Trojan.SalityStub.F_ff706af86a
Trojan.SalityStub.F (BitDefender), Virus:Win32/Sality.AT (Microsoft), Trojan.Win32.Small.cox (Kaspersky), Virus.Win32.Sality.at!dam (v) (VIPRE), Win32.Sector.22 (DrWeb), Trojan.SalityStub.F (B) (Emsisoft), PWS-Zbot.gen.yh (McAfee), W32.Sality.AE (Symantec), Trojan.Win32.Salrenmetie (Ikarus), Trojan.SalityStub.F (FSecure), Agent.12.C (AVG), Win32:Sality (Avast), PE_SALITY.SM-O (TrendMicro), Trojan.SalityStub.F (AdAware), Virus.Win32.Sality.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: ff706af86a741943dd821218d2aeceda
SHA1: c7a8b30e0c8b5d6d757d9200372e49613f53d6e9
SHA256: e1e6299c9a327214d661ac9570f65d3c75d76996524ebb9ac8b8255481008171
SSDeep: 1536:IBEisD7SjhB/0kbkpg4FduChGYld3T1Hc6lnJJn3HwDcHUoY:IBZsD7SjLMpfFdfl118OJt3HqXo
Size: 99328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-05 02:25:00
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3884
taskhost.exe:252
Explorer.EXE:284
Dwm.exe:528
TPAutoConnect.exe:2068
conhost.exe:2076
conhost.exe:3452
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winudhaw.exe (561 bytes)
C:\Windows\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (20 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (408 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (176 bytes)
C:\vvfkt.exe (99 bytes)
C:\autorun.inf (369 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ntixah.exe (561 bytes)
The Trojan deletes the following file(s):
C:\Windows\13f4ba (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winudhaw.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ntixah.exe (0 bytes)
Registry activity
The process %original file name%.exe:3884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m4_0" = "0"
"m3_0" = "17001001"
[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"
[HKCU\Software\Stvncyfrlda]
"m2_0" = "6856"
[HKCU\Software\Stvncyfrlda\168128873]
"-737866757" = "4B278A835FE92988F90F7C3CA41943E954C2A3E5F485BE927C19BB1BE3A4606DACD30115F9A5DFCC9A54A9CBC970B3F5552946D7DCA330D47DB444FE33A74E4F3934F853C78E0DC6D9EEE227165CFE1E5F4DF951B4E949E9FD58BC2F492F3A5FE47491DA52289271F36B555070B2FE3D61BD99AA79CD32B302250EFC3B19E5BA5983117001ACB3CC3315F4E8A6E14E431831F637A045E8B2E9D85E4FE4BB17441E184C36D2CE87AFD142CC126B0B44025A35802EFB7597B96B29F209B5C200ABEF3AD8D9E89ED2BD716737EA3531C319A48A0859A5D987B1F40AD720852CD4BAEEFF0335C753F5B39E9B397C689313439635D8144E674989A2B7C1E13F1E2F2E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "96"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_0" = "2828363382"
[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F736C776F6366642F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "67"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
A firewall is disabled:
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| dad59f5f2aeebab19195606c3adece5d | c:\vvfkt.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 69632 | 66048 | 5.53678 | 7c1d96cd6c642cef6f9a93398ac5e970 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 764
0fd1d5b37f2181ebedd1e9470041a4bd
28cb49fcebd7d430cd7e2a3081f1d40f
ee2d5e8d9a3cccec9e6779c45f750613
881545ecffa07303b951f6781830f195
f764c6b1ba500099e1cbcc975abe0420
7e311ab31b60b15830b51810c1264620
0520dee520620ed5b18c66db0610c6fd
9ec548ead927943185add7b0a599620a
380cd2be1830744fba36932742925c72
3081600875766398131f088d8902aeca
c6dffa71465a49ba06337b8aa4132c28
ed62de53ee02ff6d1ad943426c2a9d1a
ae5c2908cf7108e2cf9b6ac0e2c78f9b
6d0a423e96e8bbc26ff3e170c37eab45
570d9133391888b737e4ed8237b5ec7c
6fd30921621262c494716d675c4eaf35
3f68f43cfe3898062be106adb6c4aae7
7557c6e39adbd55fdc0d6bf363ee5605
2e6d717bbe55a36bda43ff1436282980
7e2d1db9f08fc5d180c2825ba77a79e0
7e1b85110747aebeec43825bae93dce0
0815861a0c3c467ddfbdc2d4495531a7
e63fc293a650d310e06f54c5b455cd51
94881345994fb9dbd6494157bc41384b
0fc6b457f337f01ccce06a3e97f63973
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
KERNEL32.dll
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
f706af86a741943dd821218d2aeceda.exe
hXXp://slwocfd/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
@s.gif
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
h.rdla&
mH.MN8
T4.At%
S.twa
.klkjw:9fqwiBumW
.sysa
Zc.pBTa
~%s:*:yd:
.!.VF*
.d&?%x=
GUrlA'
"\'Web%w}
HTTP)s'PS
2GUARDCMD
o.ENHCDM
wWEBWUPD
MM.PF
%xn'[
>>?456789:;
!"#$%&'()* ,-./4
qn%CXf
UP*dB.PPd@.
%FoAN-x
ÄEW
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_3884_rwx_00401000_00011000:
KERNEL32.dll
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.text
f706af86a741943dd821218d2aeceda.exe
hXXp://slwocfd/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
@s.gif
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
h.rdla&
mH.MN8
T4.At%
S.twa
.klkjw:9fqwiBumW
.sysa
Zc.pBTa
~%s:*:yd:
.!.VF*
.d&?%x=
GUrlA'
"\'Web%w}
HTTP)s'PS
2GUARDCMD
o.ENHCDM
wWEBWUPD
MM.PF
%xn'[
>>?456789:;
!"#$%&'()* ,-./4
qn%CXf
UP*dB.PPd@.
%FoAN-x
ÄEW
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_3884_rwx_00420000_010BA000:
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.text
KERNEL32.dll
.reloc
USER32.dll
h.rdata
H.data
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
KERNEL32.DLL
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
%c%d_%d
purity_control_%x
.adata
M_%d_
?456789:;<=
!"#$%&'()* ,-./0123
mongC:\Windows\
C:\Windows\hywjfubtsnl.log
hXXp://slwocfd/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
C:\Windows\system32\drivers\hkpnln.sys
13078491536
SHELL32.DLL
ShellExecuteA
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
taskhost.exe_252_rwx_00290000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_3884_rwx_03380000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_3884_rwx_03490000_00001000:
u%original file name%.exeM_3884_
taskhost.exe_252_rwx_002A0000_00001000:
utaskhost.exeM_252_
Explorer.EXE_284_rwx_01DA0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Explorer.EXE_284_rwx_02CD0000_00001000:
uexplorer.exeM_284_
Dwm.exe_528_rwx_01040000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Dwm.exe_528_rwx_010A0000_00001000:
udwm.exeM_528_
TPAutoConnect.exe_2068_rwx_00260000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
conhost.exe_2076_rwx_000D0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
TPAutoConnect.exe_2068_rwx_00550000_00001000:
utpautoconnect.exeM_2068_
conhost.exe_2076_rwx_000E0000_00001000:
uconhost.exeM_2076_
conhost.exe_3452_rwx_00220000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
conhost.exe_3452_rwx_00230000_00001000:
uconhost.exeM_3452_
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winudhaw.exe (561 bytes)
C:\Windows\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (20 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (408 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (176 bytes)
C:\vvfkt.exe (99 bytes)
C:\autorun.inf (369 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ntixah.exe (561 bytes) - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
