Trojan.Win32.Generic!BT (VIPRE), GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 13b3653645a50f152e59f821d2945f1e
SHA1: 8846ac051a6b13b8e31f2e6e96a38c0a521c077a
SHA256: 22ba74fb4e2e9b2bdd797274b48f71a6df7a4ac9ccdab2a7f1b85a79773648de
SSDeep: 24576:tnJ1kPyZvjUTiVgyr2Dgqb3HWncEoTZ9YL1IZGD4O2YsGsevZjzPWC7A0o:tJ1hZbUTi6cqb2Fod9vQ52YR1zPWC7AX
Size: 1216855 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-10-07 12:05:22
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
taskkill.exe:672
KSDEQ.cmd:500
KSDEQ.cmd:1668
%original file name%.exe:1508
reg.exe:1784
reg.exe:548
reg.exe:1612
reg.exe:1660
mshta.exe:1788
mshta.exe:1140
mshta.exe:632
mshta.exe:1064
mshta.exe:1264
mshta.exe:1536
mshta.exe:828
The Worm injects its code into the following process(es):
RegSvcs.exe:1044
File activity
The process KSDEQ.cmd:500 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\TPOAA\spd (4 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\TPOAA\UUVHD (0 bytes)
The process KSDEQ.cmd:1668 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\TPOAA\UUVHD (121 bytes)
The process %original file name%.exe:1508 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\TPOAA\WOAYE.JHG (242 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\ARTQJ.AAC (1698 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\JURRZ.hxi (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\JECMR.IRI (673 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\OADVF.bbu (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\WYNWY.bse (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\DNZAY.rul (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\UIIKM.grb (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\VGOAL.xkt (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\IAKWT.pjc (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\RJXCV.xid (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\FFEIL.ikg (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\TKQAU.aqi (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\JEBPP.ant (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\BZCKX.cqp (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\KSDEQ.cmd (26040 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\OAICV.nhh (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\GCVEM.vke (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\POASD.gda (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\SRFJM.rih (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\MVKMT.wpj (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\OJTOB.gpv (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\CAQYL.ddm (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\LDQNJ.hoe (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\YMQGIX (29 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\UXXMC.ulo (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\YNRRE.lll (4 bytes)
The process RegSvcs.exe:1044 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ZX351 (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbc.exe (32 bytes)
Registry activity
The process taskkill.exe:672 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 C2 5C 71 A9 8B 6D 72 23 EB 0D E2 7D 8B 1F 2B"
The process KSDEQ.cmd:500 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 E9 C3 36 1B 14 A1 60 84 D6 27 4B C0 63 D0 28"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"mshta.exe" = "Microsoft (R) HTML Application host"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Worm adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KLREW" = "%Documents and Settings%\%current user%\Application Data\TPOAA\KSDEQ.cmd C:\DOCUME~1\"%CurrentUserName%"\APPLIC~1\TPOAA\ARTQJ.AAC"
The process KSDEQ.cmd:1668 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 C9 EE F2 83 66 98 95 FD 92 F4 5A 9E 5D D0 35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1508 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 7E B0 9C 87 7B A9 E3 29 D3 35 C7 C8 91 C4 DE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\TPOAA]
"KSDEQ.cmd" = "AutoIt v3 Script"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process reg.exe:1784 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 CB C2 64 A3 C3 1F DE C4 14 F0 76 DB E8 C1 A5"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"vbc.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vbc.exe:*:Enabled:Windows Messanger"
The process reg.exe:548 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 51 43 5F 9D F8 1B 23 8D 2C 89 2E F4 DD 64 D6"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
The process reg.exe:1612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 CA C5 9A BB E4 05 09 9F D3 DA 14 D3 46 A1 C6"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"RegSvcs.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:*:Enabled:Windows Messanger"
The process reg.exe:1660 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 A6 AD 88 EC 04 E7 0C AC 2E 56 FB CA 45 FA 53"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
The process RegSvcs.exe:1044 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 65 05 08 2C 80 CB D0 0D FC EC 74 18 24 AE 5E"
[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"AZ05D7JSX4" = "553b"
[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"AZ05D7JSX4" = "March 15, 2014"
The process mshta.exe:1788 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 F8 3C D6 91 20 0F 80 0B 4B 3F DE C0 04 A7 9A"
The process mshta.exe:1140 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A EF D2 CB A6 10 1A 98 2A 28 66 6F 93 2E A7 AA"
The process mshta.exe:632 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 F8 2C B1 95 BB 1E 53 9C 28 A3 04 16 31 51 56"
The process mshta.exe:1064 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 87 11 BD C5 55 BF 2A 98 A9 78 65 9B 13 37 85"
The process mshta.exe:1264 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 41 AB 98 A0 4C 47 57 35 6A 3C B7 F3 97 48 40"
The process mshta.exe:1536 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B AA EA E8 C0 89 EF 8E 41 8C 50 B2 87 18 29 AD"
The process mshta.exe:828 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 16 65 EA 32 04 0D 6F E9 4C 79 69 9F 40 65 F0"
Network activity (URLs)
URL | IP |
---|---|
hxxp://api.ipinfodb.com/v2/ip_query_country.php?key=e2daa9f80efccf69baa89f5a6844da3778f9895aebd266425ee713814c74c902&timezone=off | 192.187.109.60 |
hxxp://api.ipinfodb.com/v2/ip_query.php?key=e2daa9f80efccf69baa89f5a6844da3778f9895aebd266425ee713814c74c902&timezone=off | |
razorback.chickenkiller.com | 77.97.227.65 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:672
KSDEQ.cmd:500
KSDEQ.cmd:1668
%original file name%.exe:1508
reg.exe:1784
reg.exe:548
reg.exe:1612
reg.exe:1660
mshta.exe:1788
mshta.exe:1140
mshta.exe:632
mshta.exe:1064
mshta.exe:1264
mshta.exe:1536
mshta.exe:828
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Application Data\TPOAA\spd (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\UUVHD (121 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\WOAYE.JHG (242 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\ARTQJ.AAC (1698 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\JURRZ.hxi (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\JECMR.IRI (673 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\OADVF.bbu (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\WYNWY.bse (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\DNZAY.rul (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\UIIKM.grb (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\VGOAL.xkt (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\IAKWT.pjc (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\RJXCV.xid (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\FFEIL.ikg (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\TKQAU.aqi (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\JEBPP.ant (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\BZCKX.cqp (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\KSDEQ.cmd (26040 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\OAICV.nhh (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\GCVEM.vke (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\POASD.gda (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\SRFJM.rih (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\MVKMT.wpj (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\OJTOB.gpv (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\CAQYL.ddm (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\LDQNJ.hoe (5 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\YMQGIX (29 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\UXXMC.ulo (4 bytes)
%Documents and Settings%\%current user%\Application Data\TPOAA\YNRRE.lll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZX351 (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vbc.exe (32 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KLREW" = "%Documents and Settings%\%current user%\Application Data\TPOAA\KSDEQ.cmd C:\DOCUME~1\"%CurrentUserName%"\APPLIC~1\TPOAA\ARTQJ.AAC"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.