Trojan.Win32.Inject.dvlq (Kaspersky), Virus.Win32.VBInject!IK (Emsisoft), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun, IRCBot
The description has been automatically generated by the Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 096d666de7694ab9cfc1e5c44dca0df0
SHA1: ee8ee95da0436af56d171c48ae1bff53d0eec80c
SHA256: 251f7b57cee6a5d84e944bf9f19a65d223d958fbaaf6c94e82d56ffc0f6145b2
SSDeep: 12288:oa/njQgocGnWpWO2Ok8bTd40U9RxgP8smH8zUNONBnkQBVw:oSnsnnWpWO2ODTiRxgPdm3NIw
Size: 748032 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv25Retail, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2012-03-28 11:21:44
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via an IRC channel. |
Process activity
The Virus creates the following process(es):
TELNET.EXE:3592
TELNET.EXE:1236
TELNET.EXE:3776
TELNET.EXE:2720
TELNET.EXE:2580
TELNET.EXE:2552
TELNET.EXE:2832
TELNET.EXE:3084
TELNET.EXE:2256
TELNET.EXE:2112
TELNET.EXE:1740
TELNET.EXE:3304
NOTEPAD.EXE:3420
NOTEPAD.EXE:2864
NOTEPAD.EXE:2960
NOTEPAD.EXE:3036
NOTEPAD.EXE:2656
NOTEPAD.EXE:3276
NOTEPAD.EXE:3048
NOTEPAD.EXE:2192
NOTEPAD.EXE:2480
NOTEPAD.EXE:496
NOTEPAD.EXE:3244
NOTEPAD.EXE:472
NOTEPAD.EXE:1632
NOTEPAD.EXE:2780
NOTEPAD.EXE:2888
NOTEPAD.EXE:2220
NOTEPAD.EXE:3020
NOTEPAD.EXE:2144
NOTEPAD.EXE:2688
NOTEPAD.EXE:1116
NOTEPAD.EXE:2748
NOTEPAD.EXE:1676
NOTEPAD.EXE:3188
NOTEPAD.EXE:2288
NOTEPAD.EXE:2708
NOTEPAD.EXE:2444
NOTEPAD.EXE:2936
NOTEPAD.EXE:3216
NOTEPAD.EXE:2492
NOTEPAD.EXE:3388
NOTEPAD.EXE:2680
NOTEPAD.EXE:2080
NOTEPAD.EXE:2896
NOTEPAD.EXE:2160
NOTEPAD.EXE:2396
NOTEPAD.EXE:2412
NOTEPAD.EXE:2992
%original file name%.exe:1828
The Virus injects its code into the following process(es):
msconfig.exe:388
msconfig.exe:1168
%original file name%.exe:956
File activity
The process msconfig.exe:1168 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (0 bytes)
D:\disablejavawarnsec.exe (984 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (648 bytes)
%System%\drivers\mpguk.sys (5 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)
The Virus deletes the following file(s):
D:\715a8 (0 bytes)
%System%\drivers\mpguk.sys (0 bytes)
C:\711a1 (0 bytes)
The process %original file name%.exe:1828 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Application Data\msconfig.exe (5441 bytes)
The process %original file name%.exe:956 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\88603cb2913a7df3fbd16b5f958e6447_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (51 bytes)
Registry activity
The process msconfig.exe:388 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 2D 87 A9 56 CA 92 40 3A 26 5C D7 0F EC AC D6"
The process msconfig.exe:1168 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 A0 90 67 E6 99 9D 91 42 8C E4 C8 07 B9 F9 21"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
To automatically run itself each time Windows is booted, the Virus adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
To automatically run itself each time Windows is booted, the Virus adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"msconfig.exe" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe:*:Enabled:ipsec"
The Virus deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
The Virus deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
"(Default)"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
"(Default)"
The process TELNET.EXE:3592 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 83 B8 3C 88 5E 9A 0D 3E 14 5D 96 E6 91 4C FF"
The process TELNET.EXE:1236 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 2A E8 6F BD 2E 65 57 13 E8 8F DB E3 D1 80 FB"
The process TELNET.EXE:3776 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB E4 6C 8A D8 B7 46 A8 6A 33 5A FD 4A AD F0 F7"
The process TELNET.EXE:2720 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 59 82 11 61 34 87 52 76 25 C6 B1 27 AA 38 79"
The process TELNET.EXE:2580 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 8E 3D E0 6C 40 EE AE 14 DE 0C 74 A7 F5 87 6C"
The process TELNET.EXE:2552 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 02 0F 0B 58 2A D8 04 05 51 5A 2F 52 12 70 7A"
The process TELNET.EXE:2832 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 43 8B 80 48 11 63 B4 3D 6B 90 D9 05 CB 7B C0"
The process TELNET.EXE:3084 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 42 AA F0 4C 0F E1 E2 27 0C 86 CF E7 C2 D8 65"
The process TELNET.EXE:2256 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 CD 7D B6 A7 4F 0B F2 DD 1F 3F D9 1E 99 B7 AF"
The process TELNET.EXE:2112 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 0B D3 17 E7 52 1E AE BA B1 28 83 C9 25 59 F8"
The process TELNET.EXE:1740 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 7D 30 4F FB D4 BB FD 87 46 F0 A4 39 F7 A0 CF"
