Skip to main content

Worm.Win32.Ainslot_VariantOfZeus_61286fa635


mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)Behaviour: Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 61286fa63517868c61ea0df24f670137

SHA1: 9791cc295edd62ab2b4f7f5df2d4cf2bb7afa695

SHA256: 7ca08979ad1f96e9f84a9ed7f20d48ef7cc5e06926f96fdcbd86089bcefdf453

SSDeep: 12288:uqQ9T5PzE4OOS/llyk7/J1pQWZ34E2fHLLAY0lVvXjoj61skTrYiTN:GPzE4GiW/fSWZ34NfLLAT/joj3kT8iT

Size: 596480 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2014-03-10 05:40:10

Analyzed on: WindowsXP SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

WScript.exe:1732
WScript.exe:1508
WScript.exe:228
WScript.exe:1064
WScript.exe:736
dwwin.exe:2100
dwm.exe:816
snv.exe:1628
38285.exe:1768
msg.exe:752
AppLaunch.exe:628
AppLaunch.exe:1988
61768.exe:204
22499.exe:392
reg.exe:640
reg.exe:1492
reg.exe:1372
reg.exe:1504
reg.exe:1464
25697.exe:1468
36981.exe:1396
47672.exe:428

The Worm injects its code into the following process(es):

snv.exe:648
vbc.exe:1068
%original file name%.exe:596

File activity

The process dwwin.exe:2100 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\13F502.dmp (78634 bytes)

The process 38285.exe:1768 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dwm.exe (2608 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dwm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_1274968 (0 bytes)

The process msg.exe:752 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ede6_appcompat.txt (3730 bytes)

The process AppLaunch.exe:628 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\logff.txt (2 bytes)

The process 61768.exe:204 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\msvcp100.dll (6283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\msvcr100.dll (20705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\cudart32_55.dll (6665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\nvm.vbs (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\nvm.exe (1869 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\__tmp_rar_sfx_access_check_1286578 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\nvm.vbs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\nvm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\cudart32_55.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\msvcp100.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\msvcr100.dll (0 bytes)

The process 22499.exe:392 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Sample.lnk (575 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\DataWork\22499.exe (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process vbc.exe:1068 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\47672.exe (101477 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\amd[1].exe (214369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\svc[1].exe (25739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nvm[1].exe (138637 bytes)
%Documents and Settings%\%current user%\Application Data\java\host (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ws[1].exe (34671 bytes)
%Documents and Settings%\%current user%\Application Data\java\css.exe (3860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\22499.exe (18226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25697.exe (23634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\kl[1].exe (114479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\36981.exe (64829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61768.exe (78435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpu[1].exe (55049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\38285.exe (19818 bytes)

The process 25697.exe:1468 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\pthreadGC2.dll (1737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\msg.exe (3113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\libcurl-4.dll (4601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\libgcc_s_dw2-1.dll (1729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\msg.vbs (153 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\__tmp_rar_sfx_access_check_1299421 (0 bytes)

The process 36981.exe:1396 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\kl.bat (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\b.vbs (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\snv.exe (8395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\k.vbs (50 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\__tmp_rar_sfx_access_check_1279812 (0 bytes)

The process %original file name%.exe:596 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\.exe (3669 bytes)

The process 47672.exe:428 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\alexkarold.cl (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\README.md (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\bmw.cl (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\jh.cl (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\nv.vbs (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\pthreadGC2.dll (1737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\ssleay32.dll (8734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\cubehash.cl (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\luffa.cl (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\AUTHORS.md (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libcurl.dll (8441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\qubitcoin.cl (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\aes_helper.cl (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\echo.cl (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\myriadcoin-groestl.cl (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\darkcoin.cl (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\shavite.cl (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\qubitcoinHawaiiglg2tc30592w128l4.bin (10333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\skein.cl (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libpdcurses.dll (4201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\keccak.cl (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\blake.cl (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\zuikkis.cl (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\example.conf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\groestl.cl (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\simd.cl (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\quarkcoin.cl (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libeay32.dll (21757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libgcc_s_dw2-1.dll (1729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\zlib1.dll (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\alexkarnew.cl (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\NEWS.md (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libidn-11.dll (16249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\amd.exe (6921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\ckolivas.cl (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\psw.cl (21 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\__tmp_rar_sfx_access_check_1296734 (0 bytes)

Registry activity

The process WScript.exe:1732 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 B4 51 98 DD 48 F7 D8 0B 5E FE 4D 17 E8 AC 32"

The process WScript.exe:1508 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 17 2D 58 79 3F 41 AC B4 75 36 98 11 87 63 4A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX3]
"msg.exe" = "msg"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process WScript.exe:228 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 F3 36 79 9A A7 D3 67 B7 30 0A B5 B8 75 20 A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX2]
"nvm.exe" = "nvm"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process WScript.exe:1064 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA B4 C2 F3 B3 6F 52 DC 8B 02 D6 D6 EB 2E DA 6B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX2]
"amd.exe" = "amd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process WScript.exe:736 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 3A 7B E0 70 BB 38 CE 7F DD D2 60 10 A1 34 DB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX1]
"snv.exe" = "snv"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process dwwin.exe:2100 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 66 66 50 FC E6 54 D7 96 28 75 A8 61 20 92 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dwm.exe:816 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 1E E8 7D 11 D2 0B B0 85 5D D7 CB 6F 66 C8 0D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process snv.exe:648 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 B4 F8 2E E0 ED D6 A7 AC 97 46 E1 32 7A A3 6A"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\snv\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\snv\DEBUG]
"Trace Level"

The process snv.exe:1628 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 E6 DA D3 E2 6D 5F 43 C2 22 A4 71 55 86 F6 CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process 38285.exe:1768 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C D2 F5 CF A4 6B 8B DD AF 6E 15 AB 01 27 DC 75"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"dwm.exe" = "Microsoft® Windows®"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process msg.exe:752 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 2C 30 FA A4 BB 58 5F 70 3C 30 D6 3B 37 3A 46"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process AppLaunch.exe:628 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 85 25 31 C8 30 F8 7D D5 0B C6 35 21 80 77 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1988 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 08 EA CE 5C F0 94 0A 24 B0 D0 E2 AA 87 2C 89"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process 61768.exe:204 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 5D 56 88 BD 2A 60 1D 71 F4 56 6B 2B F8 58 8E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 22499.exe:392 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 40 22 EA 84 E8 3F 82 12 17 BA 2C D9 CE 69 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"sidebar" = "%Documents and Settings%\%current user%\Application Data\Sample.lnk"

The process vbc.exe:1068 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"22499.exe" = "22499"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"47672.exe" = "47672"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"S6T1NWP2IO" = "RAT3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"S6T1NWP2IO" = "March 13, 2014"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"36981.exe" = "36981"
"61768.exe" = "61768"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"25697.exe" = "25697"
"38285.exe" = "38285"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 61 6C 0C 94 CC 2B 00 97 D2 63 9A 2C C1 89 75"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process reg.exe:640 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 AB 3F 4B 90 25 8A BE 59 D4 15 08 BC 2C 72 02"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell" = "explorer.exe,%Documents and Settings%\%current user%\Local Settings\Temp\.exe"

The process reg.exe:1492 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 F1 78 9B B4 43 70 45 AB B1 13 47 DD 75 E3 3D"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:1372 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 01 E7 EC D7 A0 E4 47 43 F2 DC 6F 96 B2 99 6B"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\java]
"css.exe" = "%Documents and Settings%\%current user%\Application Data\java\css.exe:*:Enabled:Windows Messanger"

The process reg.exe:1504 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 2E 11 FC 8A 61 B6 30 D3 D3 A3 1A 70 9B 98 BC"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:1464 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 1C D3 5B EC 6A 72 AB 12 06 0D 91 04 D9 46 7E"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"vbc.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger"

The process 25697.exe:1468 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 A5 36 09 EB 62 4D 25 63 53 9D 78 C2 4D 0C C8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 36981.exe:1396 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 18 44 4A AD 1D FA 4E A0 32 CA 40 A6 8D BC FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\System32]
"WScript.exe" = "Microsoft (R) Windows Based Script Host"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:596 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 69 59 92 78 7E 61 09 A9 46 8E 95 FA 5A 64 F3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process 47672.exe:428 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 9F 10 C9 01 13 90 08 98 AD 34 FD B7 47 9A E9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Network activity (URLs)

URL IP
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://109.72.85.5/ws/amd.exe
hxxp://192.151.154.180/v2/ip_query_country.php?key=&timezone=off
hxxp://109.72.85.5/ws/cpu.exe
www.download.windowsupdate.com63.85.36.32
smtp.gmail.com74.125.142.108
xecuter2.zapto.org212.7.208.120
mine1.myr.nonce-pool.com198.27.67.130


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WScript.exe:1732
    WScript.exe:1508
    WScript.exe:228
    WScript.exe:1064
    WScript.exe:736
    dwwin.exe:2100
    dwm.exe:816
    snv.exe:1628
    38285.exe:1768
    msg.exe:752
    AppLaunch.exe:628
    AppLaunch.exe:1988
    61768.exe:204
    22499.exe:392
    reg.exe:640
    reg.exe:1492
    reg.exe:1372
    reg.exe:1504
    reg.exe:1464
    25697.exe:1468
    36981.exe:1396
    47672.exe:428

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\13F502.dmp (78634 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\dwm.exe (2608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ede6_appcompat.txt (3730 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\logff.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\msvcp100.dll (6283 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\msvcr100.dll (20705 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\cudart32_55.dll (6665 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\nvm.vbs (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\nvm.exe (1869 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Sample.lnk (575 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Application Data\DataWork\22499.exe (166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\47672.exe (101477 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\amd[1].exe (214369 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\svc[1].exe (25739 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nvm[1].exe (138637 bytes)
    %Documents and Settings%\%current user%\Application Data\java\host (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ws[1].exe (34671 bytes)
    %Documents and Settings%\%current user%\Application Data\java\css.exe (3860 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\22499.exe (18226 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\25697.exe (23634 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\kl[1].exe (114479 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\36981.exe (64829 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\61768.exe (78435 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpu[1].exe (55049 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\38285.exe (19818 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\pthreadGC2.dll (1737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\msg.exe (3113 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\libcurl-4.dll (4601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\libgcc_s_dw2-1.dll (1729 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX3\msg.vbs (153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\kl.bat (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\b.vbs (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\snv.exe (8395 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX1\k.vbs (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\.exe (3669 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\alexkarold.cl (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\README.md (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\bmw.cl (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\jh.cl (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\nv.vbs (168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\pthreadGC2.dll (1737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\ssleay32.dll (8734 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\cubehash.cl (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\luffa.cl (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\AUTHORS.md (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libcurl.dll (8441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\qubitcoin.cl (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\aes_helper.cl (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\echo.cl (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\myriadcoin-groestl.cl (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\darkcoin.cl (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\shavite.cl (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\qubitcoinHawaiiglg2tc30592w128l4.bin (10333 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\skein.cl (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libpdcurses.dll (4201 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\keccak.cl (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\blake.cl (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\zuikkis.cl (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\example.conf (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\groestl.cl (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\simd.cl (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\quarkcoin.cl (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libeay32.dll (21757 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libgcc_s_dw2-1.dll (1729 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\zlib1.dll (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\alexkarnew.cl (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\NEWS.md (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\libidn-11.dll (16249 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\amd.exe (6921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\ckolivas.cl (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX2\kernel\psw.cl (21 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "sidebar" = "%Documents and Settings%\%current user%\Application Data\Sample.lnk"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps