Skip to main content

Worm.Win32.AutoIt_c1c13dece0


Trojan-Downloader.Win32.Genome.fnok (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR, GenericAutorunWorm.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Banker, Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: c1c13dece02211e9d3a20e9c6a305201

SHA1: 93aaac892d041adfe207da650fae91357dbd32aa

SHA256: 0088f6211abf2e5d633fb2690bc3032317baf65068cb8067288eff59fbff902c

SSDeep: 12288:hhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aNptt:vRmJkcoQricOIQxiZY1iaNvt

Size: 662577 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-01-29 23:32:28

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

hitman.exe:2004
taskkill.exe:1696
taskkill.exe:1776
fsutil.exe:1612
ping.exe:1208
jrt.exe:632
findstr.exe:1636
QuickTuneUp.exe:1564
NIRCMD.DAT:600
rundll32.exe:672
%original file name%.exe:1676
reg.exe:1044

File activity

The process hitman.exe:2004 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%System%\config\SysEvent.Evt (824 bytes)
%Program Files%\Wireshark (196 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Program Files%\Windows Media Player (16 bytes)
%WinDir%\WinSxS (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%WinDir%\repair (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%WinDir%\Temp (4 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Banner.bin (5825 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%System%\wbem\Logs\wbemcore.log (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (576 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Remnants.bin (2500 bytes)
%Documents and Settings%\%current user%\Local Settings (16 bytes)
C:\Perl\lib (40 bytes)
%WinDir%\Help (248 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\Default User (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%WinDir%\$hf_mig$ (392 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
C:\$Directory (28 bytes)
%Program Files%\Movie Maker (4 bytes)
%Program Files%\Windows NT (4 bytes)
%System% (15036 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt (36 bytes)
%System%\config\systemprofile (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp (4 bytes)
C:\Perl\eg (4 bytes)
%WinDir%\msagent (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (42241 bytes)
%WinDir%\assembly (4 bytes)
%System%\config (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (389 bytes)
%System%\wbem (388 bytes)
%System%\drivers (192 bytes)
%System%\drivers\hitmanpro37.sys (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%WinDir%\Prefetch (964 bytes)
%Documents and Settings%\%current user% (8 bytes)
%WinDir%\Installer (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\All Users\Application Data (8 bytes)
%WinDir%\security (4 bytes)
%WinDir%\Web (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
C:\Perl\html (8 bytes)
%Documents and Settings%\LocalService (4 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process jrt.exe:632 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delorphans.bat (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\chrome.bat (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\get.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delfolders.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ev_clear.bat (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE.manifest (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ask.bat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (402 bytes)

The process QuickTuneUp.exe:1564 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (129151 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (1071 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\JRT[1].exe (488765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\HitmanPro[1].exe (4554091 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\HitmanPro[1].exe (0 bytes)

The process %original file name%.exe:1676 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (129227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\PPPPPP[1].txt (489073 bytes)

Registry activity

The process hitman.exe:2004 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\HitmanPro]
"MiniportHash" = "6D 47 31 94 A2 50 F6 1E 1C F2 E8 22 8F AC 58 B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\HitmanPro]
"UID" = "{D5C304AC-D486-42E4-90BE-8A66324F5B06}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\HitmanPro]
"BannerURL" = "http://hitmanpro.linktrackr.com/blackfriday13"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\HitmanPro]
"BannerID" = "blackfriday13-en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 98 AA 96 0B 25 A0 B8 D7 46 39 5B FB BA 85 AB"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 63 66 4B 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\HitmanPro]
"LastCFU" = "2013-11-28 21:17:11"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"

The process taskkill.exe:1696 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 5E D1 81 2A C4 15 78 8A 8A F7 05 C7 FA 1A 92"

The process taskkill.exe:1776 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 7E A1 2A ED E2 7E C0 58 B5 45 07 52 33 EB E9"

The process fsutil.exe:1612 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 D2 ED DC 52 E2 EA 4E 43 8E 2A D2 E1 CE E4 ED"

The process ping.exe:1208 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 91 20 F3 98 8D DB 85 C3 99 B4 B4 CE 93 91 3E"

The process jrt.exe:632 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\jrt]
"get.bat" = "get"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 F6 F0 8F 55 5B D4 D7 E4 11 D0 5C 1B F9 0B B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process findstr.exe:1636 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 35 75 99 84 2B CA 55 FF 68 E9 83 2A D9 A4 11"