The process TELNET.EXE:3304 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 4B 69 BF 02 1E 42 BC F9 A6 F0 6E 63 9B 40 E8"
The process NOTEPAD.EXE:3420 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 84 4B 71 DC 95 5D 66 40 54 0B 36 CC 39 34 70"
The process NOTEPAD.EXE:2864 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 A8 C7 C3 7A 3E 61 1B 0F D7 90 E6 68 2E 48 C4"
The process NOTEPAD.EXE:2960 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 DA C0 38 80 56 1E F5 8E 83 84 74 8F 9C CE CE"
The process NOTEPAD.EXE:3036 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 F2 88 43 62 A2 AE 36 CF 9C 78 79 87 F6 D8 65"
The process NOTEPAD.EXE:2656 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 6A A9 62 9C 12 C0 55 BB 06 DC E3 9E D8 61 B6"
The process NOTEPAD.EXE:3276 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 DF FD ED E0 94 C4 1F 3C 93 9A 2D 2E FA CB ED"
The process NOTEPAD.EXE:3048 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 92 7E 93 3E 5B E3 F5 C4 B4 5B 59 EF FD 0B 54"
The process NOTEPAD.EXE:2192 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 38 E3 16 3D E0 B6 1A B7 B7 15 7B 0A A3 C2 D4"
The process NOTEPAD.EXE:2480 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 B9 19 F0 86 80 FD 37 CD AC A1 00 11 A2 87 2E"
The process NOTEPAD.EXE:496 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 D1 BA 45 A4 D4 9C C7 28 6E 42 F3 09 80 DF 8C"
The process NOTEPAD.EXE:3244 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 0B F3 F1 E8 83 54 33 04 5A D7 13 89 A9 D2 26"
The process NOTEPAD.EXE:472 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 F9 52 52 D6 65 C7 F4 63 AE 3E 60 55 F1 3E E4"
The process NOTEPAD.EXE:1632 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 84 4A 1E 3E 37 F3 ED D4 32 F0 B5 33 DE 41 5E"
The process NOTEPAD.EXE:2780 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 4F 7D 7B 80 3B 47 94 5B D0 95 FA 29 9F F4 C4"
The process NOTEPAD.EXE:2888 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 2E 9F 02 A0 27 1E 64 B7 F8 DA 9F 0E F4 81 B6"
The process NOTEPAD.EXE:2220 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 53 2F C1 E1 D2 1A 84 0B DD 8A B7 A0 03 0D C7"
The process NOTEPAD.EXE:3020 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 27 3B 49 A2 24 41 1D 77 C9 B1 D7 88 25 70 AA"
The process NOTEPAD.EXE:2144 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 CC 6E C5 A9 07 82 64 57 F3 B1 EC 34 89 64 9A"
The process NOTEPAD.EXE:2688 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 E6 DF 1C F6 DE BA BD E9 A4 F9 D2 54 8D F7 FE"
The process NOTEPAD.EXE:1116 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E BA D9 7C 00 17 78 AC A2 2A 9E 85 22 A5 4A E9"
The process NOTEPAD.EXE:2748 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 0B 7E D3 6E F6 71 1A FD CE 83 40 73 CD 62 BD"
The process NOTEPAD.EXE:1676 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 CB BA 5C AC 18 44 FC 96 98 4B 56 A2 53 A1 89"
The process NOTEPAD.EXE:3188 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 4A 20 7C DA B4 CF 43 85 FD EC 07 E2 17 11 90"
The process NOTEPAD.EXE:2288 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 27 DA FF 9D 5A 07 84 39 6D 7B C7 0F E8 F3 5D"
The process NOTEPAD.EXE:2708 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 68 4E 92 92 59 9C 95 AE 4A 2D C2 E1 32 EC 1F"
The process NOTEPAD.EXE:2444 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 27 F7 1D 37 8F 36 45 0F AF 79 CD D9 FD EE 41"
The process NOTEPAD.EXE:2936 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD B4 66 E9 DF 50 4F ED 90 D8 BC AA 5A 19 55 77"
The process NOTEPAD.EXE:3216 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 55 02 4A 69 D6 B6 9A B4 73 33 B8 81 A8 50 DD"
The process NOTEPAD.EXE:2492 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 BE AC EC FD 57 A6 F9 50 FA 2C 14 2E 93 62 26"
The process NOTEPAD.EXE:3388 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 72 61 5A 80 84 5B 61 3A FC 76 1B 41 8D 58 EB"
The process NOTEPAD.EXE:2680 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 A1 09 6A B0 A9 7C FA 25 EF AD 63 10 B6 FF 3E"
The process NOTEPAD.EXE:2080 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 51 CB 38 F5 2E CC FF 28 F9 BB 27 C1 AB 0F 4E"
The process NOTEPAD.EXE:2896 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 93 C0 57 2C A9 D0 9F B2 78 41 EA 5C 95 1A 3D"
The process NOTEPAD.EXE:2160 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 80 0A 57 2D 7D 00 85 42 A5 2F 8A 9E D7 A4 A6"
The process NOTEPAD.EXE:2396 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 EC A1 57 05 12 50 1C 08 5B 90 06 C1 55 FE B4"
The process NOTEPAD.EXE:2412 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 02 74 13 5F 81 E0 80 E5 B8 8B 88 27 5E F8 D6"
The process NOTEPAD.EXE:2992 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 83 38 D1 34 D1 48 65 F9 40 53 05 DC 4D 8F 70"
The process %original file name%.exe:1828 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\adm914]
"a2_267" = "1914153731"
"a2_266" = "1906988372"
"a2_265" = "1899822743"
"a2_264" = "1892651736"
"a2_263" = "1885473653"
"a1_241" = "1479289362"
"a2_261" = "1871136002"
"a2_260" = "1863969024"
"a2_269" = "1928492997"
"a2_268" = "1921321144"
"a3_158" = "1115723167"
"a3_159" = "1123171966"
"a2_226" = "1620214662"
"a3_150" = "1092335255"
"a3_151" = "1099256694"
"a3_152" = "1106313177"
"a3_153" = "1080269752"
"a3_154" = "1087177755"
"a3_155" = "1127784698"
"a3_156" = "1135234397"
"a3_157" = "1108732220"
"a2_15" = "107528839"
"a2_14" = "100361347"
"a2_17" = "121880394"
"a2_16" = "114711086"
"a2_11" = "78857808"
"a2_10" = "71692484"
"a2_13" = "93195329"
"a2_12" = "86027719"
"a2_292" = "2093374318"
"a3_288" = "2048101217"
"a2_290" = "2079041741"
"a3_203" = "1472069290"
"a2_19" = "136210971"
"a2_18" = "129046322"
"a3_289" = "2055026624"
"a2_28" = "200729512"
"a2_251" = "1799450747"
"a1_219" = "2396592828"
"a3_92" = "643003549"
"a4_237" = "1699081677"
"a3_93" = "649990524"
"a2_111" = "795778425"
"a3_129" = "907866784"
"a2_110" = "788608149"
"a2_113" = "810112240"
"a4_70" = "501838470"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a2_114" = "817275589"
"a2_230" = "1648900673"
"a3_128" = "934368961"
"a2_117" = "838792213"
"a2_116" = "831613110"
"a4_184" = "1319118264"
"a4_185" = "1326287385"
"a4_186" = "1333456506"
"a4_187" = "1340625627"
"a4_180" = "1290441780"
"a3_98" = "685968227"
"a1_129" = "2785556380"
"a2_118" = "845963086"
"a1_127" = "4287558985"
"a1_126" = "205693925"
"a1_125" = "735640330"
"a3_99" = "726579138"
"a1_123" = "3652803797"
"a1_122" = "3445013358"
"a1_121" = "772893835"
"a1_120" = "1323338669"
"a1_291" = "3528945685"
"a2_225" = "1613047487"
"a1_262" = "2678150717"
"a4_119" = "853125399"
"a4_118" = "845956278"
"a4_117" = "838787157"
"a4_116" = "831618036"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a2_160" = "1147056098"
"a2_161" = "1154234367"
"a2_162" = "1161404584"
"a2_163" = "1168571844"
"a2_164" = "1175732400"
"a2_165" = "1182897999"
"a2_166" = "1190074830"
"a2_167" = "1197238191"
"a2_168" = "1204407122"
"a2_169" = "1211588007"
"a1_216" = "491568011"
"a1_238" = "2748286028"
"a1_98" = "1888415864"
"a1_99" = "1378215511"
"a1_94" = "4126652367"
"a1_95" = "3637800610"
"a1_96" = "2539940914"
"a1_97" = "3263515906"
"a1_90" = "3181761814"
"a1_91" = "2727026245"
"a1_92" = "1775533990"
"a1_93" = "2468268646"
"a1_21" = "38241967"
"a1_20" = "1298703816"
"a1_23" = "1175878880"
"a1_22" = "4049762536"
"a1_25" = "704362530"
"a1_24" = "2991665494"
"a1_27" = "1635171834"
"a1_26" = "3703259285"
"a1_29" = "149387940"
"a1_28" = "4093186248"
"a3_279" = "1983579126"
"a3_278" = "2009622295"
"a1_252" = "1232666667"
"a4_196" = "1405147716"
"a2_293" = "2100557756"
"a2_234" = "1677580622"
"a1_138" = "3642256389"
"a1_265" = "2011691633"
"a1_139" = "1754276466"
"a3_69" = "478111844"
"a3_68" = "470667141"
"a2_258" = "1849637522"
"a3_63" = "468243870"
"a3_62" = "461187391"
"a3_61" = "454266204"
"a3_60" = "413196541"
"a3_67" = "497165090"
"a3_66" = "489719619"
"a3_65" = "449125088"
"a3_64" = "442138113"
"a3_114" = "834000243"
"a3_115" = "807891410"
"a3_116" = "814882229"
"a3_117" = "821921300"
"a3_110" = "771901423"
"a3_111" = "778952782"
"a3_112" = "785943601"
"a3_113" = "826943632"
"a4_243" = "1742096403"
"a4_242" = "1734927282"
"a4_241" = "1727758161"
"a4_240" = "1720589040"
"a3_118" = "862921463"
"a3_119" = "869977942"
"a4_245" = "1756434645"
"a4_244" = "1749265524"
"a3_226" = "1636957155"
"a1_213" = "2589765612"
"a4_238" = "1706250798"
"a3_227" = "1610835010"
"a4_236" = "1691912556"
"a1_130" = "194177046"
"a4_234" = "1677574314"
"a2_190" = "1362126416"
"a4_232" = "1663236072"
"a3_224" = "1588900513"
"a4_230" = "1648897830"
"a1_131" = "1781511287"
"a1_248" = "3117305252"
"a4_194" = "1390809474"
"a3_225" = "1629904640"
"a2_250" = "1792284818"
"a3_189" = "1371569628"
"a3_188" = "1364644221"
"a3_187" = "1324037274"
"a3_186" = "1316587579"
"a3_185" = "1309600856"
"a3_184" = "1336099833"
"a3_183" = "1328654102"
"a3_182" = "1288059575"
"a3_181" = "1280614100"
"a3_180" = "1307177589"
[HKCU\Software\adm914\695404737]
"35845605" = "315"
[HKCU\Software\adm914]
"a4_229" = "1641728709"
"a1_212" = "3857117565"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a4_33" = "236580993"
"a4_32" = "229411872"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKCU\Software\adm914]
"a1_251" = "4088174771"
"a1_158" = "3007434640"
"a3_96" = "671531553"
"a3_97" = "678456960"
"a3_94" = "690601439"
"a3_95" = "698046910"
"a2_68" = "487504636"
"a2_69" = "494671970"
"a3_90" = "662056027"
"a3_91" = "669108282"
"a2_64" = "458819870"
"a2_65" = "465989170"
"a2_66" = "473167352"
"a2_67" = "480337527"
"a2_60" = "430150401"
"a2_61" = "437318245"
"a2_62" = "444487087"
"a2_63" = "451651743"
"a2_286" = "2050373272"
"a3_228" = "1617821733"
"a2_281" = "2014526033"
"a2_280" = "2007355502"
"a3_206" = "1493540943"
"a2_282" = "2021689898"
"a1_220" = "1711089944"
"a4_284" = "2036030364"
"a2_112" = "802944664"
"a2_88" = "630889543"
"a4_260" = "1863971460"
"a4_88" = "630882648"
"a4_89" = "638051769"
"a2_185" = "1326289683"
"a4_80" = "573529680"
"a4_81" = "580698801"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_86" = "616544406"
"a4_87" = "623713527"
"a1_170" = "3325419988"
"a1_171" = "1768015074"
"a1_172" = "3227423728"
"a1_173" = "1314981284"
"a1_174" = "3643706701"
"a1_175" = "1780724635"
"a1_176" = "3189822948"
"a1_177" = "4177620584"
"a1_178" = "1187239969"
"a1_179" = "131914222"
"a2_128" = "917646226"
"a2_129" = "924823851"
"a1_279" = "1579860578"
"a1_278" = "3098048769"
"a2_124" = "888967104"
"a2_125" = "896143653"
"a2_126" = "903311483"
"a2_127" = "910482243"
"a2_120" = "860298999"
"a2_121" = "867461966"
"a2_122" = "874627841"
"a2_123" = "881798364"
"a4_140" = "1003676940"
"a4_141" = "1010846061"
"a4_142" = "1018015182"
"a4_143" = "1025184303"
"a4_144" = "1032353424"
"a4_145" = "1039522545"
"a4_146" = "1046691666"
"a4_147" = "1053860787"
"a4_148" = "1061029908"
"a4_149" = "1068199029"
"a4_235" = "1684743435"
"a3_231" = "1672934854"
"a3_230" = "1665878375"
"a3_233" = "1653815816"
"a3_232" = "1646367145"
"a1_69" = "407065080"
"a1_68" = "3774631069"
"a1_218" = "3646186703"
"a3_236" = "1708912429"
"a1_65" = "1384121580"
"a1_64" = "1701852420"
"a1_67" = "1541563554"
"a1_66" = "1531007041"
"a1_61" = "741396036"
"a1_60" = "3411924977"
"a1_63" = "2303425165"
"a1_62" = "615221046"
"a3_27" = "176877690"
"a3_26" = "169826203"
"a3_25" = "195930936"
"a3_24" = "188878681"
"a3_23" = "148333302"
"a3_22" = "140887575"
"a3_21" = "167402932"
"a3_20" = "159953365"
"a2_95" = "681060025"
"a2_94" = "673892422"
"a2_97" = "695404378"
"a2_96" = "688238909"
"a2_91" = "652392973"
"a2_90" = "645226473"
"a3_29" = "224868540"
"a3_28" = "183868637"
"a4_207" = "1484008047"
"a4_206" = "1476838926"
"a4_205" = "1469669805"
"a4_204" = "1462500684"
"a4_203" = "1455331563"
"a4_202" = "1448162442"
"a4_201" = "1440993321"
"a4_200" = "1433824200"
"a1_224" = "2421529529"
"a1_240" = "2013584043"
"a1_194" = "390288828"
"a4_209" = "1498346289"
"a4_208" = "1491177168"
"a3_85" = "626078324"
"a1_226" = "3618367735"
"a4_218" = "1562868378"
"a1_227" = "1829220933"
"a2_98" = "702576268"
"a4_219" = "1570037499"
"a2_223" = "1598710460"
"a1_221" = "433795459"
"a2_222" = "1591548045"
"a2_221" = "1584380111"
"a1_287" = "397381108"
"a2_274" = "1964341244"
"a3_84" = "585599381"
"a1_269" = "3073854928"
"a2_220" = "1577212330"
"a2_270" = "1935656058"
"a2_271" = "1942838899"
"a2_272" = "1950005242"
"a2_273" = "1957171757"
"a1_185" = "672113472"
"a2_278" = "1993020358"
"a3_275" = "1954656882"
"a1_184" = "2332641003"
"a3_169" = "1228153416"
"a3_168" = "1187690985"
"a3_165" = "1199756484"
"a3_164" = "1192700005"
"a3_167" = "1180638470"
"a3_166" = "1206677671"
"a3_161" = "1171212096"
"a3_160" = "1163778785"
"a3_163" = "1151700866"
"a3_162" = "1144709923"
"a1_289" = "1869408462"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKCU\Software\adm914]
"a3_52" = "389744117"
"a2_29" = "207899143"
"a3_50" = "341769395"
"a3_51" = "348756242"
"a3_56" = "384734073"
"a3_57" = "425213912"
"a3_54" = "370166327"
"a3_55" = "377747094"
"a2_20" = "143377262"
"a2_21" = "150575885"
"a2_22" = "157725079"
"a2_23" = "164895179"
"a2_24" = "172064574"
"a2_25" = "179232481"
"a2_26" = "186395053"
"a2_27" = "193564006"
"a2_212" = "1519858024"
"a3_291" = "2103081986"
"a2_213" = "1527026353"
"a3_277" = "2002713268"
"a3_290" = "2062078883"
"a2_210" = "1505512364"
"a1_263" = "583977358"
"a2_211" = "1512676921"
"a2_216" = "1548527058"
"a4_198" = "1419485958"
"a2_217" = "1555697535"
"a4_71" = "509007591"
"a2_214" = "1534195300"
"a3_276" = "1962106581"
"a3_190" = "1345526207"
"a2_215" = "1541361731"
"a3_262" = "1861737735"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a3_220" = "1593910557"
"a4_48" = "344117808"
"a4_49" = "351286929"
"a1_2" = "1238029467"
"a1_3" = "2218235766"
"a1_0" = "316296286"
"a1_1" = "3634571327"
"a1_6" = "2110731024"
"a1_7" = "1596058878"
"a1_4" = "589896394"
"a1_5" = "1753689527"
"a1_222" = "929793351"
"a1_8" = "1810197841"
"a1_9" = "3280256295"
"a3_4" = "11990981"
"a3_5" = "52532132"
"a3_6" = "59980807"
"a3_7" = "67033318"
"a3_0" = "17000001"
"a3_1" = "23986720"
"a3_2" = "31043203"
"a3_3" = "4934498"
"a1_134" = "2675703699"
"a1_135" = "1684051562"
"a1_136" = "1326710493"
"a1_137" = "3806053286"
"a3_8" = "40387913"
"a3_9" = "47964456"
"a1_132" = "1940854871"
"a1_133" = "3582435675"
"a3_270" = "1918679055"
"a4_215" = "1541361015"
"a4_164" = "1175735844"
"a1_253" = "78284950"
"a3_260" = "1847235781"
"a3_148" = "1044213333"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a2_155" = "1111220063"
"a2_154" = "1104036674"
"a2_157" = "1125554608"
"a2_156" = "1118384740"
"a2_151" = "1082534901"
"a2_150" = "1075366318"
"a2_153" = "1096871857"
"a2_152" = "1089701808"
"a1_181" = "3160277440"
"a1_180" = "1275033320"
"a1_183" = "2959365134"
"a1_182" = "4260274743"
"a2_159" = "1139885031"
"a2_158" = "1132719676"
"a1_187" = "659038343"
"a1_186" = "1958804782"
"a1_83" = "3877415722"
"a1_82" = "890647883"
"a1_81" = "837203855"
"a1_80" = "3945776366"
"a1_87" = "1978386084"
"a1_86" = "3907369044"
"a1_85" = "2053682530"
"a1_84" = "224042376"
"a3_274" = "1947601299"
"a1_89" = "823824111"
"a1_88" = "1740757270"
"a1_275" = "363766396"
"a1_14" = "2417224468"
"a1_15" = "4241677803"
"a1_16" = "1904974035"
"a1_17" = "4217324072"
"a1_10" = "100830084"
"a1_11" = "1170462834"
"a1_12" = "323591381"
"a1_13" = "3235987131"
"a1_273" = "764436901"
"a1_18" = "1510188780"
"a1_19" = "2362776421"
"a1_272" = "1763154758"
"a3_268" = "1938191309"
"a3_269" = "1945182124"
"a1_271" = "2430438909"
"a1_223" = "2029913783"
"a3_263" = "1902213606"
"a2_93" = "666726006"
"a3_144" = "1015746769"
"a3_266" = "1890134667"
"a3_267" = "1930745706"
"a3_264" = "1909252681"
"a3_265" = "1883213352"
"a4_210" = "1505515410"
"a1_292" = "43472381"
"a3_18" = "112355475"
"a3_19" = "152900978"
"a3_16" = "131407953"
"a3_17" = "104909872"
"a3_14" = "83368719"
"a3_15" = "124487662"
"a3_12" = "69456589"
"a3_13" = "76381868"
"a3_10" = "88509835"
"a3_11" = "95434346"
"a4_258" = "1849633218"
"a4_259" = "1856802339"
"a2_232" = "1663230902"
"a1_242" = "4038390671"
"a2_92" = "659554308"
"a4_251" = "1799449371"
"a4_252" = "1806618492"
"a4_253" = "1813787613"
"a4_254" = "1820956734"
"a4_255" = "1828125855"
"a1_189" = "2814538187"
"a4_257" = "1842464097"
"a1_246" = "3236005491"
"a3_261" = "1854156964"
"a2_227" = "1627400137"
"a1_247" = "3327606222"
"a3_240" = "1737325745"
"a1_244" = "2942235173"
"a1_245" = "2989804416"
"a3_198" = "1436075335"
"a3_199" = "1409966374"
"a3_194" = "1407547331"
"a3_195" = "1380979618"
"a3_196" = "1388559365"
"a3_197" = "1429035236"
"a1_188" = "1681291240"
"a3_191" = "1352565278"
"a3_192" = "1393045121"
"a4_181" = "1297610901"
"a3_135" = "950831462"
"a2_209" = "1498341719"
"a4_182" = "1304780022"
"a2_205" = "1469674853"
"a2_204" = "1462494829"
"a2_207" = "1484009543"
"a1_128" = "560770626"
"a2_201" = "1440990633"
"a2_200" = "1433828978"
"a2_203" = "1455328041"
"a2_202" = "1448161182"
"a2_241" = "1727752003"
"a1_290" = "2847795417"
"a2_240" = "1720598330"
"a4_213" = "1527022773"
"a1_268" = "1127542235"
"a2_243" = "1742098727"
"a2_73" = "523338667"
"a2_72" = "516173809"
"a2_71" = "509004817"
"a2_70" = "501833822"
"a3_81" = "597665008"
"a3_80" = "590100497"
"a2_75" = "537688531"
"a2_74" = "530518416"
"a3_121" = "850859928"
"a3_120" = "843344697"
"a2_79" = "566356047"
"a2_78" = "559188422"
"a3_89" = "654607352"
"a3_88" = "614065945"
"a3_127" = "927443550"
"a3_126" = "886309375"
"a2_284" = "2036027104"
"a1_230" = "3099320546"
"a3_235" = "1701331786"
"a2_246" = "1763599251"
"a3_234" = "1660856043"
"a2_224" = "1605879393"
"a3_237" = "1682344844"
"a2_191" = "1369305503"
"a4_233" = "1670405193"
"a1_255" = "1905293258"
"a1_228" = "4106957991"
"a3_239" = "1730400462"
"a4_292" = "2093383332"
"a3_238" = "1689269359"
"a2_279" = "2000190489"
"a3_142" = "1034865551"
"a2_199" = "1426658632"
"a4_239" = "1713419919"
"a1_229" = "2784876816"
"a4_99" = "709742979"
"a4_98" = "702573858"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a1_145" = "3630045093"
"a1_144" = "2403467487"
"a1_147" = "2906048741"
"a1_146" = "2023062161"
"a1_141" = "3889503790"
"a1_140" = "2340905802"
"a1_143" = "1513541218"
"a1_142" = "3257331469"
"a1_149" = "852347211"
"a1_148" = "1270616666"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_1" = "7169121"
"a4_0" = "0"
"a2_119" = "853130454"
"a2_99" = "709738841"
"a1_266" = "208390277"
"a1_267" = "639193161"
"a1_260" = "846448477"
"a1_261" = "3017472944"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a4_175" = "1254596175"
"a4_174" = "1247427054"
"a4_177" = "1268934417"
"a4_176" = "1261765296"
"a4_171" = "1225919691"
"a4_170" = "1218750570"
"a4_173" = "1240257933"
"a4_172" = "1233088812"
"a4_179" = "1283272659"
"a4_178" = "1276103538"
"a1_50" = "3019146403"
"a1_51" = "3707117899"
"a1_52" = "921541091"
"a1_53" = "3144594761"
"a1_54" = "1169150758"
"a1_55" = "2358742158"
"a1_56" = "4085189483"
"a1_57" = "1803066818"
"a1_58" = "1758106787"
"a1_59" = "4053111060"
"a2_193" = "1383643038"
"a2_195" = "1397976697"
"a3_229" = "1624878212"
"a1_254" = "3919791219"
"a2_192" = "1376473788"
"a3_47" = "353766286"
"a2_188" = "1347790052"
"a2_189" = "1354960341"
"a2_186" = "1333460132"
"a2_187" = "1340621209"
"a2_184" = "1319123568"
"a3_46" = "313225007"
"a2_182" = "1304772902"
"a2_183" = "1311953471"
"a2_180" = "1290437300"
"a2_181" = "1297604845"
"a4_214" = "1534191894"
"a2_37" = "265263221"
"a4_216" = "1548530136"
"a4_217" = "1555699257"
"a2_9" = "64526669"
"a2_8" = "57358848"
"a4_212" = "1519853652"
"a3_48" = "360821873"
"a2_5" = "35842429"
"a2_4" = "28675706"
"a2_7" = "50176367"
"a2_6" = "43022940"
"a2_1" = "7168686"
"a2_0" = "1743"
"a2_3" = "21509864"
"a2_2" = "14342942"
"a3_253" = "1830770076"
"a3_252" = "1789765949"
"a3_251" = "1782713690"
"a3_250" = "1809277179"
"a3_257" = "1825743648"
"a3_256" = "1818691393"
"a3_255" = "1844812510"
"a3_254" = "1837825663"
"a3_259" = "1873799266"
"a3_258" = "1866223491"
"a4_289" = "2071875969"
"a4_288" = "2064706848"
"a4_287" = "2057537727"
"a4_286" = "2050368606"
"a2_197" = "1412311301"
"a2_198" = "1419492796"
"a4_283" = "2028861243"
"a4_282" = "2021692122"
"a4_281" = "2014523001"
"a4_280" = "2007353880"
"a1_233" = "2497868304"
"a1_232" = "4077559742"
"a1_225" = "3040918804"
"a1_231" = "187389413"
"a3_222" = "1608411743"
"a3_172" = "1216092013"
"a3_173" = "1223668684"
"a3_170" = "1235734059"
"a3_171" = "1209100938"
"a3_176" = "1245078769"
"a3_177" = "1252065616"
"a3_174" = "1264148399"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\adm914]
"a2_196" = "1405144580"
"a1_237" = "1762923801"
"a3_178" = "1292676403"
"a3_179" = "1300122002"
"a2_245" = "1756431821"
"a2_244" = "1749269292"
"a2_247" = "1770769375"
"a1_236" = "3745969463"
"a1_235" = "1146245214"
"a1_234" = "2677546466"
"a3_41" = "277247432"
"a3_40" = "269797737"
"a3_43" = "324844042"
"a3_42" = "284234155"
"a3_45" = "305775436"
"a3_44" = "332277485"
"a2_39" = "279600860"
"a2_38" = "272430858"
"a3_49" = "368267472"
"a2_36" = "258081858"
"a2_35" = "250915371"
"a2_34" = "243745867"
"a2_33" = "236578075"
"a2_32" = "229415808"
"a2_31" = "222244951"
"a2_30" = "215080554"
"a4_59" = "422978139"
"a4_58" = "415809018"
"a2_235" = "1684749849"
"a4_53" = "379963413"
"a4_52" = "372794292"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_55" = "394301655"
"a4_54" = "387132534"
"a2_89" = "638057086"
"a3_53" = "396799572"
"a3_241" = "1744312592"
"a3_271" = "1926112494"
"a2_48" = "344113216"
"a2_49" = "351284557"
"a2_42" = "301098188"
"a2_43" = "308266971"
"a2_40" = "286767057"
"a2_41" = "293929508"
"a2_46" = "329784405"
"a2_47" = "336951022"
"a2_44" = "315445318"
"a2_45" = "322613541"
"a2_115" = "824442884"
"a1_293" = "2954580316"
"a3_242" = "1718322675"
"a2_289" = "2071873477"
"a3_193" = "1400621920"
"a1_101" = "178144284"
"a1_100" = "2898805821"
"a1_103" = "1082331589"
"a1_102" = "250140671"
"a1_105" = "289579143"
"a1_104" = "1998974001"
"a1_107" = "1349789145"
"a1_106" = "916161842"
"a1_109" = "1637414787"
"a1_108" = "3173128633"
"a2_208" = "1491179972"
"a3_223" = "1581848126"
"a4_131" = "939154851"
"a4_130" = "931985730"
"a4_133" = "953493093"
"a4_132" = "946323972"
"a4_135" = "967831335"
"a4_134" = "960662214"
"a4_137" = "982169577"
"a4_136" = "975000456"
"a4_139" = "996507819"
"a4_138" = "989338698"
"a3_202" = "1465012939"
"a1_215" = "3990381614"
"a1_214" = "1180623823"
"a1_217" = "2002297969"
"a2_206" = "1476843978"
"a1_211" = "1563503009"
"a1_210" = "3326150367"
"a1_198" = "3229272400"
"a1_199" = "2820927294"
"a1_196" = "1354550550"
"a1_197" = "1058674428"
"a1_154" = "1267889639"
"a1_195" = "656514481"
"a1_192" = "2687142299"
"a1_193" = "1556685801"
"a1_190" = "2355009966"
"a1_191" = "1449585422"
"a3_284" = "2019048925"
"a3_285" = "2026625468"
"a2_148" = "1061032234"
"a2_149" = "1068189291"
"a3_280" = "1990634585"
"a3_281" = "2031110200"
"a3_282" = "2038690971"
"a3_283" = "2045677946"
"a2_142" = "1018019634"
"a2_143" = "1025214871"
"a2_140" = "1003680347"
"a2_141" = "1010851659"
"a2_146" = "1046687945"
"a2_147" = "1053867676"
"a2_144" = "1032348201"
"a2_145" = "1039516131"
"a3_273" = "1974168880"
"a2_231" = "1656064119"
"a2_248" = "1777939412"
"a3_272" = "1966719313"
"a1_256" = "2898057294"
"a4_250" = "1792280250"
"a1_209" = "3548420711"
"a3_219" = "1553447098"
"a3_218" = "1545870555"
"a3_217" = "1572434040"
"a3_216" = "1565513625"
"a3_215" = "1524378422"
"a3_214" = "1517457239"
"a3_213" = "1510466292"
"a3_212" = "1536443925"
"a3_211" = "1529535922"
"a3_210" = "1488925139"
"a2_275" = "1971503921"
"a2_276" = "1978671824"
"a2_285" = "2043194779"
"a1_202" = "1709672132"
"a2_287" = "2057543166"
"a2_277" = "1985841675"
"a4_269" = "1928493549"
"a4_268" = "1921324428"
"a2_283" = "2028858599"
"a1_203" = "3036943269"
"a4_265" = "1899817065"
"a4_264" = "1892647944"
"a4_267" = "1914155307"
"a4_266" = "1906986186"
"a4_261" = "1871140581"
"a1_200" = "3457910443"
"a4_263" = "1885478823"
"a4_262" = "1878309702"
"a1_201" = "3103389549"
"a3_221" = "1600963068"
"a1_206" = "2951658819"
"a1_207" = "1350514230"
"a1_282" = "1114468870"
"a1_283" = "838945377"
