = "2488034740"
"m1_76" = "3275875682"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m1_74" = "338841045"
"m3_166" = "278866567"
"m3_167" = "2013911602"
"m3_164" = "1136397309"
"m2_98" = "2554772129"
"m1_144" = "3550739096"
"m3_163" = "3662911566"
"m3_160" = "2751909385"
"m3_161" = "225933732"
"m1_155" = "1182601783"
"m4_208" = "163219600"
"m3_168" = "3782899105"
"m1_154" = "2691449391"
[HKCU\Software\Stvncyfrlda\168128873]
[HKCU\Software\Stvncyfrlda]
"m2_147" = "1684659093"
"m1_148" = "3953717429"
"m1_149" = "2129603000"
"m1_146" = "1884293019"
"m1_147" = "1668177894"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Stvncyfrlda]
"m1_145" = "1472157451"
"m1_142" = "3370725921"
"m1_143" = "630481753"
"m1_140" = "3699249287"
"m2_107" = "992511217"
"m2_99" = "4290053509"
"m2_148" = "3419963139"
"m4_209" = "1898510333"
"m2_210" = "3633805582"
"m3_35" = "622481870"
"m3_34" = "3182011987"
"m3_37" = "4092948712"
"m3_36" = "2323956093"
"m3_31" = "2270958618"
"m3_30" = "535979247"
"m3_33" = "1413429028"
"m3_32" = "3972958089"
"m3_39" = "3234960306"
"m3_38" = "1533534215"
"m4_0" = "0"
"m4_1" = "1735290733"
"m4_2" = "3470581466"
"m4_3" = "910904903"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m4_6" = "1821809806"
"m4_7" = "3557100539"
"m4_8" = "997423976"
"m4_9" = "2732714709"
"m2_213" = "249733711"
"m2_212" = "2809423683"
"m2_215" = "3720318687"
"m2_214" = "1985021206"
"m2_217" = "2895929409"
"m2_216" = "1160648200"
"m2_69" = "3770949552"
"m2_68" = "2035649045"
"m2_61" = "2773523398"
"m2_60" = "1038223205"
"m2_63" = "1949138617"
"m2_62" = "213839024"
"m2_65" = "1124756485"
"m2_64" = "3684417570"
"m2_67" = "300367565"
"m2_66" = "2860033647"
"m4_204" = "1811991260"
"m1_241" = "3504044995"
"m4_223" = "422776819"
"m1_79" = "2345350265"
"m4_205" = "3547281993"
"m4_221" = "1247162649"
"m4_129" = "514205165"
"m4_128" = "3073881728"
"m4_125" = "2162976825"
"m4_124" = "427686092"
"m4_127" = "1338590995"
"m4_126" = "3898267558"
"m4_121" = "3811748485"
"m4_120" = "2076457752"
"m4_123" = "2987362655"
"m4_122" = "1252071922"
"m4_158" = "3592996166"
"m4_159" = "1033319603"
"m3_185" = "3217944556"
"m4_150" = "2595572190"
"m4_151" = "35895627"
"m4_152" = "1771186360"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m4_154" = "946800530"
"m4_155" = "2682091263"
"m4_156" = "122414700"
"m4_157" = "1857705433"
"m2_134" = "600721990"
"m2_135" = "2336023893"
"m4_29" = "3078791001"
"m4_28" = "1343500268"
"m2_130" = "2249491458"
"m2_131" = "3984789563"
"m2_132" = "1425108947"
"m2_133" = "3160405075"
"m4_23" = "1256981195"
"m4_22" = "3816657758"
"m4_21" = "2081367025"
"m4_20" = "346076292"
"m4_27" = "3903176831"
"m4_26" = "2167886098"
"m4_25" = "432595365"
"m4_24" = "2992271928"
"m1_195" = "855033273"
"m4_229" = "2244586625"
"m3_182" = "2306891095"
"m1_194" = "725302401"
"m3_183" = "4008889538"
"m1_197" = "1478701508"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Stvncyfrlda]
"m3_246" = "1696364695"
"m1_24" = "2715653604"
"m1_25" = "1582394742"
"m1_26" = "3007476027"
"m1_27" = "362255121"
"m1_20" = "309373695"
"m1_21" = "3669906306"
"m1_22" = "3228447279"
"m1_23" = "3888594961"
"m1_191" = "2835580571"
"m3_244" = "2487310797"
"m1_28" = "1290480215"
"m1_29" = "2314333073"
"m3_199" = "1742469010"
"m1_190" = "178700765"
"m3_122" = "1268937691"
"m3_123" = "3003966326"
"m3_120" = "2059882801"
"m3_121" = "3794911404"
"m3_126" = "3914972559"
"m3_127" = "1321872698"
"m3_124" = "410948325"
"m3_125" = "2179924496"
"m3_128" = "3056917673"
"m3_129" = "530927556"
"m3_165" = "2871966568"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_162" = "1927407827"
"m1_214" = "3829791413"
[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "67"
[HKCU\Software\Stvncyfrlda]
"m1_99" = "2265724798"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 3F 3A 0F D9 D0 73 14 BC 41 BE 94 57 89 96 EB"
[HKCU\Software\Stvncyfrlda]
"m1_215" = "3688590880"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Stvncyfrlda]
"m1_91" = "3495771849"
"m1_90" = "1524375700"
"m1_93" = "1391752326"
"m1_92" = "3078942027"
"m1_95" = "434560630"
"m1_94" = "3627452988"
"m1_97" = "2463574267"
"m1_96" = "53770204"
"m3_231" = "1436934514"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Stvncyfrlda]
"m1_202" = "1488363545"
"m1_221" = "222562620"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m1_108" = "1231716647"
"m1_109" = "3831820759"
"m4_201" = "901086357"
"m1_102" = "2698777117"
"m1_103" = "4182417006"
"m1_100" = "4139152942"
"m1_101" = "3005121467"
"m1_106" = "822926422"
"m1_107" = "2028039993"
"m1_104" = "853028992"
"m1_105" = "3102166764"
"m3_3" = "927474798"
"m3_2" = "3487544563"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m3_7" = "3573965266"
"m3_6" = "1838544551"
"m3_5" = "69945096"
"m3_4" = "2629490589"
"m1_216" = "3594632771"
"m1_217" = "2473613019"
"m3_9" = "2749530364"
"m3_8" = "980422977"
"m1_199" = "1581965573"
"m1_198" = "707637565"
"m1_210" = "399516188"
"m1_211" = "3541584396"
"m3_93" = "2451378352"
"m3_92" = "716398853"
"m3_91" = "3309498774"
"m3_90" = "1573930619"
"m3_97" = "836457060"
"m3_96" = "3362431689"
"m3_95" = "1626878810"
"m3_94" = "4220485679"
[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "96"
[HKCU\Software\Stvncyfrlda]
"m4_241" = "1593238941"
"m3_99" = "4273372430"
"m2_94" = "4203541234"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_98" = "2571488659"
"m3_169" = "1189405916"
"m1_75" = "4280343859"
"m2_146" = "4244346441"
"m1_5" = "1394450043"
"m1_4" = "2556724606"
"m1_7" = "2115579346"
"m1_6" = "270163915"
"m1_1" = "209801296"
"m1_0" = "318153590"
"m3_68" = "2018964189"
"m3_69" = "3787940424"
"m3_66" = "2877018163"
"m3_67" = "283394990"
"m3_64" = "3667439977"
"m3_65" = "1107894404"
"m3_62" = "230528591"
"m3_63" = "1965949434"
"m3_60" = "1021409189"
"m3_61" = "2756962000"
"m2_220" = "3806843697"
"m2_221" = "1247162275"
"m2_222" = "2982459210"
"m2_223" = "422779552"
"m2_224" = "2158063278"
"m2_225" = "3893361713"
"m2_226" = "1333675012"
"m2_227" = "3068974202"
"m2_228" = "509291496"
"m2_229" = "2244590577"
"m2_149" = "860278525"
"m3_241" = "1609928628"
"m3_229" = "2227881640"
"m3_228" = "525883197"
"m3_225" = "3909911780"
"m3_224" = "2174883145"
"m3_227" = "3085936526"
"m1_141" = "959655750"
"m3_221" = "1263885104"
"m3_220" = "3823414149"
"m3_223" = "405824986"
"m3_222" = "2965883567"
"m2_29" = "3078783645"
"m2_28" = "1343503286"
"m2_25" = "432602327"
"m2_24" = "2992269318"
"m2_27" = "3903180389"
"m2_26" = "2167884423"
"m2_21" = "2081358511"
"m2_20" = "346067278"
"m2_23" = "1256983761"
"m2_22" = "3816654681"
"m3_240" = "4136311833"
"m4_244" = "2504143844"
"m1_209" = "2224904068"
"m4_220" = "3806839212"
"m2_169" = "1206359544"
"m2_168" = "3766028380"
[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"
[HKCU\Software\Stvncyfrlda]
"m2_163" = "3679512160"
"m2_162" = "1944229454"
"m2_161" = "208931310"
"m2_160" = "2768617415"
"m2_167" = "2030739779"
"m2_166" = "295458518"
"m2_165" = "2855125637"
"m2_164" = "1119843697"
"m4_114" = "254647946"
"m4_115" = "1989938679"
"m4_116" = "3725229412"
"m4_117" = "1165552849"
"m4_110" = "1903419606"
"m4_111" = "3638710339"
"m4_112" = "1079033776"
"m4_113" = "2814324509"
"m4_118" = "2900843582"
"m4_119" = "341167019"
"m4_74" = "3857462658"
"m4_75" = "1297786095"
"m4_76" = "3033076828"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m4_70" = "1211267022"
"m4_71" = "2946557755"
"m4_72" = "386881192"
"m4_73" = "2122171925"
"m4_78" = "2208690998"
"m4_79" = "3943981731"
"m4_246" = "1679758014"
"m4_228" = "509295892"
"m4_189" = "1552434041"
"m4_188" = "4112110604"
"m4_187" = "2376819871"
"m4_186" = "641529138"
"m4_185" = "3201205701"
"m4_184" = "1465914968"
"m4_183" = "4025591531"
"m4_182" = "2290300798"
"m4_181" = "555010065"
"m4_180" = "3114686628"
"m1_213" = "232608405"
"m1_3" = "3696872588"
"m1_2" = "2524299425"
"m2_90" = "1557347139"
"m2_91" = "3292627343"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Stvncyfrlda]
"m2_92" = "732958720"
"m1_68" = "2392388924"
"m1_69" = "1470144539"
"m4_237" = "3242010601"
"m2_93" = "2468245044"
"m4_231" = "1420200795"
"m4_230" = "3979877358"
"m4_233" = "595814965"
"m4_232" = "3155491528"
"m1_60" = "2957567414"
"m1_62" = "2663309597"
"m1_63" = "1294480572"
"m1_64" = "2357227656"
"m1_65" = "3939391641"
"m1_66" = "1488845893"
"m1_67" = "4273011959"
"m3_179" = "1395950366"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Stvncyfrlda]
"m2_96" = "3379161273"
"m3_130" = "2266496883"
"m3_171" = "398919654"
"m3_170" = "2924909643"
"m3_173" = "3835831936"
"m2_97" = "819473444"
"m3_175" = "3044884906"
"m3_174" = "1275909695"
"m3_177" = "2186829940"
"m3_176" = "451932377"
"m4_235" = "4066396431"
"m1_152" = "3033424392"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Stvncyfrlda]
"m3_22" = "3799972215"
"m3_23" = "1273981154"
"m3_20" = "363060909"
"m3_21" = "2097957336"
"m3_26" = "2150906683"
"m3_27" = "3920013910"
"m3_24" = "3008960529"
"m3_25" = "415992716"
"m1_159" = "4126862314"
"m1_158" = "566425853"
"m3_28" = "1360479685"
"m3_29" = "3061970288"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"
[HKCU\Software\Stvncyfrlda]
"m2_76" = "3033085178"
"m2_77" = "473403437"
"m2_74" = "3857457286"
"m2_75" = "1297787541"
"m2_72" = "386875954"
"m2_73" = "2122176415"
"m2_70" = "1211258282"
"m2_71" = "2946560719"
"m2_78" = "2208686786"
"m2_79" = "3943988629"
"m3_57" = "110470508"
"m3_56" = "2703963633"
"m3_55" = "968530498"
"m3_54" = "3494439639"
"m3_53" = "1759411128"
"m3_52" = "57526285"
"m3_51" = "2583910558"
"m3_50" = "848472419"
"m3_59" = "3614491702"
"m3_58" = "1845908635"
"m2_219" = "2071545807"
"m2_218" = "336261398"
"m1_156" = "830639012"
"m3_214" = "2001882935"
"m3_215" = "3703373474"
"m3_216" = "1143826897"
"m3_217" = "2912885068"
"m3_210" = "3650358595"
"m3_211" = "1090960638"
"m3_212" = "2792828013"
"m3_213" = "266461080"
"m3_218" = "352946427"
"m3_219" = "2054830102"
"m2_127" = "1338597140"
"m4_149" = "860281457"
"m4_148" = "3419958020"
"m3_226" = "1316828179"
"m2_126" = "3898262145"
"m4_143" = "3333438947"
"m4_142" = "1598148214"
"m4_141" = "4157824777"
"m4_140" = "2422534044"
"m4_147" = "1684667287"
"m4_146" = "4244343850"
"m4_145" = "2509053117"
"m4_144" = "773762384"
"m4_38" = "1516538414"
"m4_39" = "3251829147"
"m2_125" = "2162981005"
"m2_124" = "427680293"
"m2_123" = "2987367739"
"m2_122" = "1252066432"
"m2_121" = "3811740380"
"m2_120" = "2076451804"
"m4_30" = "519114438"
"m4_31" = "2254405171"
"m4_32" = "3989695904"
"m4_33" = "1430019341"
"m4_34" = "3165310074"
"m4_35" = "605633511"
"m4_36" = "2340924244"
"m4_37" = "4076214977"
"m2_192" = "2463335302"
"m2_193" = "4198635814"
"m2_190" = "3287721999"
"m2_191" = "728055703"
"m2_196" = "814574270"
"m2_197" = "2549854101"
"m2_194" = "1638951006"
"m2_195" = "3374249219"
[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Stvncyfrlda]
"m2_198" = "4285152538"
"m2_199" = "1725464736"
"m1_11" = "604391481"
"m1_10" = "3965842312"
"m1_13" = "3712216376"
"m1_12" = "3403904322"
"m1_15" = "1397147664"
"m1_14" = "1802833809"
"m1_17" = "1933685767"
"m1_16" = "4097707939"
"m1_19" = "4095427184"
"m1_18" = "341407184"
"m3_184" = "1449360497"
"m4_206" = "987605430"
"m3_135" = "2319427666"
"m3_134" = "583874855"
"m3_137" = "1528482684"
"m3_136" = "4087897025"
"m4_89" = "4117019877"
"m4_88" = "2381729144"
"m3_133" = "3176958344"
"m3_132" = "1441930781"
"m4_85" = "1470824241"
"m4_87" = "646438411"
"m4_86" = "3206114974"
"m4_81" = "3119595901"
"m4_80" = "1384305168"
"m4_83" = "2295210071"
"m4_82" = "559919338"
"m2_129" = "514208734"
"m2_128" = "3073879670"
"m1_86" = "1363116474"
"m1_87" = "2302235834"
"m1_84" = "893052537"
"m1_85" = "2754352869"
"m1_82" = "2950368676"
"m1_83" = "168360173"
"m1_80" = "2155446734"
"m1_81" = "4055829807"
"m1_180" = "118355146"
"m1_88" = "3984157382"
"m1_89" = "2175053100"
"m3_198" = "4268311655"
"m1_229" = "3637168117"
"m1_228" = "3240051247"
"m3_186" = "658480923"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Stvncyfrlda]
"m3_140" = "2439480757"
"m3_141" = "4140840224"
"m3_142" = "1581425759"
"m3_143" = "3350419402"
"m1_119" = "385032435"
"m1_118" = "1510701440"
"m3_146" = "4260947459"
"m3_147" = "1701482942"
"m1_115" = "2226650540"
"m1_114" = "2716591847"
"m1_117" = "243285735"
"m1_116" = "1694081743"
"m1_111" = "1172934539"
"m1_110" = "2145354085"
"m1_113" = "889856734"
"m1_112" = "3102404619"
"m1_168" = "2198590419"
"m1_169" = "432326475"
"m1_220" = "1939894742"
"m4_219" = "2071548479"
"m1_160" = "472513435"
"m1_161" = "3059305526"
"m1_162" = "3111298116"
"m1_163" = "590564308"
"m1_164" = "86977386"
"m1_165" = "3434280959"
"m1_166" = "1951802364"
"m1_167" = "1628623125"
"m3_80" = "1401010233"
"m3_81" = "3102878548"
"m3_82" = "542956227"
"m3_83" = "2311932542"
"m3_84" = "4047496685"
"m3_85" = "1453954328"
"m3_86" = "3189376183"
"m3_87" = "663008290"
"m3_88" = "2364876625"
"m3_89" = "4100445900"
"m4_215" = "3720320139"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Stvncyfrlda]
"m4_214" = "1985029406"
"m4_225" = "3893358285"
"m4_194" = "1638953114"
"m1_201" = "2542516004"
"m1_200" = "2108303510"
"m3_19" = "2888904510"
"m3_18" = "1153482627"
"m1_205" = "1468795251"
"m1_204" = "972729313"
"m1_207" = "1807340115"
"m1_206" = "3895692296"
"m3_13" = "1100530336"
"m3_12" = "3626914613"
"m3_11" = "1891476358"
"m3_10" = "190001259"
"m3_17" = "3746958356"
"m3_16" = "2011536633"
"m3_15" = "243002698"
"m3_14" = "2835971551"
"m2_233" = "595817615"
"m2_232" = "3155487164"
"m2_231" = "1420202630"
"m2_230" = "3979873978"
"m2_237" = "3242014186"
"m2_236" = "1506717680"
"m2_235" = "4066405573"
"m2_234" = "2331102739"
"m2_239" = "2417627246"
"m2_238" = "682331745"
"m2_49" = "3424863256"
"m2_48" = "1689581460"
"m2_47" = "4249249007"
"m2_46" = "2513966674"
"m2_45" = "778679961"
"m2_44" = "3338351021"
"m2_43" = "1603054539"
"m2_42" = "4162737411"
"m2_41" = "2427437850"
"m2_40" = "692155243"
"m2_38" = "1516540686"
"m2_39" = "3251825839"
"m2_32" = "3989699942"
"m2_33" = "1430014322"
"m2_30" = "519116976"
"m2_31" = "2254398613"
"m2_36" = "2340926311"
"m2_37" = "4076208290"
"m2_34" = "3165313043"
"m2_35" = "605628707"
"m4_240" = "4152915504"
"m2_158" = "3592999147"
"m2_159" = "1033321584"
"m2_156" = "122418072"
"m2_157" = "1857699957"
"m2_154" = "946805032"
"m2_155" = "2682088067"
"m2_152" = "1771188481"
"m2_153" = "3506471647"
