Virus.Win32.Virut.n (Kaspersky), BehavesLike.Win32.Malware (v) (VIPRE), Virus.Win32.Ramnit!IK (Emsisoft), GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1bfad4b6ce1fbba89b064c26fd537df1
SHA1: 3a935da640826c23cd2221453d02d8260f0992a7
SHA256: e7203995965e50152da884c05282b2a7c3f99adad1a449fb89455218f27f4386
SSDeep: 1536:abIZvbUOzHrLgbPhcySGOTl6MPFXyE9lTw oEJTS6gh:vzrbrL PhETl6MPtyE9lTNoEJTxg
Size: 84397 bytes
File type: broken
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1987-01-30 06:38:08
Analyzed on: Windows7 SP1 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):
WerFault.exe:3100
WerFault.exe:2952
%original file name%.exe:3568
File activity
The process %original file name%.exe:3568 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Program Files%\Microsoft\WaterMark.exe (687 bytes)
The Virus deletes the following file(s):
%Program Files%\Microsoft\px89A8.tmp (0 bytes)
Registry activity
The process WerFault.exe:3100 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "96 00 00 C0 08 00 00 00 00 00 00 00 07 50 40 00"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
The process WerFault.exe:2952 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "96 00 00 C0 08 00 00 00 00 00 00 00 07 50 40 00"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
Network activity (URLs)
URL | IP |
---|---|
google.com | 74.125.143.113 |
rterybrstutnrsbberve.com | 195.22.26.232 |
dns.msftncsi.com | 131.107.255.255 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Virus installs the following user-mode hooks in WS2_32.dll:
WSASendTo
WSARecvFrom
recvfrom
WSARecv
send
recv
WSASend
closesocket
sendto
The Virus installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
ZwResumeThread
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Program Files%\Microsoft\WaterMark.exe (687 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.