Skip to main content

Worm.Win32.AutoItGen_da0c526ee8


Trojan.Ciusky.Gen.17 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)Behaviour: Trojan, Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: da0c526ee855e15a9f1946818e54ad2f

SHA1: 2dfd34e02adfa1889255c38a578bf9d626f73cd5

SHA256: eb960aa9f1e3faf23c031a62a35c622f3342dfc59f1a7d1c24ea7ffee454a1bb

SSDeep: 12288:Cat0EAH49n8BdYQqLWsDz8E6Cuw78YOJEn1GUEVQqYHQFOH9LPsv5mrNm4D29E:tt24CYJLDDz8mu68GGUEtsh7N1D2q

Size: 798814 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2013-08-22 16:00:50

Analyzed on: WindowsXP SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

taskdvr.exe:204
%original file name%.exe:1540

The Worm injects its code into the following process(es):

RegSvcs.exe:1876

File activity

The process taskdvr.exe:204 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\4l9f86k7\75780.vbs (129 bytes)
%Documents and Settings%\%current user%\4l9f86k7\93740.cmd (72 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (712 bytes)
%Documents and Settings%\%current user%\4l9f86k7\run.vbs (95 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\desktop.ini (0 bytes)

The process %original file name%.exe:1540 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\4l9f86k7\RqjSpEctJSk.PWA (242633 bytes)
%Documents and Settings%\%current user%\4l9f86k7\taskdvr.exe (31505 bytes)
%Documents and Settings%\%current user%\4l9f86k7\hVilT.IDN (35 bytes)
%Documents and Settings%\%current user%\4l9f86k7\DNPXQm.DPJ (337 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\4l9f86k7\__tmp_rar_sfx_access_check_1047265 (0 bytes)

The process RegSvcs.exe:1876 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

C:\s.ini (4 bytes)

Registry activity

The process taskdvr.exe:204 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 36 6C 9B 77 EB 4C 61 5D 88 26 19 C1 7E 2D 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"4l9f86k7" = "C:\DOCUME~1\"%CurrentUserName%"\4l9f86k7\75780.vbs"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

The process %original file name%.exe:1540 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 F5 41 1F A3 5C D5 34 30 B5 CD C4 6B AF E4 6C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\4l9f86k7]
"taskdvr.exe" = "AutoIt v3 Script"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process RegSvcs.exe:1876 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 A7 FD 1B DD 43 27 08 2A A8 0C A2 BB C6 3D 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"taskdvr" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Dropped PE files

MD5 File path
e01ced5c12390ff5256694eda890b33ac:\Documents and Settings\"%CurrentUserName%"\4l9f86k7\taskdvr.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    taskdvr.exe:204
    %original file name%.exe:1540

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\4l9f86k7\75780.vbs (129 bytes)
    %Documents and Settings%\%current user%\4l9f86k7\93740.cmd (72 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (712 bytes)
    %Documents and Settings%\%current user%\4l9f86k7\run.vbs (95 bytes)
    %Documents and Settings%\%current user%\4l9f86k7\RqjSpEctJSk.PWA (242633 bytes)
    %Documents and Settings%\%current user%\4l9f86k7\taskdvr.exe (31505 bytes)
    %Documents and Settings%\%current user%\4l9f86k7\hVilT.IDN (35 bytes)
    %Documents and Settings%\%current user%\4l9f86k7\DNPXQm.DPJ (337 bytes)
    C:\s.ini (4 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "4l9f86k7" = "C:\DOCUME~1\"%CurrentUserName%"\4l9f86k7\75780.vbs"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "taskdvr" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40961519341520644.6444492abffc6a56a40e47e60620bc02b652e
.rdata15974420291204803.691443bc937cdae1248917ecca2bfbd21ec86
.data18022413667251201.76024ec6b38244c52a1c8d4b504f9e1522d10
.rsrc3194881053921054724.42652db4e4e7884de1404bebee8919c7889d7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://fudcrypt.com/fd/1/m.php?do=getvers141.101.116.148
hxxp://fudcrypt.com/fd/1/m.php?do=status&cname=XP1&hw=&vers=&pr=&rm=141.101.116.148
hxxp://fudcrypt.com/fd/1/m.php?do=getcmd141.101.116.148

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps