Skip to main content

Worm.Win32.Ainslot_VariantOfZeus_75a0ac47db


Trojan-Dropper.Win32.Injector.vzv (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Win32.SuspectCrc!IK (Emsisoft), GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 75a0ac47db72608da68583d632392f04

SHA1: a4e1b522335a644f1b945a70bbfed0aac306acf9

SHA256: f7e224f32d0d72aefd84d3b810248cba6bc94658e6ce4bdd88384dab06644ba3

SSDeep: 6144:vL4KtPW6AaADER78qn1NIbEzPg3tbYGNKZDVIV7qz/ObzkNfYSpqz2aUV:vk0 Il8iHNg3K7ZD2V7CY

Size: 290816 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2011-10-26 00:44:44

Analyzed on: WindowsXP SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

%original file name%.exe:480
rundll32.exe:132
reg.exe:2024
reg.exe:1064
reg.exe:1548
reg.exe:644
dumprep.exe:1852
dumprep.exe:1092

The Worm injects its code into the following process(es):No processes have been created.

File activity

The process %original file name%.exe:480 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (35 bytes)

The process dumprep.exe:1852 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WERde8e.dir00\svchost.exe.hdmp (211564 bytes)

The process dumprep.exe:1092 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WERde8e.dir00\svchost.exe.mdmp (102001 bytes)

Registry activity

The process %original file name%.exe:480 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 65 7D 70 E9 37 E3 04 5F 18 25 29 FE F3 BD 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Live" = "c:\%original file name%.exe"

The process rundll32.exe:132 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 DC 51 D4 78 39 3B E7 4E 7A BD 90 83 65 67 A5"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "EnableNXShowUI"

[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "Microsoft® Resource File To COFF Object Conversion Utility"

The process reg.exe:2024 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 8C 3B 99 5C 14 51 18 9B FD BC 6D 27 5A D5 8E"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:1064 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 7F 6E 31 C3 2D A2 80 0A CA B9 82 29 D6 3A BB"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe:*:Enabled:Windows Messanger"

The process reg.exe:1548 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D5 47 D7 37 6B 05 31 A4 65 31 DA 4E A7 DE 98"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:644 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 50 BC 7A 4D ED 0D E5 A0 90 D4 28 8F 68 79 D3"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"T70ZKG2UDZ.exe" = "%Documents and Settings%\%current user%\Application Data\T70ZKG2UDZ.exe:*:Enabled:Windows Messanger"

The process dumprep.exe:1852 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 47 F6 B6 8C 11 DF D6 E9 36 5F 93 CF AD 77 F8"

The process dumprep.exe:1092 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 DE 5B F4 BA 20 80 B3 E0 1F 52 7A CF DC 64 08"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:480
    rundll32.exe:132
    reg.exe:2024
    reg.exe:1064
    reg.exe:1548
    reg.exe:644
    dumprep.exe:1852
    dumprep.exe:1092

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WERde8e.dir00\svchost.exe.hdmp (211564 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WERde8e.dir00\svchost.exe.mdmp (102001 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Live" = "c:\%original file name%.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps