Trojan.Win32.Patched.la (Kaspersky), Dropped:Trojan.Generic.8075968 (B) (Emsisoft), Dropped:Trojan.Generic.8075968 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3f033ccfae6f2ee6449d463cbbc1a891
SHA1: 07a8e5e1fbd0c65e00db8507269331c2f216b571
SHA256: 5c1bbdf8f8a39f5d3340eeee08a69a9fcc237dd65ef8b04ebd9ae94341dab520
SSDeep: 24576:EF0EQWl8ewe67CF4ED/dBDC7ftYZedd5eoqCss/lZE1NRELt:00SlkDe4ELmYZeVyC7ZE1rEx
Size: 1602357 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1972-12-25 08:33:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | This worm spreads via removable drives: it writes its executable to every removable drive and creates an "autorun.inf" script on each one. The autorun script executes the Dropped's file as soon as a user opens the drive's folder in Windows Explorer. |
Process activity
The Dropped creates the following process(es):
sc.exe:1016
sc.exe:460
sc.exe:492
net1.exe:652
net1.exe:1476
%original file name%.exe:892
%original file name%.exe:1948
system.exe:1664
net.exe:1320
net.exe:228
Rundll32.exe:1936
Rundll32.exe:1276
The Dropped injects its code into the following process(es):
2ADE6B.EXE:1800
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 2ADE6B.EXE:1800 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%System%\10A216\internet.fne (673 bytes)
%System%\10A216\dp1.fne (601 bytes)
%System%\10A216\krnln.fnr (7433 bytes)
%System%\10A216\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%System%\B55985\0f10.inf (3856 bytes)
%System%\10A216\RegEx.fnr (1281 bytes)
%System%\10A216\spec.fne (601 bytes)
%System%\B55985\16eb.EDT (2008 bytes)
%System%\10A216\eAPI.fne (1425 bytes)
%System%\B55985\16eb.inf (2728 bytes)
%System%\10A216\com.run (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJ2BQLLP\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KRYJEE93\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41MBKHI3\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IZOJUTIX\desktop.ini (0 bytes)
The process %original file name%.exe:892 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%System%\system.exe (78 bytes)
C:\%original file name%.exe (8690 bytes)
The process %original file name%.exe:1948 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (270 bytes)
%System%\36D0F1\2ADE6B.EXE (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
The process system.exe:1664 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%System%\oldod.dll (19 bytes)
%System%\gdhmd.dll (54 bytes)
The process Rundll32.exe:1936 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%WinDir%\Prefetch\WMIPRVSE.EXE-28F301A9.pf (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KRYJEE93\desktop.ini (67 bytes)
%System%\CatRoot2 (96 bytes)
%WinDir%\SoftwareDistribution (8 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJ2BQLLP\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
%WinDir%\pchealth\helpctr\System (4 bytes)
C:\$Directory (2952 bytes)
%WinDir%\Prefetch\3F033CCFAE6F2EE6449D463CBBC1A-30BABE0F.pf (56 bytes)
%System%\config (304 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%WinDir%\Prefetch (1728 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\ACCESSIBILITY (4 bytes)
%System%\CatRoot (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ACCESSORIES (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System% (17236 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\WIRESHARK (212 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%System%\10A216\shell.fne (40 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%Documents and Settings%\%current user%\MY DOCUMENTS (8 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%WinDir%\SoftwareDistribution\Download (45 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ACCESSORIES (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
C:\ (12 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\SYSTEM TOOLS (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (12 bytes)
%WinDir%\Prefetch\2ADE6B.EXE-15881028.pf (49 bytes)
%Documents and Settings%\ALL USERS (8 bytes)
%Program Files%\Movie Maker (4 bytes)
%System%\10A216 (4 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (36 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%WinDir%\WinSxS (24 bytes)
%System%\10A216\spec.fne (601 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US (4 bytes)
%WinDir% (2632 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
C:\PROGRAM FILES (124 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%Documents and Settings%\%current user%\LOCAL SETTINGS (20 bytes)
%System%\10A216\internet.fne (673 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41MBKHI3\desktop.ini (67 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (673 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (601 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%System%\10A216\RegEx.fnr (1281 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%System%\oobe (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (1281 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%WinDir%\Temp (4 bytes)
%WinDir%\Installer (8 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (1732 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\pchealth\helpctr (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (1425 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (8 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%WinDir%\Web (4 bytes)
C:\totalcmd (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%WinDir%\Prefetch\PERL.EXE-28C02382.pf (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (792 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles (8 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (1652 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (8 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader (480 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%System%\mui (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4 (4 bytes)
%WinDir%\REGISTRATION (8 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_638.dat (12 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (20 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%System%\10A216\krnln.fnr (4360 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\ENTERTAINMENT (4 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (4 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
%Program Files%\Adobe\Reader 9.0 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Common Files\Java\JAVA UPDATE (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727 (1848 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (704 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%Documents and Settings%\%current user% (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IZOJUTIX\desktop.ini (67 bytes)
%WinDir%\Web\printers (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\COMMUNICATIONS (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\APPLICATION DATA (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\Help (248 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo (4 bytes)
%System%\config\systemprofile (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%WinDir%\Prefetch\WINCHECK.EXE-0C8073AD.pf (106 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (32 bytes)
C:\DOCUMENTS AND SETTINGS (8 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5 (12 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\COMMON FILES (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ADMINISTRATIVE TOOLS (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%WinDir%\Prefetch\EXPLORER.EXE-082F38A9.pf (98 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
The Dropped deletes the following file(s):
%System%\wininet.dll (0 bytes)
The process Rundll32.exe:1276 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\KAV\CDriver.sys (13 bytes)
The Dropped deletes the following file(s):
%Program Files%\KAV\CDriver.sys (0 bytes)
%Program Files%\KAV (0 bytes)
Registry activity
The process 2ADE6B.EXE:1800 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 C8 43 51 AF CB B1 C7 1C 74 BD E5 FF 3E 34 62"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Dropped deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
The process sc.exe:1016 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 2D FD E0 3E E1 AE 3C 54 84 22 54 3B 6A E6 2D"
The process sc.exe:460 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 B3 E2 35 99 1C D0 2F F5 23 F0 29 1C D4 1F 41"
The process sc.exe:492 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 33 EC F2 F7 71 20 9A DA EA F1 F3 3A 64 F2 61"
The process net1.exe:652 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 81 FD 13 C9 D0 21 26 4C 88 10 06 99 0A 03 E8"
The process net1.exe:1476 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C D8 DE E3 57 30 3A 2B 95 E1 45 9F A4 24 93 0F"
The process %original file name%.exe:1948 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 C7 D6 06 1F 5D FD 08 DA C7 1B 07 15 AE 8E 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process net.exe:1320 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 4B 8D 81 06 08 AC 49 F8 22 90 23 92 38 82 F3"
The process net.exe:228 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E E3 E0 05 F3 B0 5C 66 50 40 E9 9C FF CF 56 13"
The process Rundll32.exe:1936 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 CD 06 CC 22 B3 12 FE 9F B5 A3 CF 57 4C 1A 4B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE security-zone settings so that all network (UNC) paths are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE security-zone settings so that all sites that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE security-zone settings so that all local (dotless) host names not assigned to another zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Dropped adds a link to its file under the following registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Rundll32.exe:1276 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 8E 6B 5B 36 A7 68 F7 D4 50 C0 A9 0D F7 CF 5F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Dropped modifies IE security-zone settings so that all sites that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Dropped modifies IE security-zone settings so that all network (UNC) paths are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Dropped modifies IE security-zone settings so that all local (dotless) host names not assigned to another zone are mapped to the Intranet Zone:
"IntranetName" = "1"
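The ZoneMap and Run-key changes listed above (recorded once for the Dropped itself and again under Rundll32.exe:1276) are the registry indicators a responder would check on other hosts. The following Python script is an added example and is not part of the Lavasoft report: it parses a `reg export` file (or the report's own `[KEY]` / `"Name" = "value"` notation), flags the three ZoneMap values set to 1 and any Run value that launches a `system.exe`, and leaves benign Run entries alone. `SAMPLE_REG` is a constructed export, not data from the analysed machine, and every function name is this example's own. One caveat: the three ZoneMap values are commonly written by IE's own zone-map initialisation as well (the sandbox records the same three writes from both processes, and the sample embeds a WebBrowser control, see the shdocvw.dll strings below), so on their own they are a weak indicator; the Run value and the dropped-file hashes are the reliable ones.

```python
"""Added example, not part of the Lavasoft report: audit a registry export for
this sample's footprint (IE ZoneMap widening, HKLM\\...\\Run "System" value)."""
import re
from pathlib import PureWindowsPath

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
_VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

ZONEMAP = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
# Meaning of each ZoneMap flag when set to 1 (IE "Local intranet" zone options).
ZONEMAP_FLAGS = {
    "uncasintranet": "UNC paths are treated as Local intranet",
    "proxybypass": "hosts that bypass the proxy are treated as Local intranet",
    "intranetname": "dotless host names not in another zone are treated as Local intranet",
}


def normalize_key(key):
    """Expand HKLM/HKCU abbreviations and lower-case, so report and .reg spellings compare equal."""
    hive, _, rest = key.strip().partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def parse_value(raw):
    """dword:XXXXXXXX -> int; "quoted" -> str with \\\\ and \\" unescaped; hex:/@ forms kept raw."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\([\\"])', r"\1", raw[1:-1])
    return raw


def parse_reg_text(text):
    """{normalized key: {value name: data}}; multi-line hex(...) blobs keep only their first line."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = normalize_key(line[1:-1])
            tree.setdefault(key, {})
        elif key is not None:
            m = _VALUE_LINE.match(line)
            if m:
                tree[key][m.group(1)] = parse_value(m.group(2))
    return tree


def launched_image(command):
    """Base name of the executable a Run value launches ('"C:\\x y.exe" /q' -> 'x y.exe')."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        command = command.split(" ", 1)[0]
    return PureWindowsPath(command).name.lower()


def audit(tree):
    """Findings that match this sample's registry footprint; an empty list means none seen."""
    findings = []
    zonemap = {k.lower(): v for k, v in tree.get(normalize_key(ZONEMAP), {}).items()}
    for name, meaning in ZONEMAP_FLAGS.items():
        if str(zonemap.get(name)) == "1":  # "1" in report notation, dword 1 in a .reg file
            findings.append(f"ZoneMap {name}=1: {meaning}")
    for run_key in RUN_KEYS:
        for name, data in tree.get(normalize_key(run_key), {}).items():
            if launched_image(str(data)) == "system.exe":  # the report's "System" = %System%\system.exe
                findings.append(f"Run value {name!r} launches {data} (persistence for system.exe)")
    return findings


def audit_text(text):
    return audit(parse_reg_text(text))


# Constructed sample in `reg export` syntax (not a real export); the VMware line is
# benign noise that the Run-key rule must leave alone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\WINDOWS\\system32\\system.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
'''

if __name__ == "__main__":
    for line in audit_text(SAMPLE_REG):
        print(line)
```

For a real host, export the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the ZoneMap key) and pass `open("run.reg", encoding="utf-16").read()` to `audit_text`; reg.exe writes UTF-16LE. The report's deletion of `ProxyServer`, `AutoConfigURL` and `ProxyOverride` cannot be seen in an export taken afterwards, so it is not checked here.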
Dropped PE files
MD5 | File path |
---|---|
b0bdf36903b4df97ff16a2e9392cd65f | c:\%original file name%.exe |
7a4f775abb2f1c97def3e73afa2faedd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp |
493dde767dd07971ff879af1d39e2871 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\RegEx.fnr |
02dff30ebc19aed131679756eb50a2be | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\com.run |
6bc845ca548877ffd05c335b89728425 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\dp1.fne |
ecfc87b5c94d89b1fa1e2d575056145c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\eAPI.fne |
6aa9bb7655fc5e90550ee61355df8547 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\internet.fne |
987052e6354d7d2931286c5e4bdd92f7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\krnln.fnr |
59c8df28d012034a7492df1609ec2d1a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\shell.fne |
0d1ae5e6215353e69f354b0853e43348 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\spec.fne |
493dde767dd07971ff879af1d39e2871 | c:\WINDOWS\system32\10A216\RegEx.fnr |
02dff30ebc19aed131679756eb50a2be | c:\WINDOWS\system32\10A216\com.run |
6bc845ca548877ffd05c335b89728425 | c:\WINDOWS\system32\10A216\dp1.fne |
ecfc87b5c94d89b1fa1e2d575056145c | c:\WINDOWS\system32\10A216\eAPI.fne |
6aa9bb7655fc5e90550ee61355df8547 | c:\WINDOWS\system32\10A216\internet.fne |
987052e6354d7d2931286c5e4bdd92f7 | c:\WINDOWS\system32\10A216\krnln.fnr |
59c8df28d012034a7492df1609ec2d1a | c:\WINDOWS\system32\10A216\shell.fne |
0d1ae5e6215353e69f354b0853e43348 | c:\WINDOWS\system32\10A216\spec.fne |
b0bdf36903b4df97ff16a2e9392cd65f | c:\WINDOWS\system32\36D0F1\2ADE6B.EXE |
210995930b8b604e08ffa28b72be5cf6 | c:\WINDOWS\system32\gdhmd.dll |
969035e2164bd07b46d7b35ea766f47d | c:\WINDOWS\system32\oldod.dll |
074ddeb6196f0ddee8fa71afe5ae0cdd | c:\WINDOWS\system32\system.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
The worm spreads via removable drives: it writes a copy of its executable and an "autorun.inf" script to every removable drive it finds. The script launches the dropped file when a user opens the drive in Windows Explorer.
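As an added example that is not part of the report, the following Python script checks a removable-drive root for the propagation mechanism described above and for the files the report lists under "Dropped PE files"; it supports the manual-removal step of finding and deleting the worm's copies together with autorun.inf on removable drives. It parses autorun.inf, reports the `open=`, `shellexecute=` and `shell\<verb>\command=` directives (the ones that make Explorer or AutoPlay run a file) together with any `action=` label used to disguise the entry, and hashes every file against the report's MD5s. The `demo()` function builds a constructed drive image in a temporary directory; its autorun.inf contents and payload bytes are made up for the example and are not the worm's actual files. All function names are this example's own.

```python
"""Added example, not part of the Lavasoft report: triage a removable-drive root
for the autorun.inf propagation the report describes and for the PE files it lists
as dropped. Function names are this example's own."""
import hashlib
import tempfile
from pathlib import Path

# MD5s copied from the report's "Dropped PE files" table.
DROPPED_MD5 = {
    "b0bdf36903b4df97ff16a2e9392cd65f",  # %original file name%.exe and 36D0F1\2ADE6B.EXE
    "074ddeb6196f0ddee8fa71afe5ae0cdd",  # %System%\system.exe (the Run-key payload)
    "210995930b8b604e08ffa28b72be5cf6",  # %System%\gdhmd.dll
    "969035e2164bd07b46d7b35ea766f47d",  # %System%\oldod.dll
}


def parse_autorun_inf(text):
    """Minimal INI parser -> {section: {key: value}} with lower-cased names.
    Hand-rolled instead of configparser so duplicate keys and odd whitespace,
    both common in worm-written files, cannot raise."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(text):
    """Directives that make Explorer/AutoPlay execute a file: open=, shellexecute=
    and shell\\<verb>\\command=. Returns [(directive, command), ...]."""
    auto = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def command_file(command):
    """First token of a command line, unquoted: the file the directive launches."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drive_root(root, known_md5=DROPPED_MD5):
    """Findings for one drive root: launch directives in autorun.inf (and whether the
    file they point at exists), a custom AutoPlay label, and every file whose MD5 is
    in known_md5."""
    root = Path(root)
    findings = []
    inf = root / "autorun.inf"
    if inf.is_file():
        text = inf.read_text(encoding="latin-1")
        for directive, command in autorun_launch_targets(text):
            state = "present" if (root / command_file(command)).is_file() else "missing"
            findings.append(f"autorun.inf {directive}={command} (target {state})")
        action = parse_autorun_inf(text).get("autorun", {}).get("action")
        if action:  # worms set this to mimic Explorer's own "Open folder to view files" entry
            findings.append(f"autorun.inf action={action!r} (custom AutoPlay label)")
    for p in root.rglob("*"):
        if p.is_file() and md5_of(p) in known_md5:
            findings.append(f"known dropped file: {p.relative_to(root).as_posix()}")
    return findings


def demo():
    """Run the scan on a constructed drive image in a temp dir (not a real infected drive)."""
    payload = b"MZ constructed stand-in for 2ADE6B.EXE, not the real sample"
    inf = ("[AutoRun]\n"
           "; constructed, modelled on the ':\\autorun.inf' and 'shellexecute' strings in the dump\n"
           "open=2ADE6B.EXE\n"
           "shellexecute=2ADE6B.EXE\n"
           "shell\\open\\Command=2ADE6B.EXE\n"
           "action=Open folder to view files\n"
           "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "autorun.inf").write_text(inf, encoding="latin-1")
        (Path(d) / "2ADE6B.EXE").write_bytes(payload)
        known = DROPPED_MD5 | {hashlib.md5(payload).hexdigest()}
        return scan_drive_root(d, known)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live machine call `scan_drive_root("E:\\")` once per removable drive. The MD5 set only matches this sample's dropped binaries, whereas the autorun directives catch any autorun worm; hashing a large drive is slow, so for big media restrict the walk to the root and to hidden directories.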
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
sc.exe:1016
sc.exe:460
sc.exe:492
net1.exe:652
net1.exe:1476
%original file name%.exe:892
%original file name%.exe:1948
system.exe:1664
net.exe:1320
net.exe:228
Rundll32.exe:1936
Rundll32.exe:1276
- Delete the original dropped file.
- Delete or disinfect the following files created/modified by the Dropped. Note that this list is the sandbox's raw file-activity trace: besides the dropped files it contains system and application directories the sample merely enumerated or touched (for example %System%\config, %WinDir%\SoftwareDistribution\Download\..., %Program Files%\WIRESHARK, C:\DOCUMENTS AND SETTINGS). Remove only the malware artefacts (the entries under %System%\10A216, %System%\36D0F1, %System%\B55985 and %Temp%\E_4, %System%\system.exe, gdhmd.dll, oldod.dll, 1.tmp and the Startup-folder .lnk; compare the "Dropped PE files" table); deleting the directory entries would damage the system:
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%System%\10A216\internet.fne (673 bytes)
%System%\10A216\dp1.fne (601 bytes)
%System%\10A216\krnln.fnr (7433 bytes)
%System%\10A216\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%System%\B55985\0f10.inf (3856 bytes)
%System%\10A216\RegEx.fnr (1281 bytes)
%System%\10A216\spec.fne (601 bytes)
%System%\B55985\16eb.EDT (2008 bytes)
%System%\10A216\eAPI.fne (1425 bytes)
%System%\B55985\16eb.inf (2728 bytes)
%System%\10A216\com.run (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
%System%\system.exe (78 bytes)
C:\%original file name%.exe (8690 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (270 bytes)
%System%\36D0F1\2ADE6B.EXE (7972 bytes)
%System%\oldod.dll (19 bytes)
%System%\gdhmd.dll (54 bytes)
%WinDir%\Prefetch\WMIPRVSE.EXE-28F301A9.pf (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KRYJEE93\desktop.ini (67 bytes)
%System%\CatRoot2 (96 bytes)
%WinDir%\SoftwareDistribution (8 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJ2BQLLP\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
C:\$Directory (2952 bytes)
%WinDir%\Prefetch\3F033CCFAE6F2EE6449D463CBBC1A-30BABE0F.pf (56 bytes)
%System%\config (304 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\ACCESSIBILITY (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ACCESSORIES (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\WIRESHARK (212 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%Documents and Settings%\%current user%\MY DOCUMENTS (8 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ACCESSORIES (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\SYSTEM TOOLS (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%WinDir%\Prefetch\2ADE6B.EXE-15881028.pf (49 bytes)
%Documents and Settings%\ALL USERS (8 bytes)
%Program Files%\Movie Maker (4 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (36 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
C:\PROGRAM FILES (124 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%Documents and Settings%\%current user%\LOCAL SETTINGS (20 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\41MBKHI3\desktop.ini (67 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%WinDir%\Temp (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (8 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%WinDir%\Web (4 bytes)
C:\totalcmd (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%WinDir%\Prefetch\PERL.EXE-28C02382.pf (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (792 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (1652 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%System%\mui (4 bytes)
%WinDir%\REGISTRATION (8 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_638.dat (12 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (20 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\ENTERTAINMENT (4 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Common Files\Java\JAVA UPDATE (4 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (704 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IZOJUTIX\desktop.ini (67 bytes)
%WinDir%\Web\printers (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\COMMUNICATIONS (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\APPLICATION DATA (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%WinDir%\Prefetch\WINCHECK.EXE-0C8073AD.pf (106 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (32 bytes)
C:\DOCUMENTS AND SETTINGS (8 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\COMMON FILES (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ADMINISTRATIVE TOOLS (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%WinDir%\Prefetch\EXPLORER.EXE-082F38A9.pf (98 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%Program Files%\KAV\CDriver.sys (13 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 20924 | 24576 | 4.82977 | 10a62e25f72034b83f773af1f0aa1d17 |
.rdata | 28672 | 2634 | 4096 | 2.48317 | 777ac25ec7bba2eed5c97e65e8a812c4 |
.data | 32768 | 8024 | 8192 | 3.25705 | b6c015dfa2e16f862ec372372d77f8a8 |
.data | 40960 | 122880 | 122880 | 4.77098 | 4e998da8cbf3307bfcd88b0453ab1d7d |
.rsrc | 163840 | 17848 | 20480 | 2.29665 | 648c3a5969b0f4793aef2b2434130798 |
nnuewjw | 184320 | 4288 | 8192 | 2.50322 | 75483d8e01507c07a703083e88099279 |
(no name) | 192512 | 78848 | 81920 | 4.1764 | bb70c7d982cced251cb220987af1e3ec |
Dropped from: (none recorded)
Downloaded by: (none recorded)
Similar by SSDeep: (none recorded)
Similar by Lavasoft Polymorphic Checker: (none recorded)
Network Activity
URLs, IDS verdicts (Suricata alerts: Emerging Threats ET ruleset), traffic, map and server locations: none recorded for this sample in this report.
Strings from Dumps
Rundll32.exe_1936:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
2ADE6B.EXE_1800:
.text
.rdata
@.data
.data
.rsrc
user32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
krnln.fne
krnln.fnr
1.1.3
%System%\36D0F1\2ADE6B.EXE
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,30
0,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
.cn/ul.htm
hXXp://
.com/ul.htm
[%s%]
[%f%]
document.all('
document.frames('
.value='';};catch(e){};function a(){};a();
.value='
].selected=true;};catch(e){};function a(){};a();
.options[
.checked='';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Notepad.exe
:\autorun.inf
shellexecute
shlwapi.dll
OLEACC.DLL
keybd_event
WebBrowser
2ADE6B.EXE_1800_rwx_0040A000_0001E000:
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,30
0,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
.cn/ul.htm
hXXp://
.com/ul.htm
[%s%]
[%f%]
document.all('
document.frames('
.value='';};catch(e){};function a(){};a();
.value='
].selected=true;};catch(e){};function a(){};a();
.options[
.checked='';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Notepad.exe
:\autorun.inf
shellexecute
shlwapi.dll
OLEACC.DLL
user32.dll
keybd_event
WebBrowser
2ADE6B.EXE_1800_rwx_01401000_00030000:
t.It It
SShH$D
QhT%D
SVWPhd%D
Phd%D
D$ThX%D
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
2ADE6B.EXE_1800_rwx_10001000_000C1000:
|$D.tm
~%UVW
L$$SSh
t%SVh
t$(SSh
u$SShe