Virus.Win32.Virut.n_1bfad4b6ce – Adaware

Virus.Win32.Virut.n (Kaspersky), BehavesLike.Win32.Malware (v) (VIPRE), Virus.Win32.Ramnit!IK (Emsisoft), GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Worm, Virus, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1bfad4b6ce1fbba89b064c26fd537df1

SHA1: 3a935da640826c23cd2221453d02d8260f0992a7

SHA256: e7203995965e50152da884c05282b2a7c3f99adad1a449fb89455218f27f4386

SSDeep: 1536:abIZvbUOzHrLgbPhcySGOTl6MPFXyE9lTw oEJTS6gh:vzrbrL PhETl6MPtyE9lTNoEJTxg

Size: 84397 bytes

File type: broken

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 1987-01-30 06:38:08

Analyzed on: Windows7 SP1 32-bit

Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Virus creates the following process(es):No processes have been created.The Virus injects its code into the following process(es):

WerFault.exe:3100
WerFault.exe:2952
%original file name%.exe:3568

File activity

The process %original file name%.exe:3568 makes changes in the file system.

The Virus creates and/or writes to the following file(s):

%Program Files%\Microsoft\WaterMark.exe (687 bytes)

The Virus deletes the following file(s):

%Program Files%\Microsoft\px89A8.tmp (0 bytes)

Registry activity

The process WerFault.exe:3100 makes changes in the system registry.

The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "96 00 00 C0 08 00 00 00 00 00 00 00 07 50 40 00"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

The process WerFault.exe:2952 makes changes in the system registry.

The Virus creates and/or sets the following values in system registry:

Network activity (URLs)

URL	IP
google.com	74.125.143.113
rterybrstutnrsbberve.com	195.22.26.232
dns.msftncsi.com	131.107.255.255

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Virus installs the following user-mode hooks in WS2_32.dll:

WSASendTo
WSARecvFrom
recvfrom
WSARecv
send
recv
WSASend
closesocket
sendto

The Virus installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwResumeThread

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Virus file.
Delete or disinfect the following files created/modified by the Virus:
%Program Files%\Microsoft\WaterMark.exe (687 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps