Trojan.Win32.Agent.hwms (Kaspersky), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e4206a39ac291abff0450c7d3a196d47
SHA1: b51c74e60ed1c87138c4069c168b1282a842c854
SHA256: cc1cc16159dc57a2b58edd68849639fa015d7c098e2e9095af576f658410ac48
SSDeep: 3072:kS8YCfoDaXJUQyKnblrzdMUoX5CLUNwsR6fjqIKyJ66N4oTytmVbk:kPY6dFMsLud0/9A6N4LtmC
Size: 137954 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:58
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
nvupd32.exe:1996
%original file name%.exe:1780
The Virus injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:1780 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\0008BD8C_rar\%original file name%.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winjuhs.exe (849 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TerminateAndDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fkgbh.exe (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\NVIDIA Corporation\Update\nvupd32.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (11 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winjuhs.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw1.tmp (0 bytes)
%WinDir%\8bbb7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TerminateAndDelete.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fkgbh.exe (0 bytes)
C:\%original file name%.exe (0 bytes)
Registry activity
The process nvupd32.exe:1996 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 34 68 F0 E8 CF 93 96 98 CA 55 56 57 30 57 3E"
[HKLM\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv]
"value" = "20121218"
"GUID" = "fb1e6bc2-6b4b-4b3d-8e60-8d73ff4a060a"
The process %original file name%.exe:1780 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Stvncyfrlda]
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 55 66 45 62 62 E9 C3 4F 4F 7C EB B3 02 E6 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "87"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"
[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe,"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2E64732F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "73"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The Virus deletes the following value(s) in system registry:
The Virus disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleUpdateBeta"
"NvUpdSrv"
"GoogleUpdate"
"nvUpdService"
"Google Update"
Network activity (URLs)
URL | IP |
---|---|
kafeshka.org | 178.79.190.156 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nvupd32.exe:1996
%original file name%.exe:1780
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Local Settings\Temp\0008BD8C_rar\%original file name%.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winjuhs.exe (849 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TerminateAndDelete.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fkgbh.exe (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\NVIDIA Corporation\Update\nvupd32.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (11 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.