Skip to main content

Virus.Win32.Sality_096d666de7


Trojan.Win32.Inject.dvlq (Kaspersky), Virus.Win32.VBInject!IK (Emsisoft), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR (Lavasoft MAS)Behaviour: Trojan, Worm, Virus, WormAutorun, IRCBot

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 096d666de7694ab9cfc1e5c44dca0df0

SHA1: ee8ee95da0436af56d171c48ae1bff53d0eec80c

SHA256: 251f7b57cee6a5d84e944bf9f19a65d223d958fbaaf6c94e82d56ffc0f6145b2

SSDeep: 12288:oa/njQgocGnWpWO2Ok8bTd40U9RxgP8smH8zUNONBnkQBVw:oSnsnnWpWO2ODTiRxgPdm3NIw

Size: 748032 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PECompactV2X, PECompactv25Retail, PECompactv20, UPolyXv05_v6

Company: no certificate found

Created at: 2012-03-28 11:21:44

Analyzed on: WindowsXP SP3 32-bit

Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
IRCBotA bot can communicate with command and control servers via IRC channel.


Process activity

The Virus creates the following process(es):

TELNET.EXE:3592
TELNET.EXE:1236
TELNET.EXE:3776
TELNET.EXE:2720
TELNET.EXE:2580
TELNET.EXE:2552
TELNET.EXE:2832
TELNET.EXE:3084
TELNET.EXE:2256
TELNET.EXE:2112
TELNET.EXE:1740
TELNET.EXE:3304
NOTEPAD.EXE:3420
NOTEPAD.EXE:2864
NOTEPAD.EXE:2960
NOTEPAD.EXE:3036
NOTEPAD.EXE:2656
NOTEPAD.EXE:3276
NOTEPAD.EXE:3048
NOTEPAD.EXE:2192
NOTEPAD.EXE:2480
NOTEPAD.EXE:496
NOTEPAD.EXE:3244
NOTEPAD.EXE:472
NOTEPAD.EXE:1632
NOTEPAD.EXE:2780
NOTEPAD.EXE:2888
NOTEPAD.EXE:2220
NOTEPAD.EXE:3020
NOTEPAD.EXE:2144
NOTEPAD.EXE:2688
NOTEPAD.EXE:1116
NOTEPAD.EXE:2748
NOTEPAD.EXE:1676
NOTEPAD.EXE:3188
NOTEPAD.EXE:2288
NOTEPAD.EXE:2708
NOTEPAD.EXE:2444
NOTEPAD.EXE:2936
NOTEPAD.EXE:3216
NOTEPAD.EXE:2492
NOTEPAD.EXE:3388
NOTEPAD.EXE:2680
NOTEPAD.EXE:2080
NOTEPAD.EXE:2896
NOTEPAD.EXE:2160
NOTEPAD.EXE:2396
NOTEPAD.EXE:2412
NOTEPAD.EXE:2992
%original file name%.exe:1828

The Virus injects its code into the following process(es):

msconfig.exe:388
msconfig.exe:1168
%original file name%.exe:956

File activity

The process msconfig.exe:1168 makes changes in the file system.


The Virus creates and/or writes to the following file(s):

%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (0 bytes)
D:\disablejavawarnsec.exe (984 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (648 bytes)
%System%\drivers\mpguk.sys (5 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)

The Virus deletes the following file(s):

D:\715a8 (0 bytes)
%System%\drivers\mpguk.sys (0 bytes)
C:\711a1 (0 bytes)

The process %original file name%.exe:1828 makes changes in the file system.


The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Application Data\msconfig.exe (5441 bytes)

The process %original file name%.exe:956 makes changes in the file system.


The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\88603cb2913a7df3fbd16b5f958e6447_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (51 bytes)

Registry activity

The process msconfig.exe:388 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 2D 87 A9 56 CA 92 40 3A 26 5C D7 0F EC AC D6"

The process msconfig.exe:1168 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 A0 90 67 E6 99 9D 91 42 8C E4 C8 07 B9 F9 21"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"msconfig.exe" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe:*:Enabled:ipsec"

The Virus deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]

The Virus deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
"(Default)"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
"(Default)"

The process TELNET.EXE:3592 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 83 B8 3C 88 5E 9A 0D 3E 14 5D 96 E6 91 4C FF"

The process TELNET.EXE:1236 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 2A E8 6F BD 2E 65 57 13 E8 8F DB E3 D1 80 FB"

The process TELNET.EXE:3776 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB E4 6C 8A D8 B7 46 A8 6A 33 5A FD 4A AD F0 F7"

The process TELNET.EXE:2720 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 59 82 11 61 34 87 52 76 25 C6 B1 27 AA 38 79"

The process TELNET.EXE:2580 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 8E 3D E0 6C 40 EE AE 14 DE 0C 74 A7 F5 87 6C"

The process TELNET.EXE:2552 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 02 0F 0B 58 2A D8 04 05 51 5A 2F 52 12 70 7A"

The process TELNET.EXE:2832 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 43 8B 80 48 11 63 B4 3D 6B 90 D9 05 CB 7B C0"

The process TELNET.EXE:3084 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 42 AA F0 4C 0F E1 E2 27 0C 86 CF E7 C2 D8 65"

The process TELNET.EXE:2256 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 CD 7D B6 A7 4F 0B F2 DD 1F 3F D9 1E 99 B7 AF"

The process TELNET.EXE:2112 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 0B D3 17 E7 52 1E AE BA B1 28 83 C9 25 59 F8"

The process TELNET.EXE:1740 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 7D 30 4F FB D4 BB FD 87 46 F0 A4 39 F7 A0 CF"

The process TELNET.EXE:3304 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 4B 69 BF 02 1E 42 BC F9 A6 F0 6E 63 9B 40 E8"

The process NOTEPAD.EXE:3420 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 84 4B 71 DC 95 5D 66 40 54 0B 36 CC 39 34 70"

The process NOTEPAD.EXE:2864 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 A8 C7 C3 7A 3E 61 1B 0F D7 90 E6 68 2E 48 C4"

The process NOTEPAD.EXE:2960 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 DA C0 38 80 56 1E F5 8E 83 84 74 8F 9C CE CE"

The process NOTEPAD.EXE:3036 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 F2 88 43 62 A2 AE 36 CF 9C 78 79 87 F6 D8 65"

The process NOTEPAD.EXE:2656 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 6A A9 62 9C 12 C0 55 BB 06 DC E3 9E D8 61 B6"

The process NOTEPAD.EXE:3276 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 DF FD ED E0 94 C4 1F 3C 93 9A 2D 2E FA CB ED"

The process NOTEPAD.EXE:3048 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 92 7E 93 3E 5B E3 F5 C4 B4 5B 59 EF FD 0B 54"

The process NOTEPAD.EXE:2192 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 38 E3 16 3D E0 B6 1A B7 B7 15 7B 0A A3 C2 D4"

The process NOTEPAD.EXE:2480 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 B9 19 F0 86 80 FD 37 CD AC A1 00 11 A2 87 2E"

The process NOTEPAD.EXE:496 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 D1 BA 45 A4 D4 9C C7 28 6E 42 F3 09 80 DF 8C"

The process NOTEPAD.EXE:3244 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 0B F3 F1 E8 83 54 33 04 5A D7 13 89 A9 D2 26"

The process NOTEPAD.EXE:472 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 F9 52 52 D6 65 C7 F4 63 AE 3E 60 55 F1 3E E4"

The process NOTEPAD.EXE:1632 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 84 4A 1E 3E 37 F3 ED D4 32 F0 B5 33 DE 41 5E"

The process NOTEPAD.EXE:2780 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 4F 7D 7B 80 3B 47 94 5B D0 95 FA 29 9F F4 C4"

The process NOTEPAD.EXE:2888 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 2E 9F 02 A0 27 1E 64 B7 F8 DA 9F 0E F4 81 B6"

The process NOTEPAD.EXE:2220 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 53 2F C1 E1 D2 1A 84 0B DD 8A B7 A0 03 0D C7"

The process NOTEPAD.EXE:3020 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 27 3B 49 A2 24 41 1D 77 C9 B1 D7 88 25 70 AA"

The process NOTEPAD.EXE:2144 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 CC 6E C5 A9 07 82 64 57 F3 B1 EC 34 89 64 9A"

The process NOTEPAD.EXE:2688 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 E6 DF 1C F6 DE BA BD E9 A4 F9 D2 54 8D F7 FE"

The process NOTEPAD.EXE:1116 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E BA D9 7C 00 17 78 AC A2 2A 9E 85 22 A5 4A E9"

The process NOTEPAD.EXE:2748 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 0B 7E D3 6E F6 71 1A FD CE 83 40 73 CD 62 BD"

The process NOTEPAD.EXE:1676 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 CB BA 5C AC 18 44 FC 96 98 4B 56 A2 53 A1 89"

The process NOTEPAD.EXE:3188 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 4A 20 7C DA B4 CF 43 85 FD EC 07 E2 17 11 90"

The process NOTEPAD.EXE:2288 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 27 DA FF 9D 5A 07 84 39 6D 7B C7 0F E8 F3 5D"

The process NOTEPAD.EXE:2708 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 68 4E 92 92 59 9C 95 AE 4A 2D C2 E1 32 EC 1F"

The process NOTEPAD.EXE:2444 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 27 F7 1D 37 8F 36 45 0F AF 79 CD D9 FD EE 41"

The process NOTEPAD.EXE:2936 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD B4 66 E9 DF 50 4F ED 90 D8 BC AA 5A 19 55 77"

The process NOTEPAD.EXE:3216 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 55 02 4A 69 D6 B6 9A B4 73 33 B8 81 A8 50 DD"

The process NOTEPAD.EXE:2492 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 BE AC EC FD 57 A6 F9 50 FA 2C 14 2E 93 62 26"

The process NOTEPAD.EXE:3388 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 72 61 5A 80 84 5B 61 3A FC 76 1B 41 8D 58 EB"

The process NOTEPAD.EXE:2680 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 A1 09 6A B0 A9 7C FA 25 EF AD 63 10 B6 FF 3E"

The process NOTEPAD.EXE:2080 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 51 CB 38 F5 2E CC FF 28 F9 BB 27 C1 AB 0F 4E"

The process NOTEPAD.EXE:2896 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 93 C0 57 2C A9 D0 9F B2 78 41 EA 5C 95 1A 3D"

The process NOTEPAD.EXE:2160 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 80 0A 57 2D 7D 00 85 42 A5 2F 8A 9E D7 A4 A6"

The process NOTEPAD.EXE:2396 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 EC A1 57 05 12 50 1C 08 5B 90 06 C1 55 FE B4"

The process NOTEPAD.EXE:2412 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 02 74 13 5F 81 E0 80 E5 B8 8B 88 27 5E F8 D6"

The process NOTEPAD.EXE:2992 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 83 38 D1 34 D1 48 65 F9 40 53 05 DC 4D 8F 70"

The process %original file name%.exe:1828 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKCU\Software\adm914]
"a2_267" = "1914153731"
"a2_266" = "1906988372"
"a2_265" = "1899822743"
"a2_264" = "1892651736"
"a2_263" = "1885473653"
"a1_241" = "1479289362"
"a2_261" = "1871136002"
"a2_260" = "1863969024"
"a2_269" = "1928492997"
"a2_268" = "1921321144"
"a3_158" = "1115723167"
"a3_159" = "1123171966"
"a2_226" = "1620214662"
"a3_150" = "1092335255"
"a3_151" = "1099256694"
"a3_152" = "1106313177"
"a3_153" = "1080269752"
"a3_154" = "1087177755"
"a3_155" = "1127784698"
"a3_156" = "1135234397"
"a3_157" = "1108732220"
"a2_15" = "107528839"
"a2_14" = "100361347"
"a2_17" = "121880394"
"a2_16" = "114711086"
"a2_11" = "78857808"
"a2_10" = "71692484"
"a2_13" = "93195329"
"a2_12" = "86027719"
"a2_292" = "2093374318"
"a3_288" = "2048101217"
"a2_290" = "2079041741"
"a3_203" = "1472069290"
"a2_19" = "136210971"
"a2_18" = "129046322"
"a3_289" = "2055026624"
"a2_28" = "200729512"
"a2_251" = "1799450747"
"a1_219" = "2396592828"
"a3_92" = "643003549"
"a4_237" = "1699081677"
"a3_93" = "649990524"
"a2_111" = "795778425"
"a3_129" = "907866784"
"a2_110" = "788608149"
"a2_113" = "810112240"

