Skip to main content

Worm.Win32.Ainslot.VB_b9b4b431a6


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.SuspectCRC!IK (Emsisoft), Worm.Win32.Ainslot.VB.FD, WormAinslot_VariantOfZeus.YR, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: b9b4b431a671741ed66302ecade14208

SHA1: 018af81762cdfbd0af44f0c6f423cd9c97eab710

SHA256: ba50ecfc4a1f49cc413859850b24ed52ae8bfe1d9c9b94f49f7feb814f04344b

SSDeep: 12288:yR1vbTWZdMM5FOw2A4Pg TYDi3zVOyMVRO:C1vHYL5FOkJ Ta z4yMy

Size: 510464 bytes

File type: PE32

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC; UPolyXv05_v6; NETexecutable

Company: SetupManager

Created at: 2012-06-09 16:46:02

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

BehaviourDescription
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

AppLaunch.exe:592
AppLaunch.exe:744
reg.exe:464
reg.exe:1760
reg.exe:336
reg.exe:2000

The Worm injects its code into the following process(es):

b9b4b431a671741ed66302ecade14208.exe:520
System.DirectoryServices.exe:1160
sysglobl.exe:1220

File activity

The process b9b4b431a671741ed66302ecade14208.exe:520 makes changes in a file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Templates\sysglobl.exe (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\System.DirectoryServices.exe (3073 bytes)

Registry activity

The process b9b4b431a671741ed66302ecade14208.exe:520 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 EC E7 5A F0 79 F6 CF FA A0 5B 4E D5 C1 C9 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Templates]
"sysglobl.exe" = "System.Globalization.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process AppLaunch.exe:592 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 39 9C 3F AD 7F 04 EA 20 02 93 F7 28 0B A1 16"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"KZVPZAJ92H" = "Retard"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"KZVPZAJ92H" = "July 14, 2013"

The process AppLaunch.exe:744 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 D2 83 7F 57 2E 98 AE 5F ED E0 31 E2 95 82 F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process reg.exe:464 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 D9 97 62 14 64 CA 8C C8 37 41 A5 91 8E 72 80"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:1760 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 5A 8F 93 1A A2 8B A9 18 07 2C A5 84 42 62 90"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"AppLaunch.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger"

The process reg.exe:336 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 97 3E C2 55 DF C6 CB 97 A7 1F 2D 3B CD 65 53"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\Googlechrome]
"protect.exe" = "%Documents and Settings%\%current user%\Application Data\Googlechrome\protect.exe:*:Enabled:Windows Messanger"

The process reg.exe:2000 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 4C B9 10 4D 35 D4 60 E6 C4 35 19 18 D4 C5 AD"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process System.DirectoryServices.exe:1160 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 3D E5 F5 7D 28 B8 42 7B 44 22 46 D1 CD 87 33"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process sysglobl.exe:1220 makes changes in a system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D2 BF 1C 60 AB A1 E0 75 69 A7 2E B0 9D 18 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"System.DirectoryServices.exe" = "BlackHawk Browser"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "%Documents and Settings%\%current user%\Templates\sysglobl.exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    AppLaunch.exe:592
    AppLaunch.exe:744
    reg.exe:464
    reg.exe:1760
    reg.exe:336
    reg.exe:2000

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Templates\sysglobl.exe (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\System.DirectoryServices.exe (3073 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft® Windows® Operating System" = "%Documents and Settings%\%current user%\Templates\sysglobl.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps