Detection names: Gen:Variant.Hiloti.12 (BitDefender), Worm:Win32/Autorun.ADC (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Win32.HLLW.Autoruner.58732 (DrWeb), Gen:Variant.Hiloti.12 (B) (Emsisoft), Generic Dropper.yx (McAfee), WS.Reputation.1 (Symantec), Trojan.Win32.Alureon (Ikarus), Gen:Variant.Hiloti.12 (FSecure), SHeur3.COWS (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R08NC0DLS13 (TrendMicro), Backdoor.Win32.PcClient.FD, Worm.Win32.Vobfus.11.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f4268fde1d83c4bdc741bf82510db2e4
SHA1: 716907fcd8fd11fc3f8642773d81161ecc3dadac
SHA256: 9f68b6717e7277d92532e007a1a7269f7b677bf19540f0f31a476b9d2100f8d4
SSDeep: 12288:joA/ocRgN60h/yLy3MP9cPklXk5k7g/Ha/Gcd7:PAcRgI0lyLmm05k7go/7
Size: 644654 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-08-18 17:36:06
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
%original file name%.exe:1980
seal.exe:796
qqo9L6YpB3.exe:896
dwwin.exe:236
tasklist.exe:1620
rundll32.exe:1612
real.exe:572
The Worm injects its code into the following process(es):
spoolsv.exe:1444
rundll32.exe:1344
rioup.exe:864
ctfmon.exe:536
File activity
The process %original file name%.exe:1980 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\real.exe (239624 bytes)
%Documents and Settings%\%current user%\seal.exe (143368 bytes)
%Documents and Settings%\%current user%\qqo9L6YpB3.exe (172036 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b023_appcompat.txt (21034 bytes)
The process seal.exe:796 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\ms42xog.dll (104960 bytes)
The process qqo9L6YpB3.exe:896 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\rioup.exe (155608 bytes)
The process dwwin.exe:236 (Dr. Watson, the Windows XP error reporter, started after a crash; the appcompat.txt and .dmp files below are its own output) makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6BCCCD.dmp (55027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process spoolsv.exe:1444 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\Temp\4.tmp (37376 bytes)
The Worm deletes the following file(s):
%WinDir%\Temp\4.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
The process real.exe:572 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user% (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (175104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (16384 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1980 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 18 23 AE 5E 5B 1E 8A 00 D8 5D F2 87 67 93 18"
(The RNG Seed value is rewritten by any process that uses CryptoAPI, so the Seed changes recorded for each process in this section are side effects rather than indicators.)
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process seal.exe:796 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 6F 9C B3 8F 20 69 5B E0 15 F1 5D FC 1F 59 C9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Jlojohapuveb]
"Bxabagimogoy" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Xramibewavatebi" = "38 01 46 03 3C 05 42 07 39 09 4F 0B 39 0D 3F 0F"
The process qqo9L6YpB3.exe:896 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 26 F1 01 84 51 FE 30 84 3B 85 99 45 EB 33 7C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"rioup.exe" = "rioup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
The Worm changes IE security-zone mapping so that all local (intranet) sites not listed in other zones are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself each time Windows boots, the Worm adds the following value, pointing to its file, to the autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rioup" = "%Documents and Settings%\%current user%\rioup.exe /j"
The Worm changes IE security-zone mapping so that all network (UNC) paths are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm changes IE security-zone mapping so that all sites that bypass the proxy server are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
These three values correspond to the three check boxes in IE's "Local intranet" dialog and are also what IE writes on first use, so on their own they are weak indicators; the Run value above is the meaningful artifact.
The process dwwin.exe:236 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 64 B9 36 7E 34 1F F2 35 84 8A A0 6A 62 32 75"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tasklist.exe:1620 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 AB 2F 7D A8 7C A2 0A 7D 99 24 D9 74 43 84 B3"
The process spoolsv.exe:1444 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Print\Providers\2011527104]
"Name" = "C:\DOCUME~1\test\LOCALS~1\Temp\3.tmp"
[HKLM\System\CurrentControlSet\Services\68ff0190]
"ImagePath" = "\??\%WinDir%\TEMP\4.tmp"
[HKLM\System\CurrentControlSet\Control\Print\Providers]
"Order" = "LanMan Print Services, Internet Print Provider, 2011527104"
[HKLM\System\CurrentControlSet\Services\68ff0190]
"Type" = "1"
The Worm deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\Print\Providers\2011527104]
[HKLM\System\CurrentControlSet\Services\68ff0190]
[HKLM\System\CurrentControlSet\Services\68ff0190\Enum]
Read together, these entries show a two-stage load: the print-provider "Name" value makes the print spooler load Temp\3.tmp into spoolsv.exe (consistent with the code injection into spoolsv.exe:1444 listed above), and the short-lived service 68ff0190 registers %WinDir%\TEMP\4.tmp as a kernel-mode driver (Type = 1, SERVICE_KERNEL_DRIVER). Both keys are removed afterwards, so a later registry inspection will not find them.
The process rundll32.exe:1612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 27 33 A3 53 FC 77 4B E2 A1 03 A7 E7 0F 94 6B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Jlojohapuveb]
"Bxabagimogoy" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process rundll32.exe:1344 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 AD E7 85 91 80 DA AC C7 2E E5 ED 34 AC 37 AD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Jlojohapuveb]
"Ybodajakucuraq" = "196"
To run itself each time Windows boots, the Worm adds the following value, pointing to its file, to the autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Vvozuwupomu" = "rundll32.exe %WinDir%\ms42xog.dll,Startup"
The process rioup.exe:864 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 C3 35 CC 17 93 BE DA AC 96 CD 4F 3A D7 44 91"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
To run itself each time Windows boots, the Worm adds the following value, pointing to its file, to the autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rioup" = "%Documents and Settings%\%current user%\rioup.exe /k"
The process real.exe:572 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E B7 3C FA E5 B1 1B 57 58 8A 75 86 B8 6C B4 84"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\test\LOCALS~1\Temp\5.tmp,"
The empty target after the trailing comma tells the Session Manager to delete Temp\5.tmp at the next boot.
The process ctfmon.exe:536 makes changes in the system registry.
The Worm deletes the following value from the autorun key, which disables automatic startup of internat.exe (the Windows XP keyboard-language indicator):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
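The indicators above (the hashes and size in the Summary, and the Run values, ZoneMap settings, service and print-provider entries in this Registry activity section) can be checked against a registry export with the script below. It is an added example in Python, not code from Lavasoft or from the report generator; the .reg text it scans and the bytes it hashes are constructed for the demo, the indicator values are copied from this report, and ImagePath is written as a plain string (a real export stores it as hex(2), REG_EXPAND_SZ, which the small parser does not decode).

```python
"""IOC triage for the artifacts in this report (added example, not Lavasoft code).
Indicators are copied from the report; SAMPLE_REG and the hashed bytes are
constructed.  REG_EXPAND_SZ (hex(2)) values are not decoded by this parser."""
import hashlib
import re

SAMPLE_HASHES = {
    "md5": "f4268fde1d83c4bdc741bf82510db2e4",
    "sha1": "716907fcd8fd11fc3f8642773d81161ecc3dadac",
    "sha256": "9f68b6717e7277d92532e007a1a7269f7b677bf19540f0f31a476b9d2100f8d4",
}
SAMPLE_SIZE = 644654
DROPPED_NAMES = {"real.exe", "seal.exe", "qqo9l6ypb3.exe", "rioup.exe", "ms42xog.dll"}
ZONEMAP_WEAK = {"intranetname", "uncasintranet", "proxybypass"}
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{1,8})|"(.*)")$')

# Constructed .reg export: the report's entries plus one benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"rioup"="C:\\Documents and Settings\\test\\rioup.exe /k"
"Vvozuwupomu"="rundll32.exe C:\\WINDOWS\\ms42xog.dll,Startup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\68ff0190]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\TEMP\\4.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\2011527104]
"Name"="C:\\DOCUME~1\\test\\LOCALS~1\\Temp\\3.tmp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
'''


def hash_matches(data: bytes) -> dict:
    """Compare a candidate file's digests and size with the report's values."""
    result = {alg: hashlib.new(alg, data).hexdigest() == h for alg, h in SAMPLE_HASHES.items()}
    result["size"] = len(data) == SAMPLE_SIZE
    return result


def _parse_reg(reg_text):
    """Yield (key, value name, value) from .reg text; REG_SZ and REG_DWORD only."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name, dword, text = m.groups()
        if dword is not None:
            yield key, name, int(dword, 16)
        else:
            yield key, name, text.replace("\\\\", "\\")  # .reg doubles backslashes


def scan_registry_export(reg_text: str) -> list:
    """One finding per persistence or tamper pattern documented in this report."""
    findings = []
    for key, name, value in _parse_reg(reg_text):
        k, n = key.lower(), name.lower()
        sval = value.lower() if isinstance(value, str) else ""
        leaf = key.rsplit("\\", 1)[-1]  # service or print-provider name
        if k.endswith("\\currentversion\\run"):
            if "rundll32" in sval and ",startup" in sval:
                findings.append(f"Run value '{name}' loads a DLL via rundll32 export Startup: {value}")
            elif any(d in sval for d in DROPPED_NAMES):
                findings.append(f"Run value '{name}' points at a file dropped by this sample: {value}")
        elif "\\services\\" in k and n == "imagepath" and "\\temp\\" in sval:
            findings.append(f"Service '{leaf}' ImagePath is under a Temp directory: {value}")
        elif "\\services\\" in k and n == "type" and value == 1:
            findings.append(f"Service '{leaf}' has Type=1 (SERVICE_KERNEL_DRIVER)")
        elif "\\control\\print\\providers\\" in k and n == "name" and "\\system32\\" not in sval:
            findings.append(f"Print provider '{leaf}' loads {value} into spoolsv.exe from outside System32")
        elif k.endswith("\\internet settings\\zonemap") and n in ZONEMAP_WEAK and value == 1:
            findings.append(f"ZoneMap {name}=1 widens the IE Intranet zone")
        elif k.endswith("\\explorer\\advanced") and n == "showsuperhidden" and value == 0:
            findings.append("ShowSuperHidden=0 hides protected operating system files in Explorer")
    return findings


if __name__ == "__main__":
    for finding in scan_registry_export(SAMPLE_REG):
        print(finding)
    print(hash_matches(b"constructed bytes, not the sample"))
```

On a suspect host, export the hives of interest with `reg export` (for example `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`) and read the file with `encoding="utf-16"` before passing it to `scan_registry_export`, since version 5.00 exports are Unicode. The Temp-path and print-provider checks are deliberately generic, so they will also catch the same loader pattern with different random names; the ZoneMap findings are low-confidence on their own, as noted above.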
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No content changes have been detected, although spoolsv.exe:1444 is listed above as deleting %System%\drivers\etc\hosts; check that the file is still present.
Rootkit activity
Using a driver the analysis could not identify ("UNKNOWN"), the Worm registers a load-image notify routine, so it is called whenever an executable image is mapped into memory and can act on the load.
The Worm hooks DriverStartIo in the ATAPI hard-disk miniport driver so that disk requests reaching its own files can be intercepted:
StartIo
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1980
seal.exe:796
qqo9L6YpB3.exe:896
dwwin.exe:236
tasklist.exe:1620
rundll32.exe:1612
real.exe:572
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\real.exe (239624 bytes)
%Documents and Settings%\%current user%\seal.exe (143368 bytes)
%Documents and Settings%\%current user%\qqo9L6YpB3.exe (172036 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b023_appcompat.txt (21034 bytes)
%WinDir%\ms42xog.dll (104960 bytes)
%Documents and Settings%\%current user%\rioup.exe (155608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6BCCCD.dmp (55027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\Temp\4.tmp (37376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (175104 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rioup" = "%Documents and Settings%\%current user%\rioup.exe /j"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Vvozuwupomu" = "rundll32.exe %WinDir%\ms42xog.dll,Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rioup" = "%Documents and Settings%\%current user%\rioup.exe /k"
- Reboot the computer.