"a4_70" = "501838470"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a2_114" = "817275589"
"a2_230" = "1648900673"
"a3_128" = "934368961"
"a2_117" = "838792213"
"a2_116" = "831613110"
"a4_184" = "1319118264"
"a4_185" = "1326287385"
"a4_186" = "1333456506"
"a4_187" = "1340625627"
"a4_180" = "1290441780"
"a3_98" = "685968227"
"a1_129" = "2785556380"
"a2_118" = "845963086"
"a1_127" = "4287558985"
"a1_126" = "205693925"
"a1_125" = "735640330"
"a3_99" = "726579138"
"a1_123" = "3652803797"
"a1_122" = "3445013358"
"a1_121" = "772893835"
"a1_120" = "1323338669"
"a1_291" = "3528945685"
"a2_225" = "1613047487"
"a1_262" = "2678150717"
"a4_119" = "853125399"
"a4_118" = "845956278"
"a4_117" = "838787157"
"a4_116" = "831618036"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a2_160" = "1147056098"
"a2_161" = "1154234367"
"a2_162" = "1161404584"
"a2_163" = "1168571844"
"a2_164" = "1175732400"
"a2_165" = "1182897999"
"a2_166" = "1190074830"
"a2_167" = "1197238191"
"a2_168" = "1204407122"
"a2_169" = "1211588007"
"a1_216" = "491568011"
"a1_238" = "2748286028"
"a1_98" = "1888415864"
"a1_99" = "1378215511"
"a1_94" = "4126652367"
"a1_95" = "3637800610"
"a1_96" = "2539940914"
"a1_97" = "3263515906"
"a1_90" = "3181761814"
"a1_91" = "2727026245"
"a1_92" = "1775533990"
"a1_93" = "2468268646"
"a1_21" = "38241967"
"a1_20" = "1298703816"
"a1_23" = "1175878880"
"a1_22" = "4049762536"
"a1_25" = "704362530"
"a1_24" = "2991665494"
"a1_27" = "1635171834"
"a1_26" = "3703259285"
"a1_29" = "149387940"
"a1_28" = "4093186248"
"a3_279" = "1983579126"
"a3_278" = "2009622295"
"a1_252" = "1232666667"
"a4_196" = "1405147716"
"a2_293" = "2100557756"
"a2_234" = "1677580622"
"a1_138" = "3642256389"
"a1_265" = "2011691633"
"a1_139" = "1754276466"
"a3_69" = "478111844"
"a3_68" = "470667141"
"a2_258" = "1849637522"
"a3_63" = "468243870"
"a3_62" = "461187391"
"a3_61" = "454266204"
"a3_60" = "413196541"
"a3_67" = "497165090"
"a3_66" = "489719619"
"a3_65" = "449125088"
"a3_64" = "442138113"
"a3_114" = "834000243"
"a3_115" = "807891410"
"a3_116" = "814882229"
"a3_117" = "821921300"
"a3_110" = "771901423"
"a3_111" = "778952782"
"a3_112" = "785943601"
"a3_113" = "826943632"
"a4_243" = "1742096403"
"a4_242" = "1734927282"
"a4_241" = "1727758161"
"a4_240" = "1720589040"
"a3_118" = "862921463"
"a3_119" = "869977942"
"a4_245" = "1756434645"
"a4_244" = "1749265524"
"a3_226" = "1636957155"
"a1_213" = "2589765612"
"a4_238" = "1706250798"
"a3_227" = "1610835010"
"a4_236" = "1691912556"
"a1_130" = "194177046"
"a4_234" = "1677574314"
"a2_190" = "1362126416"
"a4_232" = "1663236072"
"a3_224" = "1588900513"
"a4_230" = "1648897830"
"a1_131" = "1781511287"
"a1_248" = "3117305252"
"a4_194" = "1390809474"
"a3_225" = "1629904640"
"a2_250" = "1792284818"
"a3_189" = "1371569628"
"a3_188" = "1364644221"
"a3_187" = "1324037274"
"a3_186" = "1316587579"
"a3_185" = "1309600856"
"a3_184" = "1336099833"
"a3_183" = "1328654102"
"a3_182" = "1288059575"
"a3_181" = "1280614100"
"a3_180" = "1307177589"

[HKCU\Software\adm914\695404737]
"35845605" = "315"

[HKCU\Software\adm914]
"a4_229" = "1641728709"
"a1_212" = "3857117565"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a4_33" = "236580993"
"a4_32" = "229411872"

[HKCU\Software\adm914\695404737]
"28676484" = "35"