"m2_150" = "2595580949"
"m2_151" = "35892312"
"m4_107" = "992514703"
"m4_106" = "3552191266"
"m4_105" = "1816900533"
"m4_104" = "81609800"
"m4_103" = "2641286363"
"m4_102" = "905995630"
"m4_101" = "3465672193"
"m4_100" = "1730381460"
"m3_131" = "3967839982"
"m4_242" = "3328529674"
"m4_109" = "168128873"
"m4_108" = "2727805436"
"m4_41" = "2427443317"
"m4_40" = "692152584"
"m4_43" = "1603057487"
"m4_42" = "4162734050"
"m4_45" = "778671657"
"m4_44" = "3338348220"
"m4_47" = "4249253123"
"m4_46" = "2513962390"
"m4_49" = "3424867293"
"m4_48" = "1689576560"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Stvncyfrlda]
"m3_100" = "1713433789"
"m4_84" = "4030500804"
"m3_245" = "4256418168"
"m3_139" = "703982086"
"m3_138" = "3230366443"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Stvncyfrlda]
"m1_55" = "4039289439"
"m1_54" = "1118742336"
"m1_57" = "3845688315"
"m1_56" = "1616554112"
"m1_51" = "2264587460"
"m1_50" = "2676256124"
"m1_53" = "3518609899"
"m1_52" = "1458160794"
"m1_59" = "4190035347"
"m1_58" = "4061093176"
"m2_241" = "1593242211"
"m3_108" = "2744413141"
"m3_109" = "184949568"
"m3_104" = "98446945"
"m3_105" = "1833490844"
"m3_106" = "3535358219"
"m3_107" = "975960230"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_101" = "3482491944"
"m3_102" = "922947399"
"m3_103" = "2624438002"
"m2_83" = "2295217901"
"m4_77" = "473400265"
"m4_234" = "2331105698"
"m1_124" = "3173690856"
"m1_125" = "2105820747"
"m1_126" = "2186348654"
"m1_127" = "740756558"
"m1_120" = "2883240963"
"m1_121" = "799876175"
"m1_122" = "3066242872"
"m1_123" = "2618906356"
"m1_245" = "2206832421"
"m1_244" = "52711582"
"m1_246" = "4135316441"
"m1_128" = "1713950769"
"m1_129" = "1730502331"
"m1_243" = "3961416310"
"m1_242" = "1073675531"
"m1_238" = "3062437656"
"m1_239" = "991025846"
"m3_187" = "2359824054"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Stvncyfrlda]
"m1_230" = "2262777424"
"m1_231" = "402840959"
"m1_232" = "2167127998"
"m1_233" = "1319661639"
"m1_234" = "3883898396"
"m1_235" = "561752107"
"m1_236" = "2182436184"
"m1_237" = "4196711218"
"m3_243" = "751873630"
"m3_44" = "3354938517"
"m3_45" = "795540480"
"m3_46" = "2497408959"
"m3_47" = "4232388394"
"m3_40" = "675414817"
"m3_41" = "2444014172"
"m3_42" = "4179439051"
"m3_43" = "1586486630"
"m3_48" = "1706528345"
"m3_49" = "3441441268"
"m3_144" = "790480761"
"m3_239" = "2434362602"
"m2_186" = "641524843"
"m3_207" = "2739893002"
"m3_206" = "1004454815"
"m3_205" = "3530313824"
"m3_204" = "1828954357"
"m3_203" = "93401414"
"m3_202" = "2619377195"
"m3_201" = "884348604"
"m3_200" = "3477366529"
"m3_145" = "2492364436"
"m3_209" = "1881906644"
"m3_208" = "146399929"
"m4_178" = "3939072458"
"m4_179" = "1379395895"
"m4_176" = "468490992"
"m4_177" = "2203781725"
"m4_174" = "1292876822"
"m4_175" = "3028167555"
"m4_172" = "2117262652"
"m4_173" = "3852553385"
"m4_170" = "2941648482"
"m4_171" = "381971919"
"m2_118" = "2900838490"
"m2_119" = "341168584"
"m2_112" = "1079025930"
"m2_113" = "2814326157"
"m2_110" = "1903424686"
"m2_111" = "3638707556"
"m2_116" = "3725223664"
"m2_117" = "1165543706"
"m2_114" = "254642434"
"m2_115" = "1989941723"
"m2_185" = "3201212380"
"m2_184" = "1465912544"
"m2_187" = "2376822905"
"m4_153" = "3506477093"
"m2_181" = "555015153"
"m2_180" = "3114680832"
"m2_183" = "4025596963"
"m2_182" = "2290295794"
"m2_189" = "1552441261"
"m2_188" = "4112106913"
"m3_180" = "3097834125"
"m1_153" = "3623435132"
"m4_98" = "2554767290"
"m4_99" = "4290058023"
"m4_92" = "732957484"
"m4_93" = "2468248217"
"m4_90" = "1557343314"
"m4_91" = "3292634047"
"m4_96" = "3379153120"
"m4_97" = "819476557"
"m4_94" = "4203538950"
"m4_95" = "1643862387"
"m3_242" = "3345366819"
"m2_137" = "1511622747"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m2_138" = "3246917034"
"m2_139" = "687249451"
"m3_153" = "3489919500"
"m3_152" = "1754350225"
"m3_151" = "52482914"
"m3_150" = "2612405239"
"m3_157" = "1874411504"
"m3_156" = "105417797"
"m3_155" = "2665356502"
"m3_154" = "963407291"
"m4_217" = "2895934309"
"m4_216" = "1160643576"
"m3_159" = "1016356506"
"m3_158" = "3609964399"
"m4_213" = "249738673"
"m4_212" = "2809415236"
"m4_211" = "1074124503"
"m4_210" = "3633801066"
"m1_179" = "1039006304"
"m1_178" = "3324821159"
"m1_173" = "1508520821"
"m1_172" = "2108396418"
"m1_171" = "4098277582"
"m1_170" = "298362072"
"m1_177" = "609659133"
"m1_176" = "405993850"
"m1_175" = "4290827756"
"m1_174" = "1511315810"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Stvncyfrlda]
"m1_9" = "1239228167"
"m4_245" = "4239434577"
"m4_218" = "336257746"
"m3_181" = "538419768"
"m1_8" = "3814596414"
"m2_211" = "1074119825"
"m2_108" = "2727812960"
"m2_206" = "987610530"
"m2_207" = "2722889748"
"m2_204" = "1811996131"
"m2_205" = "3547275483"
"m2_202" = "2636378306"
"m2_203" = "76693633"
"m2_200" = "3460766028"
"m2_201" = "901081447"
"m4_207" = "2722896163"
"m2_208" = "163222960"
"m2_209" = "1898505433"
"m3_148" = "3403350317"
"m4_236" = "1506719868"
"m2_58" = "1862606856"
"m2_59" = "3597907906"
"m3_149" = "843427928"
"m2_54" = "3511391702"
"m2_55" = "951702944"
"m2_56" = "2686993851"
"m2_57" = "127326908"
"m2_50" = "865199745"
"m2_51" = "2600477903"
"m2_52" = "40811817"
"m2_53" = "1776094341"
"m3_197" = "2532889800"
"m2_106" = "3552196052"
"m3_196" = "831399261"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Stvncyfrlda]
"m4_200" = "3460762920"
"m3_195" = "3357379118"
"m3_194" = "1622350515"
"m4_202" = "2636377090"
"m1_61" = "3725294921"
"m3_193" = "4215368452"
"m4_203" = "76700527"
"m3_192" = "2479946729"
"m3_191" = "711346298"
"m1_218" = "1173276524"
"m4_239" = "2417624771"
"m3_190" = "3270891727"
"m4_238" = "682334038"
"m4_138" = "3246919874"
"m4_139" = "687243311"
"m4_132" = "1425110068"
"m4_133" = "3160400801"
"m4_130" = "2249495898"
"m4_131" = "3984786631"
"m4_136" = "4071305704"
"m4_137" = "1511629141"
"m4_134" = "600724238"
"m4_135" = "2336014971"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Stvncyfrlda]
"m1_219" = "3157001026"
"m3_178" = "3955889123"
"m2_136" = "4071301803"
"m1_196" = "1947577680"
"m2_141" = "4157820627"
"m2_140" = "2422537924"
"m2_143" = "3333432626"
"m2_142" = "1598150272"
"m2_145" = "2509046279"
"m2_144" = "773764791"
"m4_58" = "1862614706"
"m4_59" = "3597905439"
"m4_56" = "2687000536"
"m4_57" = "127323973"
"m4_54" = "3511386366"
"m4_55" = "951709803"
"m4_52" = "40804900"
"m4_53" = "1776095633"
"m4_50" = "865190730"
"m4_51" = "2600481463"
"m3_172" = "2133964565"
"m1_37" = "2094550174"
"m1_36" = "959290607"
"m1_35" = "694745020"
"m1_34" = "728795437"
"m1_33" = "1386546615"
"m1_32" = "1535847198"
"m1_31" = "741168633"
"m1_30" = "2705499847"
"m3_188" = "4095393317"
"m3_189" = "1569401168"
"m1_39" = "1576713942"
"m1_38" = "504141973"
"m1_42" = "3129261703"
"m1_43" = "1429507624"
"m1_40" = "2519254793"
"m1_41" = "365033243"
"m1_46" = "3608946584"
"m1_47" = "3613009330"
"m1_44" = "3570152707"
"m1_45" = "2518571644"
"m1_48" = "3268774703"
"m1_49" = "510209295"
"m3_119" = "357998978"
"m3_118" = "2917414423"
"m3_117" = "1148946168"
"m3_116" = "3741914957"
"m3_115" = "2006935518"
"m3_114" = "237958307"
"m3_113" = "2797356340"
"m3_112" = "1096013209"
"m3_111" = "3655416426"
