Trojan.SalityStub.F_e65187f5df
Trojan.SalityStub.F (BitDefender), Virus:Win32/Sality.AT (Microsoft), Trojan.Win32.Small.cox (Kaspersky), Virus.Win32.Sality.at!dam (v) (VIPRE), Win32.Sector.22 (DrWeb), PWS-Zbot.gen.yh (McAfee), W32.Sality.AE (Symantec), Trojan.Win32.Salrenmetie (Ikarus), Trojan.SalityStub.F (FSecure), Agent.12.C (AVG), Win32:Sality (Avast), PE_SALITY.SM-O (TrendMicro), Trojan.SalityStub.F (AdAware), Virus.Win32.Sality.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e65187f5df3959035564f5635082300f
SHA1: 90980cfa5d3d0edeafeb0e477149dc4701a70a63
SHA256: 87f7f7e4f1981fb13412225bbbcf5072d33ba64b05c55bb2bca3f4a3a474b232
SSDeep: 1536:BQ7rSQtgSeiofPAArwaEs33y7 nBdt/UYPUuMqy:BQ6QSSjFdaEs3i7 nPdUAUu5
Size: 99328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-05 02:25:00
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3400
taskhost.exe:252
Explorer.EXE:284
Dwm.exe:528
TPAutoConnect.exe:2068
conhost.exe:2076
conhost.exe:3448
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (52 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (840 bytes)
C:\obgbwx.pif (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winiwktf.exe (561 bytes)
C:\autorun.inf (273 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wyooc.exe (561 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winiwktf.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wyooc.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014F363_Rar (0 bytes)
C:\Windows\13f508 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0014F363_Rar\wincheck.exe (0 bytes)
Registry activity
The process %original file name%.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F736C776F6366642F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Dropped PE files
| MD5 | File path |
|---|---|
| d6e82d590ccdf558af56da81992e00d8 | c:\obgbwx.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 69632 | 66048 | 5.53525 | 7029355edb554d47a416b3fad7a3d69c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 257
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
KERNEL32.dll
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
65187f5df3959035564f5635082300f.exe
hXXp://slwocfd/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
@s.gif
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_3400_rwx_00401000_00011000:
(same strings as the .text section above)
%original file name%.exe_3400_rwx_00520000_010BA000:
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.text
KERNEL32.dll
.reloc
USER32.dll
h.rdata
H.data
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
KERNEL32.DLL
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
%c%d_%d
purity_control_%x
.adata
M_%d_
?456789:;<=
!"#$%&'()* ,-./0123
mongC:\Windows\
C:\Windows\hywjfubtsnl.log
hXXp://slwocfd/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
C:\Windows\system32\drivers\hlloin.sys
13081774053
SHELL32.DLL
ShellExecuteA
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
taskhost.exe_252_rwx_00290000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_3400_rwx_017A0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_3400_rwx_017B0000_00001000:
u%original file name%.exeM_3400_
taskhost.exe_252_rwx_002A0000_00001000:
utaskhost.exeM_252_
Explorer.EXE_284_rwx_01DA0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Explorer.EXE_284_rwx_02CD0000_00001000:
uexplorer.exeM_284_
Dwm.exe_528_rwx_01040000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Dwm.exe_528_rwx_010A0000_00001000:
udwm.exeM_528_
TPAutoConnect.exe_2068_rwx_00260000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
conhost.exe_2076_rwx_000D0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
TPAutoConnect.exe_2068_rwx_00550000_00001000:
utpautoconnect.exeM_2068_
conhost.exe_2076_rwx_000E0000_00001000:
uconhost.exeM_2076_
conhost.exe_3448_rwx_00070000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
conhost.exe_3448_rwx_00080000_00001000:
uconhost.exeM_3448_
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (52 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (840 bytes)
C:\obgbwx.pif (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winiwktf.exe (561 bytes)
C:\autorun.inf (273 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wyooc.exe (561 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.