The process QuickTuneUp.exe:1564 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Directory\Background\shell\Restart Quick Tune Up\command]
"(Default)" = "%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 78 A5 45 CF 01 F0 4A 93 34 FE 54 BD D1 71 80"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Directory\Background\shell\Reconnect to SMPC Now\command]
"(Default)" = "iexplore www.SMPCNOW.com"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process NIRCMD.DAT:600 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF BD 71 4B E5 8C A5 0C FF 73 52 E4 8B 86 54 98"

The process rundll32.exe:672 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 0B 68 62 C5 7A C5 9D 45 97 E5 F8 7D BC 80 12"

The process %original file name%.exe:1676 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 EF 0A 01 17 EA EA 3A 17 B3 F4 CA 93 68 B6 2B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process reg.exe:1044 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 93 D6 95 C4 51 B8 43 E9 9E 13 62 D8 22 CC 7D"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MSIServer]
"(Default)" = "Service"

Network activity (URLs)

URL IP
hxxp://thisisudax.org/downloads/JRT.exe (Malicious)173.201.97.1
hxxp://cloud.hitmanpro.com/banner.aspx?lc=en&v=3.7.8.208&c=&lic=free77.222.64.235
hxxp://www.surfright.nl/images/banners/blackfriday13en.png87.249.108.118
hxxp://files.surfright.nl/HitmanPro.exe (Malicious)213.189.27.250
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt
www.google.com173.194.43.84
www.download.windowsupdate.com63.216.54.152


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following kernel-mode hooks:

NtAllocateVirtualMemory

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    hitman.exe:2004
    taskkill.exe:1696
    taskkill.exe:1776
    fsutil.exe:1612
    ping.exe:1208
    jrt.exe:632
    findstr.exe:1636
    QuickTuneUp.exe:1564
    NIRCMD.DAT:600
    rundll32.exe:672
    %original file name%.exe:1676
    reg.exe:1044

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %System%\config\SysEvent.Evt (824 bytes)
    %Program Files%\Wireshark (196 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    %Program Files%\Windows Media Player (16 bytes)
    %WinDir%\WinSxS (212 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
    %WinDir%\repair (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %WinDir%\Temp (4 bytes)
    %Documents and Settings%\All Users\Application Data\HitmanPro\Banner.bin (5825 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
    %Program Files%\Internet Explorer (4 bytes)
    %System%\wbem\Logs\wbemcore.log (248 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (576 bytes)
    %Documents and Settings%\All Users\Application Data\HitmanPro\Remnants.bin (2500 bytes)
    C:\Perl\lib (40 bytes)
    %WinDir%\Help (248 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\Default User (540 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %WinDir%\Microsoft.NET (4 bytes)
    %WinDir%\$hf_mig$ (392 bytes)
    %WinDir%\SoftwareDistribution (4 bytes)
    C:\$Directory (28 bytes)
    %Program Files%\Movie Maker (4 bytes)
    %Program Files%\Windows NT (4 bytes)
    %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp (4 bytes)
    C:\Perl\eg (4 bytes)
    %WinDir%\msagent (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
    %Documents and Settings%\NetworkService (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (42241 bytes)
    %WinDir%\assembly (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (389 bytes)
    %System%\drivers (192 bytes)
    %System%\drivers\hitmanpro37.sys (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
    %WinDir%\Prefetch (964 bytes)
    %WinDir%\Installer (8 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
    %WinDir%\ime (4 bytes)
    %WinDir%\security (4 bytes)
    %WinDir%\Web (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    C:\Perl\html (8 bytes)
    %Documents and Settings%\LocalService (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (84 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (878 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\delorphans.bat (85 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (174 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\chrome.bat (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (86 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1682 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (107 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (194 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\get.bat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (376 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\delfolders.bat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (119 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\ev_clear.bat (732 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (79 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (959 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (488 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (178 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (119 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (107 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (109 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (98 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (132 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (967 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE.manifest (565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\ask.bat (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (370 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (260 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (129 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (78 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (402 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (129151 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (1071 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\JRT[1].exe (488765 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\HitmanPro[1].exe (4554091 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)
    %Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (129227 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\PPPPPP[1].txt (489073 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps