Trojan.Ciusky.Gen.17 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: da0c526ee855e15a9f1946818e54ad2f
SHA1: 2dfd34e02adfa1889255c38a578bf9d626f73cd5
SHA256: eb960aa9f1e3faf23c031a62a35c622f3342dfc59f1a7d1c24ea7ffee454a1bb
SSDeep: 12288:Cat0EAH49n8BdYQqLWsDz8E6Cuw78YOJEn1GUEVQqYHQFOH9LPsv5mrNm4D29E:tt24CYJLDDz8mu68GGUEtsh7N1D2q
Size: 798814 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-22 16:00:50
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
taskdvr.exe:204
%original file name%.exe:1540
The Worm injects its code into the following process(es):
RegSvcs.exe:1876
File activity
The process taskdvr.exe:204 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\4l9f86k7\75780.vbs (129 bytes)
%Documents and Settings%\%current user%\4l9f86k7\93740.cmd (72 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (712 bytes)
%Documents and Settings%\%current user%\4l9f86k7\run.vbs (95 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\desktop.ini (0 bytes)
The process %original file name%.exe:1540 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\4l9f86k7\RqjSpEctJSk.PWA (242633 bytes)
%Documents and Settings%\%current user%\4l9f86k7\taskdvr.exe (31505 bytes)
%Documents and Settings%\%current user%\4l9f86k7\hVilT.IDN (35 bytes)
%Documents and Settings%\%current user%\4l9f86k7\DNPXQm.DPJ (337 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\4l9f86k7\__tmp_rar_sfx_access_check_1047265 (0 bytes)
This file name is the write-access probe that a WinRAR self-extracting (SFX) stub creates and removes in its destination folder, which indicates that the original file is a RAR SFX archive that unpacks the dropped components into the 4l9f86k7 folder.
The process RegSvcs.exe:1876 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\s.ini (4 bytes)
Registry activity
The process taskdvr.exe:204 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 36 6C 9B 77 EB 4C 61 5D 88 26 19 C1 7E 2D 35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
To run again after the next reboot, the Worm adds a link to its dropped script under the following registry autorun key (note that Windows removes a RunOnce value after it has executed once, so continued persistence relies on the entry being re-created or on the start.lnk dropped into the Startup folder):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"4l9f86k7" = "C:\DOCUME~1\"%CurrentUserName%"\4l9f86k7\75780.vbs"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The process %original file name%.exe:1540 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 F5 41 1F A3 5C D5 34 30 B5 CD C4 6B AF E4 6C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\4l9f86k7]
"taskdvr.exe" = "AutoIt v3 Script"
The Worm sets the IE security-zone option that includes all local (intranet) sites not listed in other zones in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm sets the option that includes all network paths (UNCs) in the Intranet Zone:
"UNCAsIntranet" = "1"
The Worm sets the option that includes all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
All three values correspond to the default state of IE's Local intranet zone options, so writing them does not by itself loosen the zone configuration.
The process RegSvcs.exe:1876 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 A7 FD 1B DD 43 27 08 2A A8 0C A2 BB C6 3D 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To run itself each time Windows starts, the Worm adds the following value to a registry autorun key; note that it points at the legitimate .NET RegSvcs.exe, the process into which the Worm injected its code, rather than at a dropped file:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"taskdvr" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Dropped PE files
MD5 | File path |
---|---|
e01ced5c12390ff5256694eda890b33a | c:\Documents and Settings\"%CurrentUserName%"\4l9f86k7\taskdvr.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskdvr.exe:204
%original file name%.exe:1540
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\4l9f86k7\75780.vbs (129 bytes)
%Documents and Settings%\%current user%\4l9f86k7\93740.cmd (72 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (712 bytes)
%Documents and Settings%\%current user%\4l9f86k7\run.vbs (95 bytes)
%Documents and Settings%\%current user%\4l9f86k7\RqjSpEctJSk.PWA (242633 bytes)
%Documents and Settings%\%current user%\4l9f86k7\taskdvr.exe (31505 bytes)
%Documents and Settings%\%current user%\4l9f86k7\hVilT.IDN (35 bytes)
%Documents and Settings%\%current user%\4l9f86k7\DNPXQm.DPJ (337 bytes)
C:\s.ini (4 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"4l9f86k7" = "C:\DOCUME~1\"%CurrentUserName%"\4l9f86k7\75780.vbs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"taskdvr" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
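The removal steps above can be turned into a host triage check. The following Python script is an added example, not part of the Lavasoft report: it compares a file's MD5/SHA1/SHA256 against the hashes listed in the Summary and Dropped PE files sections, and flags the two autorun patterns described above (a RunOnce value launching a .vbs from a random eight-character folder under the user profile, and a Run value that starts the bare .NET RegSvcs.exe). The registry snapshot used for the demonstration is constructed from the report's values, with "Alice" standing in for the real user name; the \Users\ profile path and the Framework64 variant are assumptions for Windows versions the report did not cover. On a Windows host, collect_autoruns() reads the live HKCU keys instead.

```python
"""Host triage for the indicators in this report (added example, not Lavasoft's code)."""
import hashlib
import re
import sys

# Hashes copied from the Summary and "Dropped PE files" sections of the report.
KNOWN_HASHES = {
    "md5": {"da0c526ee855e15a9f1946818e54ad2f",   # original sample
            "e01ced5c12390ff5256694eda890b33a"},  # dropped taskdvr.exe
    "sha1": {"2dfd34e02adfa1889255c38a578bf9d626f73cd5"},
    "sha256": {"eb960aa9f1e3faf23c031a62a35c622f3342dfc59f1a7d1c24ea7ffee454a1bb"},
}

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Shape of the RunOnce value: a .vbs inside an 8-character alphanumeric folder directly
# under a user profile. DOCUME~1 and "Documents and Settings" come from the report; the
# \Users\ form is an assumption for newer Windows versions.
VBS_IN_PROFILE = re.compile(
    r'^"?[a-z]:\\(?:docume~1|documents and settings|users)\\[^\\]+\\[a-z0-9]{8}\\[^\\]+\.vbs"?$',
    re.IGNORECASE,
)
# Shape of the Run value: the .NET RegSvcs.exe launched with no arguments. The prefix may be
# a drive letter or an unexpanded variable such as %WinDir%; Framework64 is an assumption.
REGSVCS_BARE = re.compile(
    r'^"?[^\\]+\\(?:.*\\)?microsoft\.net\\framework(?:64)?\\v[\d.]+\\regsvcs\.exe"?$',
    re.IGNORECASE,
)


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 hex digests of a file's bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_matches(data: bytes, known: dict = KNOWN_HASHES) -> dict:
    """Algorithms (with digest) for which `data` matches a known-bad hash."""
    return {alg: d for alg, d in digests(data).items() if d in known.get(alg, set())}


def triage_autoruns(snapshot: dict) -> list:
    """Return (key, value_name, reason) for autorun values matching the report's patterns.

    `snapshot` maps a registry key path to {value_name: value_data}.
    """
    findings = []
    for name, data in snapshot.get(RUNONCE_KEY, {}).items():
        if VBS_IN_PROFILE.match(data.strip()):
            findings.append((RUNONCE_KEY, name, "RunOnce launches a .vbs from a random profile subfolder"))
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if REGSVCS_BARE.match(data.strip()):
            findings.append((RUN_KEY, name, "Run starts RegSvcs.exe with no arguments (injection host)"))
    return findings


def collect_autoruns() -> dict:
    """Read the HKCU Run and RunOnce keys on a live Windows host; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    snapshot = {}
    for key_path in (RUN_KEY, RUNONCE_KEY):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path.split("\\", 1)[1]) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:  # key absent
            pass
        snapshot[key_path] = values
    return snapshot


# Constructed snapshot mirroring the report's autorun entries plus one benign value.
SAMPLE_SNAPSHOT = {
    RUNONCE_KEY: {"4l9f86k7": r"C:\DOCUME~1\Alice\4l9f86k7\75780.vbs"},
    RUN_KEY: {
        "taskdvr": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign, must not be flagged
    },
}

if __name__ == "__main__":
    for finding in triage_autoruns(collect_autoruns() or SAMPLE_SNAPSHOT):
        print(*finding, sep=" | ")
```

The RegSvcs.exe rule matches only when the binary is started with no arguments: a legitimate use of RegSvcs.exe registers an assembly passed on the command line, while the report's value launches the bare executable so that injected code can run inside it. Hash matching is included for the original sample and the dropped taskdvr.exe; the other dropped files have random names and no hashes in the report, so the folder and autorun patterns are the more durable indicators.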
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 151934 | 152064 | 4.64444 | 92abffc6a56a40e47e60620bc02b652e |
.rdata | 159744 | 20291 | 20480 | 3.69144 | 3bc937cdae1248917ecca2bfbd21ec86 |
.data | 180224 | 136672 | 5120 | 1.76024 | ec6b38244c52a1c8d4b504f9e1522d10 |
.rsrc | 319488 | 105392 | 105472 | 4.42652 | db4e4e7884de1404bebee8919c7889d7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://fudcrypt.com/fd/1/m.php?do=getvers | 141.101.116.148 |
hxxp://fudcrypt.com/fd/1/m.php?do=status&cname=XP1&hw=&vers=&pr=&rm= | 141.101.116.148 |
hxxp://fudcrypt.com/fd/1/m.php?do=getcmd | 141.101.116.148 |
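The three requests above form a simple beacon: a version check, a status report carrying the sandbox host name (cname=XP1) with empty hardware and version fields, and a command poll. The following Python script is an added example, not part of the Lavasoft report: it runs detection logic for this pattern over proxy log lines, extracting the do= action and the reported cname. The log lines are constructed for the example in a simple "timestamp client method url status" format, and the look-alike host panel.example.invalid is invented to show the looser rule; parse_line() would be replaced for a real proxy format. The looser rule (the same m.php script name and do= vocabulary on a host other than fudcrypt.com) goes beyond what the report shows and is marked as an assumption.

```python
"""Proxy-log detection for the beacon traffic in this report (added example, not Lavasoft's code)."""
from urllib.parse import parse_qs, urlsplit

C2_HOST = "fudcrypt.com"
C2_PATH = "/fd/1/m.php"
# The do= vocabulary seen in the report: version check, status report, command poll.
BEACON_ACTIONS = {"getvers", "status", "getcmd"}
# Query keys of the status beacon; all are present in the report's URL even when empty.
STATUS_FIELDS = ("cname", "hw", "vers", "pr", "rm")


def parse_line(line: str) -> dict:
    """Split one constructed log line: timestamp, client IP, method, URL, HTTP status."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def classify(url: str):
    """Return (reason, action, cname) for a beacon URL, or None for anything else."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query, keep_blank_values=True)
    action = qs.get("do", [None])[0]
    cname = qs.get("cname", [None])[0]
    if host == C2_HOST and parts.path == C2_PATH:
        return ("known C2 host and path", action, cname)
    # Looser rule (an assumption beyond the report): the same script name and do= vocabulary
    # on another host; a status beacon must carry the full field set to count.
    if parts.path.endswith("/m.php") and action in BEACON_ACTIONS:
        if action != "status" or all(k in qs for k in STATUS_FIELDS):
            return ("fudcrypt-style beacon on unlisted host", action, cname)
    return None


def scan(lines) -> list:
    """Run classify() over log lines and return one finding dict per beacon request."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        hit = classify(entry["url"])
        if hit:
            reason, action, cname = hit
            findings.append({"ts": entry["ts"], "client": entry["client"], "reason": reason,
                             "action": action, "cname": cname})
    return findings


# Constructed log: the report's three URLs from one internal client, one benign request,
# and one look-alike on an invented host (example.invalid) that triggers the looser rule.
SAMPLE_LOG = """
2013-08-22T16:01:02Z 10.0.0.5 GET http://fudcrypt.com/fd/1/m.php?do=getvers 200
2013-08-22T16:01:03Z 10.0.0.5 GET http://fudcrypt.com/fd/1/m.php?do=status&cname=XP1&hw=&vers=&pr=&rm= 200
2013-08-22T16:01:04Z 10.0.0.5 GET http://fudcrypt.com/fd/1/m.php?do=getcmd 200
2013-08-22T16:01:05Z 10.0.0.7 GET http://www.example.com/index.php?do=login 200
2013-08-22T16:02:10Z 10.0.0.9 GET http://panel.example.invalid/x/m.php?do=getvers 404
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} do={f['action']} cname={f['cname']} [{f['reason']}]")
```

Matching on host and URI rather than on the listed IP is deliberate: 141.101.116.148 lies in a Cloudflare address range, so it identifies a CDN edge shared with unrelated sites rather than the operator's server, and blocking it would cause collateral damage without stopping the beacon.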
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Worm connects to the servers at the following location(s):