not-a-virus:AdWare.Win32.MultiPlug.oawt (Kaspersky), Win32.Ramnit.N (B) (Emsisoft), Win32.Ramnit.N (AdAware), Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 71edf02ea5a8e3b1ce54f78a09d13e28
SHA1: 121c437054be6cd53fa871338327d9b59bc60330
SHA256: f53f0b3e89855ebfae9221d8f15063d11f40043222b38dd973785ffdee2b29bc
SSDeep: 24576:J wTk15lz5bGVImgEfeGBdDmCSCSC iZqUNp2hZhj3op W:J sk1BGVIbajBt9pSC AChZhUL
Size: 1917946 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-19 02:05:34
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
regsvr32.exe:500
regsvr32mgr.exe:1388
The Worm injects its code into the following process(es):
Explorer.EXE:1684
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process regsvr32.exe:500 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp-log.txt (11204 bytes)
%System%\regsvr32mgr.exe (5442 bytes)
The process regsvr32mgr.exe:1388 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\system.ini (72 bytes)
Registry activity
The process regsvr32.exe:500 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF E6 43 81 4E 18 A5 90 A5 77 50 DC 1C C0 39 E3"
The process regsvr32mgr.exe:1388 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"35845605" = "343"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "91B7B29E83DF27BD845620F31F81699AEA234A0AF364777AFD8013C50880BEED261AF09F76D756B22D8490BFC624276D3076D4A74CC35D08D3701A2CD26E8FE302DFAECE118977A4B1E380EEB284A8F1F5762C79B4FF22C5F28C90BFC5888DEA3DA748B07164541111D2655DA3E285F8167DE1B62CBC7E30883AFB31B5B55DA8"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "198"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 68 46 21 CC 4A BC E5 FC 43 3C 3B 77 AD 63 CD"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32]
"regsvr32mgr.exe" = "%System%\regsvr32mgr.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
Dropped PE files
MD5 | File path |
---|---|
0ba74ebf12f69c3e97e999ccbfff6920 | c:\WINDOWS\system32\regsvr32mgr.exe |
HOSTS file anomalies
The Worm modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 734 bytes in size. The following entries are added to the hosts file:
IP address | Host name |
---|---|
127.0.0.1 | www.Brenz.pl |
Rootkit activity
The Worm installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:500
regsvr32mgr.exe:1388
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp-log.txt (11204 bytes)
%System%\regsvr32mgr.exe (5442 bytes)
%WinDir%\system.ini (72 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 336257 | 336384 | 4.41408 | 4353327e7c370382de563f088c87535e |
.rdata | 344064 | 89200 | 89600 | 3.45699 | b552b88f3a193d16770366517f446976 |
.data | 434176 | 323732 | 311808 | 0.734163 | c9dad4475d355df49a1ae8fcd0ce82d6 |
.rsrc | 761856 | 480 | 512 | 3.27493 | c31f0039ae1631f5712fd39f46c1dc92 |
.reloc | 765952 | 98700 | 98816 | 1.64638 | e8d3f58e4e0cbc1cdaf177bfb4f7045a |
.text | 868352 | 1081344 | 1079296 | 5.48309 | 9fd3f4c6cfbecd4a8c1da0071521f7e2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_1684_rwx_00EE0000_00002000:
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
Explorer.EXE_1684_rwx_00EF0000_00001000:
|explorer.exeM_1684_
|explorer.exeM_1684_