Trojan.Win32.Patched.la (Kaspersky), Trojan.Agent.AOMS (B) (Emsisoft), Trojan.Agent.AOMS (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 213eb3829509b5d4a3f5768867edcdc4
SHA1: 92d1671b63fce6c3cfd8dba571d858ed6ca8b455
SHA256: 047d3ab20fe3ef9565b92ce147f845580629e8824e3201d171cbc8bcb956ac0f
SSDeep: 24576:3h4brn/kG9Pwrn/POzMQGEvGHkZxZARDDtAi1PDxwQo79mRUwbSlcfSgQ n81v:3harn/x9Pwrn/POzMQGEvGHkoDtN1dwT
Size: 1308722 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: StdLib
Created at: 1970-01-02 09:19:01
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
taskkill.exe:1608
sc.exe:1432
sc.exe:1980
sc.exe:452
sc.exe:440
sc.exe:120
sc.exe:240
sc.exe:1688
net1.exe:704
net1.exe:372
system.exe:2008
net.exe:1796
net.exe:1312
Rundll32.exe:1664
Rundll32.exe:152
%original file name%.exe:1784
%original file name%.exe:744
cacls.exe:2040
The Trojan injects its code into the following process(es):
svchost.exe¡¡:488
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process svchost.exe¡¡:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\autorun.inf.exe (7547 bytes)
%WinDir%.exe (7547 bytes)
C:\totalcmd.exe (7547 bytes)
%Program Files%.exe (7547 bytes)
%Documents and Settings%.exe (7547 bytes)
C:\RECYCLER.exe (7547 bytes)
C:\System Volume Information.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\internet.fne (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\eAPI.fne (1620 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process system.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\ouekpl.dll (77 bytes)
%System%\bmbqql.dll (24 bytes)
The process Rundll32.exe:1664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\AAV\CDriver.sys (11 bytes)
The Trojan deletes the following file(s):
%Program Files%\AAV\CDriver.sys (0 bytes)
%Program Files%\AAV (0 bytes)
The process Rundll32.exe:152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
%System%\wininet.dll (0 bytes)
The process %original file name%.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\krnln.fnr (5442 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\e\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\autorun.inf\desktop.ini (65 bytes)
C:\temp.bat (72 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\e\autorun.inf\svchost.exe¡¡ (7547 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\autorun.inf\desktop.ini (65 bytes)
%Program Files%\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\autorun.inf\desktop.ini (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\internet.fne (196 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\autorun.inf\desktop.ini (65 bytes)
C:\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\autorun.inf\desktop.ini (65 bytes)
C:\CQ.bat (30 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\autorun.inf\desktop.ini (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\Md5.fne (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\eAPI.fne (1620 bytes)
%Program Files%\Windows Media Player\5\4\2\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\autorun.inf\desktop.ini (65 bytes)
The process %original file name%.exe:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\%original file name%.exe (7774 bytes)
%System%\system.exe (147 bytes)
Registry activity
The process taskkill.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B E0 DE B5 F1 46 2F 51 B6 E6 C8 8E CF 27 2C 4F"
The process svchost.exe¡¡:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 46 3F AE 20 4E 0D DF F5 52 94 AA 22 87 93 F0"
The process sc.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 B8 90 74 D8 DF 0F 58 CA FF 64 5D A0 FD 4E 99"
The process sc.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 73 08 05 F0 A9 0C 16 79 F5 21 95 9F 6F 88 F9"
The process sc.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 F9 68 D9 3D EF F8 DD EC 73 20 36 F8 2A DD 96"
The process sc.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 05 99 B2 FE 18 59 98 CE 3A FF AC B5 1A BB 70"
The process sc.exe:120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 52 37 82 2B 1B F2 AE 06 A8 0C FD A0 F3 AF FE"
The process sc.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 5B 0F E8 50 F5 D3 23 80 11 A5 08 AE 5A C8 31"
The process sc.exe:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 BC 9B 8C 23 5C ED A3 67 4E 90 BD 5A 0D 22 66"
The process net1.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 05 4D AF 78 E4 60 C7 06 84 A3 63 2C D8 DB 42"
The process net1.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 98 0B 0D 8C 7B 72 E0 32 D0 48 82 21 95 9C E7"
The process system.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D A9 46 92 AB 8C 6B CC CD D4 4C C3 B6 FA 09 BA"
The process net.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 1D C3 32 7A C9 B7 AA 92 07 FD 2E 04 98 22 D6"
The process net.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 28 CF 34 A4 BC 97 36 5A 37 1C 6B 6E 54 DE 88"
The process Rundll32.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 EA 15 0E BF D1 F8 FC 2A D4 7D 90 25 B1 77 11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name, which are not assigned to any zone, are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The process Rundll32.exe:152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 2F 06 53 1C 45 D9 6B 6C 3A 98 49 27 E7 30 1B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 5F B0 95 01 C8 87 6D 10 E1 29 AE 9A 3D 81 E7"
[HKCU\Software\LoveQ]
"First" = "closeQQ"
[HKCR\.exe¡¡]
"(Default)" = "exefile"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "Userinit,%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\e\autorun.inf\svchost.exe¡¡"
The process cacls.exe:2040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 C3 5F 5C F3 FB 1A 81 93 E9 7B 52 59 51 C9 23"
Dropped PE files
MD5 | File path |
---|---|
a1810ebd5da59c9b8db511e8cfbfdbcb | c:\Documents and Settings.exe |
7a4f775abb2f1c97def3e73afa2faedd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp |
992322b55f2684fe4c83b8e94dd54adb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\Md5.fne |
3102c454a9543e58fe3ad5f783f5a690 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\eAPI.fne |
c1180974dd8a7c6d9f8fcc13096b4f7a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\internet.fne |
4b30dbe1a79b2b7572ff637cb3765ced | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\krnln.fnr |
a1810ebd5da59c9b8db511e8cfbfdbcb | c:\Perl.exe |
a1810ebd5da59c9b8db511e8cfbfdbcb | c:\Program Files.exe |
a1810ebd5da59c9b8db511e8cfbfdbcb | c:\RECYCLER.exe |
a1810ebd5da59c9b8db511e8cfbfdbcb | c:\System Volume Information.exe |
a1810ebd5da59c9b8db511e8cfbfdbcb | c:\WINDOWS.exe |
dfd590c47f7b14a963d90357e143b019 | c:\WINDOWS\system32\bmbqql.dll |
483a8229bc8477ddda2a0381a378489e | c:\WINDOWS\system32\ouekpl.dll |
d43e0f4d26bc175d21816523a05d5cf1 | c:\WINDOWS\system32\system.exe |
a1810ebd5da59c9b8db511e8cfbfdbcb | c:\autorun.inf.exe |
a1810ebd5da59c9b8db511e8cfbfdbcb | c:\totalcmd.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:1608
sc.exe:1432
sc.exe:1980
sc.exe:452
sc.exe:440
sc.exe:120
sc.exe:240
sc.exe:1688
net1.exe:704
net1.exe:372
system.exe:2008
net.exe:1796
net.exe:1312
Rundll32.exe:1664
Rundll32.exe:152
%original file name%.exe:1784
%original file name%.exe:744
cacls.exe:2040
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\autorun.inf.exe (7547 bytes)
%WinDir%.exe (7547 bytes)
C:\totalcmd.exe (7547 bytes)
%Program Files%.exe (7547 bytes)
%Documents and Settings%.exe (7547 bytes)
C:\RECYCLER.exe (7547 bytes)
C:\System Volume Information.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\internet.fne (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\eAPI.fne (1620 bytes)
%System%\ouekpl.dll (77 bytes)
%System%\bmbqql.dll (24 bytes)
%Program Files%\AAV\CDriver.sys (11 bytes)
%System%\CatRoot2 (96 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\autorun.inf\desktop.ini (4 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%Program Files%\Windows Media Player\autorun.inf\desktop.ini (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
C:\$Directory (6236 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (300 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%WinDir%\Prefetch (2208 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\autorun.inf\desktop.ini (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (192 bytes)
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%Program Files%\autorun.inf\desktop.ini (4 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\autorun.inf\desktop.ini (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_65c.dat (16 bytes)
%Program Files%\Windows Media Player\5\4\2\autorun.inf\desktop.ini (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%Program Files%\Windows Media Player\5\4\autorun.inf\desktop.ini (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
C:\PROGRAM FILES (8 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\%current user%\LOCAL SETTINGS (16 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\autorun.inf\desktop.ini (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (8 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%System%\config\SysEvent.Evt (840 bytes)
%Program Files%\Windows Media Player\5\4\2\a\autorun.inf\desktop.ini (4 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\autorun.inf\desktop.ini (4 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\autorun.inf\desktop.ini (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\autorun.inf\desktop.ini (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%WinDir%\Web (4 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%System%\wbem\Logs\wbemcore.log (384 bytes)
%Program Files%\Common Files\System (4 bytes)
%WinDir%\Prefetch\PERL.EXE-28C02382.pf (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (8 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%System%\mui (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\Prefetch\RUNDLL32.EXE-29E6ED31.pf (20 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%System%\wbem\Logs\wbemess.log (768 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\Prefetch\SYSTEM.EXE-123095C8.pf (12 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%Program Files%\Windows Media Player\5\autorun.inf\desktop.ini (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (704 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\Prefetch\213EB3829509B5D4A3F5768867EDC-1375E030.pf (98 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%WinDir%\Web\printers (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (32 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%WinDir%\Registration (4 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
C:\autorun.inf\desktop.ini (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\autorun.inf\desktop.ini (4 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\autorun.inf\desktop.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\krnln.fnr (5442 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\e\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\autorun.inf\desktop.ini (65 bytes)
C:\temp.bat (72 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\e\autorun.inf\svchost.exe¡¡ (7547 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\autorun.inf\desktop.ini (65 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\autorun.inf\desktop.ini (65 bytes)
C:\CQ.bat (30 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\autorun.inf\desktop.ini (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\Md5.fne (28 bytes)
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\autorun.inf\desktop.ini (65 bytes)
C:\%original file name%.exe (7774 bytes)
%System%\system.exe (147 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "Userinit,%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\e\autorun.inf\svchost.exe¡¡"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ???
