Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, TrojanDropperVtimrun.YR, GenericInjector.YR, VirusSality.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e1d5b7cf243b5d1391b6285b28fa88f5
SHA1: 90a696732a5bd137d3c24766518a97927e61b9a7
SHA256: 267242208c1ec7223a048d7052db5b3ed3c414b265f4f918a4a369e08e0a632e
SSDeep: 24576:Ny2tnn5BZVh 0Jr50sQNRxYpo1 wqu5W/K/5iBuC1taINPr:o2VZ5Jr5pQFYGTH5W93t7z
Size: 1124352 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Jottix
Created at: 2011-03-08 14:46:37
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
The Virus injects its code into the following process(es):
e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280
PALKAZ~1.EXE:740
File activity
The process e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Server.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PALKAZ~1.EXE (81671 bytes)
The process PALKAZ~1.EXE:740 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
D:\ebqg.exe (103 bytes)
D:\disablejavawarnsec.exe (1176 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
D:\autorun.inf (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (741 bytes)
C:\bjigp.exe (103 bytes)
C:\autorun.inf (346 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (0 bytes)
Registry activity
The process e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 18 81 62 74 B1 24 E2 FE 2C 21 8F E8 EA 72 35"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process PALKAZ~1.EXE:740 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "3299283285"
[HKCU\Software\Aas\695404737]
"35845605" = "463"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "46481C6470CB6053A2944ECDB4DDE4665193DA4B365617F8DA3A7326E04FD138F32C7957E43E337B787B1FCE134E25C8FA8DDBE4C1B3A071973E11A56D33E05BAE13122A827142E165599DED991297931C47B4D5893CF802CE6B34169D08445CA2A755591705B86FAD56E544425A439E5A1200FA860F72B58819476DE5B7A125"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
[HKCU\Software\Aas\695404737]
"7169121" = "129"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKCU\Software\Aas\695404737]
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 03 05 0C 9D 9E B1 EF 64 95 D0 93 76 0C 4D DD"
[HKCU\Software\Aas]
"a2_0" = "9832"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
The Windows Firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows Firewall which allows any network activity for the dropped file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP]
"PALKAZ~1.EXE" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\PALKAZ~1.EXE:*:Enabled:ipsec"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the original Virus's process (How to End a Process With the Task Manager).
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Server.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PALKAZ~1.EXE (81671 bytes)
%WinDir%\system.ini (70 bytes)
D:\ebqg.exe (103 bytes)
D:\disablejavawarnsec.exe (1176 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
D:\autorun.inf (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (741 bytes)
C:\bjigp.exe (103 bytes)
C:\autorun.inf (346 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.