[HKCU\Software\adm914]
"a1_251" = "4088174771"
"a1_158" = "3007434640"
"a3_96" = "671531553"
"a3_97" = "678456960"
"a3_94" = "690601439"
"a3_95" = "698046910"
"a2_68" = "487504636"
"a2_69" = "494671970"
"a3_90" = "662056027"
"a3_91" = "669108282"
"a2_64" = "458819870"
"a2_65" = "465989170"
"a2_66" = "473167352"
"a2_67" = "480337527"
"a2_60" = "430150401"
"a2_61" = "437318245"
"a2_62" = "444487087"
"a2_63" = "451651743"
"a2_286" = "2050373272"
"a3_228" = "1617821733"
"a2_281" = "2014526033"
"a2_280" = "2007355502"
"a3_206" = "1493540943"
"a2_282" = "2021689898"
"a1_220" = "1711089944"
"a4_284" = "2036030364"
"a2_112" = "802944664"
"a2_88" = "630889543"
"a4_260" = "1863971460"
"a4_88" = "630882648"
"a4_89" = "638051769"
"a2_185" = "1326289683"
"a4_80" = "573529680"
"a4_81" = "580698801"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_86" = "616544406"
"a4_87" = "623713527"
"a1_170" = "3325419988"
"a1_171" = "1768015074"
"a1_172" = "3227423728"
"a1_173" = "1314981284"
"a1_174" = "3643706701"
"a1_175" = "1780724635"
"a1_176" = "3189822948"
"a1_177" = "4177620584"
"a1_178" = "1187239969"
"a1_179" = "131914222"
"a2_128" = "917646226"
"a2_129" = "924823851"
"a1_279" = "1579860578"
"a1_278" = "3098048769"
"a2_124" = "888967104"
"a2_125" = "896143653"
"a2_126" = "903311483"
"a2_127" = "910482243"
"a2_120" = "860298999"
"a2_121" = "867461966"
"a2_122" = "874627841"
"a2_123" = "881798364"
"a4_140" = "1003676940"
"a4_141" = "1010846061"
"a4_142" = "1018015182"
"a4_143" = "1025184303"
"a4_144" = "1032353424"
"a4_145" = "1039522545"
"a4_146" = "1046691666"
"a4_147" = "1053860787"
"a4_148" = "1061029908"
"a4_149" = "1068199029"
"a4_235" = "1684743435"
"a3_231" = "1672934854"
"a3_230" = "1665878375"
"a3_233" = "1653815816"
"a3_232" = "1646367145"
"a1_69" = "407065080"
"a1_68" = "3774631069"
"a1_218" = "3646186703"
"a3_236" = "1708912429"
"a1_65" = "1384121580"
"a1_64" = "1701852420"
"a1_67" = "1541563554"
"a1_66" = "1531007041"
"a1_61" = "741396036"
"a1_60" = "3411924977"
"a1_63" = "2303425165"
"a1_62" = "615221046"
"a3_27" = "176877690"
"a3_26" = "169826203"
"a3_25" = "195930936"
"a3_24" = "188878681"
"a3_23" = "148333302"
"a3_22" = "140887575"
"a3_21" = "167402932"
"a3_20" = "159953365"
"a2_95" = "681060025"
"a2_94" = "673892422"
"a2_97" = "695404378"
"a2_96" = "688238909"
"a2_91" = "652392973"
"a2_90" = "645226473"
"a3_29" = "224868540"
"a3_28" = "183868637"
"a4_207" = "1484008047"
"a4_206" = "1476838926"
"a4_205" = "1469669805"
"a4_204" = "1462500684"
"a4_203" = "1455331563"
"a4_202" = "1448162442"
"a4_201" = "1440993321"
"a4_200" = "1433824200"
"a1_224" = "2421529529"
"a1_240" = "2013584043"
"a1_194" = "390288828"
"a4_209" = "1498346289"
"a4_208" = "1491177168"
"a3_85" = "626078324"
"a1_226" = "3618367735"
"a4_218" = "1562868378"
"a1_227" = "1829220933"
"a2_98" = "702576268"
"a4_219" = "1570037499"
"a2_223" = "1598710460"
"a1_221" = "433795459"
"a2_222" = "1591548045"
"a2_221" = "1584380111"
"a1_287" = "397381108"
"a2_274" = "1964341244"
"a3_84" = "585599381"
"a1_269" = "3073854928"
"a2_220" = "1577212330"
"a2_270" = "1935656058"
"a2_271" = "1942838899"
"a2_272" = "1950005242"
"a2_273" = "1957171757"
"a1_185" = "672113472"
"a2_278" = "1993020358"
"a3_275" = "1954656882"
"a1_184" = "2332641003"
"a3_169" = "1228153416"
"a3_168" = "1187690985"
"a3_165" = "1199756484"
"a3_164" = "1192700005"
"a3_167" = "1180638470"
"a3_166" = "1206677671"
"a3_161" = "1171212096"
"a3_160" = "1163778785"
"a3_163" = "1151700866"
"a3_162" = "1144709923"
"a1_289" = "1869408462"

[HKCU\Software\adm914\695404737]
"21507363" = "0"

[HKCU\Software\adm914]
"a3_52" = "389744117"
"a2_29" = "207899143"
"a3_50" = "341769395"
"a3_51" = "348756242"
"a3_56" = "384734073"
"a3_57" = "425213912"
"a3_54" = "370166327"
"a3_55" = "377747094"
"a2_20" = "143377262"
"a2_21" = "150575885"
"a2_22" = "157725079"
"a2_23" = "164895179"
"a2_24" = "172064574"
"a2_25" = "179232481"
"a2_26" = "186395053"
"a2_27" = "193564006"
"a2_212" = "1519858024"
"a3_291" = "2103081986"
"a2_213" = "1527026353"
"a3_277" = "2002713268"
"a3_290" = "2062078883"
"a2_210" = "1505512364"
"a1_263" = "583977358"
"a2_211" = "1512676921"
"a2_216" = "1548527058"
"a4_198" = "1419485958"
"a2_217" = "1555697535"
"a4_71" = "509007591"
"a2_214" = "1534195300"
"a3_276" = "1962106581"
"a3_190" = "1345526207"
"a2_215" = "1541361731"
"a3_262" = "1861737735"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a3_220" = "1593910557"
"a4_48" = "344117808"
"a4_49" = "351286929"
"a1_2" = "1238029467"
"a1_3" = "2218235766"
"a1_0" = "316296286"
"a1_1" = "3634571327"
"a1_6" = "2110731024"
"a1_7" = "1596058878"
"a1_4" = "589896394"
"a1_5" = "1753689527"
"a1_222" = "929793351"
"a1_8" = "1810197841"
"a1_9" = "3280256295"
"a3_4" = "11990981"
"a3_5" = "52532132"
"a3_6" = "59980807"
"a3_7" = "67033318"
"a3_0" = "17000001"
"a3_1" = "23986720"
"a3_2" = "31043203"
"a3_3" = "4934498"
"a1_134" = "2675703699"
"a1_135" = "1684051562"
"a1_136" = "1326710493"
"a1_137" = "3806053286"
"a3_8" = "40387913"
"a3_9" = "47964456"
"a1_132" = "1940854871"
"a1_133" = "3582435675"
"a3_270" = "1918679055"
"a4_215" = "1541361015"
"a4_164" = "1175735844"
"a1_253" = "78284950"
"a3_260" = "1847235781"
"a3_148" = "1044213333"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a2_155" = "1111220063"
"a2_154" = "1104036674"
"a2_157" = "1125554608"
"a2_156" = "1118384740"
"a2_151" = "1082534901"
"a2_150" = "1075366318"
"a2_153" = "1096871857"
"a2_152" = "1089701808"
"a1_181" = "3160277440"
"a1_180" = "1275033320"
"a1_183" = "2959365134"
"a1_182" = "4260274743"
"a2_159" = "1139885031"
"a2_158" = "1132719676"
"a1_187" = "659038343"
"a1_186" = "1958804782"
"a1_83" = "3877415722"
"a1_82" = "890647883"
"a1_81" = "837203855"
"a1_80" = "3945776366"
"a1_87" = "1978386084"
"a1_86" = "3907369044"
"a1_85" = "2053682530"
"a1_84" = "224042376"
"a3_274" = "1947601299"
"a1_89" = "823824111"
"a1_88" = "1740757270"
"a1_275" = "363766396"
"a1_14" = "2417224468"
"a1_15" = "4241677803"
"a1_16" = "1904974035"
"a1_17" = "4217324072"
"a1_10" = "100830084"
"a1_11" = "1170462834"
"a1_12" = "323591381"
"a1_13" = "3235987131"
"a1_273" = "764436901"
"a1_18" = "1510188780"
"a1_19" = "2362776421"
"a1_272" = "1763154758"
"a3_268" = "1938191309"
"a3_269" = "1945182124"
"a1_271" = "2430438909"
"a1_223" = "2029913783"
"a3_263" = "1902213606"
"a2_93" = "666726006"
"a3_144" = "1015746769"
"a3_266" = "1890134667"
"a3_267" = "1930745706"
"a3_264" = "1909252681"
"a3_265" = "1883213352"
"a4_210" = "1505515410"
"a1_292" = "43472381"
"a3_18" = "112355475"
"a3_19" = "152900978"
"a3_16" = "131407953"
"a3_17" = "104909872"
"a3_14" = "83368719"
"a3_15" = "124487662"
"a3_12" = "69456589"
"a3_13" = "76381868"
"a3_10" = "88509835"
"a3_11" = "95434346"
"a4_258" = "1849633218"
"a4_259" = "1856802339"
"a2_232" = "1663230902"
"a1_242" = "4038390671"
"a2_92" = "659554308"
"a4_251" = "1799449371"
"a4_252" = "1806618492"
"a4_253" = "1813787613"
"a4_254" = "1820956734"
"a4_255" = "1828125855"
"a1_189" = "2814538187"
"a4_257" = "1842464097"
"a1_246" = "3236005491"
"a3_261" = "1854156964"
"a2_227" = "1627400137"
"a1_247" = "3327606222"
"a3_240" = "1737325745"
"a1_244" = "2942235173"
"a1_245" = "2989804416"
"a3_198" = "1436075335"
"a3_199" = "1409966374"
"a3_194" = "1407547331"
"a3_195" = "1380979618"
"a3_196" = "1388559365"
"a3_197" = "1429035236"
"a1_188" = "1681291240"
"a3_191" = "1352565278"
"a3_192" = "1393045121"
"a4_181" = "1297610901"
"a3_135" = "950831462"
"a2_209" = "1498341719"
"a4_182" = "1304780022"
"a2_205" = "1469674853"
"a2_204" = "1462494829"
"a2_207" = "1484009543"
"a1_128" = "560770626"
"a2_201" = "1440990633"
"a2_200" = "1433828978"
"a2_203" = "1455328041"
"a2_202" = "1448161182"
"a2_241" = "1727752003"
"a1_290" = "2847795417"
"a2_240" = "1720598330"
"a4_213" = "1527022773"
"a1_268" = "1127542235"
"a2_243" = "1742098727"
"a2_73" = "523338667"
"a2_72" = "516173809"
"a2_71" = "509004817"
"a2_70" = "501833822"
"a3_81" = "597665008"
"a3_80" = "590100497"
"a2_75" = "537688531"
"a2_74" = "530518416"
"a3_121" = "850859928"
"a3_120" = "843344697"
"a2_79" = "566356047"
"a2_78" = "559188422"
"a3_89" = "654607352"
"a3_88" = "614065945"
"a3_127" = "927443550"
"a3_126" = "886309375"
"a2_284" = "2036027104"
"a1_230" = "3099320546"
"a3_235" = "1701331786"
"a2_246" = "1763599251"
"a3_234" = "1660856043"
"a2_224" = "1605879393"
"a3_237" = "1682344844"
"a2_191" = "1369305503"
"a4_233" = "1670405193"
"a1_255" = "1905293258"
"a1_228" = "4106957991"
"a3_239" = "1730400462"
"a4_292" = "2093383332"
"a3_238" = "1689269359"
"a2_279" = "2000190489"
"a3_142" = "1034865551"
"a2_199" = "1426658632"
"a4_239" = "1713419919"
"a1_229" = "2784876816"
"a4_99" = "709742979"
"a4_98" = "702573858"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a1_145" = "3630045093"
"a1_144" = "2403467487"
"a1_147" = "2906048741"
"a1_146" = "2023062161"
"a1_141" = "3889503790"
"a1_140" = "2340905802"
"a1_143" = "1513541218"
"a1_142" = "3257331469"
"a1_149" = "852347211"
"a1_148" = "1270616666"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_1" = "7169121"
"a4_0" = "0"
"a2_119" = "853130454"
"a2_99" = "709738841"
"a1_266" = "208390277"
"a1_267" = "639193161"
"a1_260" = "846448477"
"a1_261" = "3017472944"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a4_175" = "1254596175"
"a4_174" = "1247427054"
"a4_177" = "1268934417"
"a4_176" = "1261765296"
"a4_171" = "1225919691"
"a4_170" = "1218750570"
"a4_173" = "1240257933"
"a4_172" = "1233088812"
"a4_179" = "1283272659"
"a4_178" = "1276103538"
"a1_50" = "3019146403"
"a1_51" = "3707117899"
"a1_52" = "921541091"
"a1_53" = "3144594761"
"a1_54" = "1169150758"
"a1_55" = "2358742158"
"a1_56" = "4085189483"
"a1_57" = "1803066818"
"a1_58" = "1758106787"
"a1_59" = "4053111060"
"a2_193" = "1383643038"
"a2_195" = "1397976697"
"a3_229" = "1624878212"
"a1_254" = "3919791219"
"a2_192" = "1376473788"
"a3_47" = "353766286"
"a2_188" = "1347790052"
"a2_189" = "1354960341"
"a2_186" = "1333460132"
"a2_187" = "1340621209"
"a2_184" = "1319123568"
"a3_46" = "313225007"
"a2_182" = "1304772902"
"a2_183" = "1311953471"
"a2_180" = "1290437300"
"a2_181" = "1297604845"
"a4_214" = "1534191894"
"a2_37" = "265263221"
"a4_216" = "1548530136"
"a4_217" = "1555699257"
"a2_9" = "64526669"
"a2_8" = "57358848"
"a4_212" = "1519853652"
"a3_48" = "360821873"
"a2_5" = "35842429"
"a2_4" = "28675706"
"a2_7" = "50176367"
"a2_6" = "43022940"
"a2_1" = "7168686"
"a2_0" = "1743"
"a2_3" = "21509864"
"a2_2" = "14342942"
"a3_253" = "1830770076"
"a3_252" = "1789765949"
"a3_251" = "1782713690"
"a3_250" = "1809277179"
"a3_257" = "1825743648"
"a3_256" = "1818691393"
"a3_255" = "1844812510"
"a3_254" = "1837825663"
"a3_259" = "1873799266"
"a3_258" = "1866223491"
"a4_289" = "2071875969"
"a4_288" = "2064706848"
"a4_287" = "2057537727"
"a4_286" = "2050368606"
"a2_197" = "1412311301"
"a2_198" = "1419492796"
"a4_283" = "2028861243"
"a4_282" = "2021692122"
"a4_281" = "2014523001"
"a4_280" = "2007353880"
"a1_233" = "2497868304"
"a1_232" = "4077559742"
"a1_225" = "3040918804"
"a1_231" = "187389413"
"a3_222" = "1608411743"
"a3_172" = "1216092013"
"a3_173" = "1223668684"
"a3_170" = "1235734059"
"a3_171" = "1209100938"
"a3_176" = "1245078769"
"a3_177" = "1252065616"
"a3_174" = "1264148399"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\adm914]
"a2_196" = "1405144580"
"a1_237" = "1762923801"
"a3_178" = "1292676403"
"a3_179" = "1300122002"
"a2_245" = "1756431821"
"a2_244" = "1749269292"
"a2_247" = "1770769375"
"a1_236" = "3745969463"
"a1_235" = "1146245214"
"a1_234" = "2677546466"
"a3_41" = "277247432"
"a3_40" = "269797737"
"a3_43" = "324844042"
"a3_42" = "284234155"
"a3_45" = "305775436"
"a3_44" = "332277485"
"a2_39" = "279600860"
"a2_38" = "272430858"
"a3_49" = "368267472"
"a2_36" = "258081858"
"a2_35" = "250915371"
"a2_34" = "243745867"
"a2_33" = "236578075"
"a2_32" = "229415808"
"a2_31" = "222244951"
"a2_30" = "215080554"
"a4_59" = "422978139"
"a4_58" = "415809018"
"a2_235" = "1684749849"
"a4_53" = "379963413"
"a4_52" = "372794292"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_55" = "394301655"
"a4_54" = "387132534"
"a2_89" = "638057086"
"a3_53" = "396799572"
"a3_241" = "1744312592"
"a3_271" = "1926112494"
"a2_48" = "344113216"
"a2_49" = "351284557"
"a2_42" = "301098188"
"a2_43" = "308266971"
"a2_40" = "286767057"
"a2_41" = "293929508"
"a2_46" = "329784405"
"a2_47" = "336951022"
"a2_44" = "315445318"
"a2_45" = "322613541"
"a2_115" = "824442884"
"a1_293" = "2954580316"
"a3_242" = "1718322675"
"a2_289" = "2071873477"
"a3_193" = "1400621920"
"a1_101" = "178144284"
"a1_100" = "2898805821"
"a1_103" = "1082331589"
"a1_102" = "250140671"
"a1_105" = "289579143"
"a1_104" = "1998974001"
"a1_107" = "1349789145"
"a1_106" = "916161842"
"a1_109" = "1637414787"
"a1_108" = "3173128633"
"a2_208" = "1491179972"
"a3_223" = "1581848126"
"a4_131" = "939154851"
"a4_130" = "931985730"
"a4_133" = "953493093"
"a4_132" = "946323972"
"a4_135" = "967831335"
"a4_134" = "960662214"
"a4_137" = "982169577"
"a4_136" = "975000456"
"a4_139" = "996507819"
"a4_138" = "989338698"
"a3_202" = "1465012939"
"a1_215" = "3990381614"
"a1_214" = "1180623823"
"a1_217" = "2002297969"
"a2_206" = "1476843978"
"a1_211" = "1563503009"
"a1_210" = "3326150367"
"a1_198" = "3229272400"
"a1_199" = "2820927294"
"a1_196" = "1354550550"
"a1_197" = "1058674428"
"a1_154" = "1267889639"
"a1_195" = "656514481"
"a1_192" = "2687142299"
"a1_193" = "1556685801"
"a1_190" = "2355009966"
"a1_191" = "1449585422"
"a3_284" = "2019048925"
"a3_285" = "2026625468"
"a2_148" = "1061032234"
"a2_149" = "1068189291"
"a3_280" = "1990634585"
"a3_281" = "2031110200"
"a3_282" = "2038690971"
"a3_283" = "2045677946"
"a2_142" = "1018019634"
"a2_143" = "1025214871"
"a2_140" = "1003680347"
"a2_141" = "1010851659"
"a2_146" = "1046687945"
"a2_147" = "1053867676"
"a2_144" = "1032348201"
"a2_145" = "1039516131"
"a3_273" = "1974168880"
"a2_231" = "1656064119"
"a2_248" = "1777939412"
"a3_272" = "1966719313"
"a1_256" = "2898057294"
"a4_250" = "1792280250"
"a1_209" = "3548420711"
"a3_219" = "1553447098"
"a3_218" = "1545870555"
"a3_217" = "1572434040"
"a3_216" = "1565513625"
"a3_215" = "1524378422"
"a3_214" = "1517457239"
"a3_213" = "1510466292"
"a3_212" = "1536443925"
"a3_211" = "1529535922"
"a3_210" = "1488925139"
"a2_275" = "1971503921"
"a2_276" = "1978671824"
"a2_285" = "2043194779"
"a1_202" = "1709672132"
"a2_287" = "2057543166"
"a2_277" = "1985841675"
"a4_269" = "1928493549"
"a4_268" = "1921324428"
"a2_283" = "2028858599"
"a1_203" = "3036943269"
"a4_265" = "1899817065"
"a4_264" = "1892647944"
"a4_267" = "1914155307"
"a4_266" = "1906986186"
"a4_261" = "1871140581"
"a1_200" = "3457910443"
"a4_263" = "1885478823"
"a4_262" = "1878309702"
"a1_201" = "3103389549"
"a3_221" = "1600963068"
"a1_206" = "2951658819"
"a1_207" = "1350514230"
"a1_282" = "1114468870"
"a1_283" = "838945377"
"a1_280" = "2647943634"
"a1_281" = "2857444906"
"a1_286" = "1235922705"
"a1_204" = "3438210693"
"a1_284" = "2933563829"
"a1_285" = "1658973118"
"a1_288" = "1355462517"
"a1_205" = "2875500307"
"a2_194" = "1390807066"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_11" = "78860331"
"a4_10" = "71691210"
"a2_218" = "1562862179"
"a2_219" = "1570033115"
"a3_87" = "607025846"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a3_149" = "1051200052"
"a3_86" = "633134807"
"a3_143" = "1008235630"
"a2_77" = "552020609"
"a3_141" = "1027813164"
"a3_140" = "986809165"
"a3_147" = "1070843378"
"a3_146" = "1063278867"
"a3_145" = "1022803120"
"a2_76" = "544854082"
"a1_155" = "150779111"
"a4_197" = "1412316837"
"a3_83" = "578088242"
"a3_138" = "1006336523"
"a3_139" = "979822314"
"a3_136" = "991835593"
"a3_137" = "998887848"
"a3_134" = "943844487"
"a3_82" = "571031891"
"a3_132" = "962896965"
"a3_133" = "970342436"
"a3_130" = "915382019"
"a3_131" = "922303458"
"a3_205" = "1452935148"
"a1_159" = "3447490682"
"a4_193" = "1383640353"
"a2_262" = "1878303185"
"a3_123" = "898391258"
"a4_192" = "1376471232"
"a3_122" = "891465851"
"a4_191" = "1369302111"
"a4_199" = "1426655079"
"a3_125" = "879322396"
"a4_190" = "1362132990"
"a2_259" = "1856804712"
"a1_264" = "1779461596"
"a3_124" = "905967805"
"a1_259" = "688507760"
"a1_258" = "3557183639"
"a2_288" = "2064711343"
"a4_256" = "1835294976"

[HKCU\Software\adm914\695404737]
"43014726" = "0800687474703A2F2F636174616E682E6E65742F696D616765732F6C6F676F2E67696600687474703A2F2F636869656E6773616E672E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F63686163617261626F6E616E7A612E636F6D2E62722F696D6167656E732F6C6F676F2E67696600687474703A2F2F6368616E647261706172612E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F6561676C657475726B2E636F6D2F6C6F676F2E67696600687474703A2F2F646F67756167616373616E6179692E6E65742F696D616765732F6C6F676F2E67696600687474703A2F2F7777772E646F616E686E6768696570766965742E636F6D2E766E2F696D616765732F6C6F676F2E67696600687474703A2F2F64726E682E69722F696D672F69636F6E732F6C6F676F2E676966"

[HKCU\Software\adm914]
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a3_208" = "1508042897"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a4_211" = "1512684531"
"a2_291" = "2086210840"
"a2_106" = "759924394"
"a2_107" = "767094097"
"a2_104" = "745590957"
"a2_105" = "752762834"
"a2_102" = "731243956"
"a2_103" = "738424506"
"a2_100" = "716907007"
"a2_101" = "724076335"
"a1_152" = "2656932811"
"a1_153" = "3888549291"
"a1_150" = "841695885"
"a1_151" = "2400989411"
"a1_156" = "3985578816"
"a1_157" = "3107394341"
"a2_108" = "774262532"
"a2_109" = "781429611"
"a3_207" = "1500990510"
"a1_277" = "3159143601"
"a3_200" = "1416957321"
"a4_249" = "1785111129"
"a3_201" = "1424012904"
"a1_47" = "1996456987"
"a1_46" = "280126778"
"a1_45" = "2527461460"
"a1_44" = "4136709114"
"a1_43" = "2347937305"
"a1_42" = "3544028073"
"a1_41" = "1302150864"
"a1_40" = "4107243121"
"a4_162" = "1161397602"
"a4_163" = "1168566723"
"a4_160" = "1147059360"
"a4_161" = "1154228481"
"a4_166" = "1190074086"
"a4_167" = "1197243207"
"a1_49" = "918046164"
"a1_48" = "3904543849"
"a2_173" = "1240253327"
"a2_172" = "1233085701"
"a2_171" = "1225926913"
"a2_170" = "1218754066"
"a2_177" = "1268939967"
"a2_176" = "1261769612"
"a2_175" = "1254591222"
"a2_174" = "1247420924"
"a2_179" = "1283276527"
"a2_178" = "1276108309"
"a2_233" = "1670399299"
"a2_242" = "1734930845"
"a1_32" = "3351933935"
"a1_33" = "3564562880"
"a1_30" = "2285740553"
"a1_31" = "3166658290"
"a1_36" = "116732128"
"a1_37" = "3167137991"
"a1_34" = "2141858999"
"a1_35" = "2626719770"
"a3_248" = "1761237945"
"a4_247" = "1770772887"
"a1_38" = "1961610815"
"a1_39" = "2271683713"
"a4_168" = "1204412328"
"a4_246" = "1763603766"
"a2_86" = "616538558"
"a4_169" = "1211581449"
"a2_87" = "623710204"
"a4_290" = "2079045090"
"a4_291" = "2086214211"
"a1_274" = "2452747932"
"a1_243" = "296304198"
"a3_107" = "750490314"
"a3_106" = "742979179"
"a3_105" = "769478024"
"a3_104" = "762552617"
"a3_103" = "754976070"
"a3_102" = "714512615"
"a3_101" = "707525636"
"a3_100" = "733500325"
"a2_256" = "1835302022"
"a2_257" = "1842469725"
"a2_254" = "1820950901"
"a2_255" = "1828120926"
"a2_252" = "1806622191"
"a3_58" = "432790459"
"a3_109" = "798022412"
"a3_108" = "790970029"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 6A EB 0F 0C 17 B1 2A 59 82 B7 9B 75 4D FD 32"

[HKCU\Software\adm914]
"a4_228" = "1634559588"
"a3_59" = "406144026"
"a4_273" = "1957170033"
"a4_221" = "1584375741"
"a4_220" = "1577206620"
"a4_223" = "1598713983"
"a4_222" = "1591544862"
"a4_225" = "1613052225"
"a4_224" = "1605883104"
"a4_227" = "1627390467"
"a4_226" = "1620221346"
"a3_74" = "513565259"
"a3_75" = "554634794"
"a3_76" = "561687181"
"a3_77" = "568612716"
"a3_70" = "485102791"
"a3_71" = "525709478"
"a3_72" = "533159177"
"a3_73" = "506657256"
"a4_165" = "1182904965"
"a3_78" = "542634959"
"a3_79" = "549625774"
"a4_277" = "1985846517"
"a4_195" = "1397978595"
"a2_229" = "1641731501"
"a2_228" = "1634565964"
"a4_274" = "1964339154"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_231" = "1656066951"
"a3_175" = "1271199758"
"a2_253" = "1813783677"
"a2_59" = "422982543"
"a2_58" = "415802608"
"a4_279" = "2000184759"
"a2_51" = "365618141"
"a2_50" = "358451015"
"a2_53" = "379968185"
"a2_52" = "372800190"
"a2_55" = "394299091"
"a2_54" = "387134142"
"a2_57" = "408636339"
"a2_56" = "401468690"
"a1_270" = "2175175168"
"a4_183" = "1311949143"
"a4_285" = "2043199485"
"a1_276" = "3965254625"
"a3_292" = "2110068965"
"a4_248" = "1777942008"
"a1_116" = "399071149"
"a1_117" = "1686866690"
"a1_114" = "1810995839"
"a1_115" = "1023799113"
"a1_112" = "2641795116"
"a1_113" = "428352903"
"a1_110" = "3579426301"
"a1_111" = "1566879318"

[HKCU\Software\adm914\695404737]
"50183847" = "7329B17EFD1799058CC507B8062C360BD9EAA93FEC92CD8196CE019C2B644F8B5AC11E54BC8D921572BC5C39CB0308531810224E18BC57A14754D33BC6678182373E7B47500C9E1C82FC29BF389B2B6F410B7B9F141B58DC2BA76EF625D3FD2F450761A6DFFF889DE058FDD1002052BDDBCDC8FCA7DFBA8BD347C7A4809EC681"

[HKCU\Software\adm914]
"a1_118" = "601110009"
"a1_119" = "3837402182"
"a4_126" = "903309246"
"a4_127" = "910478367"
"a4_124" = "888971004"
"a4_125" = "896140125"
"a4_122" = "874632762"
"a4_123" = "881801883"
"a4_120" = "860294520"
"a4_121" = "867463641"
"a1_257" = "3466989113"
"a4_128" = "917647488"
"a4_129" = "924816609"
"a1_163" = "1216647094"
"a1_162" = "998338326"
"a1_161" = "1927948357"
"a1_160" = "2569916916"
"a1_167" = "3438773266"
"a1_166" = "1361180850"
"a1_165" = "4050653911"
"a1_164" = "1534697078"
"a1_169" = "3137944902"
"a1_168" = "3982683925"
"a2_238" = "1706249526"
"a3_204" = "1445501709"
"a1_208" = "1228936350"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\adm914]
"a2_139" = "996514272"
"a2_138" = "989334986"
"a2_137" = "982163745"
"a2_136" = "974998176"
"a2_135" = "967834503"
"a2_134" = "960664580"
"a2_133" = "953498917"
"a2_132" = "946331526"
"a2_131" = "939149657"
"a2_130" = "931982164"
"a4_153" = "1096875513"
"a4_152" = "1089706392"
"a4_151" = "1082537271"
"a4_150" = "1075368150"
"a4_157" = "1125551997"
"a4_156" = "1118382876"
"a4_155" = "1111213755"
"a4_154" = "1104044634"
"a4_159" = "1139890239"
"a4_158" = "1132721118"
"a2_239" = "1713414447"

[HKCU\Software\adm914\695404737]
"14338242" = "0"
"7169121" = "247"

[HKCU\Software\adm914]
"a3_209" = "1481479536"
"a1_78" = "1966722496"
"a1_79" = "727336894"
"a1_76" = "2425129351"
"a1_77" = "3401860216"
"a1_74" = "4192425067"
"a1_75" = "3846701629"
"a1_72" = "1058937361"
"a1_73" = "967299607"
"a1_70" = "1425721303"
"a1_71" = "3380245658"
"a3_30" = "231908639"
"a3_31" = "205275646"
"a3_32" = "212855393"
"a3_33" = "253400768"
"a3_34" = "260321955"
"a3_35" = "267902722"
"a3_36" = "241269733"
"a3_37" = "248308804"
"a3_38" = "289374247"
"a3_39" = "296299654"
"a2_84" = "602196510"
"a2_85" = "609372023"
"a2_82" = "587870282"
"a2_83" = "595044569"
"a2_80" = "573523752"
"a2_81" = "580704833"
"a4_272" = "1950000912"
"a1_239" = "4010275398"
"a4_188" = "1347794748"
"a3_243" = "1725247058"
"a4_276" = "1978677396"
"a2_236" = "1691918268"
"a2_249" = "1785115669"
"a4_275" = "1971508275"
"a3_244" = "1765853749"
"a4_278" = "1993015638"
"a2_237" = "1699082466"
"a3_245" = "1773303444"
"a4_270" = "1935662670"
"a3_246" = "1746735991"
"a3_247" = "1753792470"
"a1_249" = "3855968542"
"a3_286" = "2067087903"
"a4_189" = "1354963869"
"a3_287" = "2074144510"
"a1_124" = "2896624056"
"a3_293" = "2083554628"
"a3_249" = "1801831448"
"a1_250" = "2761015030"
"a4_271" = "1942831791"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

The process %original file name%.exe:956 makes changes in the system registry.


The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 90 64 B2 2A 7D C5 88 C4 0C 3B F5 C8 B2 40 EC"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TELNET.EXE:3592
    TELNET.EXE:1236
    TELNET.EXE:3776
    TELNET.EXE:2720
    TELNET.EXE:2580
    TELNET.EXE:2552
    TELNET.EXE:2832
    TELNET.EXE:3084
    TELNET.EXE:2256
    TELNET.EXE:2112
    TELNET.EXE:1740
    TELNET.EXE:3304
    NOTEPAD.EXE:3420
    NOTEPAD.EXE:2864
    NOTEPAD.EXE:2960
    NOTEPAD.EXE:3036
    NOTEPAD.EXE:2656
    NOTEPAD.EXE:3276
    NOTEPAD.EXE:3048
    NOTEPAD.EXE:2192
    NOTEPAD.EXE:2480
    NOTEPAD.EXE:496
    NOTEPAD.EXE:3244
    NOTEPAD.EXE:472
    NOTEPAD.EXE:1632
    NOTEPAD.EXE:2780
    NOTEPAD.EXE:2888
    NOTEPAD.EXE:2220
    NOTEPAD.EXE:3020
    NOTEPAD.EXE:2144
    NOTEPAD.EXE:2688
    NOTEPAD.EXE:1116
    NOTEPAD.EXE:2748
    NOTEPAD.EXE:1676
    NOTEPAD.EXE:3188
    NOTEPAD.EXE:2288
    NOTEPAD.EXE:2708
    NOTEPAD.EXE:2444
    NOTEPAD.EXE:2936
    NOTEPAD.EXE:3216
    NOTEPAD.EXE:2492
    NOTEPAD.EXE:3388
    NOTEPAD.EXE:2680
    NOTEPAD.EXE:2080
    NOTEPAD.EXE:2896
    NOTEPAD.EXE:2160
    NOTEPAD.EXE:2396
    NOTEPAD.EXE:2412
    NOTEPAD.EXE:2992
    %original file name%.exe:1828

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (0 bytes)
    D:\disablejavawarnsec.exe (984 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (648 bytes)
    %System%\drivers\mpguk.sys (5 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)
    %WinDir%\system.ini (70 bytes)
    %Documents and Settings%\%current user%\Application Data\msconfig.exe (5441 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\88603cb2913a7df3fbd16b5f958e6447_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (51 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps