WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ce77711973deeca12d946693d81266a6
SHA1: c46f1c5cbc1462154d3bd9679ff587dc7b3588c0
SHA256: d3ef7d45c8a7dad2fc0db60e13a9e18ab0ec11f5e9f803d67b986b3294c3a5a5
SSDeep: 98304:myviZ9nx34zC6mCFwNR8bN9a5CppqVsNUC:mkiznx34flKqNAMoqNd
Size: 3369920 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Viber Media Inc
Created at: 2007-11-27 16:14:43
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
TPAutoConnSvc.exe:1844
InfDefaultInstall.exe:2016
regsvr32.exe:2440
runonce.exe:2388
runonce.exe:1412
setup.exe:1960
The Worm injects its code into the following process(es):
%original file name%.exe:212
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process InfDefaultInstall.exe:2016 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\SysWOW64\SET8F.tmp (1281 bytes)
C:\Windows\SysWOW64\SETA0.tmp (7809 bytes)
C:\Windows\SysWOW64\SETA1.tmp (2321 bytes)
C:\Windows\inf\SET5E.tmp (2 bytes)
C:\Windows\SysWOW64\SET8E.tmp (4984 bytes)
The process regsvr32.exe:2440 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\SysWOW64\MPG4DS32.AX (245 bytes)
The process %original file name%.exe:212 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Your Camera\Audio_ang\Kam1.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\exceptions.$$A (10 bytes)
%Program Files% (x86)\Your Camera\setup.$$A (16341 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam3.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\_tkinter.$$A (707 bytes)
%Program Files% (x86)\Your Camera\YourCamera.exe (291 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam13.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam11.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\WWW\tlo_dvr_mini.$$A (3 bytes)
%Program Files% (x86)\Your Camera\Java application for mobile\YourCamera.$$A (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\User's Guide.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Konwerter\zlib.$$A (2543 bytes)
%Program Files% (x86)\Your Camera\Konwerter\python15.$$A (10504 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam15.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam10.$$A (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\Uninstall.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam14.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\setup.exe (16 bytes)
%Program Files% (x86)\Your Camera\Konwerter\wbmpconv.$$A (16040 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam16.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\tk80.$$A (13968 bytes)
%Program Files% (x86)\Your Camera\Uninstal.exe (104947 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam8.$$A (2104 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Your Camera.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Uninstal.$$A (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\Your Camera.lnk (1 bytes)
%Program Files% (x86)\Your Camera\User's guide.$$A (12487 bytes)
%Program Files% (x86)\Your Camera\YourCamera.$$A (51548 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam2.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\_imaging.$$A (6040 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam12.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\tcl80.$$A (7168 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam4.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam6.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam9.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam7.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam5.$$A (2104 bytes)
The process runonce.exe:1412 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
Registry activity
The process TPAutoConnSvc.exe:1844 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"
[HKU\.DEFAULT\Printers\DevModes2]
"HP LaserJet Professional M1212nf MFP#:3" = "48 00 50 00 20 00 4C 00 61 00 73 00 65 00 72 00"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
The process InfDefaultInstall.exe:2016 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.I420" = "iyuv_32.dll"
"midimapper" = "midimap.dll"
"msacm.msg711" = "msg711.acm"
"vidc.cvid" = "iccvid.dll"
[HKLM\System\CurrentControlSet\Control\MediaResources\icm\vidc.mp43]
"Description" = "nAVI Vx3 MPEG-4 Codec"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave" = "wdmaud.drv"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DIVXCodec]
"DisplayName" = "nAVI Vx3 MPEG-4 Codec"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.yuy2" = "msyuv.dll"
"vidc.mrle" = "msrle32.dll"
"midi" = "wdmaud.drv"
"wavemapper" = "msacm32.drv"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log" = "4096"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.msvc" = "msvidc32.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"(Default)" = "0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.yvyu" = "msyuv.dll"
"msacm.imaadpcm" = "imaadp32.acm"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.uyvy" = "msyuv.dll"
"aux" = "wdmaud.drv"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DIVXCodec]
"UninstallString" = "C:\Windows\rundll.exe setupx.dll,InstallHinfSection Remove_nAVI 132 C:\Windows\INF\divx.inf"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mp43" = "mpg4c32.dll"
"msacm.msgsm610" = "msgsm32.acm"
"Mixer" = "wdmaud.drv"
[HKLM\System\CurrentControlSet\Control\MediaResources\icm\vidc.mp43]
"driver" = "mpg4c32.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.iyuv" = "iyuv_32.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\setup]
"DisplayName" = "setup (Remove only)"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"msacm.msadpcm" = "msadp32.acm"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\setup]
"UninstallString" = "C:\Windows\rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\setup.inf,DefaultUninstall"
[HKLM\System\CurrentControlSet\Control\MediaResources\icm\vidc.mp43]
"FriendlyName" = "nAVI Vx3 MPEG-4 Codec"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"Wallpaper" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.yvu9" = "tsbyuv.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"TileWallpaper" = "0"
To run itself automatically each time Windows boots, the Worm adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup]
"Registering nAVI Vx3 MPEG-4 Codec" = "C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\mpg4ds32.ax"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper" = "runonce"
"GrpConv" = "grpconv -o"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.i420"
"msacm.msgsm610"
"midimapper"
"msacm.msg711"
"mixer"
"msacm.msadpcm"
"vidc.msvc"
"vidc.cvid"
"vidc.yvyu"
"aux"
"msacm.imaadpcm"
"vidc.uyvy"
"wave"
"vidc.yvu9"
"vidc.yuy2"
"vidc.mrle"
"vidc.iyuv"
"wavemapper"
"midi"
The process regsvr32.exe:2440 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\Wow6432Node\CLSID\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\mpg4ds32.ax"
[HKCR\Wow6432Node\CLSID\{075BB8A1-B7D8-11D2-A1C6-00609778EA66}]
"(Default)" = "Microcrap MPEG-4 Video Decompressor About Page"
[HKCR\Wow6432Node\CLSID\{075BB8A1-B7D8-11D2-A1C6-00609778EA66}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\mpg4ds32.ax"
[HKCR\Wow6432Node\CLSID\{598EBA02-B49A-11D2-A1C1-00609778EA66}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}]
"FilterData" = "02 00 00 00 00 00 80 00 02 00 00 00 00 00 00 00"
[HKCR\Wow6432Node\CLSID\{598EBA02-B49A-11D2-A1C1-00609778EA66}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\mpg4ds32.ax"
[HKCR\Wow6432Node\CLSID\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{598EBA02-B49A-11D2-A1C1-00609778EA66}]
"(Default)" = "Microcrap MPEG-4 Video Decompressor Property page"
[HKCR\Wow6432Node\CLSID\{075BB8A1-B7D8-11D2-A1C6-00609778EA66}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}]
"FriendlyName" = "Microcrap MPEG-4 Video Decompressor"
"CLSID" = "{82CCD3E0-F71A-11D0-9FE5-00609778EA66}"
[HKCR\Wow6432Node\CLSID\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}]
"(Default)" = "Microcrap MPEG-4 Video Decompressor"
The process %original file name%.exe:212 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Your Camera]
"DisplayName" = "Your Camera"
"UninstallString" = "%Program Files% (x86)\Your Camera\Uninstal.exe"
The process runonce.exe:2388 makes changes in the system registry.
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup]
The Worm deletes the following value(s) in system registry:
The Worm disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"WarnTimeChanged"
The process runonce.exe:1412 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
The Worm disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper"
"GrpConv"
The process setup.exe:1960 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
7b993b3d92615c5f00e7f60817589fa2 | c:\Program Files (x86)\Your Camera\Konwerter\_imaging.dll |
68fa6e397d02f943e3fba9fd37fd95ce | c:\Program Files (x86)\Your Camera\Konwerter\_tkinter.pyd |
b4d91220658a37890b2c31630d303c14 | c:\Program Files (x86)\Your Camera\Konwerter\python15.dll |
40bf108c70798eeceb2fd6a8fd45424b | c:\Program Files (x86)\Your Camera\Konwerter\tcl80.dll |
58fc4540e4b0d8839f9b4e3591a5719d | c:\Program Files (x86)\Your Camera\Konwerter\tk80.dll |
618f3bfeab6c8a2634cdc142b5875e44 | c:\Program Files (x86)\Your Camera\Konwerter\wbmpconv.exe |
571a2db9cd16dcf77e6016754edaa4ea | c:\Program Files (x86)\Your Camera\Konwerter\zlib.pyd |
e60617324ca9729ef191dc98f9fdbc1e | c:\Program Files (x86)\Your Camera\Uninstal.exe |
6e08bbc98f423b054177f474e060836d | c:\Program Files (x86)\Your Camera\YourCamera.exe |
fa07ca8837b7fe9ca6d1978bad6d260d | c:\Program Files (x86)\Your Camera\setup.exe |
1c1e13493b46c3f79880a5dc37414424 | c:\Windows\SysWOW64\MPG4C32.DLL |
2b6ae88abfa78beb6e55e721cd632361 | c:\Windows\SysWOW64\MPG4DS32.AX |
1c1e13493b46c3f79880a5dc37414424 | c:\Windows\System32\MPG4C32.DLL |
2b6ae88abfa78beb6e55e721cd632361 | c:\Windows\System32\MPG4DS32.AX |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TPAutoConnSvc.exe:1844
InfDefaultInstall.exe:2016
regsvr32.exe:2440
runonce.exe:2388
runonce.exe:1412
setup.exe:1960
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Windows\SysWOW64\SET8F.tmp (1281 bytes)
C:\Windows\SysWOW64\SETA0.tmp (7809 bytes)
C:\Windows\SysWOW64\SETA1.tmp (2321 bytes)
C:\Windows\inf\SET5E.tmp (2 bytes)
C:\Windows\SysWOW64\SET8E.tmp (4984 bytes)
C:\Windows\SysWOW64\MPG4DS32.AX (245 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam1.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\exceptions.$$A (10 bytes)
%Program Files% (x86)\Your Camera\setup.$$A (16341 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam3.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\_tkinter.$$A (707 bytes)
%Program Files% (x86)\Your Camera\YourCamera.exe (291 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam13.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam11.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\WWW\tlo_dvr_mini.$$A (3 bytes)
%Program Files% (x86)\Your Camera\Java application for mobile\YourCamera.$$A (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\User's Guide.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Konwerter\zlib.$$A (2543 bytes)
%Program Files% (x86)\Your Camera\Konwerter\python15.$$A (10504 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam15.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam10.$$A (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\Uninstall.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam14.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\setup.exe (16 bytes)
%Program Files% (x86)\Your Camera\Konwerter\wbmpconv.$$A (16040 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam16.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\tk80.$$A (13968 bytes)
%Program Files% (x86)\Your Camera\Uninstal.exe (104947 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam8.$$A (2104 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Your Camera.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Uninstal.$$A (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\Your Camera.lnk (1 bytes)
%Program Files% (x86)\Your Camera\User's guide.$$A (12487 bytes)
%Program Files% (x86)\Your Camera\YourCamera.$$A (51548 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam2.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\_imaging.$$A (6040 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam12.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\tcl80.$$A (7168 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam4.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam6.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam9.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam7.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam5.$$A (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup]
"Registering nAVI Vx3 MPEG-4 Codec" = "C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\mpg4ds32.ax"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper" = "runonce"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: Your Camera Install Program