"m3_110" = "1886423807"
"m1_193" = "2852878053"
"m2_95" = "1643856261"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Stvncyfrlda]
"m1_192" = "4287227400"
"m4_243" = "768853111"
"m1_137" = "3898837036"
"m1_136" = "1385261906"
"m1_135" = "1264783045"
"m1_134" = "1104583541"
"m1_133" = "3493262352"
"m1_132" = "1484129166"
"m1_131" = "2683699738"
"m1_130" = "1151145631"
"m1_212" = "2926454941"
"m1_240" = "3584399361"
"m1_139" = "2320998406"
"m1_138" = "4051489144"
"m1_182" = "2689489590"
"m1_183" = "3936510854"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_181" = "31369542"
"m1_186" = "30714760"
"m1_187" = "4120110426"
"m1_184" = "2620117559"
"m1_185" = "156672439"
"m1_223" = "219404720"
"m1_222" = "761214660"
"m1_188" = "104850958"
"m1_189" = "2259157447"
"m1_227" = "1394906909"
"m1_226" = "897057508"
"m1_225" = "2949440528"
"m1_224" = "3973948682"
"m2_10" = "173033015"
"m2_11" = "1908333590"
"m2_12" = "3643620573"
"m2_13" = "1083948174"
"m2_14" = "2819227939"
"m2_15" = "259561945"
"m2_16" = "1994843127"
"m2_17" = "3730143029"
"m2_18" = "1170456670"
"m2_19" = "2905756253"
"m1_208" = "751474411"
"m3_71" = "2929954066"
"m3_70" = "1227955687"
"m3_73" = "2139008060"
"m3_72" = "369900673"
"m3_75" = "1280954054"
"m3_74" = "3840892843"
"m3_77" = "490007008"
"m3_76" = "3049946741"
"m3_79" = "3927378058"
"m3_78" = "2191956255"
"m2_242" = "3328525180"
"m2_243" = "768859850"
"m2_89" = "4117014067"
"m2_88" = "2381733832"
"m2_246" = "1679754438"
"m2_240" = "4152910615"
"m2_244" = "2504139048"
"m2_245" = "4239438821"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m2_82" = "559916044"
"m2_81" = "3119602951"
"m2_80" = "1384302528"
"m2_87" = "646432383"
"m2_86" = "3206105940"
"m2_85" = "1470819661"
"m2_84" = "4030501923"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_98" = "439610636"
"m3_238" = "698940799"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Stvncyfrlda]
"m3_232" = "3172438241"
"m3_233" = "578813980"
"m3_230" = "3963318727"
"m2_109" = "168126477"
"m3_236" = "1489883733"
"m3_237" = "3225308608"
"m3_234" = "2347938699"
"m3_235" = "4083360550"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Stvncyfrlda]
"m1_203" = "232942810"
"m4_12" = "3643619612"
"m4_13" = "1083943049"
"m4_10" = "173038146"
"m4_11" = "1908328879"
"m4_16" = "1994847952"
"m4_17" = "3730138685"
"m4_14" = "2819233782"
"m4_15" = "259557219"
"m2_105" = "1816898178"
"m2_104" = "81615602"
"m4_18" = "1170462122"
"m4_19" = "2905752855"
"m2_101" = "3465668795"
"m2_100" = "1730389232"
"m2_103" = "2641283716"
"m2_102" = "906000954"
"m2_178" = "3939069088"
"m2_179" = "1379401008"
"m2_170" = "2941644278"
"m2_171" = "381962245"
"m2_172" = "2117258868"
"m2_173" = "3852558189"
"m2_174" = "1292868060"
"m2_175" = "3028169184"
"m2_176" = "468484856"
"m2_177" = "2203783293"
"m4_161" = "208933773"
"m4_160" = "2768610336"
"m4_163" = "3679515239"
"m4_162" = "1944224506"
"m4_165" = "2855129409"
"m4_164" = "1119838676"
"m4_167" = "2030743579"
"m4_166" = "295452846"
"m4_169" = "1206357749"
"m4_168" = "3766034312"
[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F736C776F6366642F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
[HKCU\Software\Stvncyfrlda]
"m4_67" = "300362119"
"m4_66" = "2860038682"
"m4_65" = "1124747949"
"m4_64" = "3684424512"
"m4_63" = "1949133779"
"m4_62" = "213843046"
"m4_61" = "2773519609"
"m4_60" = "1038228876"
"m4_69" = "3770943585"
"m4_68" = "2035652852"
"m4_198" = "4285148750"
"m4_199" = "1725472187"
"m1_157" = "2243532928"
"m4_195" = "3374243847"
"m4_196" = "814567284"
"m4_197" = "2549858017"
