Win32.Sality.OG (B) (Emsisoft), Win32.Sality.OG (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, mzpefinder_pcap_file.YR, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3c61cb16daa1d0a2e19638ac66f4569c
SHA1: aa35b20145d9d10931b316f6caf75a00b29064e7
SHA256: 0ea2dd3c14466f9f9c2c8b80e82f98882703f40f70a0a821b140f64f1f0b8be4
SSDeep: 3072:w5BxYAVrgUCPnwCW4WuNwgmDzG8zgA9vBAGWdpEDiNt6McYPUoyjZW5SEvrGmZJi:w5BgUCRhNwgR8zgAklMiQvoyjZErGmTi
Size: 158760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-24 21:20:04
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
statisticsStub.:272
netsh.exe:320
The Worm injects its code into the following process(es):
%original file name%.exe:1572
Explorer.EXE:512
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process statisticsStub.:272 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp\InetC.dll (24 bytes)
C:\END (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\usage[1].ashx (9 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp\InetC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp\1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\conduitStatistics.csf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB5.tmp (0 bytes)
The process %original file name%.exe:1572 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\system.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\statisticsstub[1].exe (6340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001DF1A6_Rar\%original file name%.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsB4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\InetC.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\statisticsStub.exe (6340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\conduitStatistics.csf (1475 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsB4.tmp (0 bytes)
C:\1df928 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\InetC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB2.tmp (0 bytes)
Registry activity
The process statisticsStub.:272 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nseB6.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B D0 96 FE 4C 31 AA 13 DA C7 A3 0F 40 27 6A 10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process netsh.exe:320 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 9E 04 EB 4D 48 10 14 E4 88 9F F8 C1 0F 98 B9"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process %original file name%.exe:1572 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a1_2" = "725158170"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\adm914]
"a3_2" = "31040235"
"a1_3" = "1782450922"
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\adm914]
"a1_0" = "3432392762"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\adm914]
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_1" = "7169121"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nseB6.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914\695404737]
"43014726" = "0400687474703A2F2F38392E3131392E36372E3135342F746573746F352F00687474703A2F2F6B756B7574727573746E65743737372E696E666F2F686F6D652E67696600687474703A2F2F6B756B7574727573746E65743838382E696E666F2F686F6D652E67696600687474703A2F2F6B756B7574727573746E65743938372E696E666F2F686F6D652E67696600"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\adm914\695404737]
"7169121" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"35845605" = "143"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a1_1" = "643681716"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"28676484" = "30"
[HKCU\Software\adm914]
"a3_0" = "17001001"
"a3_1" = "23989832"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914]
"a3_3" = "4933386"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\adm914\695404737]
"50183847" = "7439D18CF99ADB97C70A1EA4EA1DDEB3A46AF9AF9995ACD22104A39789171EB3633818AD029260106FF7F47FE0DE6244028206B85FFFAD226E9742031F5914A424C8AAD11CCC09A683D5C288F7B6E1F47648BB6509895D8CEFEAA4FC96A6440B61FA7545CEB6A4B60F5D6273763CD021B75224603D4E837AD74FFC1C93A050D600"
[HKCU\Software\adm914]
"a2_1" = "7173761"
"a2_0" = "5517"
"a2_3" = "21509101"
"a2_2" = "14342466"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 20 01 D8 DF 52 5B 15 76 E5 ED 0A CD 9B A8 D6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
9954bdf0d57b7cd53c5434360ce4923f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\001DF1A6_Rar\%original file name%.exe |
6a0f411ca91a97a709b98e114f4052d5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\statisticsStub.exe |
6a0f411ca91a97a709b98e114f4052d5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\statisticsstub[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
statisticsStub.:272
netsh.exe:320
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp\InetC.dll (24 bytes)
C:\END (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\usage[1].ashx (9 bytes)
%WinDir%\system.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\statisticsstub[1].exe (6340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001DF1A6_Rar\%original file name%.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsB4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\InetC.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\statisticsStub.exe (6340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\conduitStatistics.csf (1475 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Conduit
Product Name:
Product Version:
Legal Copyright: Conduit Ltd.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.7.4.0
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 29324 | 29696 | 4.51998 | 1f4aa5e35db2d1893ac5a7044048d07d |
.rdata | 36864 | 11118 | 11264 | 3.11773 | cca1ca3fbf99570f6de9b43ce767f368 |
.data | 49152 | 469916 | 512 | 1.25109 | 77f0839f8ebea31040e462523e1c770e |
.ndata | 520192 | 2772992 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 3293184 | 3008 | 3072 | 3.01394 | c5a749bab698d47d47acff6534f569b7 |
.reloc | 3297280 | 4054 | 4096 | 3.78201 | b56452d6d4550b55f6f232e5f2ca8121 |
.brdata | 3301376 | 69632 | 69632 | 5.53972 | f45f37eb7c27439ebb4e73e407ab8e07 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://e6321.g.akamaiedge.net/ps/conduitinstaller/statisticsstub.exe | |
hxxp://usage.integration.toolbar.va.conduit-services.com/usage.ashx | |
hxxp://storage.conduit.com/ps/conduitinstaller/statisticsstub.exe | 23.9.99.136 |
hxxp://usage.integration.toolbar.conduit-services.com/usage.ashx | 199.101.114.117 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ps/conduitinstaller/statisticsstub.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: storage.conduit.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 17 Dec 2012 13:49:50 GMT
ETag: "9ff9b7625ddccd1:0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Expires: Thu, 22 Jan 2015 10:43:26 GMT
Date: Wed, 21 Jan 2015 10:43:26 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Access-Control-Max-Age: 604800
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, content-type
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
00006000..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@..........................`............@.................................@........@..............h........`.......................................................................................text....r.......t.................. ..`.rdata..n .......,...x..............@..@.data.... ..........................@....ndata...P...............................rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[
<<< skipped >>>
POST /usage.ashx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: usage.integration.toolbar.conduit-services.com
Content-Length: 1101
Connection: Keep-Alive
Cache-Control: no-cache
{"installationType":"NSISBundle","installationVersion":"5.7.4.0","actionType":"postInstallReport","bundleGUID":"","parentProcess":"NULL","ctid":"","installtype":"","installid":"","cmdline":"","startpage":"","initStartpage":"","defaultsearch":"","initDefaultsearch":"","showwelcomepage":"","openwelcomedialog":"","fix404":"","searchfromaddress":"","openuninstallpage":"","defaultsearchdisplayname":"","defaultsearchurl":"","enablealerts":"","searchrevert":"","usermode":"","returnCode":"3","returnMessage":"Command Line Error: CTID Parameter Missing - Bad Usage","ieBrowserVersion":"","ieToolbarVersion":"","ieReturnCode":"","ieReturnMessage":"","ffBrowserVersion":"","ffToolbarVersion":"","ffReturnCode":"","ffReturnMessage":"","chBrowserVersion":"","chToolbarVersion":"","chReturnCode":"","chReturnMessage":"","singleInstall":"","iePreviouslyInstalled":"","ffPreviouslyInstalled":"","chPreviouslyInstalled":"","ieInstallVerified":"","ffInstallVerified":"","chInstallVerified":"","defaultBrowser":"","isUnicodeOSLanguage":"","installBlockerDetected":"","isFFActive":"","isCHActive":"","isIEActive":""}
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 21 Jan 2015 10:43:30 GMT
Content-Length: 9
ConduitOK..
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1572:
.text
.text
.rdata
.rdata
.data
.data
.ndata
.ndata
.rsrc
.rsrc
@.reloc
@.reloc
B.brdata
B.brdata
RegDeleteKeyExW
RegDeleteKeyExW
Kernel32.DLL
Kernel32.DLL
PSAPI.DLL
PSAPI.DLL
%s=%s
%s=%s
GetWindowsDirectoryW
GetWindowsDirectoryW
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
GetAsyncKeyState
GetAsyncKeyState
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationW
SHFileOperationW
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
RegDeleteKeyW
RegDeleteKeyW
RegCloseKey
RegCloseKey
RegEnumKeyW
RegEnumKeyW
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
Vv.Vf
Vv.Vf
`.rdata
`.rdata
@.data
@.data
.reloc
.reloc
SSh4!
SSh4!
u.hl!
u.hl!
PeekNamedPipe
PeekNamedPipe
CreatePipe
CreatePipe
nsExec.dll
nsExec.dll
MSVCRT.dll
MSVCRT.dll
HttpSendRequestW
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExW
HttpQueryInfoW
HttpQueryInfoW
FtpCreateDirectoryW
FtpCreateDirectoryW
FtpOpenFileW
FtpOpenFileW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpEndRequestW
HttpEndRequestW
InternetCrackUrlW
InternetCrackUrlW
WININET.dll
WININET.dll
inetc.dll
inetc.dll
FtpCommandW
FtpCommandW
Filename: %s
Filename: %s
qb.aL,
qb.aL,
Nullsoft Install System v2.46.5-Unicode
Nullsoft Install System v2.46.5-Unicode
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001DF1A6_Rar\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001DF1A6_Rar\%original file name%.exe
%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
c:\%original file name%.exe
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
toskrnl.exe
PAD.EXE
WS2_32.dll
SHFileOperationA
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
Wwininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
/password
Uploading %s
nsoB3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\*.*
RMDir: RemoveDirectory on Reboot("C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\")
emp\nsoB3.tmp\nsExec.dll"
-statistics=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\\conduitStatistics.csf
\%original file name%.exe
:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nszB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\
ystem.dll
5.7.4.0
%original file name%.exe_1572_rwx_00727000_00010000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001DF1A6_Rar\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
.text
c:\%original file name%.exe
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.rdata
toskrnl.exe
PAD.EXE
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
Explorer.EXE_512_rwx_00F30000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_1572_rwx_00D20000_01033000:
c:\windows
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
%System%\drivers\nlgrmg.sys
196221860921
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
h.rdata
H.data
.reloc
ntoskrnl.exe
Opera/8.81 (Windows NT 6.0; U; en)
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
NOTEPAD.EXE
WINMINE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
hXXp://klkjwre77638dfqwieuoi888.info/
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\abp470n5
WINDOWS
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
tcpsr
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
ASHWEBSV.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBPROXY.
WEBSCANX.
WEBTRAP.
sfc_os.dll
M_%d_
%c%d_%d
GetWindowsDirectoryA
GetProcessHeap
WinExec
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
.xdata
@.CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
%original file name%.exe_1572_rwx_02260000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_1572_rwx_02370000_00001000:
|%original file name%.exeM_1572_
Explorer.EXE_512_rwx_00F40000_00001000:
|explorer.exeM_512_