HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-Spy.Zbot!IK (Emsisoft), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, TrojanDownloaderAndromeda.YR, WormAinslot_VariantOfZeus.YR, GenericDownloader.YR, BackdoorFynloski.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan-Spy, Trojan, Backdoor, Worm, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c8cb626e812d9aa9c482bd4fdb33233e
SHA1: fc35a4e53574eb4e40b95faeae0d910febd760c5
SHA256: ea95814c170e78c983cc014574fb6e01337996fe762b19534fb52a7afdd3ec4a
SSDeep: 24576:2dyein9jvFP5HHS81p8ZUuFS1gHJipeAtLKEHM 8 vtcAo:2dSnZ3S81OS1gcV 6vbtdo
Size: 1114972 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-17 04:09:47
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
msdcsc.exe:1252
attrib.exe:1256
attrib.exe:1280
dwwin.exe:1940
notepad.exe:1568
c8cb626e812d9aa9c482bd4fdb33233e.exe:548
c8cb626e812d9aa9c482bd4fdb33233e.exe:576
reg.exe:336
reg.exe:420
reg.exe:628
reg.exe:448
The Backdoor injects its code into the following process(es):
msdcsc.exe:484
msdcsc.exe:1056
notepad.exe:1728
Javascript.exe:1792
File activity
The process msdcsc.exe:484 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\5a24_appcompat.txt (3447 bytes)
The process dwwin.exe:1940 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WH2VKX2N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\96B02.dmp (56093 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TGYVF1DX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QALB3X7H\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6UJDDQ19\desktop.ini (67 bytes)
The process notepad.exe:1568 makes changes in a file system.
The Backdoor deletes the following file(s):
C:\c8cb626e812d9aa9c482bd4fdb33233e.exe (0 bytes)
The process Javascript.exe:1792 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Javascript.exe (161 bytes)
%Documents and Settings%\%current user%\Application Data\JVB (33 bytes)
The process c8cb626e812d9aa9c482bd4fdb33233e.exe:548 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe (7547 bytes)
The process c8cb626e812d9aa9c482bd4fdb33233e.exe:576 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Javascript.exe (628 bytes)
Registry activity
The process msdcsc.exe:484 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 74 B4 F3 DE 9D 39 40 90 7E EE 08 9C DC 3F E4"
The Backdoor deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process msdcsc.exe:1056 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 71 B5 69 64 D3 95 FF 68 88 6A 20 2F 0D E5 26"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"
The process attrib.exe:1256 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 1D F8 36 45 86 8D 99 97 4F 9E 84 5B EB 09 0F"
The process attrib.exe:1280 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 75 31 05 5E 99 15 6D F1 44 FB 2B B1 F5 7D DA"
The process dwwin.exe:1940 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 34 B6 5D F8 21 C5 6D 59 D9 6F BA 23 93 4B 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process notepad.exe:1568 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 47 83 4E 21 29 8D 11 7F D4 E0 62 43 49 0A E5"
The process notepad.exe:1728 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 89 1A 90 BC 2F 9B 3F E8 B6 80 4D 4C 75 26 7A"
The process Javascript.exe:1792 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 93 F6 92 51 02 A3 A6 8F 92 E5 8C 43 1F C9 B5"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FF1BBCCD-05CB-CFAE-EFC3-E83A7AA1BDCE}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\Javascript.exe"
[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"67WJPNBV2T" = "August 22, 2013"
[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"67WJPNBV2T" = "Anonymous's Bot"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"Windows Defender" = "%Documents and Settings%\%current user%\Application Data\Javascript.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Active Setup\Installed Components\{FF1BBCCD-05CB-CFAE-EFC3-E83A7AA1BDCE}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\Javascript.exe"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Application Data\Javascript.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Application Data\Javascript.exe"
The process c8cb626e812d9aa9c482bd4fdb33233e.exe:548 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 9C 28 FA 2A A4 96 7F 86 8F 09 A0 D1 EA 67 DB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\My Documents\MSDCSC]
"msdcsc.exe" = "msdcsc"
The Backdoor adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process c8cb626e812d9aa9c482bd4fdb33233e.exe:576 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 B5 D4 DF DF 2E 60 A4 82 5E A0 2A 07 DC DF 87"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Javascript.exe" = "Javascript"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process reg.exe:336 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 5A 43 6A 69 23 C2 34 C6 D4 56 E5 D9 AC D6 43"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"Javascript.exe" = "%Documents and Settings%\%current user%\Application Data\Javascript.exe:*:Enabled:Windows Messanger"
The process reg.exe:420 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F DD 9C 28 0B 60 32 CA A0 4F 7B 79 2A D5 34 42"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
The process reg.exe:628 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 C3 F1 23 BA 0A 88 B0 EE FF 3C 4A 09 9E 94 E2"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Javascript.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Javascript.exe:*:Enabled:Windows Messanger"
The process reg.exe:448 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 53 CE F6 9C 9E E0 5B 5B 51 83 1E D0 D3 18 E0"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
msdcsc.exe:1252
attrib.exe:1256
attrib.exe:1280
dwwin.exe:1940
notepad.exe:1568
c8cb626e812d9aa9c482bd4fdb33233e.exe:548
c8cb626e812d9aa9c482bd4fdb33233e.exe:576
reg.exe:336
reg.exe:420
reg.exe:628
reg.exe:448 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\5a24_appcompat.txt (3447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WH2VKX2N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\96B02.dmp (56093 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TGYVF1DX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QALB3X7H\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6UJDDQ19\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Javascript.exe (161 bytes)
%Documents and Settings%\%current user%\Application Data\JVB (33 bytes)
%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Javascript.exe (628 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Application Data\Javascript.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Application Data\Javascript.exe" - Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\My Documents\MSDCSC\msdcsc.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.