not-a-virus:AdWare.Win32.Agent.aljt (Kaspersky), Win32.Sality.OG (B) (Emsisoft), Win32.Sality.OG (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9a823a7df914083f2895740194ce98a5
SHA1: 769fdf6c3cfdb19f72925e507d093e0f7c9068e5
SHA256: 5eea160e898bc0c0855ba151d5e61873a0f579a8359467566142a86127636088
SSDeep: 24576:og4l47j qTZePRf7RVZ6v4ml8aSugTLCk U2iAqS6cIIK37:UWXNSfdVIzpgfmDi5zuA7
Size: 1150536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-03-22 02:59:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
netsh.exe:1992
WINMINE.EXE:3612
WINMINE.EXE:3740
WINMINE.EXE:3852
WINMINE.EXE:3672
WINMINE.EXE:3720
WINMINE.EXE:3176
NOTEPAD.EXE:3452
NOTEPAD.EXE:3580
NOTEPAD.EXE:3384
NOTEPAD.EXE:3816
NOTEPAD.EXE:4064
NOTEPAD.EXE:3884
NOTEPAD.EXE:3516
NOTEPAD.EXE:3420
NOTEPAD.EXE:3548
NOTEPAD.EXE:3220
NOTEPAD.EXE:3484
NOTEPAD.EXE:4092
NOTEPAD.EXE:3144
NOTEPAD.EXE:3336
NOTEPAD.EXE:3760
NOTEPAD.EXE:3268
NOTEPAD.EXE:3644
NOTEPAD.EXE:3788
NOTEPAD.EXE:3300
The Worm injects its code into the following process(es):
%original file name%.exe:212
Explorer.EXE:932
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:212 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\winljhgh.exe (601 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (11 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00112DB4_Rar\%original file name%.exe (7547 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\winljhgh.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
C:\113a85 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:212 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "3432392762"
[HKCU\Software\Aas\695404737]
"35845605" = "476"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "83AD022F944CCF21DDECD41871254667172BA39F3E949513F4CC29B07060AC534912E5BCB155880C2C4326E6FB83E6FA099D4219F6885291D527824C5507229614A07CE2AF035D97263FF7F26AD2ACC9D5D4395D4B8B3109DC5C0C87B31A1505E6E94E08EF20E71B91B96D3856F531DADFD78A894AD6A6C177136C5657B01661"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "144"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 9A 7B F0 3E 85 34 0E E2 97 8D 5A AF D9 75 8C"
[HKCU\Software\Aas]
"a2_0" = "5517"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process netsh.exe:1992 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 6F 44 7C 27 87 6E 7D A9 58 7E 5B 25 F1 F1 29"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process WINMINE.EXE:3612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 1F 87 DD 13 94 6D 2F C2 C3 B7 AB 99 F1 88 66"
The process WINMINE.EXE:3740 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 3E 23 A4 A0 BE B9 36 DB D9 B2 76 D6 65 B5 D9"
The process WINMINE.EXE:3852 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 24 6D C5 B4 18 75 B6 94 6F B8 C8 35 0E 6F 1F"
The process WINMINE.EXE:3672 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB CA E5 B0 FD AB 42 BE 72 F6 59 13 EC DC CB 39"
The process WINMINE.EXE:3720 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 25 DC 92 8D D3 94 88 61 49 75 B8 EA E8 AF 76"
The process WINMINE.EXE:3176 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B A5 A9 B5 CC 20 6A A9 3D 2B B0 BC 13 E7 32 40"
The process NOTEPAD.EXE:3452 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 82 C7 32 CD 7A EE 7B 11 D5 53 24 DE 36 9F 91"
The process NOTEPAD.EXE:3580 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 D8 0F F9 BB BC F2 A2 08 B3 04 4C D5 70 6C 5F"
The process NOTEPAD.EXE:3384 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 BD FB 82 4E 49 D8 A7 83 93 FA 88 B6 80 FB 9B"
The process NOTEPAD.EXE:3816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E CD FF 7E 09 7D C8 B0 D0 2D 93 CB 79 42 6A 39"
The process NOTEPAD.EXE:4064 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA ED A5 DB 6E 45 7F 92 B1 36 DD 28 6C BB 2F 2F"
The process NOTEPAD.EXE:3884 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 D6 56 A4 AD F5 87 D1 42 6A 2B 2C F0 CC 9C FD"
The process NOTEPAD.EXE:3516 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 F6 36 D9 61 EB 13 D9 34 47 FD 90 B1 77 02 16"
The process NOTEPAD.EXE:3420 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 8C C6 4B 9B E0 79 F3 4A FF EA C6 74 40 1C D4"
The process NOTEPAD.EXE:3548 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 FB BA 36 3B 78 35 54 97 1C 03 56 EC FF F7 7B"
The process NOTEPAD.EXE:3220 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A D1 80 6B 3E 8A C1 0E 1B 89 76 08 2F 8C 5E 7A"
The process NOTEPAD.EXE:3484 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 71 E7 4F 47 EE AE AE 8D CE 62 0D 77 BD 3A 7E"
The process NOTEPAD.EXE:4092 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 F2 6B 77 63 A4 FE 3F 6D 81 34 11 CB 77 48 E0"
The process NOTEPAD.EXE:3144 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 19 78 17 73 FB BC 33 FA 03 3F 38 D5 86 F7 AD"
The process NOTEPAD.EXE:3336 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 D1 12 97 7E D6 76 C5 A4 23 0F AA 23 0E 11 07"
The process NOTEPAD.EXE:3760 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 3E D4 E8 C0 54 0F 97 E4 A2 E9 88 3A E9 B3 F7"
The process NOTEPAD.EXE:3268 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 C3 1F 13 25 8E BF 84 C5 1E B7 29 90 5D 2C A7"
The process NOTEPAD.EXE:3644 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 6D A3 C1 DA 66 B1 89 DD 01 F9 C5 C5 84 14 60"
The process NOTEPAD.EXE:3788 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 50 6D 67 67 43 DF 87 E7 82 E2 42 22 86 18 A3"
The process NOTEPAD.EXE:3300 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 C5 61 2F 31 33 36 7A B4 2E 59 5B A2 3B FF 2A"
Dropped PE files
MD5 | File path |
---|---|
442996bdc46c9f00dc8ed2bad3e98bcf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00112DB4_Rar\%original file name%.exe |
8e806ea2e205dc508a2fb5adda3419db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\LangDLL.dll |
b9f430f71c7144d8ff4ab94be2785aa6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\System.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
netsh.exe:1992
WINMINE.EXE:3612
WINMINE.EXE:3740
WINMINE.EXE:3852
WINMINE.EXE:3672
WINMINE.EXE:3720
WINMINE.EXE:3176
NOTEPAD.EXE:3452
NOTEPAD.EXE:3580
NOTEPAD.EXE:3384
NOTEPAD.EXE:3816
NOTEPAD.EXE:4064
NOTEPAD.EXE:3884
NOTEPAD.EXE:3516
NOTEPAD.EXE:3420
NOTEPAD.EXE:3548
NOTEPAD.EXE:3220
NOTEPAD.EXE:3484
NOTEPAD.EXE:4092
NOTEPAD.EXE:3144
NOTEPAD.EXE:3336
NOTEPAD.EXE:3760
NOTEPAD.EXE:3268
NOTEPAD.EXE:3644
NOTEPAD.EXE:3788
NOTEPAD.EXE:3300
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\winljhgh.exe (601 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (11 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00112DB4_Rar\%original file name%.exe (7547 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 63112 | 63488 | 3.71134 | bb246b2e8bb5ebf52ef134899676b801 |
.rdata | 69632 | 13410 | 13824 | 4.1366 | 40d5f9c280cd19e695bfa3031030672e |
.data | 86016 | 572668 | 9216 | 2.15433 | 42bb0055f20c98883b72c276c3d7a845 |
.idata | 659456 | 6011 | 6144 | 3.19775 | 0bbda7738b276a7bd2a8f8f4ea0ad05e |
.ndata | 667648 | 1019904 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 1687552 | 17088 | 17408 | 4.09046 | 96c7dba99bd846c35760ea25b4267cdb |
.brdata | 1708032 | 73728 | 73728 | 5.54218 | f81854d4d4e571115fa0edafd3b100e7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_212:
.text
.rdata
@.data
.idata
.ndata
.rsrc
@.brdata
C:\Work\nsis-unicode\build\udebug\stub_zlib\stub_zlib.pdb
%s=%s
RegDeleteKeyExW
PSAPI.DLL
Kernel32.DLL
RH.HU
M%DI1
_.xcA
`.rdata
@.reloc
KERNEL32.dll
USER32.dll
GDI32.dll
LangDLL.dll
ole32.dll
System.dll
4E.iQ3
:2.Pq:
'6e.sn
n.irA!
V2%cp1%
GetWindowsDirectoryW
ExitWindowsEx
GetAsyncKeyState
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegEnumKeyW
RegCreateKeyExW
RegCloseKey
RegDeleteKeyW
RegOpenKeyExW
ADVAPI32.dll
COMCTL32.dll
VERSION.dll
)-.Yln
Nullsoft Install System v2.45.1-Unicode
p.azU'
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\00112DB4_Rar\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
c:\%original file name%.exe
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
\.ttpU2I
hXXp://89.
.info/home.giN%
[Wr%S
?%XYZ[_
.text^
4.AtT
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
o4&?%x=
J.DLL
GUrlA'G5
HTTP)s'cfp
Lxo.ENHCDM
wWEBWUPD
n .pZ
?456789:;
'()* ,-./01230 0
.HpT.#[3
av%xQ
MSVCRT.dll
WS2_32.dll
SHFileOperationA
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
@Jump: %d
Aborting: "%s"
Call: %d
detailprint: %s
Sleep(%d)
SetFileAttributes: "%s":X
CreateDirectory: "%s" (%d)
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: "%s" created
Rename on reboot: %s
IfFileExists: file "%s" exists, jumping %d
IfFileExists: file "%s" does not exist, jumping %d
Rename: %s
Rename failed: %s
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
File: skipped: "%s" (overwriteflag=%d)
File: wrote %d to "%s"
Delete: "%s"
MessageBox: %d,"%s"
RMDir: "%s"
Exch: stack
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
ExecShell: success ("%s": file:"%s" params:"%s")
Exec: command="%s"
Exec: success ("%s")
Exec: failed createprocess ("%s")
Error registering DLL: %s not found in %s
CopyFiles "%s"->"%s"
Error registering DLL: Could not load %s
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
WriteINIStr: wrote [%s] %s=%s in %s
DeleteRegValue: "%s\%s" "%s"
DeleteRegKey: "%s\%s"
WriteRegStr: "%s\%s" "%s"="%s"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegBin: "%s\%s" "%s"="%s"
WriteReg: error writing into "%s\%s" "%s"
WriteReg: error creating key "%s\%s"
created uninstaller: %d, "%s"
settings logging to %d
logging set to %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Section: "%s"
Skipping section: "%s"
New install of "%s" to "%s"
Delete: DeleteFile("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile failed("%s")
RMDir: RemoveDirectory invalid input("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory failed("%s")
*?|/":
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
invalid registry key
x%c
\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
p\nsh2.tmp
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
callback%d
%Program Files%
\System.dll
\LangDLL.dll
SupTab.dll
BHOEnabler.exe
SupIePluginServiceUpdate.exe
indexIE.html
indexIE8.html
skin.css
style.css
ver.txt
\web\_locales
\web\_locales\en-US
messages.json
\web\_locales\es-419
\web\_locales\es-ES
\web\_locales\fr-BE
\web\_locales\fr-CA
\web\_locales\fr-CH
\web\_locales\fr-FR
\web\_locales\fr-LU
\web\_locales\it-CH
\web\_locales\it-IT
\web\_locales\pl
\web\_locales\pt-BR
\web\_locales\ru
\web\_locales\ru-MO
\web\_locales\tr-TR
\web\_locales\vi-VI
\web\_locales\zh-CN
\web\_locales\zh-TW
\web\img
default_logo.png
google.com.png
icon128.png
icon16.png
icon48.png
loading.gif
\web\js
background.js
ga.js
jquery-base.js
jquery.autocomplete.js
js.js
json2.js
xa.js
xagainit.js
Software\Microsoft\Windows\CurrentVersion\Uninstall\SupTab
\uninstall.exe
1.1.1.0
\SupTab.dll
\BHOEnabler.exe" -enablebho -bhoid={3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
\SupIePluginServiceUpdate.exe"
Nullsoft Install System (Unicode) v2.45.1-Unicode
\wininit.ini
%Program Files%\
\Temp\nsh2.tmp
File: wrote 5120 to "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll"
~1\Temp\nsh2.tmp\LangDLL.dll"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
%Program Files%\SupTab
p\nsm1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
1441914
1376500
1179988
1114414
%original file name%.exe_212_rwx_005A1000_00011000:
p.azU'
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\00112DB4_Rar\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
.text
c:\%original file name%.exe
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
\.ttpU2I
hXXp://89.
.info/home.giN%
[Wr%S
?%XYZ[_
.text^
4.AtT
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
o4&?%x=
J.DLL
GUrlA'G5
HTTP)s'cfp
Lxo.ENHCDM
wWEBWUPD
n .pZ
?456789:;
'()* ,-./01230 0
.HpT.#[3
av%xQ
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_212_rwx_00BA0000_01033000:
c:\windows
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
%System%\drivers\flojpn.sys
11269215939
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
h.rdata
H.data
.reloc
ntoskrnl.exe
Opera/8.89 (Windows NT 6.0; U; en)
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
NOTEPAD.EXE
WINMINE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
hXXp://klkjwre77638dfqwieuoi888.info/
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\abp470n5
WINDOWS
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
tcpsr
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
ASHWEBSV.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBPROXY.
WEBSCANX.
WEBTRAP.
sfc_os.dll
M_%d_
%c%d_%d
?456789:;
!"#$%&'()* ,-./0123
GetWindowsDirectoryA
GetProcessHeap
WinExec
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
.xdata
@.CRT
GUrlA'G5
HTTP)s'cfp
Lxo.ENHCDM
wWEBWUPD
n .pZ
'()* ,-./01230 0
.HpT.#[3
av%xQ
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
%original file name%.exe_212_rwx_01CA0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_212_rwx_01CB0000_00001000:
|%original file name%.exeM_212_
Explorer.EXE_932_rwx_00FF0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Explorer.EXE_932_rwx_01DE0000_00001000:
|explorer.exeM_932_