Trojan.Win32.Agent.aotn (Kaspersky), GenPack:Backdoor.Generic.196837 (B) (Emsisoft), GenPack:Backdoor.Generic.196837 (AdAware), GenericAutorunWorm.YR, TrojanFlySky.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 21d702cf1b50dbe5f0e4058cbaae7eb6
SHA1: 05634ea6592401c3ae553b469abc79e099532444
SHA256: 269f7d0fd31e709210ea695d667024c23dae972ca6f232f741ec87e943903b8b
SSDeep: 24576:TgUNuC/LtjWARyXpT9K32CA9/kSlLKvbsimyqxogWdUG8MI1QTO5eJw:T6CjtjncDK32CE/kSkbbmytT1FtTOIC
Size: 1494917 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: LLC "Bundle"
Created at: 1972-12-25 08:33:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the GenPack's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The GenPack creates the following process(es):
system.exe:1588
Rundll32.exe:1412
Rundll32.exe:508
sc.exe:268
%original file name%.exe:836
%original file name%.exe:608
The GenPack injects its code into the following process(es):
2ADE6B.EXE:1656
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process system.exe:1588 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%System%\ugwlwl.dll (57 bytes)
%System%\vodoxl.dll (19 bytes)
The process Rundll32.exe:1412 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%Program Files%\KAV\CDriver.sys (12 bytes)
%Program Files%\KAV\CDriver.Inf (4 bytes)
The GenPack deletes the following file(s):
%Program Files%\KAV\CDriver.sys (0 bytes)
%Program Files%\KAV (0 bytes)
%Program Files%\KAV\CDriver.Inf (0 bytes)
The process Rundll32.exe:508 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%WinDir%\Prefetch\WMIPRVSE.EXE-28F301A9.pf (90 bytes)
%System%\CatRoot2 (96 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
%WinDir%\pchealth\helpctr\System (4 bytes)
C:\$Directory (4380 bytes)
%System%\config (400 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%WinDir%\Prefetch (1440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\cnvpe.fne (61 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%System%\CatRoot (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System% (33372 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\eAPI.fne (1425 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%System%\10A216\shell.fne (40 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%Documents and Settings%\%current user%\MY DOCUMENTS (8 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%WinDir%\SoftwareDistribution\Download (45 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (396 bytes)
C:\ (12 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (24 bytes)
%System%\10A216\eAPI.fne (824 bytes)
%Documents and Settings%\ALL USERS (8 bytes)
%Program Files%\Movie Maker (4 bytes)
%System%\10A216 (12 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%Documents and Settings%\%current user%\Application Data\MICROSOFT (8 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%WinDir%\WinSxS (216 bytes)
%System%\10A216\spec.fne (601 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US (4 bytes)
%WinDir% (4624 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
C:\PROGRAM FILES (224 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_654.dat (24 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%Documents and Settings% (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%System%\10A216\RegEx.fnr (1281 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%System%\oobe (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%WinDir%\Temp (768 bytes)
%WinDir%\Installer (8 bytes)
%WinDir%\ime (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (1732 bytes)
%System%\10A216\spec_a.fne (601 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\pchealth\helpctr (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%WinDir%\Prefetch\TSHARK.EXE-2564C650.pf (106 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (8 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%WinDir%\Web (4 bytes)
C:\totalcmd (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%WinDir%\Prefetch\PERL.EXE-28C02382.pf (56 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (8 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles (8 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (2812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\shell.fne (40 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader (96 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%System%\42ADE6\DE6B36D0.TXT (896 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%System%\mui (4 bytes)
%WinDir%\REGISTRATION (8 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (12 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (32 bytes)
%System%\B55985\16eb.inf (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%System%\10A216\krnln.fnr (7433 bytes)
%Documents and Settings%\%current user%\Local Settings (24 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32 (28 bytes)
%System%\B55985\16eb.EDT (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%Program Files%\Adobe\Reader 9.0 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727 (1848 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (704 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%Documents and Settings%\%current user% (20 bytes)
%WinDir%\Web\printers (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\APPLICATION DATA (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\Help (248 bytes)
%WinDir%\security (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\dp1.fne (601 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo (4 bytes)
%System%\config\systemprofile (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (676 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5 (12 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\COMMON FILES (8 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%WinDir%\Prefetch\EXPLORER.EXE-082F38A9.pf (122 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%System%\B55985\0f10.inf (8 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
The process 2ADE6B.EXE:1656 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\2ADE6B.lnk (677 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (202 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (202 bytes)
%System%\B55985\0f10.inf (3856 bytes)
%System%\B55985\16eb.EDT (2008 bytes)
%System%\B55985\16eb.inf (2728 bytes)
The GenPack deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hit.gemius[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pass.yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
The process %original file name%.exe:836 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
C:\%original file name%.exe (6770 bytes)
%System%\system.exe (82 bytes)
The process %original file name%.exe:608 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%System%\10A216\2ADE6B.EXE (113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\shell.fne (40 bytes)
%System%\10A216\internet.fne (184 bytes)
%System%\10A216\krnln.fnr (7433 bytes)
%System%\10A216\shell.fne (40 bytes)
%System%\10A216\spec_a.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\cnvpe.fne (61 bytes)
%System%\42ADE6\DE6B36D0.TXT (7386 bytes)
%System%\10A216\spec.fne (69 bytes)
%System%\10A216\RegEx.fnr (217 bytes)
%System%\10A216\eAPI.fne (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\dp1.fne (114 bytes)
%System%\10A216\cnvpe.fne (61 bytes)
%System%\10A216\dp1.fne (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\eAPI.fne (323 bytes)
%System%\10A216\com.run (266 bytes)
Registry activity
The process Rundll32.exe:1412 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 36 A5 67 58 4F 7E 0E 5F 4F 1F 55 85 B1 69 27"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The GenPack modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The GenPack modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The GenPack modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process Rundll32.exe:508 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 DB 81 63 49 AF 47 0E 50 CC 57 D7 2D 8E 76 18"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The GenPack modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The GenPack modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The GenPack modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the GenPack adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"
The GenPack deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 2ADE6B.EXE:1656 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 D9 FC D3 FE BE 68 E8 55 DF 0F F7 B0 BB 95 4B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The GenPack deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
The process sc.exe:268 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 34 F0 81 5B C8 4B DA FE AE 21 89 14 66 8D 18"
The process %original file name%.exe:608 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 C9 D1 24 F3 57 69 71 00 5A EA DC 92 81 74 91"
Dropped PE files
| MD5 | File path |
|---|---|
| 65f74279df649cd85c80814cada8e682 | c:\%original file name%.exe |
| 7a4f775abb2f1c97def3e73afa2faedd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp |
| 0713e629d1c307791fa93d65791d2852 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\cnvpe.fne |
| bf9bd6ee5448a5ccb3571cbec6a96937 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\dp1.fne |
| f093fb986ed4204e86c1445efd17d08e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\eAPI.fne |
| 5d937119c44485d6c700d0e8a3e7ddbf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\krnln.fnr |
| 56738c76697df702dde485529bce2806 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\shell.fne |
| f8e766e9302ff8078a8facec829460c4 | c:\WINDOWS\system32\10A216\2ADE6B.EXE |
| a67daddcb30335163cf7d99f282f5ae0 | c:\WINDOWS\system32\10A216\RegEx.fnr |
| 0713e629d1c307791fa93d65791d2852 | c:\WINDOWS\system32\10A216\cnvpe.fne |
| ce2f773275d3fe8b78f4cf067d5e6a0f | c:\WINDOWS\system32\10A216\com.run |
| bf9bd6ee5448a5ccb3571cbec6a96937 | c:\WINDOWS\system32\10A216\dp1.fne |
| f093fb986ed4204e86c1445efd17d08e | c:\WINDOWS\system32\10A216\eAPI.fne |
| 299c26fb72a3d286cc24c4a9a9a4a693 | c:\WINDOWS\system32\10A216\internet.fne |
| 5d937119c44485d6c700d0e8a3e7ddbf | c:\WINDOWS\system32\10A216\krnln.fnr |
| 56738c76697df702dde485529bce2806 | c:\WINDOWS\system32\10A216\shell.fne |
| 8985d73f08638b4b48ecd30759c9e53f | c:\WINDOWS\system32\10A216\spec.fne |
| 96cd4e5e083c1e24bfcf59bd3d5716da | c:\WINDOWS\system32\10A216\spec_a.fne |
| 1483e7587bc21c4bea15011371f62dd9 | c:\WINDOWS\system32\system.exe |
| 00b41049f0dac0f7042f300625ca1de6 | c:\WINDOWS\system32\ugwlwl.dll |
| 16b0efea64681fabad574afff300265e | c:\WINDOWS\system32\vodoxl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the GenPack's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
system.exe:1588
Rundll32.exe:1412
Rundll32.exe:508
sc.exe:268
%original file name%.exe:836
%original file name%.exe:608 - Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
%System%\ugwlwl.dll (57 bytes)
%System%\vodoxl.dll (19 bytes)
%Program Files%\KAV\CDriver.sys (12 bytes)
%Program Files%\KAV\CDriver.Inf (4 bytes)
%WinDir%\Prefetch\WMIPRVSE.EXE-28F301A9.pf (90 bytes)
%System%\CatRoot2 (96 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
C:\$Directory (4380 bytes)