"m4_190" = "3287724774"
"m4_191" = "728048211"
"m4_192" = "2463338944"
"m4_193" = "4198629677"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Worm modifies IE security zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
b3d4ccb5694b66458333bf73cc5cb088 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F1A1_Rar\%original file name%.exe |
9d67a955a3ae83966a95969d77009934 | c:\vreiwq.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1076
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\System.dll (11 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\SPTool.dll (101109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp (80185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CARRIER_ID[1] (892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F1A1_Rar\%original file name%.exe (69845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wgxb.exe (561 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Client Connect LTD
Product Name: Search Protect
Product Version: 3.1.2.6
Legal Copyright: (c) 2014 ClientConnect Ltd.
Legal Trademarks:
Original Filename: SearchProtect
Internal Name: Unknown
File Version: 3.1.2.6
File Description: Search Protect
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 25506 | 25600 | 4.51106 | 0ee1742ef01bb5e61c448d0122d416fb |
.rdata | 32768 | 6386 | 6656 | 3.3883 | 170563e94de7ebfd6e622a164ce38c8a |
.data | 40960 | 419484 | 512 | 0.991115 | 23d69b1e3a55dee07701198b7650a06b |
.ndata | 462848 | 2658304 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 3121152 | 167936 | 166912 | 4.35772 | 072fd53316d4a56137a4d917f6437c1c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://e3937.g.akamaiedge.net/spinstallersettings/3.1.2.6/test/ABTEST_SETTINGS_ID/carrierId/CARRIER_ID | |
hxxp://sp-settings.spccint.com/spinstallersettings/3.1.2.6/test/ABTEST_SETTINGS_ID/carrierId/CARRIER_ID | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /spinstallersettings/3.1.2.6/test/ABTEST_SETTINGS_ID/carrierId/CARRIER_ID HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-settings.spccint.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/json; charset=text/plain
Last-Modified: Wed, 06 Apr 2016 11:41:14 GMT
ETag: "bf29e8d43d5ca9542480eabe12f6d572"
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 892
Cache-Control: private, max-age=900
Expires: Wed, 04 May 2016 11:30:06 GMT
Date: Wed, 04 May 2016 11:15:06 GMT
Connection: keep-alive
{"InstallerSettings":{"CHExtension_Id":null,"CHExtension_LandingPage":null,"CHExtension_Name":null,"DEFAULT_CMD":"-carrier_type=CTID -carrier_id=CT3331172 -Platform=all -startpage=true -defaultsearch=true -install_time_revert=true","DUM":"2","InstallSPPDriver":null,"IsAUAllowednoTB":"true","LOST_USERS":"false","ObeyGoogleGuildlinesProviders":null,"PING":"false","ProtectionEnabled":null,"SERVICE_LOST_USERS":null,"SERVICE_NAMES":"[\"Cltmngsvc\",\"NSCltmngsvc\"]","TbExternalAssetsEnable":"false","UNINSTALL_PING":null},"AbTestSettings":{"Experiment":"","Variant":"","TestParameter":""},"CarrierSettings":{"CHExtensionMode":"false","RBuilder":"false","v_env":"true","v_env_10":"true","v_env_12":"false"},"signature":"JafLbVRhKFzcBuhF5Pus/Y7pC4neq9mv0hNpFErMakc0dHIAUsYtuLJ7Jx5rfYfSHRlRoDFrQunAvJw9OSTimEgCZWqH1yvV1olKFMQEhsOfriiDVIhxbBG lgd6VtITX/aQKdx5Ne1 lgBf9p9uRy/QDv6rzD3Xg7LkLxfxyc8="}
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_1140_rwx_00FF0000_00002000:
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
.rsrc
.rsrc
.text
.text
Explorer.EXE_1140_rwx_01E00000_00001000:
|explorer.exeM_1140_
|explorer.exeM_1140_