Product Name: ???
Product Version: 1.0.0.0
Legal Copyright: ??? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ???
Comments: ???
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 20480 | 20480 | 4.52066 | 2e50996cc73c4c2fb7ea8f79cf982b26 |
.rdata | 24576 | 4096 | 4096 | 2.46749 | e5615fe4c75b4f7ba6eaedb684bf431c |
.data | 28672 | 8192 | 8192 | 1.98389 | 65f79c130923371bceab73bb68dbb967 |
.data | 36864 | 278528 | 278528 | 4.10453 | 7206bc4a341e72c3ccdba98c5187619d |
.rsrc | 315392 | 81920 | 81920 | 3.50917 | d0790ff807797f436e5139b6e2bae844 |
xeobvl | 397312 | 4288 | 8192 | 2.50322 | 0c887607a8264a27fd74453b2c498969 |
(unnamed) | 405504 | 147456 | 147456 | 4.52882 | d43e0f4d26bc175d21816523a05d5cf1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Rundll32.exe_152:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
svchost.exe¡¡_488:
.text
`.rdata
@.data
.data
.rsrc
user32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
krnln.fne
krnln.fnr
E_N%X
1.1.3
%Program Files%\Windows Media Player\5\4\2\a\d\e\6\b\3\6\d\0\f\1\0\a\2\1\6\e\b\5\5\9\8\5\d\d\7\4\e\e\autorun.inf\svchost.exe
@.exe
?smtp.qq.com562489281laogong521562489281@QQ.COM562489281@QQ.COMcloseQQ[\|/]------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
\CQ.bat
taskkill /im qq.exe /f
\Users\All Users\QQ\registry.db
%Program Files%\Windows Media Player\
\temp.bat
cacls "%Program Files%\Windows Media Player\
autorun.inf\svchost.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
autorun.inf
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\desktop.ini
%Program Files%\Internet Explorer\IEXPLORE.EXE hXXps://account.qq.com/cgi-bin/auth_forget?ptlang=2052&ADUIN=0&ADSESSION=0&ADTAG=CLIENT.QQ.2173_ForgetPsw
%Program Files%\Internet Explorer\IEXPLORE.EXE hXXp://freeqqm.qq.com/?ptlang=2052&ADUIN=0&ADSESSION=0&ADTAG=CLIENT.QQ.2173_NewAccount_Btn
kernel32.dll
advapi32.dll
EnumChildWindows
==`,./;'[]-*
)!@#$%^&(~?:|{}_
1.0.0.0
svchost.exe¡¡_488_rwx_00409000_00001000:
@.exe
?smtp.qq.com562489281laogong521562489281@QQ.COM562489281@QQ.COMcloseQQ[\|/]------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
\CQ.bat
taskkill /im qq.exe /f
\Users\All Users\QQ\registry.db
%Program Files%\Windows Media Player\
\temp.bat
cacls "%Program Files%\Windows Media Player\
autorun.inf\svchost.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
autorun.inf
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\desktop.ini
%Program Files%\Internet Explorer\IEXPLORE.EXE hXXps://account.qq.com/cgi-bin/auth_forget?ptlang=2052&ADUIN=0&ADSESSION=0&ADTAG=CLIENT.QQ.2173_ForgetPsw
%Program Files%\Internet Explorer\IEXPLORE.EXE hXXp://freeqqm.qq.com/?ptlang=2052&ADUIN=0&ADSESSION=0&ADTAG=CLIENT.QQ.2173_NewAccount_Btn
user32.dll
kernel32.dll
advapi32.dll
EnumChildWindows
==`,./;'[]-*
)!@#$%^&(~?:|{}_