"a1_280" = "2647943634"
"a1_281" = "2857444906"
"a1_286" = "1235922705"
"a1_204" = "3438210693"
"a1_284" = "2933563829"
"a1_285" = "1658973118"
"a1_288" = "1355462517"
"a1_205" = "2875500307"
"a2_194" = "1390807066"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_11" = "78860331"
"a4_10" = "71691210"
"a2_218" = "1562862179"
"a2_219" = "1570033115"
"a3_87" = "607025846"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a3_149" = "1051200052"
"a3_86" = "633134807"
"a3_143" = "1008235630"
"a2_77" = "552020609"
"a3_141" = "1027813164"
"a3_140" = "986809165"
"a3_147" = "1070843378"
"a3_146" = "1063278867"
"a3_145" = "1022803120"
"a2_76" = "544854082"
"a1_155" = "150779111"
"a4_197" = "1412316837"
"a3_83" = "578088242"
"a3_138" = "1006336523"
"a3_139" = "979822314"
"a3_136" = "991835593"
"a3_137" = "998887848"
"a3_134" = "943844487"
"a3_82" = "571031891"
"a3_132" = "962896965"
"a3_133" = "970342436"
"a3_130" = "915382019"
"a3_131" = "922303458"
"a3_205" = "1452935148"
"a1_159" = "3447490682"
"a4_193" = "1383640353"
"a2_262" = "1878303185"
"a3_123" = "898391258"
"a4_192" = "1376471232"
"a3_122" = "891465851"
"a4_191" = "1369302111"
"a4_199" = "1426655079"
"a3_125" = "879322396"
"a4_190" = "1362132990"
"a2_259" = "1856804712"
"a1_264" = "1779461596"
"a3_124" = "905967805"
"a1_259" = "688507760"
"a1_258" = "3557183639"
"a2_288" = "2064711343"
"a4_256" = "1835294976"
[HKCU\Software\adm914\695404737]
[HKCU\Software\adm914]
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a3_208" = "1508042897"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a4_211" = "1512684531"
"a2_291" = "2086210840"
"a2_106" = "759924394"
"a2_107" = "767094097"
"a2_104" = "745590957"
"a2_105" = "752762834"
"a2_102" = "731243956"
"a2_103" = "738424506"
"a2_100" = "716907007"
"a2_101" = "724076335"
"a1_152" = "2656932811"
"a1_153" = "3888549291"
"a1_150" = "841695885"
"a1_151" = "2400989411"
"a1_156" = "3985578816"
"a1_157" = "3107394341"
"a2_108" = "774262532"
"a2_109" = "781429611"
"a3_207" = "1500990510"
"a1_277" = "3159143601"
"a3_200" = "1416957321"
"a4_249" = "1785111129"
"a3_201" = "1424012904"
"a1_47" = "1996456987"
"a1_46" = "280126778"
"a1_45" = "2527461460"
"a1_44" = "4136709114"
"a1_43" = "2347937305"
"a1_42" = "3544028073"
"a1_41" = "1302150864"
"a1_40" = "4107243121"
"a4_162" = "1161397602"
"a4_163" = "1168566723"
"a4_160" = "1147059360"
"a4_161" = "1154228481"
"a4_166" = "1190074086"
"a4_167" = "1197243207"
"a1_49" = "918046164"
"a1_48" = "3904543849"
"a2_173" = "1240253327"
"a2_172" = "1233085701"
"a2_171" = "1225926913"
"a2_170" = "1218754066"
"a2_177" = "1268939967"
"a2_176" = "1261769612"
"a2_175" = "1254591222"
"a2_174" = "1247420924"
"a2_179" = "1283276527"
"a2_178" = "1276108309"
"a2_233" = "1670399299"
"a2_242" = "1734930845"
"a1_32" = "3351933935"
"a1_33" = "3564562880"
"a1_30" = "2285740553"
"a1_31" = "3166658290"
"a1_36" = "116732128"
"a1_37" = "3167137991"
"a1_34" = "2141858999"
"a1_35" = "2626719770"
"a3_248" = "1761237945"
"a4_247" = "1770772887"
"a1_38" = "1961610815"
"a1_39" = "2271683713"
"a4_168" = "1204412328"
"a4_246" = "1763603766"
"a2_86" = "616538558"
"a4_169" = "1211581449"
"a2_87" = "623710204"
"a4_290" = "2079045090"
"a4_291" = "2086214211"
"a1_274" = "2452747932"
"a1_243" = "296304198"
"a3_107" = "750490314"
"a3_106" = "742979179"
"a3_105" = "769478024"
"a3_104" = "762552617"
"a3_103" = "754976070"
"a3_102" = "714512615"
"a3_101" = "707525636"
"a3_100" = "733500325"
"a2_256" = "1835302022"
"a2_257" = "1842469725"
"a2_254" = "1820950901"
"a2_255" = "1828120926"
"a2_252" = "1806622191"
"a3_58" = "432790459"
"a3_109" = "798022412"
"a3_108" = "790970029"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 6A EB 0F 0C 17 B1 2A 59 82 B7 9B 75 4D FD 32"
[HKCU\Software\adm914]
"a4_228" = "1634559588"
"a3_59" = "406144026"
"a4_273" = "1957170033"
"a4_221" = "1584375741"
"a4_220" = "1577206620"
"a4_223" = "1598713983"
"a4_222" = "1591544862"
"a4_225" = "1613052225"
"a4_224" = "1605883104"
"a4_227" = "1627390467"
"a4_226" = "1620221346"
"a3_74" = "513565259"
"a3_75" = "554634794"
"a3_76" = "561687181"
"a3_77" = "568612716"
"a3_70" = "485102791"
"a3_71" = "525709478"
"a3_72" = "533159177"
"a3_73" = "506657256"
"a4_165" = "1182904965"
"a3_78" = "542634959"
"a3_79" = "549625774"
"a4_277" = "1985846517"
"a4_195" = "1397978595"
"a2_229" = "1641731501"
"a2_228" = "1634565964"
"a4_274" = "1964339154"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_231" = "1656066951"
"a3_175" = "1271199758"
"a2_253" = "1813783677"
"a2_59" = "422982543"
"a2_58" = "415802608"
"a4_279" = "2000184759"
"a2_51" = "365618141"
"a2_50" = "358451015"
"a2_53" = "379968185"
"a2_52" = "372800190"
"a2_55" = "394299091"
"a2_54" = "387134142"
"a2_57" = "408636339"
"a2_56" = "401468690"
"a1_270" = "2175175168"
"a4_183" = "1311949143"
"a4_285" = "2043199485"