%System%\config (400 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\cnvpe.fne (61 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\eAPI.fne (1425 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%System%\10A216\shell.fne (40 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%Documents and Settings%\%current user%\MY DOCUMENTS (8 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (396 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%System%\10A216\eAPI.fne (824 bytes)
%Documents and Settings%\ALL USERS (8 bytes)
%Program Files%\Movie Maker (4 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%Documents and Settings%\%current user%\Application Data\MICROSOFT (8 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%System%\10A216\spec.fne (601 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
C:\PROGRAM FILES (224 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_654.dat (24 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%System%\10A216\RegEx.fnr (1281 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%System%\10A216\spec_a.fne (601 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%WinDir%\Prefetch\TSHARK.EXE-2564C650.pf (106 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (8 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%WinDir%\Web (4 bytes)
C:\totalcmd (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%WinDir%\Prefetch\PERL.EXE-28C02382.pf (56 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (8 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (2812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\shell.fne (40 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%System%\42ADE6\DE6B36D0.TXT (896 bytes)
%System%\mui (4 bytes)
%WinDir%\REGISTRATION (8 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (12 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (32 bytes)
%System%\B55985\16eb.inf (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%System%\10A216\krnln.fnr (7433 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%System%\B55985\16eb.EDT (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (704 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%WinDir%\Web\printers (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\APPLICATION DATA (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\security (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\dp1.fne (601 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (676 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\COMMON FILES (8 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%WinDir%\Prefetch\EXPLORER.EXE-082F38A9.pf (122 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%System%\B55985\0f10.inf (8 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\2ADE6B.lnk (677 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (202 bytes)
C:\%original file name%.exe (6770 bytes)
%System%\system.exe (82 bytes)
%System%\10A216\2ADE6B.EXE (113 bytes)
%System%\10A216\internet.fne (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\krnln.fnr (5442 bytes)
%System%\10A216\cnvpe.fne (61 bytes)
%System%\10A216\dp1.fne (601 bytes)
%System%\10A216\com.run (266 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 20972 | 24576 | 4.85178 | 05aac8002ab98e89e2af4347b5cae6d2 |
| .rdata | 28672 | 2634 | 4096 | 2.48139 | 367b7ce38d0c4c17f01e370dc697df5b |
| .data | 32768 | 8024 | 8192 | 3.21214 | 9c43ab279df84fb1875438acc741e69e |
| .data | 40960 | 413696 | 413696 | 5.53896 | f7390ffe96413d868e0a5ce503aee0d1 |
| .rsrc | 454656 | 15344 | 16384 | 2.36013 | 825a8015620dc174a1747b2d60c4feb4 |
| mnbmpbh | 471040 | 4288 | 8192 | 2.50327 | 6405f5726a73e0fd37de3d9e4e169df6 |
| 479232 | 82432 | 86016 | 4.25099 | 96906064878a7c60258c016c5db270fb |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The GenPack connects to the servers at the folowing location(s):
Strings from Dumps
Rundll32.exe_508:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
IMAGEHLP.dll
IMAGEHLP.dll
rundll32.pdb
rundll32.pdb
.....eZXnnnnnnnnnnnn3
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
O3$dS7"%U9
.manifest
.manifest
5.1.2600.5512 (xpsp.080413-2105)
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
RUNDLL.EXE
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
YThere is not enough memory to run the file %s.
YThere is not enough memory to run the file %s.
Please close other windows and try again.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Error in %s
Missing entry:%s
Missing entry:%s
Error loading %s
Error loading %s
2ADE6B.EXE_1656:
.text
.text
.rdata
.rdata
@.data
@.data
.rsrc
.rsrc
krnln.fnr
krnln.fnr
krnln.fne
krnln.fne
USER32.dll
USER32.dll
KERNEL32.dll
KERNEL32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
@@shdocvw.dll
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
Recycled.exe
Recycled.exe
.cn/ul.htm
.cn/ul.htm
hXXp://
hXXp://
.com/ul.htm
.com/ul.htm
[%s%]
[%s%]
[%f%]
[%f%]
:\autorun.inf
:\autorun.inf
shellexecute
shellexecute
&7http
&7http
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
shlwapi.dll
shlwapi.dll
user32.dll
user32.dll
OLEACC.DLL
OLEACC.DLL
keybd_event
keybd_event
WebBrowser
WebBrowser
2ADE6B.EXE_1656_rwx_00401000_00001000:
krnln.fnr
krnln.fnr
krnln.fne
krnln.fne
2ADE6B.EXE_1656_rwx_00403000_0001B000:
@@shdocvw.dll
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
Recycled.exe
Recycled.exe
.cn/ul.htm
.cn/ul.htm
hXXp://
hXXp://
.com/ul.htm
.com/ul.htm
[%s%]
[%s%]
[%f%]
[%f%]
:\autorun.inf
:\autorun.inf
shellexecute
shellexecute
&7http
&7http
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
shlwapi.dll
shlwapi.dll
user32.dll
user32.dll
OLEACC.DLL
OLEACC.DLL
keybd_event
keybd_event
WebBrowser
WebBrowser
2ADE6B.EXE_1656_rwx_011E1000_00030000:
t.It It
t.It It
.tTPV
.tTPV
FTPjK
FTPjK
FtPj;
FtPj;
F.PjRWj
F.PjRWj
u.WWj
u.WWj
u.VVj
u.VVj
2ADE6B.EXE_1656_rwx_10001000_000C2000:
|$D.tm
|$D.tm
~%UVW
~%UVW
L$$SSh
L$$SSh
t%SVh
t%SVh
t$(SSh
t$(SSh
u$SShe
u$SShe