Trojan.Win32.Agentb.aanb (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Swrort.3.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 55a14e7f3d6b234ac12d063e41524f50
SHA1: 3f5f19b59de704c66433967374096991b9249756
SHA256: e051e5a91be289068b041f0232127f3af00df7ac96b60ad8295aac1dd2a38456
SSDeep: 12288:KTyjXW 48qWywrU4kGFezOAVuJ5PIXww7F5DO3HYffINNxvt1H:gIXW/8yw1ez54lIbF5SXYH6NL1H
Size: 758427 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Piriform Ltd.
Created at: 2011-01-18 16:44:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
%original file name%.exe:1664
The Virus injects its code into the following process(es):
rundll32.exe:1784
Explorer.EXE:840
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1664 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A062B_Rar\%original file name%.exe (5441 bytes)
The process rundll32.exe:1784 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uvdnv.exe (741 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A1260_Rar\rundll32.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlkir.exe (15019 bytes)
C:\autorun.inf (272 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%System%\drivers\likrhn.sys (5 bytes)
C:\cyypay.pif (103 bytes)
The Virus deletes the following file(s):
%System%\drivers\likrhn.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A062B_Rar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlkir.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A062B_Rar\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uvdnv.exe (0 bytes)
Registry activity
The process %original file name%.exe:1664 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "383921497"
[HKCU\Software\Aas\695404737]
"35845605" = "419"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "247D32B83D47435F2ED0E33C5DD34E729A41500BEC3D7263C63EA032241876F9CA2AB0B709E472865D6C4A30392434DF4508B4552311855571DEB262EFB3B690133A5F283FE741ABB1DFAAE9E664B81EDE3B4A95232E0898017CACF1EB56D1F98C1AFB26401F8945DB790B927771E8A250144DE11B6B0D0D4F0F193516E9AAD7"
"43014726" = "0B00687474703A2F2F7777772E6572692E6564752E706B2F696D616765732F6C6F676F2E67696600687474703A2F2F666F75726C696E652E636F6D2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F65796C656E6972696B2E62697A2F6C6F676F2E67696600687474703A2F2F666F7462616C6261736B612E79632E637A2F696D616765732F666D61696E2E67696600687474703A2F2F65736B696D6F7669652E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F657374657469636165737061636F62656D65737461722E636F6D2E62722F6C6F676F2E67696600687474703A2F2F666F7263656C696E652E636F6D2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F65736F757263652E636F2E696E2F696D616765732F6C6F676F322E67696600687474703A2F2F6164732E797570706164732E636F6D2F6C6F676F2E67696600687474703A2F2F636172743133332E6F72672F696D616765732F6D61696E2E67696600687474703A2F2F66696E65706561726C2E636F6D2E686B2F696D616765732F6C6F676F2E676966"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Msversion" = "2007"
[HKCU\Software\Aas\695404737]
"7169121" = "138"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A DE 21 84 9E 76 90 B9 42 FB 16 38 DD 78 12 02"
[HKCU\Software\Aas]
"a2_0" = "7269"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process rundll32.exe:1784 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"35845605" = "419"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "247D32B83D47435F2ED0E33C5DD34E729A41500BEC3D7263C63EA032241876F9CA2AB0B709E472865D6C4A30392434DF4508B4552311855571DEB262EFB3B690133A5F283FE741ABB1DFAAE9E664B81EDE3B4A95232E0898017CACF1EB56D1F98C1AFB26401F8945DB790B927771E8A250144DE11B6B0D0D4F0F193516E9AAD7"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "138"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 0D 0D EF C4 1E 6D 8D CF 1A 56 33 29 1D 31 5C"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Firewall notifications are disabled:
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\Microsoft\Office]
"Rundll32.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe:*:Enabled:ipsec"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The Virus deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
The Virus deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"
Dropped PE files
MD5 | File path |
---|---|
fe9261575638dec5742ddfba5b5fb19c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\001A1260_Rar\rundll32.exe |
951edcadf2363c5b1ff5711264d7748e | c:\cyypay.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1664
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A062B_Rar\%original file name%.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uvdnv.exe (741 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A1260_Rar\rundll32.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlkir.exe (15019 bytes)
C:\autorun.inf (272 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%System%\drivers\likrhn.sys (5 bytes)
C:\cyypay.pif (103 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 569841 | 569856 | 4.61284 | 256132fea20837d2e598fb8d4f01d959 |
.rdata | 577536 | 58474 | 58880 | 3.75497 | e40dfac2aa919c953afc3e5f529b3350 |
.data | 638976 | 36632 | 10752 | 2.54749 | e27b8dce8893e88554c3004d7188b557 |
.rsrc | 675840 | 114688 | 113664 | 5.12956 | bb1991214b9f49c6cb77b45981dbfeec |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
d13f99c6b34deee4508a46fb6e697d7b
c73a79c442f40c43136a90a94bc984e5
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Virus connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_1784:
.text
.rdata
.data
.rsrc
!"#$%%&'())* ,-./0123456789:;<""=>
T$%UR
RSSh<RI>
RSSh@SI
xSSSh
FTPjKS
FtPj;S
C.PjRV
portuguese-brazilian
GetProcessWindowStation
operator
AutoHotkey
AppsKey
ListHotkeys
KeyHistory
DetectHiddenWindows
SetKeyDelay
KeyWait
GetKeyState
URLDownloadToFile
MsgBox
IfMsgBox
Hotkey
AHK Keybd
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
Modifiers (Hook's Logical) = %s
Modifiers (Hook's Physical) = %s
Prefix key is down: %s
NOTE: Only the script's own keyboard events are shown
(not the user's), because the keyboard hook isn't installed.
NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)
The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist, U=Unicode character (SendInput).
E7 X
X X
%u hotkeys have been received in the last %ums.
(see #MaxHotkeysPerInterval in the help file)
Nonexistent hotkey. The current thread will exit.
Nonexistent hotkey variant (IfWin). The current thread will exit.
Max hotkeys.
The AltTab hotkey "%s" must specify which key (L or R).
The AltTab hotkey "%s" must have exactly one modifier/prefix.
"%s" is not allowed as a prefix key.
"%s" is not a valid key name. The current thread will exit.
SCx
%s[%Iu of %Iu]: %-1.60s%s
%s[Object]: 0x%p
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%s\%s
AutoHotkey2
Critical Error: %s
<>=/|^,:*&~!()[] -?."'\;`{}
>AUTOHOTKEY SCRIPT<
Could not extract script from EXE.
<>=/|^,:
<>=/|^,:. -*&!?~
Join
Hotkeys/hotstrings are not allowed inside functions.
Duplicate hotkey.
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.
*%s::
if not GetKeyState("%s")
{Blind}%s%s{%s DownTemp}
*%s up::
{Blind}{%s Up}
#InstallKeybdHook
#HotkeyModifierTimeout
#HotkeyInterval
#MaxHotkeysPerInterval
#MaxThreadsPerHotkey
#KeyHistory
#MenuMaskKey
: -*/|&^.
<>=/|^,:*&~!()[] -?."
Invalid hotkey.
"%s" requires at least %d parameter%s.
"%s" requires that parameter #%u be non-blank.
<>=/|^,:*&~!()[]"
<>=/|^,:*&~!()[] -?
Unsupported use of "."
<>=/|^,:*&~!()[] -?.
Unsupported parameter default.
HasKey
detecthiddenwindows
keydelay
subkey
thishotkey
priorhotkey
timesincethishotkey
timesincepriorhotkey
Unsupported use of "["
Too many parameters passed to function.
Too few parameters passed to function.
%s%s%s
%%%s%s%s
Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.
u:
if %s %s %s and %s
%s%s %s %s
For %s,%s in %s
%s (%d) : ==> %s
Specifically: %s
in #include file "%s"
%s%s:%s %-1.500s
Specifically: %-1.100s%s
Error at line %u
Line Text: %-1.100s%s
Local Variables for %s()%s
%sGlobal Variables (alphabetical)%s
Window: %s
Keybd hook: %s
Mouse hook: %s
Enabled Timers: %u of %u (%s)
Interrupted threads: %d%s
Paused threads: %d of %d (%d layers)
Modifiers (GetKeyState() now) = %s
Key History has been disabled via #KeyHistory 0.
System verbs unsupported with RunAs. The current thread will exit.
%s %s
.exe.bat.com.cmd.hta
Verb: <%s>
Action: <%-0.400s%s>%s
Params: <%-0.400s%s>
EndKey:
0xX
0xX
%sLeft
%sTop
%sRight
%sBottom
\AU3_Spy.exe"
%sAU3_Spy.exe"
\AutoHotkey.chm"
%sAutoHotkey.chm"
hh.exe
http://www.autohotkey.com
Could not open URL http://www.autohotkey.com in default browser.
SOFTWARE\AutoHotkey
AutoHotkey v1.0.92.02
set cdaudio door %s wait
open %s type cdaudio alias cd wait shareable
set cd door %s wait
\\.\%c:
Mixer Doesn't Support This Component Type
Component Doesn't Support This Control Type
open "%s" alias AHK_PlayMe
Select File - %s
%s%c%sÊll Files (*.*)%c*.*%c
All Files (*.*)
Text Documents (*.txt)
*.txt
1.0.92.02
\AutoHotkey.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Pos%s
Len%s
Pos%d
Len%d
Compile error %d at offset %d: %s
RunAs: Missing advapi32.dll. The current thread will exit.
0.0.0.0
InternetOpenUrlA
Select Folder - %s
%u.%u.%u.%u
0xX -
%s%ws
AutoHotkeyGUI
%dGui
Button%s
msctls_hotkey32
Report
Password
vkX
Supported only for the tray menu The current thread will exit.
&Suspend Hotkeys
dd
dddddd
GdiplusShutdown
The following %s name contains an illegal character:
"%-1.300s"%s
The maximum number of MsgBoxes has been reached.
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
Error text not found (please report)
WSOCK32.dll
WINMM.dll
VERSION.dll
COMCTL32.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardLayout
SetWindowsHookExA
UnhookWindowsHookEx
RegisterHotKey
UnregisterHotKey
GetAsyncKeyState
GetKeyboardState
SetKeyboardState
keybd_event
VkKeyScanExA
GetKeyNameTextA
MapVirtualKeyA
EnumChildWindows
EnumWindows
ExitWindowsEx
USER32.dll
GDI32.dll
COMDLG32.dll
RegCloseKey
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
ShellExecuteExA
SHFileOperationA
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
GetProcessHeap
zcÁ
-()[]{}:;'"/\,.?!
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Office
#%'''<[[^^\\]
"%Â<aabm>
$-8GGhnsrr}
$-9GGggs}s
%Mgr.RhY4RfE5Qd:f
PA<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.48.05" processorArchitecture="*" name="Microsoft.Windows.AutoHotkey" type="win32"></assemblyIdentity><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PADDINGXXPADDINGPADD
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001A1260_Rar\rundll32.exe
rundll32.exe
http://www.eri.edu.pk/images/logo.gif
http://fourline.com.tr/images/logo.gif
http://eylenirik.biz/logo.gif
http://fotbalbaska.yc.cz/images/fmain.gif
http://eskimovie.com/images/logo.gif
http://esteticaespacobemestar.com.br/logo.gif
http://forceline.com.tr/images/logo.gif
http://esource.co.in/images/logo2.gif
http://ads.yuppads.com/logo.gif
http://cart133.org/images/main.gif
http://finepearl.com.hk/images/logo.gif
uCo9%f
%F`;O
http://89.11
.info/home.gifI
W.text
L32.dll
^p.At%
rnl.exe?
= =$=(=,=0=4=8=<=@
rv:1.9.2.3)
.NEtCLR
.klkjw:9fqwiBu
f3a.sysB
D6c.pBTab
drfig%s:*:
0}.T&?%x=
~UrlA'W
\'Web%
HTTP)s'PJ
o.ENHCD
KPCKwWEBWUPD
>*?456789:;<=
!"#$%&'()* ,-./01230 0
MSVCRT.dll
WS2_32.dll
.xJnN
C.el3
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
&Lines most recently executed
&Hotkeys and their methods
&Key history and script info
&Web Site
rundll32.exe_1784_rwx_003D0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
rundll32.exe_1784_rwx_003E0000_00001000:
|rundll32.exeM_1784_
rundll32.exe_1784_rwx_004AE000_00011000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001A1260_Rar\rundll32.exe
rundll32.exe
.rsrc
.text
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
http://www.eri.edu.pk/images/logo.gif
http://fourline.com.tr/images/logo.gif
http://eylenirik.biz/logo.gif
http://fotbalbaska.yc.cz/images/fmain.gif
http://eskimovie.com/images/logo.gif
http://esteticaespacobemestar.com.br/logo.gif
http://forceline.com.tr/images/logo.gif
http://esource.co.in/images/logo2.gif
http://ads.yuppads.com/logo.gif
http://cart133.org/images/main.gif
http://finepearl.com.hk/images/logo.gif
uCo9%f
%F`;O
http://89.11
.info/home.gifI
W.text
L32.dll
^p.At%
rnl.exe?
= =$=(=,=0=4=8=<=@
rv:1.9.2.3)
.NEtCLR
.klkjw:9fqwiBu
f3a.sysB
D6c.pBTab
drfig%s:*:
0}.T&?%x=
~UrlA'W
\'Web%
HTTP)s'PJ
o.ENHCD
KPCKwWEBWUPD
>*?456789:;<=
!"#$%&'()* ,-./01230 0
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
rundll32.exe_1784_rwx_010E0000_0108E000:
c:\windows
http://www.eri.edu.pk/images/logo.gif
http://fourline.com.tr/images/logo.gif
http://eylenirik.biz/logo.gif
http://fotbalbaska.yc.cz/images/fmain.gif
http://eskimovie.com/images/logo.gif
http://esteticaespacobemestar.com.br/logo.gif
http://forceline.com.tr/images/logo.gif
http://esource.co.in/images/logo2.gif
http://ads.yuppads.com/logo.gif
http://cart133.org/images/main.gif
http://finepearl.com.hk/images/logo.gif
%System%\drivers\likrhn.sys
17054377310
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet 
Settings</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>http://www.klkjwre9fqwieluoi.info/</pre><pre>http://kukutrustnet777888.info/</pre><pre>Software\Microsoft\Windows\CurrentVersion\policies\system</pre><pre>Software\Microsoft\Windows\ShellNoRoam\MUICache</pre><pre>%s:*:Enabled:ipsec</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced</pre><pre>GdiPlus.dll</pre><pre>http://</pre><pre>ipfltdrv.sys</pre><pre>www.microsoft.com</pre><pre>?%x=%d</pre><pre>&%x=%d</pre><pre>SYSTEM.INI</pre><pre>USER32.DLL</pre><pre>.%c%s</pre><pre>\\.\amsint32</pre><pre>NTDLL.DLL</pre><pre>autorun.inf</pre><pre>ADVAPI32.DLL</pre><pre>win%s.exe</pre><pre>%s.exe</pre><pre>WININET.DLL</pre><pre>InternetOpenUrlA</pre><pre>avast! Web Scanner</pre><pre>Avira AntiVir Premium WebGuard</pre><pre>cmdGuard</pre><pre>cmdAgent</pre><pre>Eset HTTP Server</pre><pre>ProtoPort Firewall service</pre><pre>SpIDer FS Monitor for Windows NT</pre><pre>Symantec Password Validation</pre><pre>WebrootDesktopFirewallDataService</pre><pre>WebrootFirewall</pre><pre>%d%d.tmp</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</pre><pre>%s\%s</pre><pre>%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats</pre><pre>Software\Microsoft\Windows\CurrentVersion\Ext\Stats</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects</pre><pre>Explorer.exe</pre><pre>A2CMD.</pre><pre>ASHWEBSV.</pre><pre>AVGCC.AVGCHSVX.</pre><pre>DRWEB</pre><pre>DWEBLLIO</pre><pre>DWEBIO</pre><pre>FSGUIEXE.</pre><pre>MCVSSHLD.</pre><pre>NPFMSG.</pre><pre>SYMSPORT.</pre><pre>WEBSCANX.</pre><pre>.adata</pre><pre>M_%d_</pre><pre>%c%d_%d</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>GetProcessHeap</pre><pre>GetWindowsDirectoryA</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyA</pre><pre>RegOpenKeyExA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>SHFileOperationA</pre><pre>&3&3&3&389</pre><pre>.rdata</pre><pre>.data</pre><pre>rnl.exe?</pre><pre>= 
=$=(=,=0=4=8=<=@</pre><pre>rv:1.9.2.3)</pre><pre>.NEtCLR</pre><pre>.klkjw:9fqwiBu</pre><pre>f3a.sysB</pre><pre>D6c.pBTab</pre><pre>drfig%s:*:</pre><pre>0}.T&?%x=</pre><pre>~UrlA'W</pre><pre>\'Web%</pre><pre>HTTP)s'PJ</pre><pre>o.ENHCD</pre><pre>KPCKwWEBWUPD</pre><pre>>*?456789:;<=</pre><pre>!"#$%&'()* ,-./01230 0</pre><pre>ADVAPI32.dll</pre><pre>MSVCRT.dll</pre><pre>SHELL32.dll</pre><pre>WS2_32.dll</pre><b>Explorer.EXE_840_rwx_01450000_00002000:</b><pre>SHELL32.DLL</pre><pre>ShellExecuteA</pre><pre>KERNEL32.DLL</pre><pre>.rsrc</pre><pre>.text</pre><b>Explorer.EXE_840_rwx_01D60000_00001000:</b><pre>|explorer.exeM_840_</pre></aabm></pre></pre></RI>