"a1_276" = "3965254625"
"a3_292" = "2110068965"
"a4_248" = "1777942008"
"a1_116" = "399071149"
"a1_117" = "1686866690"
"a1_114" = "1810995839"
"a1_115" = "1023799113"
"a1_112" = "2641795116"
"a1_113" = "428352903"
"a1_110" = "3579426301"
"a1_111" = "1566879318"
[HKCU\Software\adm914\695404737]
"50183847" = "7329B17EFD1799058CC507B8062C360BD9EAA93FEC92CD8196CE019C2B644F8B5AC11E54BC8D921572BC5C39CB0308531810224E18BC57A14754D33BC6678182373E7B47500C9E1C82FC29BF389B2B6F410B7B9F141B58DC2BA76EF625D3FD2F450761A6DFFF889DE058FDD1002052BDDBCDC8FCA7DFBA8BD347C7A4809EC681"
[HKCU\Software\adm914]
"a1_118" = "601110009"
"a1_119" = "3837402182"
"a4_126" = "903309246"
"a4_127" = "910478367"
"a4_124" = "888971004"
"a4_125" = "896140125"
"a4_122" = "874632762"
"a4_123" = "881801883"
"a4_120" = "860294520"
"a4_121" = "867463641"
"a1_257" = "3466989113"
"a4_128" = "917647488"
"a4_129" = "924816609"
"a1_163" = "1216647094"
"a1_162" = "998338326"
"a1_161" = "1927948357"
"a1_160" = "2569916916"
"a1_167" = "3438773266"
"a1_166" = "1361180850"
"a1_165" = "4050653911"
"a1_164" = "1534697078"
"a1_169" = "3137944902"
"a1_168" = "3982683925"
"a2_238" = "1706249526"
"a3_204" = "1445501709"
"a1_208" = "1228936350"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\adm914]
"a2_139" = "996514272"
"a2_138" = "989334986"
"a2_137" = "982163745"
"a2_136" = "974998176"
"a2_135" = "967834503"
"a2_134" = "960664580"
"a2_133" = "953498917"
"a2_132" = "946331526"
"a2_131" = "939149657"
"a2_130" = "931982164"
"a4_153" = "1096875513"
"a4_152" = "1089706392"
"a4_151" = "1082537271"
"a4_150" = "1075368150"
"a4_157" = "1125551997"
"a4_156" = "1118382876"
"a4_155" = "1111213755"
"a4_154" = "1104044634"
"a4_159" = "1139890239"
"a4_158" = "1132721118"
"a2_239" = "1713414447"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
"7169121" = "247"
[HKCU\Software\adm914]
"a3_209" = "1481479536"
"a1_78" = "1966722496"
"a1_79" = "727336894"
"a1_76" = "2425129351"
"a1_77" = "3401860216"
"a1_74" = "4192425067"
"a1_75" = "3846701629"
"a1_72" = "1058937361"
"a1_73" = "967299607"
"a1_70" = "1425721303"
"a1_71" = "3380245658"
"a3_30" = "231908639"
"a3_31" = "205275646"
"a3_32" = "212855393"
"a3_33" = "253400768"
"a3_34" = "260321955"
"a3_35" = "267902722"
"a3_36" = "241269733"
"a3_37" = "248308804"
"a3_38" = "289374247"
"a3_39" = "296299654"
"a2_84" = "602196510"
"a2_85" = "609372023"
"a2_82" = "587870282"
"a2_83" = "595044569"
"a2_80" = "573523752"
"a2_81" = "580704833"
"a4_272" = "1950000912"
"a1_239" = "4010275398"
"a4_188" = "1347794748"
"a3_243" = "1725247058"
"a4_276" = "1978677396"
"a2_236" = "1691918268"
"a2_249" = "1785115669"
"a4_275" = "1971508275"
"a3_244" = "1765853749"
"a4_278" = "1993015638"
"a2_237" = "1699082466"
"a3_245" = "1773303444"
"a4_270" = "1935662670"
"a3_246" = "1746735991"
"a3_247" = "1753792470"
"a1_249" = "3855968542"
"a3_286" = "2067087903"
"a4_189" = "1354963869"
"a3_287" = "2074144510"
"a1_124" = "2896624056"
"a3_293" = "2083554628"
"a3_249" = "1801831448"
"a1_250" = "2761015030"
"a4_271" = "1942831791"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The process %original file name%.exe:956 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 90 64 B2 2A 7D C5 88 C4 0C 3B F5 C8 B2 40 EC"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TELNET.EXE:3592
TELNET.EXE:1236
TELNET.EXE:3776
TELNET.EXE:2720
TELNET.EXE:2580
TELNET.EXE:2552
TELNET.EXE:2832
TELNET.EXE:3084
TELNET.EXE:2256
TELNET.EXE:2112
TELNET.EXE:1740
TELNET.EXE:3304
NOTEPAD.EXE:3420
NOTEPAD.EXE:2864
NOTEPAD.EXE:2960
NOTEPAD.EXE:3036
NOTEPAD.EXE:2656
NOTEPAD.EXE:3276
NOTEPAD.EXE:3048
NOTEPAD.EXE:2192
NOTEPAD.EXE:2480
NOTEPAD.EXE:496
NOTEPAD.EXE:3244
NOTEPAD.EXE:472
NOTEPAD.EXE:1632
NOTEPAD.EXE:2780
NOTEPAD.EXE:2888
NOTEPAD.EXE:2220
NOTEPAD.EXE:3020
NOTEPAD.EXE:2144
NOTEPAD.EXE:2688
NOTEPAD.EXE:1116
NOTEPAD.EXE:2748
NOTEPAD.EXE:1676
NOTEPAD.EXE:3188
NOTEPAD.EXE:2288
NOTEPAD.EXE:2708
NOTEPAD.EXE:2444
NOTEPAD.EXE:2936
NOTEPAD.EXE:3216
NOTEPAD.EXE:2492
NOTEPAD.EXE:3388
NOTEPAD.EXE:2680
NOTEPAD.EXE:2080
NOTEPAD.EXE:2896
NOTEPAD.EXE:2160
NOTEPAD.EXE:2396
NOTEPAD.EXE:2412
NOTEPAD.EXE:2992
%original file name%.exe:1828
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (0 bytes)
D:\disablejavawarnsec.exe (984 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (648 bytes)
%System%\drivers\mpguk.sys (5 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\google_cache2.tmp (9 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Application Data\msconfig.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\88603cb2913a7df3fbd16b5f958e6447_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (51 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate" = "%Documents and Settings%\%current user%\Application Data\msconfig.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.