Skip to main content

Worm.Win32.AutoIt_36ec310d2a


HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR, GenericAutorunWorm.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Banker, Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 36ec310d2a0e4de33221b7f2c36bd64c

SHA1: fb9e3e148119d909330cd4092d28d264aac0e822

SHA256: 3c768dfd6a7512e8a597d37f65803bf88e1b61bad5831978f9c3951faf85db1a

SSDeep: 12288:AhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a74FfH8RpLexD:IRmJkcoQricOIQxiZY1ia7i/6p6xD

Size: 781097 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-01-29 23:32:28

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

hitman.exe:1940
taskkill.exe:280
taskkill.exe:176
%original file name%.exe:696
ping.exe:332
jrt.exe:1748
findstr.exe:236
QuickTuneUp.exe:1468
NIRCMD.DAT:556
rundll32.exe:1484
fsutil.exe:1700
reg.exe:648

File activity

The process hitman.exe:1940 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (4 bytes)
%Program Files%\Wireshark\plugins\0.99.6a (4 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (4 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Banner.bin (1956 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (77783 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (4 bytes)
%Documents and Settings%\%current user% (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%System%\wbem\Logs\wbemcore.log (344 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (8 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\HitmanPro[1].exe (13229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
C:\Perl (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (111 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (412 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN (4 bytes)
%WinDir% (1152 bytes)
C:\$Directory (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (4 bytes)
%System%\config\systemprofile (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\JRT[1].exe (7361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (36 bytes)
%Program Files%\Wireshark\radius (32 bytes)
%System%\wbem (1064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (4 bytes)
%System%\drivers\hitmanpro37.sys (30 bytes)
%Program Files%\Wireshark\snmp\mibs (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (4 bytes)
%Documents and Settings%\All Users\Application Data (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (4 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (7401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (4 bytes)
%Documents and Settings% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (4 bytes)
%Program Files%\Wireshark\dtds (4 bytes)
%System%\config (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Remnants.bin (1948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (10147 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (4 bytes)
%System% (6608 bytes)
%System%\config\SysEvent.Evt (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (4 bytes)
%Program Files%\Wireshark (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (28 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (4 bytes)
%Documents and Settings%\All Users (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (4 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process %original file name%.exe:696 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shit[1].txt (501047 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (132327 bytes)

The process jrt.exe:1748 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delorphans.bat (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\chrome.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\get.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delfolders.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ev_clear.bat (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (931 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE.manifest (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ask.bat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (402 bytes)

The process QuickTuneUp.exe:1468 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\JRT[1].exe (488731 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (129151 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (1071 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\HitmanPro[1].exe (4554091 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\HitmanPro[2].exe (0 bytes)

Registry activity

The process hitman.exe:1940 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\HitmanPro]
"MiniportHash" = "F8 03 F8 14 8C 1A EA 33 32 30 78 D8 BF 02 FB BA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\HitmanPro]
"UID" = "{534FA476-4147-4A1B-A960-C4F81103C566}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\HitmanPro]
"BannerURL" = "http://www.surfright.com/shop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\HitmanPro]
"BannerID" = "_default"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 6F 43 A1 94 50 B8 73 EE 77 A0 73 04 D6 BC 8C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 91 DE 06 25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\HitmanPro]
"LastCFU" = "2013-11-03 06:05:50"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"

The process taskkill.exe:280 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 1E FD 7D 31 7D 7F 29 91 09 FB 19 DE 17 12 6C"

The process taskkill.exe:176 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B E1 71 1D B3 C8 B9 84 A9 46 F3 51 DD 8F 3B FD"

The process %original file name%.exe:696 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 7D E7 FA EE 80 3A 70 24 DE A5 86 29 09 36 7F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process ping.exe:332 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 13 6C 52 30 D0 55 3C 6F 12 FD 02 0F 84 6E 60"

The process jrt.exe:1748 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\jrt]
"get.bat" = "get"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 46 94 7E 79 AB FE 26 A3 21 EE 9A 21 52 76 9D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process findstr.exe:236 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 47 8A EE A9 7E A2 05 03 EB C2 00 5D 13 1C 1A"

The process QuickTuneUp.exe:1468 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Directory\Background\shell\Restart Quick Tune Up\command]
"(Default)" = "%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 68 63 12 AA EF 5F 87 A8 4E 49 31 AA 3F E0 21"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process NIRCMD.DAT:556 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 72 05 B6 EB 47 8B 33 3A 7F 96 74 F9 16 2E F3"

The process rundll32.exe:1484 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FC E5 C8 62 40 47 D6 DE 31 AA B5 49 86 C2 65"

The process fsutil.exe:1700 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 2B 2F EF 45 AC C7 36 52 9C 77 5D 56 59 E4 A1"

The process reg.exe:648 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 FB 21 40 F5 3A 35 15 28 62 1C 3D 92 7E C1 CA"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MSIServer]
"(Default)" = "Service"

Network activity (URLs)

URL IP
hxxp://www.google.com/173.194.43.82
hxxp://cloud.hitmanpro.com/banner.aspx?lc=en&v=3.7.8.208&c=&lic=free77.222.64.235
hxxp://thisisudax.org/downloads/JRT.exe (Malicious)173.201.97.1
hxxp://files.surfright.nl/HitmanPro.exe (Malicious)213.189.27.250
hxxp://files.surfright.nl/nobanner-en.png
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt
www.download.windowsupdate.com165.254.155.11
4.4.8.8.zen.spamhaus.orgUnresolvable
8.8.8.8.zen.spamhaus.orgUnresolvable


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following kernel-mode hooks:

NtAllocateVirtualMemory

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    hitman.exe:1940
    taskkill.exe:280
    taskkill.exe:176
    %original file name%.exe:696
    ping.exe:332
    jrt.exe:1748
    findstr.exe:236
    QuickTuneUp.exe:1468
    NIRCMD.DAT:556
    rundll32.exe:1484
    fsutil.exe:1700
    reg.exe:648

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (4 bytes)
    %Program Files%\Wireshark\plugins\0.99.6a (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (4 bytes)
    %Documents and Settings%\All Users\Application Data\HitmanPro\Banner.bin (1956 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1040 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (77783 bytes)
    %System%\drivers (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (4 bytes)
    %System%\wbem\Logs\wbemcore.log (344 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (8 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\HitmanPro[1].exe (13229 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
    C:\Perl (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (111 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (412 bytes)
    %Documents and Settings%\All Users\Start Menu (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN (4 bytes)
    C:\$Directory (1564 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (4 bytes)
    %System%\config\systemprofile (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\JRT[1].exe (7361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (36 bytes)
    %Program Files%\Wireshark\radius (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (4 bytes)
    %System%\drivers\hitmanpro37.sys (30 bytes)
    %Program Files%\Wireshark\snmp\mibs (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (4 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (7401 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (4 bytes)
    %Program Files%\Wireshark\dtds (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\All Users\Application Data\HitmanPro\Remnants.bin (1948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (10147 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (412 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (4 bytes)
    %System%\config\SysEvent.Evt (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (4 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
    %Program Files%\Common Files\VMware\Drivers (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (4 bytes)
    %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1156 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (4 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shit[1].txt (501047 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (132327 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\delorphans.bat (85 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\chrome.bat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\get.bat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\delfolders.bat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\ev_clear.bat (732 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE.manifest (565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\ask.bat (29 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps