Trojan-Downloader.Win32.Genome.fnok (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR, GenericAutorunWorm.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Banker, Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c1c13dece02211e9d3a20e9c6a305201
SHA1: 93aaac892d041adfe207da650fae91357dbd32aa
SHA256: 0088f6211abf2e5d633fb2690bc3032317baf65068cb8067288eff59fbff902c
SSDeep: 12288:hhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aNptt:vRmJkcoQricOIQxiZY1iaNvt
Size: 662577 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
hitman.exe:2004
taskkill.exe:1696
taskkill.exe:1776
fsutil.exe:1612
ping.exe:1208
jrt.exe:632
findstr.exe:1636
QuickTuneUp.exe:1564
NIRCMD.DAT:600
rundll32.exe:672
%original file name%.exe:1676
reg.exe:1044
File activity
The process hitman.exe:2004 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%System%\config\SysEvent.Evt (824 bytes)
%Program Files%\Wireshark (196 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Program Files%\Windows Media Player (16 bytes)
%WinDir%\WinSxS (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%WinDir%\repair (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%WinDir%\Temp (4 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Banner.bin (5825 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%System%\wbem\Logs\wbemcore.log (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (576 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Remnants.bin (2500 bytes)
%Documents and Settings%\%current user%\Local Settings (16 bytes)
C:\Perl\lib (40 bytes)
%WinDir%\Help (248 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\Default User (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%WinDir%\$hf_mig$ (392 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
C:\$Directory (28 bytes)
%Program Files%\Movie Maker (4 bytes)
%Program Files%\Windows NT (4 bytes)
%System% (15036 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt (36 bytes)
%System%\config\systemprofile (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp (4 bytes)
C:\Perl\eg (4 bytes)
%WinDir%\msagent (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (42241 bytes)
%WinDir%\assembly (4 bytes)
%System%\config (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (389 bytes)
%System%\wbem (388 bytes)
%System%\drivers (192 bytes)
%System%\drivers\hitmanpro37.sys (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%WinDir%\Prefetch (964 bytes)
%Documents and Settings%\%current user% (8 bytes)
%WinDir%\Installer (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\All Users\Application Data (8 bytes)
%WinDir%\security (4 bytes)
%WinDir%\Web (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
C:\Perl\html (8 bytes)
%Documents and Settings%\LocalService (4 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
The process jrt.exe:632 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delorphans.bat (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\chrome.bat (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\get.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delfolders.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ev_clear.bat (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE.manifest (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ask.bat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (402 bytes)
The process QuickTuneUp.exe:1564 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (129151 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (1071 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\JRT[1].exe (488765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\HitmanPro[1].exe (4554091 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\HitmanPro[1].exe (0 bytes)
The process %original file name%.exe:1676 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (129227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\PPPPPP[1].txt (489073 bytes)
Registry activity
The process hitman.exe:2004 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\HitmanPro]
"MiniportHash" = "6D 47 31 94 A2 50 F6 1E 1C F2 E8 22 8F AC 58 B1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\HitmanPro]
"UID" = "{D5C304AC-D486-42E4-90BE-8A66324F5B06}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\HitmanPro]
"BannerURL" = "http://hitmanpro.linktrackr.com/blackfriday13"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\HitmanPro]
"BannerID" = "blackfriday13-en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 98 AA 96 0B 25 A0 B8 D7 46 39 5B FB BA 85 AB"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 63 66 4B 08"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\HitmanPro]
"LastCFU" = "2013-11-28 21:17:11"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"
The process taskkill.exe:1696 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 5E D1 81 2A C4 15 78 8A 8A F7 05 C7 FA 1A 92"
The process taskkill.exe:1776 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 7E A1 2A ED E2 7E C0 58 B5 45 07 52 33 EB E9"
The process fsutil.exe:1612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 D2 ED DC 52 E2 EA 4E 43 8E 2A D2 E1 CE E4 ED"
The process ping.exe:1208 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 91 20 F3 98 8D DB 85 C3 99 B4 B4 CE 93 91 3E"
The process jrt.exe:632 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\jrt]
"get.bat" = "get"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Templates" = "%Documents and Settings%\All Users\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 F6 F0 8F 55 5B D4 D7 E4 11 D0 5C 1B F9 0B B0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process findstr.exe:1636 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 35 75 99 84 2B CA 55 FF 68 E9 83 2A D9 A4 11"
The process QuickTuneUp.exe:1564 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\Directory\Background\shell\Restart Quick Tune Up\command]
"(Default)" = "%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 78 A5 45 CF 01 F0 4A 93 34 FE 54 BD D1 71 80"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Directory\Background\shell\Reconnect to SMPC Now\command]
"(Default)" = "iexplore www.SMPCNOW.com"
The Worm modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process NIRCMD.DAT:600 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF BD 71 4B E5 8C A5 0C FF 73 52 E4 8B 86 54 98"
The process rundll32.exe:672 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 0B 68 62 C5 7A C5 9D 45 97 E5 F8 7D BC 80 12"
The process %original file name%.exe:1676 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 EF 0A 01 17 EA EA 3A 17 B3 F4 CA 93 68 B6 2B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm modifies the IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process reg.exe:1044 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 93 D6 95 C4 51 B8 43 E9 9E 13 62 D8 22 CC 7D"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MSIServer]
"(Default)" = "Service"
Network activity (URLs)
URL | IP |
---|---|
hxxp://thisisudax.org/downloads/JRT.exe (Malicious) | 173.201.97.1 |
hxxp://cloud.hitmanpro.com/banner.aspx?lc=en&v=3.7.8.208&c=&lic=free | 77.222.64.235 |
hxxp://www.surfright.nl/images/banners/blackfriday13en.png | 87.249.108.118 |
hxxp://files.surfright.nl/HitmanPro.exe (Malicious) | 213.189.27.250 |
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/2796BAE63F1801E277261BA0D77770028F20EEE4.crt | |
www.google.com | 173.194.43.84 |
www.download.windowsupdate.com | 63.216.54.152 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following kernel-mode hooks:
NtAllocateVirtualMemory
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
hitman.exe:2004
taskkill.exe:1696
taskkill.exe:1776
fsutil.exe:1612
ping.exe:1208
jrt.exe:632
findstr.exe:1636
QuickTuneUp.exe:1564
NIRCMD.DAT:600
rundll32.exe:672
%original file name%.exe:1676
reg.exe:1044
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%System%\config\SysEvent.Evt (824 bytes)
%Program Files%\Wireshark (196 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Program Files%\Windows Media Player (16 bytes)
%WinDir%\WinSxS (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%WinDir%\repair (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%WinDir%\Temp (4 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Banner.bin (5825 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b4.dat (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%System%\wbem\Logs\wbemcore.log (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (576 bytes)
%Documents and Settings%\All Users\Application Data\HitmanPro\Remnants.bin (2500 bytes)
C:\Perl\lib (40 bytes)
%WinDir%\Help (248 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\Default User (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%WinDir%\$hf_mig$ (392 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
C:\$Directory (28 bytes)
%Program Files%\Movie Maker (4 bytes)
%Program Files%\Windows NT (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp (4 bytes)
C:\Perl\eg (4 bytes)
%WinDir%\msagent (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (42241 bytes)
%WinDir%\assembly (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (389 bytes)
%System%\drivers (192 bytes)
%System%\drivers\hitmanpro37.sys (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%WinDir%\Prefetch (964 bytes)
%WinDir%\Installer (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%WinDir%\ime (4 bytes)
%WinDir%\security (4 bytes)
%WinDir%\Web (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
C:\Perl\html (8 bytes)
%Documents and Settings%\LocalService (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPPATHS.dat (84 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.bat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PREAPPROVED_clsid.dat (878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNT.E_E (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delorphans.bat (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\serviceseventlog.cfg (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x64.cfg (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\defaultscope.cfg (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\chrome.bat (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IEwhtlst.cfg (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFpluginREG.dat (353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WGET.DAT (1682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTWIN.LOC (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHRregkey_x86.cfg (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x86.dat (345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badLNK.cfg (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_extensions.cfg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\get.bat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_name.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x86.reg (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERDNTDOS.LOC (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\delfolders.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues.bat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERScom.cfg (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_files.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\datamngr_del.reg (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit64_null.reg (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\iexplore.bat (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\prelim.bat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ev_clear.bat (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TYPELIB_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\modules.dat (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_keys.cfg (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\INTERFACE_clsid.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_software.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CLSID_clsid.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_microsoft.cfg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askservices.dat (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ELEVATIONPOLICY_clsid.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_and_hklm_allow.cfg (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhklm_software_classes.cfg (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGISTRYUSERSID.cfg (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IFEO.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE (959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x64.dat (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x64.dat (488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\moduleservices.dat (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFbrowsermngr.dat (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFplugins.dat (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FF_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\PRODUCTS.dat (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.LOC (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFregkey_x86.dat (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SED.DAT (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x86.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\appinit_null.reg (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\medfos.bat (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\README.TXT (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHOICE.DAT (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\IE_open_x64.reg (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\S1518COMPONENTS.dat (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFwhtlist.cfg (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UpgradeCodes.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregvalue_x64.dat (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWCLSID.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERSstart.cfg (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\erunt\ERUNT.EXE.manifest (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\searchlnk.bat (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\sednewline.txt (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhkcu_software_appdatalow.cfg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CUT.DAT (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badFOLDERS.cfg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\EXT.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\ask.bat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\WOW6432NODE.dat (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFextensions.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXML.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\services.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TRACING.dat (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\clean_shortcut.vbs (370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\MENUEXT.dat (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FWPolicy.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\REGhcr.cfg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badvalues.cfg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askregkey_x86.dat (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFXPI.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\TDL4.bat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\browsermngr_values.cfg (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\misc.bat (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPID_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SHORTCUT.DAT (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x64.reg (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\BHO_clsid.dat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NOTIFY.dat (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\NIRCMD.DAT (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\FFprefs.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x64.cfg (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\UNINSTALL.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\currentmd5.txt (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\STATS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\JRT.bat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\SETTINGS_clsid.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\runvalues_x86.cfg (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\badAPPINIT.dat (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\firefox.bat (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\askCLSID.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrt\CHR_open_x86.reg (402 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\jrt.exe (129151 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.ini (1071 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\JRT[1].exe (488765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\HitmanPro[1].exe (4554091 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\hitman.exe (1192518 bytes)
%Documents and Settings%\All Users\Application Data\QuickTuneUp\QuickTuneUp.exe (129227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\PPPPPP[1].txt (489073 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.