Detections: HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR, GenericAutorunWorm.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Banker, Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 36ec310d2a0e4de33221b7f2c36bd64c
SHA1: fb9e3e148119d909330cd4092d28d264aac0e822
SHA256: 3c768dfd6a7512e8a597d37f65803bf88e1b61bad5831978f9c3951faf85db1a
SSDeep: 12288:AhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a74FfH8RpLexD:IRmJkcoQricOIQxiZY1ia7i/6p6xD
Size: 781097 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Summary: Worm. A program whose primary purpose is to replicate itself across networks or removable drives.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
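The WormAutorun label describes the classic removable-media technique: a drive root carrying autorun.inf whose open=, shellexecute= or shell\<verb>\command= entries point at the worm's copy, usually hidden, with an action= string that imitates the normal "Open folder to view files" AutoPlay entry. Two caveats for anyone triaging this report: the file activity recorded further down does not include an autorun.inf write, so the tag reflects the analysis system's classification rather than an action captured in this run; and the sandbox platform here is XP-era (Documents and Settings paths), whereas Windows 7 and the KB971029 update for XP/Vista stopped honouring autorun.inf on non-optical removable media, so on a patched host such a file is an indicator of infection rather than a working infection vector. The script below is an added example written by the editor, not code from the report or from Lavasoft: it parses an autorun.inf the way the XP/Vista AutoPlay launch keys worked, resolves each launch target against the drive root, and reports whether the target exists, is hidden, and is disguised by the action text. The sample autorun.inf, the RECYCLER path and the setup.exe name are constructed placeholders, not indicators taken from this sample.

```python
"""Inspect a removable-drive root for an autorun.inf that launches a file.

Added example by the editor, not code from the report or from Lavasoft.
SAMPLE_AUTORUN is constructed; RECYCLER\\S-1-5-21\\setup.exe is a placeholder.
"""
from __future__ import annotations

import stat
import tempfile
from pathlib import Path

SAMPLE_AUTORUN = r"""
[autorun]
; constructed sample: every launch key points at one hidden payload and the
; action text imitates the legitimate "Open folder to view files" entry
open=RECYCLER\S-1-5-21\setup.exe
shellexecute=RECYCLER\S-1-5-21\setup.exe
shell\open\command=RECYCLER\S-1-5-21\setup.exe
shell\explore\command=RECYCLER\S-1-5-21\setup.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as {key: value} with lower-cased keys.
    Comments (;), blank lines and other sections are ignored."""
    entries: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command: str) -> str:
    """Executable part of a command line: a quoted path or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(entries: dict[str, str]) -> dict[str, str]:
    """Keys that made XP/Vista AutoPlay run something, mapped to the target."""
    return {
        key: first_token(value)
        for key, value in entries.items()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix elsewhere so the demo is portable."""
    try:
        attrs = getattr(path.stat(), "st_file_attributes", None)
    except OSError:
        return False
    if attrs is None:
        return path.name.startswith(".")
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def inspect_drive(root: Path) -> list[dict]:
    """One record per launch entry: target, whether it exists, hidden, disguised."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    entries = parse_autorun(inf.read_text(errors="replace"))
    disguised = "folder" in entries.get("action", "").lower()
    records = []
    for key, target in launch_targets(entries).items():
        path = root.joinpath(*target.split("\\"))   # backslash path relative to the drive root
        records.append({"key": key, "target": target, "present": path.exists(),
                        "hidden": is_hidden(path), "disguised": disguised})
    return records


def demo() -> list[dict]:
    """Lay out a throwaway 'drive' with the constructed autorun.inf and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        payload_dir = root / "RECYCLER" / "S-1-5-21"
        payload_dir.mkdir(parents=True)
        (payload_dir / "setup.exe").write_bytes(b"MZ dummy, not a real PE")
        return inspect_drive(root)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Against a real mounted drive call inspect_drive(Path("E:/")); demo() builds the same layout in a temporary directory so the example runs offline. A hit where the target is present, hidden and the action text says "folder" is the pattern the WormAutorun tag stands for; the hashes in the Summary above are what to compare the target against.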
Process activity
The Worm creates the following process(es):
hitman.exe:1940
taskkill.exe:280
taskkill.exe:176
%original file name%.exe:696
ping.exe:332
jrt.exe:1748
findstr.exe:236
QuickTuneUp.exe:1468
NIRCMD.DAT:556
rundll32.exe:1484
fsutil.exe:1700
reg.exe:648
File activity
The process hitman.exe:1940 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (4 bytes)
%Program Files%\Wireshark\plugins\0.99.6a (4 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (4 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Banner.bin (1956 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (77783 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (4 bytes)
%Documents and Settings%\%current user% (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%System%\wbem\Logs\wbemcore.log (344 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (8 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\HitmanPro[1].exe (13229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
C:\Perl (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (111 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (412 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN (4 bytes)
%WinDir% (1152 bytes)
C:\$Directory (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (4 bytes)
%System%\config\systemprofile (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\JRT[1].exe (7361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (36 bytes)
%Program Files%\Wireshark\radius (32 bytes)
%System%\wbem (1064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (4 bytes)
%System%\drivers\hitmanpro37.sys (30 bytes)
%Program Files%\Wireshark\snmp\mibs (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (4 bytes)
%Documents and Settings%\All Users\Application Data (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (4 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (7401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (4 bytes)
%Documents and Settings% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (4 bytes)
%Program Files%\Wireshark\dtds (4 bytes)
%System%\config (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Remnants.bin (1948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (10147 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (4 bytes)
%System% (6608 bytes)
%System%\config\SysEvent.Evt (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (4 bytes)
%Program Files%\Wireshark (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (28 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (4 bytes)
%Documents and Settings%\All Users (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (4 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
The process %original file name%.exe:696 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shit[1].txt (501047 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (132327 bytes)
The process jrt.exe:1748 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delorphans.bat (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\chrome.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\get.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delfolders.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ev_clear.bat (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (931 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE.manifest (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ask.bat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (402 bytes)
The process QuickTuneUp.exe:1468 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\JRT[1].exe (488731 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (129151 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (1071 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\HitmanPro[1].exe (4554091 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\HitmanPro[2].exe (0 bytes)
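Read together, the process and file listings above give the chain this run actually observed: the sample (%original file name%.exe, pid 696) writes a 501047-byte download cached as shit[1].txt and drops QuickTuneUp.exe; QuickTuneUp.exe (pid 1468) then fetches JRT[1].exe and HitmanPro[1].exe through the WinInet cache and stages them as jrt.exe and hitman.exe under All Users\Application Data\QuickTuneUp; jrt.exe (pid 1748) unpacks its batch, .reg and helper files into Temp\jrt; and hitman.exe (pid 1940) writes the hitmanpro37.sys driver and, in the registry section that follows, populates HKLM\SOFTWARE\HitmanPro. Most of the remaining registry writes (Shell Folders, Cryptography\RNG Seed, Internet Settings\Cache\Paths, MountPoints2, the AuthRoot certificate blob) are, in this editor's judgement, side effects of ordinary Windows API use that any process incurs and carry no indicator value. The script below is an added example by the editor, not part of the report: it parses a listing in this page's format, keeps the dropped executables, drivers, scripts, network-fetched files and non-noise registry values, and attributes each to the process that produced it. SAMPLE_REPORT is a constructed excerpt of lines from this page, and the noise-key list is an assumption to be tuned per environment.

```python
"""Pull the actionable indicators out of a Lavasoft-style activity listing.

Added example by the editor, not part of the report. SAMPLE_REPORT is a
constructed excerpt of this page; NOISE_KEY_PREFIXES is the editor's assumption
about which registry writes are ordinary Windows side effects.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_REPORT = r"""
The process %original file name%.exe:696 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shit[1].txt (501047 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (132327 bytes)
The process QuickTuneUp.exe:1468 makes changes in the file system.
%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (129151 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (1071 bytes)
The process hitman.exe:1940 makes changes in the file system.
%System%\drivers\hitmanpro37.sys (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (12 bytes)
The process hitman.exe:1940 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 6F 43 A1 94 50 B8 73 EE 77 A0 73 04 D6 BC 8C"
[HKLM\SOFTWARE\HitmanPro]
"BannerURL" = "http://www.surfright.com/shop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"""

PROCESS_RE = re.compile(r"^The process (.+?):(\d+) makes changes in the (file system|system registry)\.$")
FILE_RE = re.compile(r"^(.+) \((\d+) bytes\)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)" = "(.*)"$')

# Keys Windows rewrites as a by-product of ordinary API use (CryptoAPI reseeding,
# shell-folder lookups, WinInet cache setup, drive enumeration, root cert update).
NOISE_KEY_PREFIXES = tuple(p.lower() for p in (
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2",
    r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot",
))
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".reg"}


@dataclass(frozen=True)
class Finding:
    process: str   # "image:pid" exactly as the sandbox prints it
    kind: str
    detail: str


def classify_file(path: str) -> Optional[str]:
    """Label a written path, or None when it is not worth an analyst's time."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if ext == ".sys" and "\\drivers\\" in low:
        return "kernel driver"            # crosses the user/kernel boundary
    if "\\temporary internet files\\" in low:
        return "downloaded via WinInet"   # fetched from the network, any extension
    if ext in EXECUTABLE_EXT:
        return "dropped executable"
    if ext in SCRIPT_EXT:
        return "dropped script"
    return None


def triage(report: str) -> list[Finding]:
    """Walk the listing, tracking which process each block of lines belongs to."""
    findings: list[Finding] = []
    process, key = "?", None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROCESS_RE.match(line):
            process, key = f"{m.group(1)}:{m.group(2)}", None
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key is not None:
            if not key.lower().startswith(NOISE_KEY_PREFIXES):
                findings.append(Finding(process, "registry value",
                                        f'{key} -> "{m.group(1)}" = "{m.group(2)}"'))
        elif m := FILE_RE.match(line):
            kind = classify_file(m.group(1))
            if kind:
                findings.append(Finding(process, kind, m.group(1)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.process:28} {f.kind:24} {f.detail}")
```

On the excerpt this yields seven findings and drops the RNG seed, the Shell Folders lookup and QuickTuneUp.ini; on the full report the same rules reduce several hundred lines to the handful of dropped binaries, the driver, the Temp\jrt scripts and the HitmanPro keys. Paste the whole listing into triage() to reproduce that.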
Registry activity
The process hitman.exe:1940 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\HitmanPro]
"MiniportHash" = "F8 03 F8 14 8C 1A EA 33 32 30 78 D8 BF 02 FB BA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\HitmanPro]
"UID" = "{534FA476-4147-4A1B-A960-C4F81103C566}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\HitmanPro]
"BannerURL" = "http://www.surfright.com/shop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\HitmanPro]
"BannerID" = "_default"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 6F 43 A1 94 50 B8 73 EE 77 A0 73 04 D6 BC 8C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 91 DE 06 25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\HitmanPro]
"LastCFU" = "2013-11-03 06:05:50"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"
The process taskkill.exe:280 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 1E FD 7D 31 7D 7F 29 91 09 FB 19 DE 17 12 6C"
The process taskkill.exe:176 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B E1 71 1D B3 C8 B9 84 A9 46 F3 51 DD 8F 3B FD"
The process %original file name%.exe:696 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 7D E7 FA EE 80 3A 70 24 DE A5 86 29 09 36 7F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm sets the IE security-zone mapping so that UNC paths are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm sets the IE security-zone mapping so that sites which bypass the proxy are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm sets the IE security-zone mapping so that dotless local host names not assigned to another zone are treated as part of the Intranet Zone (the three ZoneMap values listed here match the Windows defaults, so on their own they are weak indicators):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process ping.exe:332 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 13 6C 52 30 D0 55 3C 6F 12 FD 02 0F 84 6E 60"
The process jrt.exe:1748 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\%current user%\LOCALS~1\Temp\jrt]
"get.bat" = "get"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Templates" = "%Documents and Settings%\All Users\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 46 94 7E 79 AB FE 26 A3 21 EE 9A 21 52 76 9D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm sets the IE security-zone mapping so that UNC paths are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm sets the IE security-zone mapping so that dotless local host names not assigned to another zone are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm sets the IE security-zone mapping so that sites which bypass the proxy are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process findstr.exe:236 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 47 8A EE A9 7E A2 05 03 EB C2 00 5D 13 1C 1A"
The process QuickTuneUp.exe:1468 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\Directory\Background\shell\Restart Quick Tune Up\command]
"(Default)" = "%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 68 63 12 AA EF 5F 87 A8 4E 49 31 AA 3F E0 21"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm sets the IE security-zone mapping so that UNC paths are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm sets the IE security-zone mapping so that sites which bypass the proxy are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm sets the IE security-zone mapping so that dotless local host names not assigned to another zone are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process NIRCMD.DAT:556 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 72 05 B6 EB 47 8B 33 3A 7F 96 74 F9 16 2E F3"
The process rundll32.exe:1484 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FC E5 C8 62 40 47 D6 DE 31 AA B5 49 86 C2 65"
The process fsutil.exe:1700 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 2B 2F EF 45 AC C7 36 52 9C 77 5D 56 59 E4 A1"
The process reg.exe:648 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 FB 21 40 F5 3A 35 15 28 62 1C 3D 92 7E C1 CA"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MSIServer]
"(Default)" = "Service"
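Most of the registry entries listed above are not attributable to the sample at all. The CryptoAPI RNG Seed is rewritten by every process that calls into CryptoAPI, which is why taskkill.exe, ping.exe, findstr.exe and reg.exe all appear to "set" it, and the Cache\Paths, Shell Folders and MountPoints2 values are written by WinINet and Explorer whenever a process uses them. The entries that actually change how the system behaves are the context-menu command under HKCR\Directory\Background\shell, the SafeBoot\Network entry, the AuthRoot certificate deletion, the MUICache record (which shows get.bat was executed) and the proxy-setting deletions. The following Python script is an added example, not part of the generated report: it parses the report's own `[key]` / `"name" = "value"` notation (a bare `"name"` line is how the report lists a deleted value) and applies that split as triage rules. The rules and verdict labels are my assumptions about what counts as noise; the sample lines are copied from the listing above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the registry listing above (a subset, in the report's own notation).
SAMPLE = r'''
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 1E FD 7D 31 7D 7F 29 91 09 FB 19 DE 17 12 6C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
[HKCR\Directory\Background\shell\Restart Quick Tune Up\command]
"(Default)" = "%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MSIServer]
"(Default)" = "Service"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\%current user%\LOCALS~1\Temp\jrt]
"get.bat" = "get"
'''

@dataclass
class Finding:
    key: str
    name: str
    value: Optional[str]          # None: the report lists the value as deleted
    verdict: str = 'unclassified'
    reason: str = ''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_SET_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')
_DEL_RE = re.compile(r'^"([^"]*)"$')        # bare name: deleted value

def parse_report(text: str) -> List[Finding]:
    """Parse the report's [key] / "name" = "value" listing into Finding records."""
    out, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _KEY_RE.match(line):
            cur = m.group(1)
        elif (m := _SET_RE.match(line)) and cur:
            out.append(Finding(cur, m.group(1), m.group(2)))
        elif (m := _DEL_RE.match(line)) and cur:
            out.append(Finding(cur, m.group(1), None))
    return out

# Assumed triage rules: side effects of ordinary Windows API use versus changes to system behaviour.
_NOISE = [
    (r'\\Cryptography\\RNG$', 'CryptoAPI reseeds this value whenever a process uses it'),
    (r'\\Internet Settings\\Cache\\Paths', 'WinINet cache initialisation'),
    (r'\\Explorer\\Shell Folders$', 'shell folder path cache'),
    (r'\\Explorer\\MountPoints2\\', 'Explorer drive-mount bookkeeping'),
]
_REVIEW = [
    (r'\\SafeBoot\\', 'changes which services load in Safe Mode'),
    (r'\\SystemCertificates\\AuthRoot\\', 'touches the trusted root certificate store'),
    (r'^HKCR\\.*\\shell\\[^\\]+\\command$', 'Explorer context-menu command: execution vector and persistence'),
    (r'\\ShellNoRoam\\MUICache', 'MUICache: evidence that the named program was executed'),
]
_PROXY_NAMES = {'proxyenable', 'proxyserver', 'proxyoverride', 'autoconfigurl'}
_ZONEMAP_DEFAULTS = {'uncasintranet': '1', 'intranetname': '1', 'proxybypass': '1'}

def _mark(f: Finding, verdict: str, reason: str) -> Finding:
    f.verdict, f.reason = verdict, reason
    return f

def classify(f: Finding) -> Finding:
    key, name = f.key.lower(), f.name.lower()
    for pat, why in _REVIEW:
        if re.search(pat, f.key, re.I):
            return _mark(f, 'review', why)
    if key.endswith(r'\internet settings') and name in _PROXY_NAMES:
        return _mark(f, 'review', 'changes the proxy configuration used by WinINet clients')
    if f.value is None:
        return _mark(f, 'review', 'value deleted')
    if key.endswith(r'\internet settings\zonemap'):
        if _ZONEMAP_DEFAULTS.get(name) == f.value:
            return _mark(f, 'noise', 'ZoneMap value equals the Windows default')
        return _mark(f, 'review', 'ZoneMap value differs from the Windows default')
    for pat, why in _NOISE:
        if re.search(pat, f.key, re.I):
            return _mark(f, 'noise', why)
    return _mark(f, 'unclassified', 'no rule matched; inspect manually')

def triage(text: str) -> List[Finding]:
    return [classify(f) for f in parse_report(text)]

def summarize(findings: List[Finding]) -> dict:
    counts = {'noise': 0, 'review': 0, 'unclassified': 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts

if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f'{f.verdict:12} {f.key}\\{f.name}: {f.reason}')
```

Paste the full registry listing of a report into `triage()` and only the `review` entries need an analyst's attention; the `unclassified` bucket is where new rules come from. The ZoneMap check is deliberately value-aware, since the same key with a non-default value would be a real finding.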
Network activity (URLs)
URL | IP |
---|---|
hxxp://www.google.com/ | 173.194.43.82 |
hxxp://cloud.hitmanpro.com/banner.aspx?lc=en&v=3.7.8.208&c=&lic=free | 77.222.64.235 |
hxxp://thisisudax.org/downloads/JRT.exe (Malicious) | 173.201.97.1 |
hxxp://files.surfright.nl/HitmanPro.exe (Malicious) | 213.189.27.250 |
hxxp://files.surfright.nl/nobanner-en.png | |
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt | |
www.download.windowsupdate.com | 165.254.155.11 |
4.4.8.8.zen.spamhaus.org | Unresolvable |
8.8.8.8.zen.spamhaus.org | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following kernel-mode hooks:
NtAllocateVirtualMemory
Propagation
The Worm spreads via removable drives: it copies its executable to each drive and writes an autorun.inf that points at the copy, so the copy runs when a user opens the drive in Windows Explorer. This only works on Windows installations that still honour autorun.inf on USB media; Microsoft disabled AutoRun for non-optical removable drives by default with update KB971029 (February 2011), so on patched XP/Vista and on Windows 7 and later the drive copy only runs if the user launches it themselves.
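As an added example (not code from the report or from the sample), the following Python script inspects an autorun.inf the way a responder would when triaging a suspect USB stick: it parses the [autorun] section, extracts every directive that launches a program (open, shellexecute, shell\<verb>\command), flags a shell= default-verb override that replaces Explorer's own Open/Explore actions, and flags the folder-icon plus "Open folder" disguise used in the AutoPlay dialog. The two autorun.inf samples are constructed for this example; the RECYCLER\autorun.exe path in them is illustrative and is not a filename from this report. scan_root() applies the same check to a mounted drive and verifies that the referenced files exist and, on Windows, whether they carry hidden or system attributes.

```python
import os
import stat
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples for this example, not files recovered from the analysed binary.
WORM_SAMPLE = r'''
[autorun]
; copy hidden in a folder named like the recycle bin (illustrative path)
open=RECYCLER\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\autorun.exe
shell\explore=Explore
shell\explore\command=RECYCLER\autorun.exe
shell=open
'''
BENIGN_SAMPLE = r'''
[autorun]
icon=setup\vendor.ico
label=Driver CD
'''
# Extensions the shell executes when an AutoRun directive names them.
_EXEC_EXT = ('.exe', '.com', '.bat', '.cmd', '.pif', '.scr', '.vbs', '.js', '.lnk')

@dataclass
class AutorunReport:
    commands: Dict[str, str] = field(default_factory=dict)  # directive -> command line
    default_verb: Optional[str] = None                      # value of "shell=" if present
    findings: List[str] = field(default_factory=list)

def _parse_ini(text: str) -> Dict[str, str]:
    """[autorun] section as lower-cased keys. Section and key names are case-insensitive,
    ';' starts a comment line, later duplicates override earlier ones."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section != 'autorun' or '=' not in line:
            continue
        key, val = line.split('=', 1)
        out[key.strip().lower()] = val.strip()
    return out

def _first_token(cmd: str) -> str:
    """Program path from a command line: a quoted path or the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ''

def analyze_autorun(text: str) -> AutorunReport:
    """Flag the directives that turn 'open the drive' into 'run a program'."""
    kv = _parse_ini(text)
    rep = AutorunReport(default_verb=kv.get('shell'))
    for key, val in kv.items():
        if key in ('open', 'shellexecute') or (key.startswith('shell\\') and key.endswith('\\command')):
            rep.commands[key] = val
    for key, cmd in rep.commands.items():
        prog = _first_token(cmd).lower()
        if prog.endswith(_EXEC_EXT):
            rep.findings.append(f'{key} runs {prog}')
    # "shell=<verb>" makes that verb the double-click default, replacing Explorer's own Open.
    if rep.default_verb:
        verb_cmd = kv.get(f'shell\\{rep.default_verb.lower()}\\command')
        if verb_cmd:
            rep.findings.append(f'default verb "{rep.default_verb}" runs {_first_token(verb_cmd)}')
    # Explorer's folder icon plus an "Open folder" caption disguises the entry in the AutoPlay dialog.
    if 'shell32.dll' in kv.get('icon', '').lower() and 'open' in kv.get('action', '').lower():
        rep.findings.append('AutoPlay entry mimics "Open folder to view files"')
    return rep

def scan_root(root: str) -> Optional[AutorunReport]:
    """Inspect <root>/autorun.inf on a mounted drive and check the files it points at."""
    inf = os.path.join(root, 'autorun.inf')
    if not os.path.isfile(inf):
        return None
    with open(inf, 'r', encoding='utf-8', errors='replace') as fh:
        rep = analyze_autorun(fh.read())
    for key, cmd in rep.commands.items():
        rel = _first_token(cmd).replace('\\', os.sep)
        target = os.path.join(root, rel)
        if not os.path.exists(target):
            rep.findings.append(f'{key} target missing: {rel}')
            continue
        attrs = getattr(os.stat(target), 'st_file_attributes', 0)  # Windows only, 0 elsewhere
        hidden = bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
        rep.findings.append(f'{key} target present: {rel}, {os.path.getsize(target)} bytes'
                            + (', hidden/system attributes set' if hidden else ''))
    return rep
```

Call `analyze_autorun()` on the file contents or `scan_root('E:\\')` against a mounted drive. Anything in `findings` is an indicator; an autorun.inf whose commands point at files that no longer exist is still worth keeping as evidence, because it shows the drive was used by an infected host even after the copy was cleaned off.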
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
hitman.exe:1940
taskkill.exe:280
taskkill.exe:176
%original file name%.exe:696
ping.exe:332
jrt.exe:1748
findstr.exe:236
QuickTuneUp.exe:1468
NIRCMD.DAT:556
rundll32.exe:1484
fsutil.exe:1700
reg.exe:648
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm. Review the list before acting on it: it also contains system directories (%System%\drivers, %System%\config\systemprofile, %WinDir%\REGISTRATION), the System event log (%System%\config\SysEvent.Evt) and pre-existing tooling paths (Wireshark, VMware, C:\Perl) that were merely touched during the sandbox run; deleting those damages the machine without removing the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (4 bytes)
%Program Files%\Wireshark\plugins\0.99.6a (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (4 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Banner.bin (1956 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (77783 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (4 bytes)
%System%\wbem\Logs\wbemcore.log (344 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (8 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\HitmanPro[1].exe (13229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
C:\Perl (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (111 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (412 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN (4 bytes)
C:\$Directory (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (4 bytes)
%System%\config\systemprofile (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\JRT[1].exe (7361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (36 bytes)
%Program Files%\Wireshark\radius (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (4 bytes)
%System%\drivers\hitmanpro37.sys (30 bytes)
%Program Files%\Wireshark\snmp\mibs (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (4 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (7401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (4 bytes)
%Program Files%\Wireshark\dtds (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Remnants.bin (1948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (10147 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (4 bytes)
%System%\config\SysEvent.Evt (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (28 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shit[1].txt (501047 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (132327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delorphans.bat (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\chrome.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\get.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delfolders.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ev_clear.bat (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE.manifest (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ask.bat (29 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.