Trojan.StartPage.ZSB (BitDefender), Trojan:Win32/Virumulu.A (Microsoft), Trojan.Win32.Pasta.kri (Kaspersky), Virus.Win32.Sality.at (v) (VIPRE), Trojan.StartPage.49217 (DrWeb), Trojan.StartPage.ZSB (B) (Emsisoft), StartPage-NT (McAfee), W32.SillyFDC (Symantec), Trojan.Win32.Pasta (Ikarus), Trojan.StartPage.ZSB (FSecure), Generic_r.YA (AVG), Win32:Kukacka (Avast), PE_SALITY.RL (TrendMicro), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 88ecf6e0201394ef05447882d52bf490
SHA1: 46df57f65372ae327cb70004f1fab03eb5e2288d
SHA256: 4a2934f7a709b225b628e112339af1b22129ea8dca8fdff6f1b331c5077367ee
SSDeep: 3072:qQL/bCr7IPe5MLU3oc9BcuHSeiU2VUPIkp78:qQL/bCrSHthVOp8
Size: 231936 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1991-04-26 11:52:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):
cssrs.exe:3044
cssrs.exe:852
%original file name%.exe:2748
File activity
The process %original file name%.exe:2748 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00072846_Rar\%original file name%.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winpqtvh.exe (741 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000727E8_Rar\%original file name%.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\cssrs.exe (1281 bytes)
C:\autorun.inf (463 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
C:\qwqvj.exe (103 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\cssrs.exe (2562 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\winpqtvh.exe (0 bytes)
Registry activity
The process cssrs.exe:3044 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 6A 39 67 9A D1 5A DB 9E 23 50 FC 25 83 2E DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The process cssrs.exe:852 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 73 C3 14 A6 8D 06 00 79 35 86 C8 46 11 E3 FB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The process %original file name%.exe:2748 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas]
"a4_36" = "258088356"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Internet Explorer\AboutURLs]
"Tabs" = "http://www.114116.info"
[HKCU\Software\Aas]
"a4_30" = "215073630"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"
[HKCU\Software\Aas]
"a2_28" = "200730203"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
[HKCU\Software\Aas]
"a2_26" = "186394451"
"a2_27" = "193563047"
[HKCU\Software\Aas\695404737]
"7169121" = "129"
[HKCU\Software\Aas]
"a2_25" = "179235166"
"a2_22" = "157726012"
"a2_23" = "164895329"
"a2_20" = "143380219"
"a2_21" = "150548078"
"a2_7" = "50177222"
"a4_11" = "78860331"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.114116.info"
[HKCU\Software\Aas\695404737]
"35845605" = "463"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Aas]
"a4_10" = "71691210"
"a2_6" = "43011855"
"a2_5" = "35842072"
"a2_4" = "28676027"
"a2_3" = "21510861"
"a2_2" = "14341041"
"a2_1" = "7174278"
"a2_0" = "7005"
"a2_9" = "64526692"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_9" = "64522089"
"a4_8" = "57352968"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"
[HKCU\Software\Aas]
"a3_35" = "267899754"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "46481C6470CB6053A2944ECDB4DDE4665193DA4B365617F8DA3A7326E04FD138F32C7957E43E337B787B1FCE134E25C8FA8DDBE4C1B3A071973E11A56D33E05BAE13122A827142E165599DED991297931C47B4D5893CF802CE6B34169D08445CA2A755591705B86FAD56E544425A439E5A1200FA860F72B58819476DE5B7A125"
[HKCU\Software\Aas]
"a2_8" = "57344943"
"a1_28" = "3898948552"
"a1_12" = "825922261"
"a1_13" = "403945378"
"a1_10" = "2987639780"
"a1_11" = "58791782"
"a1_16" = "760911315"
"a1_17" = "302660683"
"a1_14" = "1113460503"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_18" = "3371584000"
"a1_19" = "3976137839"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKCU\Software\Aas]
"a3_36" = "241268621"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 AC 14 AB 2E 6A 4F 3D 5C 59 D7 57 B8 29 76 70"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
"CheckedValue" = "1"
[HKCU\Software\Aas]
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a1_0" = "1211228002"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Aas]
"a3_33" = "253401768"
"a4_13" = "93198573"
"a4_38" = "272426598"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Aas]
"a4_12" = "86029452"
"a4_15" = "107536815"
[HKCU\Software\Aas]
"a4_14" = "100367694"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.114116.info"
[HKCU\Software\Aas]
"a4_17" = "121875057"
"a3_28" = "183865525"
"a4_16" = "114705936"
"a3_29" = "224867540"
"a4_19" = "136213299"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas]
"a4_18" = "129044178"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
[HKCU\Software\Aas\695404737]
"28676484" = "35"
[HKCU\Software\Aas]
"a4_24" = "172058904"
"a4_25" = "179228025"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a2_29" = "207897060"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a3_38" = "289377359"
"a1_22" = "3043988746"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden]
"CheckedValue" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"blank" = "http://www.114116.info"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.114116.info"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"HideFileExt" = "1"
[HKCU\Software\Aas]
"a2_24" = "172051666"
"a3_37" = "248309804"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Aas]
"a1_21" = "1788482465"
"a2_17" = "121878419"
"a2_16" = "114714455"
"a2_15" = "107543947"
"a2_14" = "100359779"
"a2_13" = "93193310"
"a2_12" = "86026708"
"a2_11" = "78859620"
"a2_10" = "71693911"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Aas]
"a3_26" = "169827315"
"a3_34" = "260325067"
"a2_19" = "136208824"
"a2_18" = "129046021"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_1" = "1248646716"
"a1_2" = "2929703579"
"a1_3" = "656244854"
"a1_4" = "1116828728"
"a1_5" = "3210431419"
"a1_6" = "1065974032"
"a1_7" = "112904693"
"a1_8" = "3024539217"
"a1_9" = "3243063350"
"a4_26" = "186397146"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.114116.info"
[HKCU\Software\Aas]
"a1_23" = "612572393"
"a1_29" = "259411080"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Aas]
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Aas]
"a1_20" = "3426680025"
"a3_30" = "231909751"
"a1_27" = "1288904525"
"a3_31" = "205278614"
"a1_26" = "607000963"
"a1_25" = "1809907629"
"a3_32" = "212854281"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"CheckedValue" = "1"
[HKCU\Software\Aas]
"a1_24" = "1084996545"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas]
"a1_38" = "3510404379"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_30" = "2222232883"
"a1_31" = "3472283004"
"a1_32" = "747699833"
"a1_33" = "3998843608"
"a1_34" = "960655144"
"a1_35" = "921507071"
"a1_36" = "1181138427"
"a1_37" = "2430505052"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs" = "http://www.114116.info"
[HKCU\Software\Aas]
"a1_15" = "77382673"
"a2_31" = "222247643"
"a2_30" = "215078389"
"a2_33" = "236574186"
"a2_32" = "229416455"
"a2_35" = "250916704"
"a2_34" = "243747299"
"a2_37" = "265263322"
"a2_36" = "258082440"
"a2_38" = "272417873"
[HKCU\Software\Microsoft\Internet Explorer\AboutURLs]
"blank" = "http://www.114116.info"
The Windows Firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
To run itself automatically each time Windows boots, the Virus adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TINTIMG" = "%Documents and Settings%\%current user%\Application Data\cssrs.exe"
Adds a Windows Firewall rule that allows the file any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00072846_Rar\%original file name%.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winpqtvh.exe (741 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000727E8_Rar\%original file name%.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\cssrs.exe (1281 bytes)
C:\autorun.inf (463 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
C:\qwqvj.exe (103 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\cssrs.exe (2562 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TINTIMG" = "%Documents and Settings%\%current user%\Application Data\cssrs.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.