Product Version: 2, 0, 0, 31
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2, 0, 0, 31
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 90112 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 94208 | 57344 | 56832 | 5.48311 | f9849246c739e98d2072e551bae77523 |
.rsrc | 151552 | 12288 | 11776 | 3.34702 | 22d21d3c9e8ad1acce8e77703b4bf87d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2ce2d2aa7691b7eb | |
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.202.16 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 | 87.245.202.24 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.202.16 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2ce2d2aa7691b7eb | 87.245.202.24 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.202.16 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
hxxp://crl.verisign.com/pca3.crl | 23.43.133.163 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.202.16 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2ce2d2aa7691b7eb HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Mon, 15 Dec 2014 17:00:49 GMT
Connection: keep-alive
MSCF............,...................O.......'#.........D.z .disallowedcert.stl....2..'#CK...8T...g........g.k..".....mlI."d..m...P$"....e.J........z.....\..........9g.9....~.........Q.Q......Q..DL.8.C.PS.K0.!P.0........#.DY.8.....V.....$.C....a.0...........`......;.S.....0#...m... ..`0...?.!vR?.....d....`......_@..}....$...i..OR'..$....K..'Z....o.g..*.Vc.....[nY e./.EJ...B.Y.......Ag......!....9......u..!..1Yy.......r...Ss^@...M.Dtl\....i.k....3...B.Z.:.p.N....*......x,...ah/..].[....GB..T..$A....SY..t.E5R..R...9!....*.*68V....1... ...Q{...".Op@L.2M...1;xd{.C.u?..e.U.=f.nx.........y.G..0.......\L .'.^....$......N=..m...UjrZs...J.I.C....;......q_..e......?.T..2..bw....E.L.{...S...~.<.........-.Q..|.l. .1..6r....[}!J..,...naPk.U.... ..{@LH..W....>.Sq...8.5.,.z..0.jL.S..........]...yW_...Y.1..h.7...9{.....I......g.Y.,1...i8n.6..........4.]...........=........^..n.K7...c.g).Z. .0..$7.ys.p...B.5.].f...|(3!.|..P...j..^..j....#(...@...As..*.O..i..u....9..S.Y.n..HXW...F ..i...:.......!.] r......D..*ld.b.>>:Pp.....5:1 o=..5.'..4.......hO....{.V.rx..V...%.}..u...6Wv-..".iV.b..B0.Q..,...E.Dy...x..5....?Z.$L..1.....4...=.....g!....%..:..c..j..v~....._R.6.......;.#.Y*p..J.4.#'..Vo...g^K...J....._.^..u...)....&/.....q....o......4.....S...,q.....p.8IIe.....d|.3{)...M.0.X...4.."..P.......Hk.... ]!.!... ..#.x..<..X.........'.E(<b[.......#.. ....XiLl|..=.....&P.@H.J.oo...a...x B....l.....@.P......!8..@...q2..;.......mm....>~............j%..>.X.,V...J...C ....*..Z.8- RKGW...0./Z.__..)7g_'{.......pr......;.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=457404, public, no-transform, must-revalidate
Last-Modified: Sun, 14 Dec 2014 00:03:56 GMT
Expires: Sun, 21 Dec 2014 00:03:56 GMT
Date: Mon, 15 Dec 2014 17:02:11 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20141214000356Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20141214000356Z....20141221000356Z0...*.H................t.(:....I.m....0..C...1...5.....3.E._.'=.B...T0...&KN9..[.....'......F....>..o"9T...Jn......]..K....`$_......Rb....K*...ln......F.>/..^.V...]..]..a..2..QO .Jw>....4.Q6..;..S...%4......h.v%...VM......}...on.=,...6..._..\p@4..<R...Pm..XkK..f7U.-...a....2B....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=434486, public, no-transform, must-revalidate
Last-Modified: Sat, 13 Dec 2014 17:38:38 GMT
Expires: Sat, 20 Dec 2014 17:38:38 GMT
Date: Mon, 15 Dec 2014 17:02:16 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20141213173838Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20141213173838Z....20141220173838Z0...*.H................;....f...2H.:.v...h.n...1..N4.1..PppH[vj(....I..T.`..!.G..>F.....OK..I.......U4.......qF3qe..'VB.n...X..#..."j:.?......... ..6{e._........l..|.....6...H.4z.Mw6....\.!..B..^A..e....;Gm.BqF.1...Y....L.A...0.T...Tb...n.uC..3.$....^{..@j.Q.v...i...........>...#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=580578, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT
Expires: Mon, 22 Dec 2014 10:19:02 GMT
Date: Mon, 15 Dec 2014 17:02:46 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20141215101902Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20141215101902Z....20141222101902Z0...*.H.............A.?v....x...R..IV..........9.%...OQ.&lm..L81!.l4......v,.....:e.......m.2\$K.I.GS..E95.J.G;...T...lj.....f.=.5!$..cM..0'....F.k.n.$.6s...V.<.xbrT....).nC...`Q.m18d.....V...?9O..X.$...bZ...[.....%z^.....'...l..e....b.(q..CH. .........T.M.d.:...@4.Sk.d!..-,....#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U...
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791936916300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 15 Dec 2014 17:01:36 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W0... .....7......150210174206Z0...*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..-@.HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT..Accept-Ranges: bytes..ETag: "88cab6f7ffcf1:0"..Server: Microsoft-IIS/8.5..VTag: 791936916300000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 554..Cache-Control: max-age=900..Date: Mon, 15 Dec 2014 17:01:36 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W0... .....7......150210174206Z0...*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\.
<<< skipped >>>
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Mon, 15 Dec 2014 17:02:22 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
Accept-Ranges: bytes
ETag: "a2f3ff97eeecf1:0"
Server: Microsoft-IIS/8.5
VTag: 791939326400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Mon, 15 Dec 2014 17:00:55 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
Accept-Ranges: bytes
ETag: "3e1c83923e1cf1:0"
Server: Microsoft-IIS/8.0
VTag: 438466244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Mon, 15 Dec 2014 17:01:01 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
Accept-Ranges: bytes
ETag: "58cddbea90dfcf1:0"
Server: Microsoft-IIS/8.5
VTag: 279619316300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Mon, 15 Dec 2014 17:01:06 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=434323, public, no-transform, must-revalidate
Last-Modified: Sat, 13 Dec 2014 17:38:40 GMT
Expires: Sat, 20 Dec 2014 17:38:40 GMT
Date: Mon, 15 Dec 2014 17:02:35 GMT
Connection: keep-alive
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Mon, 15 Dec 2014 17:01:42 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=561100, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 04:54:07 GMT
Expires: Mon, 22 Dec 2014 04:54:07 GMT
Date: Mon, 15 Dec 2014 17:02:28 GMT
Connection: keep-alive
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_212:
.rsrc
zhXXp://w.clic
kteam.com
%S<:w>
zhXXp://VVV.clickteam.com
D$%S<:w>
.clit/
.clit
(hXXp://VVV.clickteam.com/pub
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
inflate 1.1.3 Copyright 1995-1998 Mark Adler
__MSVCRT_HEAP_SELECT
user32.dll
Software\Microsoft\Windows\CurrentVersion
KERNEL32.DLL
hXXps://
hXXp://
uxtheme.dll
1.1.3
msiexec
#Windows#
%s "%s"
%s%3.3d
-q "%s"
oleaut32.dll
-s "%s"
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
\WININIT.INI
/B%d /DEL
_inst%d.exe
rundll32 desk.cpl,InstallScreenSaver %s
RICHED32.DLL
RICHED20.DLL
c:\%original file name%.exe
GetCPInfo
WinExec
GetWindowsDirectoryA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
ShellExecuteA
ExitWindowsEx
.text
`.rdata
@.data
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
ole32.dll
SHELL32.dll
USER32.dll
VERSION.dll
2, 0, 0, 31
%original file name%.exe_212_rwx_00401000_00023000:
zhXXp://VVV.clickteam.com
D$%S<:w>
.clit/
.clit
(hXXp://VVV.clickteam.com/pub
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
inflate 1.1.3 Copyright 1995-1998 Mark Adler
__MSVCRT_HEAP_SELECT
user32.dll
Software\Microsoft\Windows\CurrentVersion
KERNEL32.DLL
hXXps://
hXXp://
uxtheme.dll
1.1.3
msiexec
#Windows#
%s "%s"
%s%3.3d
-q "%s"
oleaut32.dll
-s "%s"
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
\WININIT.INI
/B%d /DEL
_inst%d.exe
rundll32 desk.cpl,InstallScreenSaver %s
RICHED32.DLL
RICHED20.DLL
c:\%original file name%.exe
GetCPInfo
WinExec
GetWindowsDirectoryA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
ShellExecuteA
ExitWindowsEx
.text
`.rdata
@.data
.rsrc