Skip to main content

Worm.Win32.Ainslot.VB_1aa25f4867


Gen:Variant.Kazy.332734 (BitDefender), Worm.Win32.Shakblades.roo (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.Kazy.332734 (B) (Emsisoft), Artemis!1AA25F486717 (McAfee), Worm.Win32.Shakblades (Ikarus), Gen:Variant.Kazy.332734 (FSecure), Crypt2.CLFD (AVG), Packed.Win32.Themida.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan.MSIL.Bladabindi.2.FD, Trojan.Win32.Ransom.FD, Trojan.Win32.Swrort.3.FD, Worm.Win32.Ainslot.VB.FD, mzpefinder_pcap_file.YR, GenericInjector.YR, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Ransom, Trojan, Worm, Packed, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1aa25f486717823c66837a1a646f403b

SHA1: 5058012ce008b41a2ba02ad9849f774a2f6a9c94

SHA256: ed2f36a167a5091ec978a98655076fc2687e176a38b729238920838fa87779ea

SSDeep: 24576:P QmEIgyCCQSc0FV0Z/b5hUFtmgz4VSkjBMVMAqk9yPop:P8gyhNT0ZT5uFgeoSkjBMSXKyP

Size: 1009664 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: Frserira s

Created at: 2014-02-02 23:35:04

Analyzed on: WindowsXP SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

19218.exe:1284
WScript.exe:880
WScript.exe:1088
%original file name%.exe:452
50710.exe:1572
nvm.exe:2080
21577.exe:812
43011.exe:428
37173.exe:1304
26932.exe:964
18965.exe:868
reg.exe:1868
reg.exe:440
reg.exe:1392
reg.exe:1056
DW20.EXE:640
DW20.EXE:1544

The Worm injects its code into the following process(es):

67065.exe:592
nvm.exe:1816
vbc.exe:996
88562.exe:1256

File activity

The process %original file name%.exe:452 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (724 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (724 bytes)

The process 50710.exe:1572 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\gpuhash_legacy (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\amd.vbs (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\libgcc_s_sjlj-1.dll (1777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\OpenCL.lib (1062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\amd.bat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\gpuhash_gcn (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\libwinpthread-1.dll (5309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\amd.exe (1497 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\libstdc -6.dll (6417 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_645546 (0 bytes)

The process 21577.exe:812 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\nvm.exe (55506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\msvcp100.dll (6283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\nvm.vbs (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\nvm.bat (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\cudart32_55.dll (6665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\msvcr100.dll (20705 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\__tmp_rar_sfx_access_check_653640 (0 bytes)

The process vbc.exe:996 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\96618.exe (1325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09SXKHMN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDE70LIR\nvm[1].exe (542725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\18965.exe (2263 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HIN4PEF\ws4[1].exe (15942 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\88562.exe (17726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09SXKHMN\ws1[1].exe (13554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\67065.exe (9828 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDE70LIR\ws3[1].exe (15623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDE70LIR\64[1].exe (16917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HIN4PEF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\26932.exe (289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PPUM91RQ\amd[1].exe (69550 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe (3860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\19218.exe (6371 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\host (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HIN4PEF\cr3[1].exe (21079 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\43011.exe (422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\50710.exe (31706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PPUM91RQ\ws2[1].exe (17540 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PPUM91RQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\21577.exe (307788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\37173.exe (2421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDE70LIR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HIN4PEF\svc[1].exe (31365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09SXKHMN\ws[1].exe (12031 bytes)

The process 88562.exe:1256 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process DW20.EXE:640 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A0464.dmp (190344 bytes)

The process DW20.EXE:1544 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\9F689.dmp (321049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (78 bytes)

Registry activity

The process 19218.exe:1284 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 0A 7A 9F 92 3B C5 25 BA 0A 13 5C E9 41 53 42"

The process 67065.exe:592 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD E3 77 06 E1 69 F7 78 DC 79 3E 4F 13 18 84 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process WScript.exe:880 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 F0 F0 8E 9F AA A2 3D F8 E2 10 76 B1 0A 3E E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX1]
"nvm.bat" = "nvm"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process WScript.exe:1088 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 FB 5C 83 27 95 41 09 8E DA 2F 37 45 6A 4C 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"amd.bat" = "amd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process %original file name%.exe:452 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 70 D0 C6 B7 A0 7A C1 28 16 42 7A 8E 5E 15 20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process 50710.exe:1572 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 01 B0 14 01 A3 40 BD 87 00 DB D6 89 D6 06 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\System32]
"WScript.exe" = "Microsoft (R) Windows Based Script Host"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process nvm.exe:1816 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 08 B1 84 0B E4 FD 1D 13 3F 74 B4 A7 81 13 D9"

The process 21577.exe:812 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D C3 4C C9 8B AE 8F 4C 35 6A 43 D4 B7 CA C8 2D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 43011.exe:428 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 7A B4 2B 27 44 5E 7F E9 02 99 DB 3F 83 6B 28"

The process 37173.exe:1304 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 75 84 C9 CC 37 33 07 91 8A 3A 79 4A D5 F6 FD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\GDIPlus]
"FontCachePath" = "%System%"

The process 26932.exe:964 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 72 11 29 77 F3 43 15 7B 59 FB 71 1E E7 FE 41"

The process 18965.exe:868 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 3E 71 E5 84 1C 01 0E AD 67 A3 4A 1E 69 53 6F"

The process vbc.exe:996 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"43011.exe" = "Twain.dll Client's 32-Bit Thunking Server"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"AWVZBAN8D4" = "svv"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"67065.exe" = "Microsoft® Windows®"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"18965.exe" = "Twain.dll Client's 32-Bit Thunking Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"AWVZBAN8D4" = "February 8, 2014"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"21577.exe" = "21577"

"19218.exe" = "Twain.dll Client's 32-Bit Thunking Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"Identities" = "%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"96618.exe" = "96618"

"26932.exe" = "Twain.dll Client's 32-Bit Thunking Server"

[HKCU\Software\Microsoft\Active Setup\Installed Components\{F78BADAA-8DFF-DFE7-ECAB-E6E31EFCEF1B}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"88562.exe" = "88562"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"37173.exe" = "Twain.dll Client's 32-Bit Thunking Server"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 29 F2 D0 A5 31 D8 6B 7D 83 B6 0E 61 65 C9 FC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F78BADAA-8DFF-DFE7-ECAB-E6E31EFCEF1B}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"50710.exe" = "50710"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Identities" = "%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Identities" = "%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process reg.exe:1868 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 04 A2 E6 88 87 F3 79 3A 39 C4 9C 2B EE 86 33"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:440 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 15 1B 63 24 4F EB 20 B1 65 CA 2D C6 4A C5 63"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\Identities]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe:*:Enabled:Windows Messanger"

The process reg.exe:1392 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 49 A6 02 7D DC F6 4F B7 11 FC 22 D9 12 17 38"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"vbc.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger"

The process reg.exe:1056 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 12 F3 BF B6 ED 4A DD 67 38 A2 20 BF 96 43 0D"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process 88562.exe:1256 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 CB 5F 2B 9A 3B EA A3 61 67 A3 DD 36 7B 67 DC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process DW20.EXE:640 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 0D DF 89 D7 2C 23 58 E2 D1 02 E8 CF B0 69 E5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process DW20.EXE:1544 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 40 EC D6 FE D5 23 D3 77 51 77 EB 9D 97 C9 B4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://api.ipinfodb.com/v2/ip_query_country.php?key=&timezone=off192.151.154.180
hxxp://atriumvillas.ca/fretwork/64.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)67.43.6.64
hxxp://atriumvillas.ca/fretwork/kl.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://atriumvillas.ca/fretwork/svc.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://atriumvillas.ca/fretwork/ws.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://atriumvillas.ca/fretwork/amd.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://atriumvillas.ca/fretwork/nvm.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://atriumvillas.ca/fretwork/cr3.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://atriumvillas.ca/fretwork/ws1.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://atriumvillas.ca/fretwork/ws2.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://atriumvillas.ca/fretwork/ws3.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://atriumvillas.ca/fretwork/ws4.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
www.download.windowsupdate.com165.254.138.40
ypool.net213.208.129.126
pts.rpool.net54.238.185.113


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    19218.exe:1284
    WScript.exe:880
    WScript.exe:1088
    %original file name%.exe:452
    50710.exe:1572
    nvm.exe:2080
    21577.exe:812
    43011.exe:428
    37173.exe:1304
    26932.exe:964
    18965.exe:868
    reg.exe:1868
    reg.exe:440
    reg.exe:1392
    reg.exe:1056
    DW20.EXE:640
    DW20.EXE:1544

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (724 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\gpuhash_legacy (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\amd.vbs (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\libgcc_s_sjlj-1.dll (1777 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\OpenCL.lib (1062 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\amd.bat (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\gpuhash_gcn (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\libwinpthread-1.dll (5309 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\amd.exe (1497 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\libstdc -6.dll (6417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\nvm.exe (55506 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\msvcp100.dll (6283 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\nvm.vbs (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\nvm.bat (51 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\cudart32_55.dll (6665 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\msvcr100.dll (20705 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\96618.exe (1325 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09SXKHMN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDE70LIR\nvm[1].exe (542725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\18965.exe (2263 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HIN4PEF\ws4[1].exe (15942 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\88562.exe (17726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09SXKHMN\ws1[1].exe (13554 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\67065.exe (9828 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDE70LIR\ws3[1].exe (15623 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDE70LIR\64[1].exe (16917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HIN4PEF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\26932.exe (289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PPUM91RQ\amd[1].exe (69550 bytes)
    %Documents and Settings%\%current user%\Application Data\Identities\svchost.exe (3860 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\19218.exe (6371 bytes)
    %Documents and Settings%\%current user%\Application Data\Identities\host (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HIN4PEF\cr3[1].exe (21079 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\43011.exe (422 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\50710.exe (31706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PPUM91RQ\ws2[1].exe (17540 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PPUM91RQ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\21577.exe (307788 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\37173.exe (2421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDE70LIR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HIN4PEF\svc[1].exe (31365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09SXKHMN\ws[1].exe (12031 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dw.log (78 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A0464.dmp (190344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\9F689.dmp (321049 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Identities" = "%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Identities" = "%Documents and Settings%\%current user%\Application Data\Identities\svchost.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps