Win32.Sality.3_90a914dd99 – Adaware

Trojan.Win32.Agentb.aanb (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Swrort.3.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Worm, Virus, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 90a914dd9913e7158f5c079030668d5d

SHA1: 0be834a9e2d3badbb543321e56e10290b2831596

SHA256: 2ab4b5f6b1d98c7dfd68581e4057ca2d2a9b83336c88d68589d9054bd70ba29d

SSDeep: 12288:VTyjXW 48qWywrU4kGFezOAVuJ5PINww7F5DO3HYffh2vTH:ZIXW/8yw1ez54lItF5SXYHh0H

Size: 758427 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2011-01-18 16:44:33

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:704

The Trojan injects its code into the following process(es):

rundll32.exe:1056
Explorer.EXE:532

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:704 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (5441 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar (0 bytes)

The process rundll32.exe:1056 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000CBB85_Rar\rundll32.exe (5441 bytes)

Registry activity

The process %original file name%.exe:704 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Aas]
"a4_116" = "831618036"
"a3_149" = "1051199068"
"a3_148" = "1044210237"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a3_78" = "542637991"
"a3_79" = "549622726"
"a3_72" = "533156193"
"a3_73" = "506656128"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Aas]
"a3_71" = "525712590"
"a3_76" = "561686245"
"a3_77" = "568613636"
"a3_74" = "513568291"
"a3_75" = "554631746"
"a3_152" = "1106310065"
"a3_153" = "1080268752"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a3_154" = "1087178867"
"a3_155" = "1127787666"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a2_59" = "422982872"
"a2_58" = "415799606"
"a2_53" = "379969460"
"a2_52" = "372801337"
"a2_51" = "365618531"
"a2_50" = "358453144"
"a2_57" = "408633617"
"a2_56" = "401468839"
"a2_55" = "394299472"
"a2_54" = "387134097"
"a4_55" = "394301655"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"
"a4_52" = "372794292"

[HKCU\Software\Aas\695404737]
"50183847" = "7374DA7B4CB6B8BEA6353FFA4E6A0EBD13A1BBA13D882624F171304B4452F2B6D354D7AF2253C465A533BE00222BFE3FF7E8F1F2A055267764C0820B45B0D6343781D54D569FBFF3F20A9EC53F3B06F20E30DA8DE1B970E96E0A2E102FDF1BBB4F8917852ECD77AE573144FB4CA9F7D9E600166CD9DF1E1AF69E566E24112410"

[HKCU\Software\Aas]
"a4_59" = "422978139"
"a4_58" = "415809018"
"a3_135" = "950830350"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas]
"a3_94" = "690598327"
"a3_95" = "698045910"
"a3_96" = "671534665"
"a3_97" = "678453992"
"a3_90" = "662052915"
"a3_91" = "669107282"
"a3_92" = "643004661"
"a3_93" = "649993492"
"a3_98" = "685967115"
"a3_99" = "726580138"
"a1_138" = "3767915578"
"a1_139" = "4098051861"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a1_130" = "4248472063"
"a2_155" = "1111220172"
"a1_131" = "3414221539"
"a2_153" = "1096868927"
"a2_152" = "1089701710"
"a2_99" = "709739566"
"a2_98" = "702575871"
"a2_97" = "695408273"
"a2_96" = "688242367"
"a2_95" = "681060116"
"a2_94" = "673906260"
"a2_93" = "666722820"
"a2_92" = "659557127"
"a2_91" = "652392892"
"a2_90" = "645223498"
"a4_151" = "1082537271"
"a4_150" = "1075368150"
"a4_153" = "1096875513"
"a4_152" = "1089706392"
"a4_155" = "1111213755"
"a4_154" = "1104044634"
"a1_58" = "2978767031"
"a1_59" = "1948942902"
"a1_56" = "2342288737"
"a1_57" = "2858909479"
"a1_54" = "2042258888"
"a1_55" = "1495675559"
"a1_52" = "4048879594"
"a1_53" = "1473469772"
"a1_50" = "2111704480"
"a1_51" = "3695325421"
"a3_136" = "991836577"
"a1_155" = "1945735382"
"a3_43" = "324843106"
"a3_42" = "284237251"
"a3_41" = "277248416"
"a3_40" = "269796609"
"a3_47" = "353765350"
"a3_46" = "313221959"
"a3_45" = "305778468"
"a3_44" = "332278405"
"a1_132" = "1117229897"
"a1_133" = "3874582488"
"a3_49" = "368270520"
"a3_48" = "360822809"
"a1_136" = "463649362"
"a2_119" = "853130768"
"a1_134" = "4278971016"
"a1_135" = "2772783844"
"a4_99" = "709742979"
"a4_98" = "702573858"
"a2_118" = "845959889"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a3_109" = "798021476"
"a3_108" = "790966981"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a3_101" = "707522668"
"a3_100" = "733503437"
"a3_103" = "754977070"
"a3_102" = "714511503"
"a3_105" = "769475040"
"a3_104" = "762555713"
"a3_107" = "750493346"
"a3_106" = "742980099"
"a2_113" = "810118713"
"a2_112" = "802933559"

"a3_70" = "485103791"
"a2_110" = "788610250"
"a2_117" = "838794664"
"a2_116" = "831612363"
"a2_115" = "824446666"
"a2_114" = "817277599"
"a2_144" = "1032350139"
"a1_104" = "607441841"
"a2_145" = "1039517531"
"a2_146" = "1046685741"
"a2_147" = "1053866261"
"a2_140" = "1003679905"
"a2_141" = "1010854322"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a2_142" = "1018016234"
"a2_143" = "1025181667"
"a3_150" = "1092336383"
"a3_151" = "1099259678"
"a3_133" = "970345548"

[HKCU\Software\Aas\695404737]
"35845605" = "367"

[HKCU\Software\Aas]
"a3_116" = "814879197"
"a3_117" = "821922428"
"a3_114" = "834001179"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_115" = "807894458"
"a1_89" = "288499719"
"a1_88" = "3725461814"
"a1_85" = "858988136"
"a1_84" = "2359230873"
"a1_87" = "3000977484"
"a1_86" = "406110915"
"a1_81" = "2863634940"
"a1_80" = "1372199662"
"a1_83" = "1124493734"

"a3_110" = "771902343"
"a2_128" = "917646045"
"a2_129" = "924824056"
"a2_126" = "903315333"
"a2_127" = "910487346"
"a2_124" = "888965297"
"a3_111" = "778955814"
"a2_122" = "874630552"
"a2_123" = "881794635"
"a2_120" = "860297772"
"a2_121" = "867461936"
"a1_67" = "461340971"
"a1_66" = "4106376505"
"a1_65" = "3170945634"
"a1_64" = "2950582829"
"a1_63" = "2219207046"
"a1_62" = "3487412795"
"a1_61" = "211409830"
"a1_60" = "873425128"
"a3_138" = "1006335587"
"a3_139" = "979823234"
"a1_69" = "1899251483"
"a1_68" = "2682665734"
"a1_12" = "1327564497"
"a1_13" = "3304576595"
"a1_10" = "2829770515"
"a1_11" = "2198744957"
"a1_16" = "83704404"
"a1_17" = "669489697"
"a1_14" = "718236021"
"a1_15" = "1199964620"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a1_18" = "2018944401"
"a1_19" = "4255909989"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a2_48" = "344116878"
"a2_49" = "351281456"
"a4_140" = "1003676940"
"a2_40" = "286765770"
"a2_41" = "293930310"
"a2_42" = "301099450"
"a2_43" = "308266732"
"a2_44" = "315449595"
"a2_45" = "322616222"
"a2_46" = "329785186"
"a2_47" = "336951016"
"a4_148" = "1061029908"
"a4_146" = "1046691666"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_48" = "344117808"
"a4_49" = "351286929"
"a4_137" = "982169577"
"a4_136" = "975000456"
"a4_147" = "1053860787"
"a3_140" = "986812197"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a1_103" = "2165118280"
"a4_145" = "1039522545"
"a4_139" = "996507819"
"a1_102" = "3973547763"
"a4_138" = "989338698"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKCU\Software\Aas]
"a4_131" = "939154851"
"a1_101" = "1590031870"
"a4_149" = "1068199029"
"a3_141" = "1027810116"
"a2_88" = "630887589"
"a2_89" = "638058068"
"a2_84" = "602209011"
"a2_85" = "609373463"
"a2_86" = "616541761"
"a2_87" = "623720765"
"a2_80" = "573537141"
"a3_34" = "260325067"
"a2_82" = "587859737"
"a2_83" = "595045156"
"a4_124" = "888971004"
"a4_125" = "896140125"
"a1_29" = "3519163567"
"a1_28" = "2874283239"
"a4_120" = "860294520"
"a4_121" = "867463641"
"a4_122" = "874632762"
"a4_123" = "881801883"
"a1_23" = "334921463"
"a1_22" = "3523662351"
"a1_21" = "3268050597"
"a1_20" = "287967198"
"a1_27" = "919025986"
"a1_26" = "1083642280"
"a1_25" = "437289997"
"a1_24" = "1427379021"
"a4_141" = "1010846061"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Msversion" = "2007"

[HKCU\Software\Aas]
"a3_50" = "341766363"
"a3_51" = "348755322"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a3_58" = "432789459"
"a3_59" = "406145138"
"a1_127" = "554158038"
"a1_126" = "1543010176"
"a1_121" = "3161097861"
"a1_120" = "1179115185"
"a1_123" = "2259162590"
"a1_122" = "652688995"

"a2_111" = "795778256"
"a2_31" = "222248128"
"a2_30" = "215079437"
"a2_33" = "236580234"
"a2_32" = "229420462"
"a2_35" = "250913388"
"a2_34" = "243748455"
"a2_37" = "265264233"
"a2_36" = "258082523"
"a2_39" = "279612292"
"a2_38" = "272431906"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_71" = "509007591"
"a4_70" = "501838470"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a1_137" = "3758288211"
"a4_86" = "616544406"
"a4_87" = "623713527"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_80" = "573529680"
"a4_81" = "580698801"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Aas]
"a4_88" = "630882648"
"a4_89" = "638051769"
"a2_100" = "716906516"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKCU\Software\Aas]
"a1_150" = "2389226232"
"a1_151" = "3878438399"

[HKCU\Software\Aas\695404737]
"7169121" = "123"

[HKCU\Software\Aas]
"a1_153" = "2635771470"
"a1_154" = "2304537359"
"a2_102" = "731242634"
"a2_103" = "738423864"
"a2_104" = "745594442"
"a2_105" = "752760363"
"a2_106" = "759924717"
"a2_107" = "767093650"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Aas]
"a1_96" = "2706232892"
"a2_131" = "939148475"
"a2_130" = "931977839"
"a2_133" = "953497608"
"a2_132" = "946330345"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas]
"a2_135" = "967833655"
"a2_134" = "960667564"
"a1_107" = "782952190"
"a2_137" = "982166078"
"a1_106" = "1330558835"
"a2_136" = "974996571"
"a1_105" = "374304375"
"a1_98" = "4140502380"
"a1_99" = "576557497"
"a1_92" = "3342425486"
"a1_93" = "1586062086"
"a1_90" = "3772481185"
"a1_91" = "2605829941"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_97" = "243029257"
"a1_94" = "2923823450"
"a1_95" = "1751234470"
"a2_75" = "537686819"
"a2_74" = "530520955"
"a2_77" = "552021916"
"a2_76" = "544855771"
"a2_71" = "509001822"
"a2_70" = "501830171"
"a2_73" = "523338838"
"a2_72" = "516168479"
"a2_139" = "996515073"
"a2_138" = "989333167"
"a1_100" = "666273977"
"a2_79" = "566355000"
"a2_78" = "559188494"
"a1_74" = "1130615635"
"a1_75" = "690686929"
"a1_76" = "1473609080"
"a1_77" = "1415501028"
"a1_70" = "3708589279"
"a1_71" = "406658711"
"a1_72" = "2609427981"
"a1_73" = "1914291475"
"a3_129" = "907869896"
"a3_128" = "934369961"
"a1_78" = "2047195226"
"a1_79" = "3775692182"
"a3_123" = "898388146"
"a3_122" = "891468819"
"a3_121" = "850861040"
"a3_120" = "843343697"
"a1_109" = "4039422960"
"a3_127" = "927442486"
"a1_108" = "3707482032"
"a3_126" = "886312343"
"a1_0" = "3299283285"
"a3_125" = "879323508"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Aas]
"a3_124" = "905966805"
"a1_2" = "919573244"
"a1_3" = "828583069"
"a1_4" = "1716250833"
"a1_5" = "3190497201"
"a1_6" = "4262868475"
"a1_7" = "3989152233"
"a3_29" = "224867540"
"a3_28" = "183865525"
"a1_116" = "3400036303"
"a1_117" = "2274793752"
"a1_110" = "3972584301"
"a1_111" = "4274369659"
"a1_112" = "2328916030"
"a1_9" = "2841996467"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
"a3_26" = "169827315"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a2_81" = "580705275"
"a4_126" = "903309246"
"a4_127" = "910478367"
"a3_112" = "785940569"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Aas]
"a4_128" = "917647488"
"a4_129" = "924816609"
"a3_113" = "826942712"
"a2_101" = "724078348"
"a1_38" = "1132573485"
"a1_39" = "1539644586"
"a4_135" = "967831335"
"a4_134" = "960662214"
"a4_133" = "953493093"
"a4_132" = "946323972"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_130" = "931985730"
"a1_30" = "529336622"
"a1_31" = "2422352769"
"a1_32" = "4085025691"
"a1_33" = "1907857644"
"a1_34" = "3810007350"
"a1_35" = "2438776411"
"a1_36" = "1432891901"
"a1_37" = "2377724742"
"a2_108" = "774273145"
"a2_109" = "781428138"
"a3_69" = "478110732"
"a3_68" = "470664173"
"a3_65" = "449123976"
"a3_64" = "442135145"
"a3_67" = "497168202"
"a3_66" = "489720619"
"a3_61" = "454263092"
"a3_60" = "413199509"
"a3_63" = "468244982"
"a3_62" = "461186391"
"a1_1" = "1129195820"
"a2_28" = "200730131"
"a2_29" = "207912552"
"a2_26" = "186389520"
"a2_27" = "193560706"
"a2_24" = "172051666"
"a2_25" = "179236332"
"a2_22" = "157725604"
"a2_23" = "164897149"
"a2_20" = "143379590"
"a2_21" = "150546381"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a2_7" = "50176139"
"a2_6" = "43022529"
"a2_5" = "35843210"
"a2_4" = "28675097"
"a2_3" = "21510054"
"a2_2" = "14341597"
"a2_1" = "7175664"
"a2_0" = "9832"
"a2_9" = "64524712"

"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a1_143" = "2964332635"
"a1_142" = "146780567"
"a1_141" = "3395938350"
"a1_140" = "3014508375"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a1_145" = "2303971897"
"a1_144" = "2222538468"
"a3_52" = "389745053"
"a1_129" = "995106232"
"a2_8" = "57360237"
"a1_128" = "652215625"
"a3_87" = "607024862"
"a3_86" = "633131711"
"a3_85" = "626081308"
"a3_84" = "585598461"
"a3_83" = "578085210"
"a3_82" = "571034939"
"a3_81" = "597665944"
"a3_80" = "590099577"
"a2_154" = "1104036235"
"a1_149" = "778815788"
"a3_89" = "654610320"
"a3_88" = "614067057"
"a1_125" = "2391700498"
"a1_148" = "3272558557"
"a1_124" = "1282967730"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 4F AF 14 B9 B4 62 24 30 7A BF 83 80 16 7D B2"

[HKCU\Software\Aas]
"a2_125" = "896147114"
"a1_147" = "2152383229"
"a1_146" = "1203558022"
"a1_8" = "4063377757"
"a1_82" = "3641669083"
"a2_62" = "444487128"
"a2_63" = "451646997"
"a2_60" = "430152535"
"a2_61" = "437319392"
"a2_66" = "473169273"
"a2_67" = "480339762"
"a2_64" = "458833036"
"a2_65" = "465987462"
"a2_68" = "487492329"
"a2_69" = "494671494"
"a2_148" = "1061035752"
"a2_149" = "1068200424"
"a1_41" = "2467347674"
"a1_40" = "1971514006"
"a1_43" = "1653158786"
"a1_42" = "83234739"
"a1_45" = "404128563"
"a1_44" = "3231434740"
"a1_47" = "3068893843"
"a1_46" = "1480344229"
"a1_49" = "2276740806"
"a1_48" = "2207619950"
"a4_144" = "1032353424"

[HKCU\Software\Aas\695404737]
"43014726" = "0900687474703A2F2F70656C63706177656C2E666D2E696E74657269612E706C2F6C6F676F732E67696600687474703A2F2F636869636F73746172612E636F6D2F6C6F676F662E67696600687474703A2F2F73756577796C6C69652E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F646577706F696E742D65672E636F6D2F696D616765732F6C6F676F73612E67696600687474703A2F2F7777772E6365796C616E6F67756C6C6172692E636F6D2F6C6F676F662E67696600687474703A2F2F7777772E626C7565637562656372656174697665732E636F6D2F6C6F676F732E67696600687474703A2F2F37323468697A6D6574677275702E636F6D2F696D616765732F6C6F676F73612E67696600687474703A2F2F796176757A74756E63696C2E79612E66756E7069632E64652F696D616765732F6C6F676F732E67696600687474703A2F2F6365766174706173612E636F6D2F696D616765732F6C6F676F732E676966"

[HKCU\Software\Aas]
"a4_142" = "1018015182"
"a4_143" = "1025184303"
"a3_118" = "862924447"
"a3_119" = "869974846"
"a1_114" = "4010823525"
"a1_115" = "1713967243"
"a3_36" = "241268621"
"a3_37" = "248309804"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_35" = "267899754"
"a3_32" = "212854281"
"a3_33" = "253401768"
"a3_30" = "231909751"
"a3_31" = "205278614"
"a1_113" = "630860932"
"a3_38" = "289377359"
"a3_39" = "296296686"

"a3_130" = "915379051"
"a3_131" = "922302346"
"a1_118" = "1153902031"

"a3_132" = "962897965"
"a1_119" = "3599727070"
"a2_17" = "121878223"
"a2_16" = "114711323"
"a2_15" = "107528834"
"a2_14" = "100363147"
"a2_13" = "93192567"
"a2_12" = "86026347"
"a2_11" = "78858924"
"a2_10" = "71683025"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a3_134" = "943841519"
"a2_19" = "136212468"
"a2_18" = "129044565"
"a4_11" = "78860331"
"a4_10" = "71691210"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a3_137" = "998890944"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Aas]
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a2_151" = "1082532560"
"a2_150" = "1075365891"
"a3_145" = "1022800088"
"a3_144" = "1015749817"
"a3_147" = "1070844314"
"a3_146" = "1063277947"
"a4_119" = "853125399"
"a4_118" = "845956278"
"a3_143" = "1008236550"
"a3_142" = "1034864615"
"a1_152" = "3769055733"
"a4_117" = "838787157"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

The process rundll32.exe:1056 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 6C 4D AB 83 CA 5A 1F 86 73 98 FE 70 ED 9F DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

Dropped PE files

MD5	File path
82005fbde52b06c6744ad8176be2033b	c:\jogxxk.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:704
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB85_Rar\rundll32.exe (5441 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	569841	569856	4.61292	0fd9e616a22ca25c8dd4ffc4fe8d4bb7
.rdata	577536	58474	58880	3.75497	e40dfac2aa919c953afc3e5f529b3350
.data	638976	36632	10752	2.54749	e27b8dce8893e88554c3004d7188b557
.rsrc	675840	114688	113664	5.13211	082e6788da8a78037318b9731b0f74f2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
0765c49460a50e4d83dd490686641e45

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

rundll32.exe_1056:

.text

.rdata

.data

.rsrc

!"#$%%&'())* ,-./0123456789:;

T$%UR

RSSh

RSSh@SI

xSSSh

FTPjKS

FtPj;S

C.PjRV

portuguese-brazilian

GetProcessWindowStation

operator

AutoHotkey

AppsKey

ListHotkeys

KeyHistory

DetectHiddenWindows

SetKeyDelay

KeyWait

GetKeyState

URLDownloadToFile

MsgBox

IfMsgBox

Hotkey

AHK Keybd

Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.

Modifiers (Hook's Logical) = %s

Modifiers (Hook's Physical) = %s

Prefix key is down: %s

NOTE: Only the script's own keyboard events are shown

(not the user's), because the keyboard hook isn't installed.

NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)

The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist, U=Unicode character (SendInput).

E7 X

X X

%u hotkeys have been received in the last %ums.

(see #MaxHotkeysPerInterval in the help file)

Nonexistent hotkey. The current thread will exit.

Nonexistent hotkey variant (IfWin). The current thread will exit.

Max hotkeys.

The AltTab hotkey "%s" must specify which key (L or R).

The AltTab hotkey "%s" must have exactly one modifier/prefix.

"%s" is not allowed as a prefix key.

"%s" is not a valid key name. The current thread will exit.

SCx

%s[%Iu of %Iu]: %-1.60s%s

%s[Object]: 0x%p

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%s\%s

AutoHotkey2

Critical Error: %s

=/|^,:*&~!()[] -?."'\;`{}

>AUTOHOTKEY SCRIPT

Could not extract script from EXE.

=/|^,:

=/|^,:. -*&!?~

Join

Hotkeys/hotstrings are not allowed inside functions.

Duplicate hotkey.

Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.

*%s::

if not GetKeyState("%s")

{Blind}%s%s{%s DownTemp}

*%s up::

{Blind}{%s Up}

#InstallKeybdHook

#HotkeyModifierTimeout

#HotkeyInterval

#MaxHotkeysPerInterval

#MaxThreadsPerHotkey

#KeyHistory

#MenuMaskKey

: -*/|&^.

=/|^,:*&~!()[] -?."

Invalid hotkey.

"%s" requires at least %d parameter%s.

"%s" requires that parameter #%u be non-blank.

=/|^,:*&~!()[]"

=/|^,:*&~!()[] -?

Unsupported use of "."

=/|^,:*&~!()[] -?.

Unsupported parameter default.

HasKey

detecthiddenwindows

keydelay

subkey

thishotkey

priorhotkey

timesincethishotkey

timesincepriorhotkey

Unsupported use of "["

Too many parameters passed to function.

Too few parameters passed to function.

%s%s%s

%%%s%s%s

Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.

if %s %s %s and %s

%s%s %s %s

For %s,%s in %s

%s (%d) : ==> %s

Specifically: %s

in #include file "%s"

%s%s:%s %-1.500s

Specifically: %-1.100s%s

Error at line %u

Line Text: %-1.100s%s

Local Variables for %s()%s

%sGlobal Variables (alphabetical)%s

Window: %s

Keybd hook: %s

Mouse hook: %s

Enabled Timers: %u of %u (%s)

Interrupted threads: %d%s

Paused threads: %d of %d (%d layers)

Modifiers (GetKeyState() now) = %s

Key History has been disabled via #KeyHistory 0.

System verbs unsupported with RunAs. The current thread will exit.

%s %s

.exe.bat.com.cmd.hta

Verb:

Action: %s

Params:

EndKey:

0xX

%sLeft

%sTop

%sRight

%sBottom

\AU3_Spy.exe"

%sAU3_Spy.exe"

\AutoHotkey.chm"

%sAutoHotkey.chm"

hh.exe

hXXp://VVV.autohotkey.com

Could not open URL hXXp://VVV.autohotkey.com in default browser.

SOFTWARE\AutoHotkey

AutoHotkey v1.0.92.02

set cdaudio door %s wait

open %s type cdaudio alias cd wait shareable

set cd door %s wait

\\.\%c:

Mixer Doesn't Support This Component Type

Component Doesn't Support This Control Type

open "%s" alias AHK_PlayMe

Select File - %s

%s%c%sÃŠll Files (*.*)%c*.*%c

All Files (*.*)

Text Documents (*.txt)

*.txt

1.0.92.02

\AutoHotkey.exe

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Pos%s

Len%s

Pos%d

Len%d

Compile error %d at offset %d: %s

RunAs: Missing advapi32.dll. The current thread will exit.

0.0.0.0

InternetOpenUrlA

Select Folder - %s

%u.%u.%u.%u

0xX -

%s%ws

AutoHotkeyGUI

%dGui

Button%s

msctls_hotkey32

Report

Password

vkX

Supported only for the tray menu The current thread will exit.

&Suspend Hotkeys

dddddd

GdiplusShutdown

The following %s name contains an illegal character:

"%-1.300s"%s

The maximum number of MsgBoxes has been reached.

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with PCRE_UCP support

Error text not found (please report)

WSOCK32.dll

WINMM.dll

VERSION.dll

COMCTL32.dll

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardLayout

SetWindowsHookExA

UnhookWindowsHookEx

RegisterHotKey

UnregisterHotKey

GetAsyncKeyState

GetKeyboardState

SetKeyboardState

keybd_event

VkKeyScanExA

GetKeyNameTextA

MapVirtualKeyA

EnumChildWindows

EnumWindows

ExitWindowsEx

USER32.dll

GDI32.dll

COMDLG32.dll

RegCloseKey

RegOpenKeyExA

RegQueryInfoKeyA

RegEnumKeyExA

RegCreateKeyExA

RegDeleteKeyA

ADVAPI32.dll

ShellExecuteExA

SHFileOperationA

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

GetProcessHeap

zcÃ

-()[]{}:;'"/\,.?!

%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe

%Documents and Settings%\%current user%\Application Data\Microsoft\Office

#%'''

"%Â

$-8GGhnsrr}

$-9GGggs}s

%Mgr.RhY4RfE5Qd:f

PAPADDINGXXPADDINGPADD

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\000CBB85_Rar\rundll32.exe

rundll32.exe

%UzU_

hXXp://pelcpawel.fm.interia.pl/logos.gif

hXXp://chicostara.com/logof.gif

hXXp://suewyllie.com/images/logos.gif

hXXp://dewpoint-eg.com/images/logosa.gif

hXXp://VVV.ceylanogullari.com/logof.gif

hXXp://VVV.bluecubecreatives.com/logos.gif

hXXp://724hizmetgrup.com/images/logosa.gif

hXXp://yavuztuncil.ya.funpic.de/images/logos.gif

hXXp://cevatpasa.com/images/logos.gif

4/images/logos.gif

uCo9%f

%F`;O

hXXp://89.11

.info/home.gifI

W.text

L32.dll

^p.At%

rnl.exe?

= =$=(=,=0=4=8=

rv:1.9.2.3)

.NEtCLR

.klkjw:9fqwiBu

f3a.sysB

D6c.pBTab

drfig%s:*:

0}.T&?%x=

~UrlA'W

\'Web%

HTTP)s'PJ

o.ENHCD

KPCKwWEBWUPD

>*?456789:;

!"#$%&'()* ,-./01230 0

MSVCRT.dll

WS2_32.dll

[y$%f

0%s?\5

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

&Lines most recently executed

&Hotkeys and their methods

&Key history and script info

&Web Site

rundll32.exe_1056_rwx_003C0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

%UzU_

rundll32.exe_1056_rwx_003D0000_00001000:

|rundll32.exeM_1056_

rundll32.exe_1056_rwx_004AE000_00011000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\000CBB85_Rar\rundll32.exe

rundll32.exe

.rsrc

.text

%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe

%UzU_

hXXp://pelcpawel.fm.interia.pl/logos.gif

hXXp://chicostara.com/logof.gif

hXXp://suewyllie.com/images/logos.gif

hXXp://dewpoint-eg.com/images/logosa.gif

hXXp://VVV.ceylanogullari.com/logof.gif

hXXp://VVV.bluecubecreatives.com/logos.gif

hXXp://724hizmetgrup.com/images/logosa.gif

hXXp://yavuztuncil.ya.funpic.de/images/logos.gif

hXXp://cevatpasa.com/images/logos.gif

4/images/logos.gif

uCo9%f

%F`;O

hXXp://89.11

.info/home.gifI

W.text

L32.dll

^p.At%

rnl.exe?

= =$=(=,=0=4=8=

rv:1.9.2.3)

.NEtCLR

.klkjw:9fqwiBu

f3a.sysB

D6c.pBTab

drfig%s:*:

0}.T&?%x=

~UrlA'W

\'Web%

HTTP)s'PJ

o.ENHCD

KPCKwWEBWUPD

>*?456789:;

!"#$%&'()* ,-./01230 0

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

RegCloseKey

SHFileOperationA

Explorer.EXE_532_rwx_00FF0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

%UzU_

Explorer.EXE_532_rwx_01E00000_00001000:

|explorer.exeM_532_

Explorer.EXE_532_rwx_03CF0000_0108E000:

c:\windows

hXXp://pelcpawel.fm.interia.pl/logos.gif

hXXp://chicostara.com/logof.gif

hXXp://suewyllie.com/images/logos.gif

hXXp://dewpoint-eg.com/images/logosa.gif

hXXp://VVV.ceylanogullari.com/logof.gif

hXXp://VVV.bluecubecreatives.com/logos.gif

hXXp://724hizmetgrup.com/images/logosa.gif

hXXp://yavuztuncil.ya.funpic.de/images/logos.gif

hXXp://cevatpasa.com/images/logos.gif

%System%\drivers\okskr.sys

%UzU_

8316872595

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

hXXp://89.119.67.154/testo5/

hXXp://kukutrustnet777.info/home.gif

hXXp://kukutrustnet888.info/home.gif

hXXp://kukutrustnet987.info/home.gif

KERNEL32.dll

USER32.dll

h.rdata

H.data

.reloc

ntoskrnl.exe

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)

Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion

hXXp://VVV.klkjwre9fqwieluoi.info/

hXXp://kukutrustnet777888.info/

Software\Microsoft\Windows\CurrentVersion\policies\system

Software\Microsoft\Windows\ShellNoRoam\MUICache

%s:*:Enabled:ipsec

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

GdiPlus.dll

hXXp://

ipfltdrv.sys

VVV.microsoft.com

?%x=%d

&%x=%d

SYSTEM.INI

USER32.DLL

.%c%s

\\.\amsint32

NTDLL.DLL

autorun.inf

ADVAPI32.DLL

win%s.exe

%s.exe

WININET.DLL

InternetOpenUrlA

avast! Web Scanner

Avira AntiVir Premium WebGuard

cmdGuard

cmdAgent

Eset HTTP Server

ProtoPort Firewall service

SpIDer FS Monitor for Windows NT

Symantec Password Validation

WebrootDesktopFirewallDataService

WebrootFirewall

%d%d.tmp

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

%s\%s

%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Software\Microsoft\Windows\CurrentVersion\Ext\Stats

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Explorer.exe

A2CMD.

ASHWEBSV.

AVGCC.AVGCHSVX.

DRWEB

DWEBLLIO

DWEBIO

FSGUIEXE.

MCVSSHLD.

NPFMSG.

SYMSPORT.

WEBSCANX.

.adata

M_%d_

%c%d_%d

?456789:;

!"#$%&'()* ,-./0123

GetProcessHeap

GetWindowsDirectoryA

RegEnumKeyExA

RegDeleteKeyA

RegOpenKeyExA

RegCreateKeyA

RegCloseKey

SHFileOperationA

&3&3&3&389

.rdata

.data

rnl.exe?

= =$=(=,=0=4=8=

rv:1.9.2.3)

.NEtCLR

.klkjw:9fqwiBu

f3a.sysB

D6c.pBTab

drfig%s:*:

0}.T&?%x=

~UrlA'W

\'Web%

HTTP)s'PJ

o.ENHCD

KPCKwWEBWUPD

>*?456789:;

!"#$%&'()* ,-./01230 0

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

WS2_32.dll