Trojan.Win32.Small.cox (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 67a2b2f9c8c77fa7d0dbffb7e268f8f1
SHA1: ef841289e2e0d8fc206a21659f1b91bba34c6c21
SHA256: d104a7392afd32af18242e3a594bb6f757989866fd4ffa07aa9c4f7e6571f894
SSDeep: 3072:5TgPP74t1voW2HkzhYRPNvTboYSYSILR3:584t1/skORPNvJzL1
Size: 99328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: MiniApp
Created at: 2010-11-05 02:25:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates an "autorun.inf" script on every removable drive it finds. The autorun script launches the Virus's file when a user opens the drive in Windows Explorer on a system that still honours autorun.inf for removable media. |
Process activity
The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):
%original file name%.exe:1312
File activity
The process %original file name%.exe:1312 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (8 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fkxb.exe (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wintyais.exe (561 bytes)
C:\cxqc.exe (99 bytes)
C:\autorun.inf (257 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
C:\totalcmd\TOTALCMD.EXE (854 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fkxb.exe (0 bytes)
%WinDir%\1bd7bf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wintyais.exe (0 bytes)
Registry activity
The process %original file name%.exe:1312 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m4_0" = "0"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m3_5" = "69945096"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Stvncyfrlda]
"m2_2" = "3470577538"
"m2_3" = "910907290"
"m2_0" = "1473"
"m2_1" = "1735292292"
"m2_6" = "1821803060"
"m4_2" = "3470581466"
"m2_4" = "2646192648"
"m2_5" = "86522729"
"m3_3" = "927474798"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "87"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Stvncyfrlda]
"m3_6" = "1838544551"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m1_5" = "1129885419"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m4_6" = "1821809806"
"m4_1" = "1735290733"
"m3_4" = "2629490589"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m3_2" = "3487544563"
"m1_4" = "596181994"
"m1_6" = "3872495669"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_0" = "332287070"
"m1_3" = "3076564622"
"m1_2" = "99455621"
"m1_1" = "2991013817"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2E64732F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 2E 21 0E 90 41 35 57 0A 67 E9 28 E3 16 DF DD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Stvncyfrlda]
"m4_3" = "910904903"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "73"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
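The value written under [HKCU\Software\Stvncyfrlda\168128873] as "1821809806" is a hex-encoded byte string rather than a counter like the others. The following Python, added here as a worked example and not part of the Lavasoft report, decodes that dump and extracts the URLs embedded in it. The split into a two-byte prefix followed by NUL-separated strings is an assumption read off the bytes themselves (the report does not document the layout), and the defang() helper is the editor's own addition for safe inclusion in write-ups.

```python
import re

# The hex string copied from this report's registry activity section:
# [HKCU\Software\Stvncyfrlda\168128873] "1821809806" = "020068747470...".
REG_VALUE_HEX = (
    "0200687474703A2F2F7061647275702E636F6D2E64732F736F62616B61312E676966"
    "00687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
)

# Printable-ASCII run after a scheme; stops at NUL and other control bytes.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def decode_hex_value(hex_text: str) -> bytes:
    """Convert the sandbox's printable hex dump back into raw bytes.

    Stray spaces or separators are dropped; an odd digit count means the
    dump was truncated, so refuse it rather than guess at the last byte.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", hex_text)
    if len(digits) % 2:
        raise ValueError("hex dump has an odd number of digits")
    return bytes.fromhex(digits)


def split_blob(raw: bytes) -> tuple[bytes, list[str]]:
    """Split the blob into its 2-byte prefix and the NUL-separated strings.

    Assumption: the two leading bytes (02 00) are a header that is not part
    of any URL; everything after them is a list of NUL-terminated strings.
    """
    header, body = raw[:2], raw[2:]
    strings = [s.decode("latin-1") for s in body.split(b"\x00") if s]
    return header, strings


def extract_urls(raw: bytes) -> list[str]:
    """Pull every http(s) URL out of the blob without relying on the framing."""
    return [m.decode("ascii") for m in URL_RE.findall(raw)]


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked by accident in a report."""
    return (url.replace("http://", "hxxp://")
               .replace("https://", "hxxps://")
               .replace(".", "[.]"))


if __name__ == "__main__":
    raw = decode_hex_value(REG_VALUE_HEX)
    header, strings = split_blob(raw)
    print("prefix:", header.hex(), "strings:", strings)
    for url in extract_urls(raw):
        print(defang(url))
```

Both decoders should agree on this sample; extract_urls() is the one to keep if the framing assumption turns out to be wrong for another sample, since it only needs the scheme prefix.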
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
Adds a Windows Firewall exception (AuthorizedApplications entry) that allows any network activity for the file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
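The registry entries above can be turned into a mechanical check. The Python below is an added example, not code from the Lavasoft report: it parses the sandbox's own "[key]" / "name" = "value" layout and flags every value that disables UAC or the Windows Firewall, silences Security Center alerting, adds a firewall exception, or hides hidden files in Explorer. The sample text is a constructed excerpt made of entries copied from this report plus one benign entry that must not be flagged; the set of flagged names is the editor's choice based on the report's own annotations.

```python
import re

# Constructed sample: entries copied from the "Registry activity" section of
# this report, in the sandbox's "[key]" / "name" = "value" layout. The last
# entry is benign and is included to show it is not flagged.
SAMPLE_REPORT = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
"DisableNotifications" = "1"
"EnableFirewall" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')

# Security Center values that, when set to 1, silence or override the
# antivirus / firewall / update status shown to the user (XP and Vista keys).
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
    "antivirusoverride", "firewalloverride", "uacdisablenotify",
}


def parse_registry_section(text):
    """Return (key, name, value) triples from the report's registry listing."""
    entries = []
    current_key = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            entries.append((current_key, value_match.group(1), value_match.group(2)))
    return entries


def find_tampering(entries):
    """Return (key, name, value, meaning) for every entry that weakens a control.

    Comparisons are case-insensitive because registry keys and value names are.
    """
    findings = []
    for key, name, value in entries:
        k, n, v = key.lower(), name.lower(), value.lower()
        meaning = None
        if k.endswith(r"\policies\system") and n == "enablelua" and v == "0":
            meaning = "UAC disabled"
        elif k.endswith(r"\firewallpolicy\standardprofile"):
            if n == "enablefirewall" and v == "0":
                meaning = "Windows Firewall disabled"
            elif n == "disablenotifications" and v == "1":
                meaning = "firewall notifications suppressed"
        elif r"\authorizedapplications\list" in k and ":*:enabled:" in v:
            meaning = "firewall exception added for " + name
        elif k.endswith(r"\security center") or k.endswith(r"\security center\svc"):
            if n in SECURITY_CENTER_FLAGS and v == "1":
                meaning = "Security Center alerting/override tampered"
        elif k.endswith(r"\explorer\advanced") and n == "hidden" and v == "2":
            meaning = "Explorer set to hide hidden files (conceals dropped files)"
        if meaning:
            findings.append((key, name, value, meaning))
    return findings


if __name__ == "__main__":
    for key, name, value, meaning in find_tampering(parse_registry_section(SAMPLE_REPORT)):
        print(f"{meaning}: [{key}] \"{name}\" = \"{value}\"")
```

"DoNotAllowExceptions" = "0" is deliberately not flagged: it is the Windows default, and the malware only sets it so that its own AuthorizedApplications entry is honoured, which the exception check already catches.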
Dropped PE files
MD5 | File path |
---|---|
c42f441dae70eeaa5b44a53cc5e0755f | c:\cxqc.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates an "autorun.inf" script on every removable drive it finds. The autorun script launches the Virus's file when a user opens the drive in Windows Explorer on a system that still honours autorun.inf for removable media.
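When triaging a removable drive, the useful question is which file the autorun.inf would actually launch, since worm-written copies are often padded with junk lines and repeat the target under several hooks (open, shellexecute, shell\...\command). The Python below is an added example, not code from the report; the sample autorun.inf is constructed to point at the cxqc.exe the report lists and is not the real 257-byte file, whose contents the report does not show.

```python
import re

# Constructed sample (not the contents of the autorun.inf in this report):
# every launch hook points at the dropped file, with comment/junk lines mixed in.
SAMPLE_AUTORUN = r"""
[autorun]
;kJh3 qwe
open=cxqc.exe
Icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\Command=cxqc.exe
shell\explore=Explore
shell\explore\Command=cxqc.exe
shellexecute=cxqc.exe
UseAutoPlay=1
"""

# Constructed benign copy (driver-CD style) for contrast: no launch hooks at all.
BENIGN_AUTORUN = """
[autorun]
icon=setup.ico
label=Printer drivers
"""

# open=, shellexecute=, and shell\<verb>\command= are the keys that run a program.
LAUNCH_KEY_RE = re.compile(
    r"^(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE
)
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def launch_targets(autorun_text):
    """Return every command an autorun.inf would run, in file order.

    Only the [autorun] section counts; blank lines, ';' comments and junk
    lines without '=' are skipped the way the INI parser skips them.
    """
    targets = []
    in_autorun = False
    for raw_line in autorun_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        m = LAUNCH_KEY_RE.match(line)
        if m:
            targets.append(m.group(2).strip('"'))
    return targets


def executable_targets(autorun_text):
    """Distinct executables referenced by launch hooks, with path and arguments dropped."""
    found = set()
    for target in launch_targets(autorun_text):
        exe = target.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
        if "." + exe.rsplit(".", 1)[-1] in EXECUTABLE_EXT:
            found.add(exe)
    return sorted(found)


def assess_drive_root(autorun_text, root_listing):
    """Map each launch target to whether it is present in the drive root.

    root_listing is the list of file names found next to autorun.inf. A target
    that is present is the file to quarantine together with the autorun.inf.
    """
    present = {name.lower() for name in root_listing}
    return {exe: exe in present for exe in executable_targets(autorun_text)}


if __name__ == "__main__":
    print(assess_drive_root(SAMPLE_AUTORUN, ["autorun.inf", "CXQC.EXE", "photos"]))
```

A target that is listed but absent from the root usually means the drive was cleaned of the executable but not of the autorun.inf; the script should still be removed so that a re-infected copy of the file is not picked up again.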
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (8 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fkxb.exe (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wintyais.exe (561 bytes)
C:\cxqc.exe (99 bytes)
C:\autorun.inf (257 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
C:\totalcmd\TOTALCMD.EXE (854 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 69632 | 66048 | 5.5363 | ea8824d9b32186ca1fc46ed14b7393b2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 587
0fd1d5b37f2181ebedd1e9470041a4bd
f9396072a0d4a36bf61ddec366d42069
e03636610a0bc5e37fc553117096a90d
261f0ed304fadfc7b364630f0af0af50
23ed3887b33be30ce42f34fbdfd3505e
1ab836ad3be35f122d3e469579c70a3a
0f15c6714bc9be285fecae2e8ea3089a
9b1a2ddd302abb1dc9a1ea41ed19a0de
5a1d60647e21b56748d9a8e355afd900
3cc98aa2b838fa4496c86de6a500209f
9266a217fd9c9b298e193637e8913f04
9f832cf3f4d476c5f165d19f70e0b5f1
fa735d69823ef85a00b1419c39c76c5c
698e3a04fddc5e13300bcffeec6dbf41
34169e4f8706da85fbf32bba4549b3eb
071298d5b939e7e8c669c4357150b9f2
83393408999f51e00c611cb008afb8e0
1c56765fd7a6a2479c330a25659f6a90
18b9622413957dc36c3bd2cc60f51a2c
85caea1ad18e9b921d4869e0e720e89b
60523c29207ba326902793c18ebc29d9
f17cb7913ac64b5d38d8b60344f768ad
abcf70a8328d8244a4762ead1b95889f
1488ab633acbdc80659da8003031640e
65d89d9f626d9c7c60f8b6997125d241
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic