Trojan.GenericKDV.1311723 (BitDefender), Trojan:Win32/Dynamer!dtc (Microsoft), Worm.Win32.Shakblades.qib (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.GenericKDV.1311723 (B) (Emsisoft), Artemis!044DE297A0C0 (McAfee), Trojan.Gen (Symantec), Worm.Win32.Shakblades (Ikarus), Trojan.GenericKDV.1311723 (FSecure), Inject.BYWV (AVG)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 044de297a0c023d939300d84e95074ee
SHA1: f8b9310d7d3df883b1a42dbb7028206be2e86dc4
SHA256: fa249945664b5447ca33862f6bb1dca03dcf1370fc49e15cc852eae5bfb6adba
SSDeep:
Size: 247710 bytes
File type: broken
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftWindowsShortcutfile
Company: no certificate found
Created at: 2013-09-30 16:34:07
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
044de297a0c023d939300d84e95074ee.exe:816
File activity
The process 044de297a0c023d939300d84e95074ee.exe:816 makes changes in a file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0 (24576 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak (58342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML (25574 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.done (0 bytes)
Registry activity
The process 044de297a0c023d939300d84e95074ee.exe:816 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyPort" = "1755"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyExclude" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows Media\WMSDK\Namespace]
"DTDFile" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"
[HKCU\Software\Microsoft\Windows Media\WMSDK\Namespace]
"LocalDelta" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyName" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyExclude" = ""
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyPort" = "80"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyName" = ""
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyBypass" = "0"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyBypass" = "0"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyName" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyExclude" = ""
[HKCU\Software\Microsoft\Windows Media\WMSDK\General]
"UniqueID" = "{53279927-02F5-4CF5-B0F6-5D3237CAD393}"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyStyle" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 22 D3 B1 5A 0C E0 76 ED FA 91 A8 81 22 49 B3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows Media\WMSDK\General]
"ComputerName" = "%ComputerName%"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyBypass" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyStyle" = "0"
[HKCU\Software\Microsoft\Windows Media\WMSDK\Namespace]
"RemoteDelta" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyPort" = "554"
[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyStyle" = "0"
[HKCU\Software\Microsoft\Windows Media\WMSDK\General]
"VolumeSerialNumber" = "1886890347"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows Media\WMSDK\Namespace]
"LocalBase" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"
[HKCU\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying]
"InitFlags" = "1"
The Worm deletes the following registry key(s):
[HKCU\Software\Microsoft\MediaPlayer\Health\{C5716CCD-C130-413E-B6BF-D22675CA3CD4}]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\MediaPlayer\Player\Settings]
"Client ID"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
044de297a0c023d939300d84e95074ee.exe:816
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0 (24576 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak (58342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML (53 bytes)