Win32.Sality.3_a6429bbc5f

by malwarelabrobot on July 25th, 2015 in Malware Descriptions.

Trojan.Win32.Agentb.aanb (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Swrort.3.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: a6429bbc5f3fb4d1bac655df954b0841
SHA1: 991c5611085bb7d087a9edbe0278e5ed4719f05a
SHA256: 70f83678819fb8f941bf540c0b65930509957548f2917d345e38574ce99e17ba
SSDeep: 12288:zTyjXW 48qWywrU4kGFezOAVuJ5PIpww7F5DO3HYff5igVT6WSg:vIXW/8yw1ez54lIRF5SXYH5DVWWH
Size: 758427 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-01-18 16:44:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: WormAutorun
Description: A worm that spreads via removable drives. It copies its executable to every removable drive and writes an "autorun.inf" that points at the copy, so the file is executed when the drive is opened in Windows Explorer on a system where AutoRun is still enabled for removable media.
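
The autorun.inf mechanism described above, as an added example that is not part of the report and not code from the sample: a tolerant parser for the file, the directives that actually cause execution, and the heuristics a triage script would apply to the copy an autorun worm leaves on a removable drive. The sample file is constructed; the target name rundll32.exe is taken from the dropped-file name in this report, and the list of impersonated system binaries is an assumption.

```python
"""Parse an autorun.inf and list what it would launch.

Added example for this write-up, not code from the sample or the Lavasoft report.
SAMPLE_AUTORUN_INF is constructed; its target is named rundll32.exe because that
is what this sample calls its dropped copy."""
import re
from typing import List, Tuple

# 'open' and 'shellexecute' fire under AutoRun/AutoPlay; shell\<verb>\command
# fires when that verb is chosen, which includes the default double-click verb.
EXEC_DIRECTIVES = ("open", "shellexecute")
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Names an autorun worm borrows so its dropped copy looks like Windows (assumed list).
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

SAMPLE_AUTORUN_INF = r"""
junk before the header, as worm-written files often have
[AutoRun]
;comment
Open=rundll32.exe
shell\open\Command=rundll32.exe
shell\explore\command=rundll32.exe
ShellExecute=rundll32.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
UseAutoPlay=1
"""


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs from the [autorun] section, in file order.
    Tolerates junk before the header, ';' comments, mixed case and repeated keys."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def launch_targets(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(directive, command) for every directive that executes something."""
    return [(k, v) for k, v in pairs if k in EXEC_DIRECTIVES or VERB_COMMAND_RE.match(k)]


def basename(command: str) -> str:
    """Program name from a command line; honours a quoted first token."""
    cmd = command.strip()
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split()[0] if cmd else "")
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(pairs: List[Tuple[str, str]]) -> List[str]:
    """Heuristics: a system-binary name launched from the drive itself, a
    shell32.dll icon that makes the drive look ordinary, and AutoPlay action
    text that mimics Windows' own 'Open folder to view files' choice."""
    reasons, directives = [], dict(pairs)
    for directive, command in launch_targets(pairs):
        if basename(command) in SYSTEM_BINARIES:
            reasons.append(f"{directive} runs '{command}': system binary name outside %SystemRoot%")
    if "shell32.dll" in directives.get("icon", "").lower():
        reasons.append("icon borrowed from shell32.dll to look like a normal drive")
    if "folder" in directives.get("action", "").lower():
        reasons.append("AutoPlay action text mimics 'Open folder to view files'")
    return reasons
```

Run it over each removable drive's root. The interesting finding is not the presence of autorun.inf but which directives point at an executable on the drive itself; the shell\<verb>\command entries are listed separately because they hijack the drive's Explorer verbs rather than relying on AutoPlay.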


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1736

The Trojan injects its code into the following process(es):

rundll32.exe:2060
Explorer.EXE:888

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00043506_Rar\%original file name%.exe (5441 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)

The process rundll32.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0004412C_Rar\rundll32.exe (5441 bytes)

Registry activity

The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Aas]
"a4_116" = "831618036"
"a4_157" = "1125551997"
"a3_149" = "1051199068"
"a4_156" = "1118382876"
"a4_299" = "2143567179"
"a3_148" = "1044210237"
"a2_180" = "1290437227"
"a4_159" = "1139890239"
"a2_182" = "1304773289"
"a2_183" = "1311956826"
"a2_184" = "1319123775"
"a2_185" = "1326292408"
"a2_186" = "1333459728"
"a4_158" = "1132721118"
"a2_188" = "1347785995"
"a2_189" = "1354956926"
"a3_263" = "1902212494"
"a3_223" = "1581849174"
"a1_185" = "3594249814"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a1_184" = "826773243"
"a2_255" = "1828120514"
"a1_183" = "3436965252"
"a1_182" = "3750646165"
"a3_193" = "1400620808"
"a1_181" = "444652748"
"a1_180" = "674544493"
"a4_298" = "2136398058"
"a3_78" = "542637991"
"a3_79" = "549622726"
"a4_206" = "1476838926"
"a3_72" = "533156193"
"a3_73" = "506656128"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Aas]
"a3_71" = "525712590"
"a3_76" = "561686245"
"a3_77" = "568613636"
"a3_74" = "513568291"
"a3_75" = "554631746"
"a4_181" = "1297610901"
"a4_218" = "1562868378"
"a4_219" = "1570037499"
"a4_216" = "1548530136"
"a4_217" = "1555699257"
"a4_214" = "1534191894"
"a4_215" = "1541361015"
"a4_212" = "1519853652"
"a4_213" = "1527022773"
"a4_210" = "1505515410"
"a4_211" = "1512684531"
"a3_152" = "1106310065"
"a3_153" = "1080268752"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a3_156" = "1135231285"
"a3_157" = "1108731220"
"a3_154" = "1087178867"
"a3_155" = "1127787666"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a2_59" = "422984450"
"a2_58" = "415802968"
"a2_53" = "379972038"
"a2_52" = "372799793"
"a2_51" = "365619674"
"a2_50" = "358449583"
"a2_57" = "408634468"
"a2_56" = "401466235"
"a2_55" = "394299729"
"a2_54" = "387136433"
"a3_290" = "2062081995"
"a2_187" = "1340623924"
"a4_251" = "1799449371"
"a4_55" = "394301655"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"
"a4_52" = "372794292"

[HKCU\Software\Aas\695404737]
"50183847" = "83AD022F944CCF21DDECD41871254667172BA39F3E949513F4CC29B07060AC534912E5BCB155880C2C4326E6FB83E6FA099D4219F6885291D527824C5507229614A07CE2AF035D97263FF7F26AD2ACC9D5D4395D4B8B3109DC5C0C87B31A1505E6E94E08EF20E71B91B96D3856F531DADFD78A894AD6A6C177136C5657B01661"

[HKCU\Software\Aas]
"a4_59" = "422978139"
"a4_58" = "415809018"
"a1_248" = "3613613238"
"a3_249" = "1801832560"
"a1_178" = "359370572"
"a1_179" = "3571262085"
"a1_176" = "1804677856"
"a3_135" = "950830350"
"a1_174" = "1215382954"
"a1_175" = "2386967442"
"a1_172" = "4290965648"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas]
"a1_170" = "2184583479"
"a1_171" = "607069330"
"a4_296" = "2122059816"
"a2_236" = "1691916186"
"a2_237" = "1699084810"
"a2_234" = "1677581729"
"a2_235" = "1684747092"
"a2_232" = "1663232452"
"a2_233" = "1670413532"
"a2_230" = "1648898347"
"a2_231" = "1656064411"
"a3_287" = "2074141334"
"a4_209" = "1498346289"
"a2_238" = "1706249014"
"a2_239" = "1713412824"
"a3_94" = "690598327"
"a3_95" = "698045910"
"a3_96" = "671534665"
"a3_97" = "678453992"
"a3_90" = "662052915"
"a3_91" = "669107282"
"a3_92" = "643004661"
"a3_93" = "649993492"
"a3_209" = "1481480472"
"a3_98" = "685967115"
"a3_99" = "726580138"
"a4_295" = "2114890695"
"a3_282" = "2038692083"
"a3_271" = "1926113414"
"a2_181" = "1297605554"
"a3_254" = "1837822487"
"a1_138" = "262026771"
"a1_139" = "3177427701"
"a3_293" = "2083555628"
"a3_270" = "1918678119"
"a1_159" = "4083213820"
"a1_266" = "793064871"
"a1_267" = "3102854550"
"a1_264" = "3778598213"
"a1_265" = "50174773"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a1_263" = "265058250"
"a1_260" = "2026958904"
"a1_261" = "481241016"
"a3_280" = "1990631473"
"a1_130" = "2126950191"
"a1_268" = "1666662101"
"a1_269" = "1773755316"
"a2_157" = "1125556410"
"a2_156" = "1118385456"
"a2_155" = "1111218358"
"a1_131" = "1693252214"
"a2_153" = "1096868252"
"a2_152" = "1089701247"
"a2_99" = "709742340"
"a2_98" = "702576277"
"a2_97" = "695413740"
"a2_96" = "688241421"
"a2_95" = "681058818"
"a2_94" = "673891358"
"a2_93" = "666726084"
"a2_92" = "659556418"
"a2_91" = "652381760"
"a2_90" = "645224189"
"a4_151" = "1082537271"
"a4_150" = "1075368150"
"a4_153" = "1096875513"
"a4_152" = "1089706392"
"a4_155" = "1111213755"
"a4_154" = "1104044634"
"a1_58" = "3665371554"
"a1_59" = "3383193877"
"a1_56" = "776211010"
"a1_57" = "3096474560"
"a1_54" = "622265903"
"a1_55" = "2017316994"
"a1_52" = "638804490"
"a1_53" = "1560123974"
"a1_50" = "4267342224"
"a1_51" = "2008350609"
"a3_215" = "1524377438"
"a3_214" = "1517454143"
"a3_217" = "1572437008"
"a3_216" = "1565514737"
"a3_211" = "1529532890"
"a3_210" = "1488928187"
"a3_213" = "1510469276"
"a3_212" = "1536445053"
"a3_136" = "991836577"
"a3_219" = "1553446098"
"a3_218" = "1545867443"
"a1_155" = "1495585536"
"a4_208" = "1491177168"
"a1_217" = "27098726"
"a3_275" = "1954659866"
"a3_269" = "1945179076"
"a4_266" = "1906986186"
"a3_43" = "324843106"
"a3_42" = "284237251"
"a3_41" = "277248416"
"a3_40" = "269796609"
"a3_47" = "353765350"
"a3_46" = "313221959"
"a3_45" = "305778468"
"a3_44" = "332278405"
"a1_132" = "3681524841"
"a1_133" = "2096452664"
"a3_49" = "368270520"
"a3_48" = "360822809"
"a1_136" = "3410250205"
"a2_119" = "853128188"
"a1_134" = "632268447"
"a1_135" = "817929245"
"a4_99" = "709742979"
"a4_98" = "702573858"
"a4_280" = "2007353880"
"a2_118" = "845962847"
"a3_274" = "1947600379"
"a1_189" = "2130963411"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a3_109" = "798021476"
"a3_108" = "790966981"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a4_259" = "1856802339"
"a3_245" = "1773304572"
"a1_160" = "1371279971"
"a3_101" = "707522668"
"a3_100" = "733503437"
"a3_103" = "754977070"
"a3_102" = "714511503"
"a3_105" = "769475040"
"a3_104" = "762555713"
"a3_107" = "750493346"
"a3_106" = "742980099"
"a3_284" = "2019045813"
"a2_113" = "810111928"
"a1_250" = "3244944736"
"a2_112" = "802932983"
"a4_264" = "1892647944"
"a1_165" = "2327434187"
"a3_262" = "1861734767"
"a3_70" = "485103791"
"a1_164" = "3744214392"
"a3_297" = "2146049696"
"a2_110" = "788610148"
"a2_117" = "838794346"
"a4_258" = "1849633218"
"a3_285" = "2026624468"
"a2_116" = "831612111"
"a1_169" = "2037227722"
"a2_115" = "824443057"
"a4_263" = "1885478823"
"a1_168" = "4180837862"
"a2_114" = "817276585"
"a2_179" = "1283275188"
"a3_279" = "1983582110"
"a4_252" = "1806618492"
"a3_232" = "1646370241"
"a4_262" = "1878309702"
"a4_253" = "1813787613"
"a4_250" = "1792280250"
"a2_215" = "1541364564"
"a1_222" = "3284626768"
"a2_144" = "1032350863"
"a1_104" = "2211553854"
"a1_221" = "3867268576"
"a1_226" = "140860444"
"a1_227" = "1242290815"
"a1_224" = "3973884712"
"a2_145" = "1039519218"
"a4_256" = "1835294976"
"a1_228" = "154068522"
"a2_217" = "1555696464"
"a3_278" = "2009623423"
"a2_146" = "1046684736"
"a4_257" = "1842464097"
"a4_261" = "1871140581"
"a2_147" = "1053867486"
"a4_254" = "1820956734"
"a2_140" = "1003668759"
"a2_253" = "1813786617"
"a2_141" = "1010851811"
"a2_272" = "1950005683"
"a2_273" = "1957172615"
"a2_270" = "1935655467"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a2_276" = "1978672592"
"a2_142" = "1018016104"
"a2_274" = "1964340469"
"a2_275" = "1971505218"
"a2_278" = "1993024135"
"a2_143" = "1025182016"
"a4_260" = "1863971460"
"a4_297" = "2129228937"
"a2_298" = "2136395577"
"a3_259" = "1873798154"
"a1_246" = "3232512105"
"a3_258" = "1866220523"
"a2_290" = "2079035432"
"a2_291" = "2086207717"
"a2_292" = "2093375459"
"a1_240" = "755317378"
"a2_294" = "2107726256"
"a3_150" = "1092336383"
"a2_296" = "2122058319"
"a2_297" = "2129221520"
"a2_193" = "1383641308"
"a2_192" = "1376474119"
"a2_191" = "1369308376"
"a3_151" = "1099259678"
"a3_133" = "970345548"
"a2_196" = "1405141334"

[HKCU\Software\Aas\695404737]
"35845605" = "476"

[HKCU\Software\Aas]
"a2_194" = "1390817383"
"a2_199" = "1426660191"
"a2_198" = "1419493182"
"a3_116" = "814879197"
"a3_288" = "2048100105"
"a3_117" = "821922428"
"a1_241" = "1093463944"
"a3_114" = "834001179"
"a4_182" = "1304780022"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_180" = "1290441780"
"a3_115" = "807894458"
"a1_89" = "1586180983"
"a1_88" = "803751692"
"a4_184" = "1319118264"
"a4_185" = "1326287385"
"a1_85" = "3909588577"
"a1_84" = "1311025949"
"a1_87" = "1816827822"
"a1_86" = "1403657822"
"a1_81" = "1387330828"
"a1_80" = "3564317705"
"a1_83" = "1132120614"
"a1_82" = "1931154089"
"a3_159" = "1123168790"
"a3_110" = "771902343"
"a2_128" = "917646179"
"a2_129" = "924813704"
"a2_126" = "903315013"
"a2_127" = "910482040"
"a2_124" = "888978979"
"a3_111" = "778955814"
"a2_122" = "874631107"
"a2_123" = "881793651"
"a2_120" = "860296020"
"a2_121" = "867460864"
"a1_67" = "3223544122"
"a1_66" = "3611810380"
"a1_65" = "2815399669"
"a1_64" = "3666968892"
"a1_63" = "2098580106"
"a1_62" = "3507496498"
"a1_61" = "332242240"
"a1_60" = "3182891493"
"a3_138" = "1006335587"
"a3_139" = "979823234"
"a4_162" = "1161397602"
"a4_163" = "1168566723"
"a4_164" = "1175735844"
"a4_165" = "1182904965"
"a1_69" = "283849579"
"a1_68" = "1609745042"
"a1_12" = "1174665665"
"a1_13" = "4076776892"
"a1_10" = "1071546649"
"a1_11" = "2318739959"
"a1_16" = "1472144990"
"a1_17" = "3772702960"
"a1_14" = "4170948361"
"a1_15" = "247433699"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a1_18" = "1449162629"
"a1_19" = "3052690794"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a2_48" = "344126011"
"a2_49" = "351278618"
"a4_140" = "1003676940"
"a2_40" = "286766458"
"a2_41" = "293932015"
"a2_42" = "301100597"
"a2_43" = "308266908"
"a2_44" = "315449677"
"a2_45" = "322613994"
"a2_46" = "329785115"
"a2_47" = "336951251"
"a1_244" = "1930848537"
"a3_203" = "1472066242"
"a4_148" = "1061029908"
"a4_146" = "1046691666"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_48" = "344117808"
"a4_49" = "351286929"
"a4_198" = "1419485958"
"a4_278" = "1993015638"
"a4_137" = "982169577"
"a4_255" = "1828125855"
"a4_136" = "975000456"
"a3_205" = "1452936068"
"a4_147" = "1053860787"
"a3_244" = "1765852765"
"a1_161" = "992511352"
"a3_140" = "986812197"
"a1_163" = "71829920"
"a1_162" = "1779274073"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a1_167" = "1020868498"
"a1_166" = "2095080895"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a3_241" = "1744311672"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a2_175" = "1254589458"
"a2_174" = "1247421669"
"a1_103" = "444958039"
"a2_178" = "1276108325"
"a2_177" = "1268940390"
"a4_292" = "2093383332"
"a4_244" = "1749265524"
"a4_268" = "1921324428"
"a2_176" = "1261772302"
"a1_196" = "1247873550"
"a4_145" = "1039522545"
"a2_171" = "1225927978"
"a3_251" = "1782710578"
"a2_170" = "1218753913"
"a2_283" = "2028857820"
"a3_289" = "2055027624"
"a4_139" = "996507819"
"a1_102" = "1322041885"
"a4_138" = "989338698"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKCU\Software\Aas]
"a1_279" = "474477038"
"a1_278" = "3193507843"
"a2_209" = "1498343068"
"a4_131" = "939154851"
"a1_270" = "1654893587"
"a1_273" = "2548576460"
"a1_272" = "494520747"
"a1_275" = "3849870442"
"a1_274" = "3622541454"
"a3_261" = "1854160076"
"a1_276" = "2952713506"
"a3_228" = "1617824845"
"a1_101" = "2819443449"
"a1_249" = "2178098149"
"a1_237" = "1864736660"
"a4_149" = "1068199029"
"a3_141" = "1027810116"
"a3_247" = "1753789374"
"a2_221" = "1584378282"
"a2_220" = "1577211133"
"a2_223" = "1598711876"
"a2_222" = "1591548121"
"a2_225" = "1613046355"
"a2_224" = "1605880248"
"a2_227" = "1627398089"
"a2_226" = "1620215426"
"a1_229" = "253926568"
"a3_229" = "1624875244"
"a2_207" = "1483999789"
"a3_181" = "1280611004"
"a4_267" = "1914155307"
"a2_88" = "630888401"
"a2_89" = "638057599"
"a3_180" = "1307180573"
"a2_84" = "602206565"
"a2_85" = "609372177"
"a2_86" = "616539373"
"a2_87" = "623721910"
"a2_80" = "573523851"
"a3_34" = "260325067"
"a2_82" = "587874101"
"a2_83" = "595039398"
"a4_124" = "888971004"
"a4_125" = "896140125"
"a1_29" = "2974281407"
"a1_28" = "3228685785"
"a4_120" = "860294520"
"a4_121" = "867463641"
"a4_122" = "874632762"
"a4_123" = "881801883"
"a1_23" = "1393522403"
"a1_22" = "767601794"
"a1_21" = "3088289700"
"a1_20" = "1050578346"
"a1_27" = "889908127"
"a1_26" = "675954575"
"a1_25" = "2922091070"
"a1_24" = "2020335726"
"a4_141" = "1010846061"
"a1_285" = "2524762016"
"a1_286" = "582086917"
"a1_287" = "1974893675"
"a1_280" = "4051501990"
"a3_187" = "1324038386"
"a1_282" = "4201119768"
"a1_283" = "373603973"
"a3_186" = "1316586579"
"a1_288" = "3433708153"
"a1_289" = "2949852375"
"a3_189" = "1371566516"
"a4_269" = "1928493549"
"a2_268" = "1921322667"
"a3_227" = "1610836010"
"a3_291" = "2103079018"
"a3_50" = "341766363"
"a3_51" = "348755322"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a3_58" = "432789459"
"a3_59" = "406145138"
"a1_127" = "826778688"
"a1_126" = "257202663"
"a1_121" = "983010832"
"a1_120" = "3699315254"
"a1_123" = "3193270353"
"a1_122" = "1034703985"
"a4_238" = "1706250798"
"a4_239" = "1713419919"
"a3_267" = "1930746626"
"a1_277" = "1007037611"
"a2_111" = "795775190"
"a4_230" = "1648897830"
"a4_231" = "1656066951"
"a4_232" = "1663236072"
"a4_233" = "1670405193"
"a4_234" = "1677574314"
"a4_235" = "1684743435"
"a4_236" = "1691912556"
"a4_237" = "1699081677"
"a3_178" = "1292673371"
"a3_179" = "1300121082"
"a3_174" = "1264145351"
"a3_175" = "1271198822"
"a3_176" = "1245079705"
"a3_177" = "1252068664"
"a3_170" = "1235731011"
"a3_171" = "1209100002"
"a3_172" = "1216092933"
"a3_173" = "1223671716"
"a2_31" = "222234361"
"a2_30" = "215079550"
"a2_33" = "236579903"
"a2_32" = "229414781"
"a2_35" = "250911624"
"a2_34" = "243747348"
"a2_37" = "265263361"
"a2_36" = "258081705"
"a2_39" = "279598592"
"a2_38" = "272431981"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a3_226" = "1636956043"
"a1_223" = "3859520039"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_71" = "509007591"
"a4_70" = "501838470"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a2_264" = "1892651589"
"a3_266" = "1890133731"
"a1_137" = "2419547187"
"a2_265" = "1899819196"
"a4_86" = "616544406"
"a4_87" = "623713527"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_80" = "573529680"
"a4_81" = "580698801"
"a4_183" = "1311949143"
"a1_225" = "2787314717"
"a4_197" = "1412316837"
"a4_88" = "630882648"
"a4_89" = "638051769"
"a1_158" = "1843825035"
"a2_100" = "716903321"
"a4_196" = "1405147716"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKCU\Software\Aas]
"a1_150" = "1607416066"
"a1_151" = "3179680616"

[HKCU\Software\Aas\695404737]
"7169121" = "144"

[HKCU\Software\Aas]
"a1_153" = "548893316"
"a1_154" = "2159520996"
"a2_102" = "731242157"
"a1_156" = "1985578463"
"a1_157" = "3359480390"
"a1_235" = "939181873"
"a2_229" = "1641731088"
"a1_188" = "647973971"
"a2_103" = "738425008"
"a1_231" = "2225263454"
"a1_230" = "3402199707"
"a1_233" = "1932399933"
"a2_228" = "1634564709"
"a2_104" = "745593561"
"a4_201" = "1440993321"
"a1_247" = "2307822889"
"a1_239" = "2953552820"
"a1_238" = "1066212186"
"a2_105" = "752750083"
"a2_210" = "1505512761"
"a2_211" = "1512678900"
"a2_212" = "1519860719"
"a2_213" = "1527028356"
"a2_214" = "1534194303"
"a2_106" = "759924573"
"a2_216" = "1548528580"
"a1_177" = "792532830"
"a2_218" = "1562862938"
"a2_219" = "1570044721"
"a3_253" = "1830771188"
"a2_107" = "767094226"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Aas]
"a1_187" = "660744334"
"a3_221" = "1600966036"
"a2_267" = "1914147202"
"a2_266" = "1906989801"
"a2_261" = "1871137615"
"a2_260" = "1863964322"
"a2_263" = "1885471404"
"a2_262" = "1878303149"
"a1_96" = "2898512924"
"a2_269" = "1928488662"
"a3_185" = "1309597744"
"a4_275" = "1971508275"
"a1_173" = "4202804954"
"a2_244" = "1749269045"
"a1_232" = "1449218731"
"a3_183" = "1328655230"
"a1_186" = "3570620965"
"a3_222" = "1608410679"
"a4_272" = "1950000912"
"a2_131" = "939148892"
"a2_289" = "2071874398"
"a2_288" = "2064708749"
"a2_130" = "931983020"
"a4_179" = "1283272659"
"a2_282" = "2021700087"
"a2_281" = "2014525281"
"a2_280" = "2007362169"
"a2_287" = "2057545815"
"a2_133" = "953497833"
"a2_285" = "2043192569"
"a2_284" = "2036024833"
"a2_132" = "946331253"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas]
"a2_135" = "967832323"
"a3_182" = "1288058591"
"a4_273" = "1957170033"
"a2_134" = "960664109"
"a1_107" = "3230798553"
"a1_294" = "495494821"
"a2_137" = "982163752"
"a4_178" = "1276103538"
"a1_106" = "3280004727"
"a4_227" = "1627390467"
"a2_136" = "974999533"
"a1_105" = "1766187217"
"a4_265" = "1899817065"
"a4_195" = "1397978595"
"a4_194" = "1390809474"
"a1_98" = "2645168756"
"a1_99" = "317835327"
"a4_191" = "1369302111"
"a4_190" = "1362132990"
"a4_193" = "1383640353"
"a4_192" = "1376471232"
"a1_92" = "479923809"
"a1_93" = "2617805663"
"a1_90" = "91595604"
"a1_91" = "2057942215"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_97" = "2728917768"
"a1_94" = "4239588295"
"a1_95" = "1819763499"
"a2_75" = "537689948"
"a2_74" = "530522317"
"a2_77" = "552013931"
"a2_76" = "544854311"
"a2_71" = "509015248"
"a2_70" = "501835868"
"a2_73" = "523339378"
"a2_72" = "516171623"
"a2_139" = "996516730"
"a2_138" = "989332905"
"a1_100" = "1709071803"
"a2_79" = "566353306"
"a2_78" = "559186802"
"a1_74" = "826027859"
"a1_75" = "1345752357"
"a1_76" = "672156095"
"a1_77" = "4190342251"
"a1_70" = "3035074501"
"a1_71" = "528275036"
"a1_72" = "3427455530"
"a1_73" = "2262222866"
"a4_173" = "1240257933"
"a4_172" = "1233088812"
"a3_129" = "907869896"
"a3_128" = "934369961"
"a1_78" = "3120882369"
"a1_79" = "1365400886"
"a4_175" = "1254596175"
"a4_174" = "1247427054"
"a4_291" = "2086214211"
"a3_123" = "898388146"
"a3_239" = "1730403494"
"a3_122" = "891468819"
"a3_237" = "1682343908"
"a3_236" = "1708909381"
"a3_235" = "1701334818"
"a3_234" = "1660856963"
"a3_233" = "1653814880"
"a3_121" = "850861040"
"a3_231" = "1672935854"
"a3_230" = "1665877263"
"a3_252" = "1789764949"
"a4_288" = "2064706848"
"a3_120" = "843343697"
"a1_109" = "4246980379"
"a2_173" = "1240255714"
"a3_127" = "927442486"
"a4_283" = "2028861243"
"a1_108" = "95649362"
"a4_285" = "2043199485"
"a4_284" = "2036030364"
"a4_287" = "2057537727"
"a3_126" = "886312343"
"a1_0" = "3299283285"
"a2_279" = "2000176374"
"a4_276" = "1978677396"
"a3_125" = "879323508"
"a3_198" = "1436076335"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Aas]
"a3_196" = "1388556397"
"a3_197" = "1429034124"
"a3_194" = "1407548331"
"a3_124" = "905966805"
"a3_192" = "1393042153"
"a1_2" = "3712339979"
"a3_190" = "1345525207"
"a3_191" = "1352568438"
"a1_242" = "3221864939"
"a1_3" = "2620474486"
"a2_172" = "1233085302"
"a3_283" = "2045680914"
"a1_4" = "83174613"
"a4_171" = "1225919691"
"a1_5" = "616562248"
"a4_170" = "1218750570"
"a1_6" = "454656014"
"a4_177" = "1268934417"
"a1_7" = "2401786110"
"a4_176" = "1261765296"
"a3_29" = "224867540"
"a3_28" = "183865525"
"a1_116" = "1707665197"
"a1_117" = "62633481"
"a1_110" = "51788306"
"a1_111" = "1093749887"
"a1_112" = "3546121677"
"a1_9" = "2948510009"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
"a3_26" = "169827315"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a2_81" = "580705329"
"a4_279" = "2000184759"
"a4_203" = "1455331563"
"a3_273" = "1974165848"
"a3_272" = "1966722361"
"a3_238" = "1689270279"
"a4_126" = "903309246"
"a1_190" = "2131824957"
"a4_127" = "910478367"
"a3_277" = "2002712284"
"a3_276" = "1962103485"
"a1_208" = "2980724756"
"a1_209" = "4255338127"
"a3_255" = "1844811446"
"a2_299" = "2143561756"
"a1_204" = "3662124057"
"a1_205" = "2365133812"
"a1_206" = "1109703758"
"a1_207" = "3265381307"
"a1_200" = "4005370983"
"a1_201" = "4222001776"
"a1_202" = "3485218782"
"a1_203" = "1953740722"
"a2_162" = "1161401255"
"a3_286" = "2067091063"
"a3_112" = "785940569"
"a2_163" = "1168558830"
"a4_277" = "1985846517"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Aas]
"a2_160" = "1147051555"
"a4_289" = "2071875969"
"a2_161" = "1154220752"
"a2_258" = "1849634845"
"a2_259" = "1856802957"
"a1_243" = "2295046218"
"a2_254" = "1820951680"
"a4_128" = "917647488"
"a2_256" = "1835300673"
"a2_257" = "1842467574"
"a2_250" = "1792282747"
"a2_251" = "1799441168"
"a2_252" = "1806592737"
"a4_129" = "924816609"
"a4_290" = "2079045090"
"a3_113" = "826942712"
"a2_164" = "1175736875"
"a2_165" = "1182901708"
"a1_284" = "1065187269"
"a2_293" = "2100545231"
"a2_101" = "724077854"
"a2_295" = "2114891818"
"a1_38" = "213872447"
"a1_39" = "3964775043"
"a4_135" = "967831335"
"a4_134" = "960662214"
"a4_133" = "953493093"
"a4_132" = "946323972"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_130" = "931985730"
"a1_30" = "2646907918"
"a1_31" = "3886322426"
"a1_32" = "1167938370"
"a1_33" = "2462240188"
"a1_34" = "2225036716"
"a1_35" = "370808629"
"a1_36" = "2012235382"
"a1_37" = "3198637671"
"a1_297" = "268306996"
"a1_296" = "3081225195"
"a1_295" = "1228629625"
"a4_282" = "2021692122"
"a1_293" = "3932817244"
"a1_292" = "108152601"
"a1_291" = "2838970138"
"a1_290" = "534812079"
"a1_299" = "1720555780"
"a1_298" = "4191090867"
"a2_190" = "1362127713"
"a3_158" = "1115724279"
"a2_197" = "1412311272"
"a4_286" = "2050368606"
"a2_168" = "1204419755"
"a1_251" = "2437167570"
"a2_108" = "774262729"
"a2_109" = "781429634"
"a3_69" = "478110732"
"a3_68" = "470664173"
"a3_65" = "449123976"
"a3_64" = "442135145"
"a3_67" = "497168202"
"a3_66" = "489720619"
"a3_61" = "454263092"
"a3_60" = "413199509"
"a3_63" = "468244982"
"a3_62" = "461186391"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Msversion" = "2007"

[HKCU\Software\Aas]
"a4_229" = "1641728709"
"a4_228" = "1634559588"
"a3_299" = "2126993250"
"a4_223" = "1598713983"
"a4_222" = "1591544862"
"a4_221" = "1584375741"
"a4_220" = "1577206620"
"a2_169" = "1211586988"
"a4_226" = "1620221346"
"a4_225" = "1613052225"
"a4_224" = "1605883104"
"a1_1" = "3386940473"
"a3_169" = "1228156448"
"a3_168" = "1187689857"
"a3_167" = "1180635502"
"a3_166" = "1206680783"
"a3_165" = "1199757484"
"a3_164" = "1192698893"
"a3_163" = "1151697898"
"a3_162" = "1144713035"
"a3_161" = "1171213096"
"a3_160" = "1163777673"
"a4_270" = "1935662670"
"a3_298" = "2119545539"
"a2_28" = "200730413"
"a2_29" = "207899426"
"a2_26" = "186388573"
"a2_27" = "193573873"
"a2_24" = "172061634"
"a2_25" = "179228956"
"a2_22" = "157728729"
"a2_23" = "164896728"
"a2_20" = "143379083"
"a2_21" = "150544185"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a3_195" = "1380982730"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a1_271" = "1947436775"
"a1_220" = "3385766037"
"a3_246" = "1746738975"
"a3_256" = "1818692393"
"a1_198" = "736460622"
"a3_250" = "1809280147"
"a4_200" = "1433824200"
"a2_7" = "50176954"
"a2_6" = "43009444"
"a2_5" = "35841042"
"a2_4" = "28673537"
"a2_3" = "21498089"
"a2_2" = "14346572"
"a2_1" = "7173091"
"a2_0" = "9832"
"a1_236" = "1874456889"
"a2_9" = "64528830"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a1_143" = "466382169"
"a1_142" = "1925498775"
"a1_141" = "3696359475"
"a1_140" = "2537411029"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a1_145" = "1258044847"
"a1_144" = "929369797"
"a3_52" = "389745053"
"a3_295" = "2131608046"
"a2_203" = "1455329146"
"a2_202" = "1448159917"
"a2_201" = "1440992090"
"a2_200" = "1433825508"
"a4_202" = "1448162442"
"a2_206" = "1476846532"
"a2_205" = "1469674079"
"a2_204" = "1462493261"
"a1_129" = "2785209228"
"a1_192" = "2813932438"
"a2_8" = "57360172"
"a3_292" = "2110067853"
"a1_128" = "3648551230"
"a3_87" = "607024862"
"a3_86" = "633131711"
"a3_85" = "626081308"
"a3_84" = "585598461"
"a3_83" = "578085210"
"a3_82" = "571034939"
"a3_81" = "597665944"
"a3_80" = "590099577"
"a2_154" = "1104051136"
"a1_218" = "2704188908"
"a3_294" = "2091003215"
"a1_149" = "4211163692"
"a3_89" = "654610320"
"a3_88" = "614067057"
"a1_125" = "2005880547"
"a4_205" = "1469669805"
"a1_148" = "3095623490"
"a1_124" = "2194599603"
"a4_186" = "1333456506"
"a4_168" = "1204412328"
"a4_187" = "1340625627"
"a3_268" = "1938194341"
"a1_234" = "648264702"
"a4_271" = "1942831791"
"a3_199" = "1409969486"
"a1_281" = "2221510969"
"a4_274" = "1964339154"
"a3_242" = "1718323611"
"a1_194" = "1339167033"
"a1_212" = "2396300066"
"a4_204" = "1462500684"
"a1_245" = "3019955342"
"a4_245" = "1756434645"
"a4_294" = "2107721574"
"a4_169" = "1211581449"
"a4_188" = "1347794748"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 00 0B 30 D0 33 A0 C3 4C 9E 5A 44 79 68 2A FB"

[HKCU\Software\Aas]
"a4_189" = "1354963869"
"a2_125" = "896147817"
"a3_296" = "2139060737"
"a1_147" = "2942956766"
"a3_243" = "1725243962"
"a1_195" = "118090347"
"a3_257" = "1825746760"
"a4_207" = "1484008047"
"a1_146" = "3410060697"
"a3_220" = "1593911669"
"a1_252" = "1640079666"
"a1_8" = "310532945"
"a4_199" = "1426655079"
"a1_257" = "2838101978"
"a1_256" = "2742109519"
"a1_255" = "9689377"
"a1_254" = "4221489504"
"a1_259" = "3968162207"
"a1_258" = "1626282000"
"a4_281" = "2014523001"
"a2_62" = "444493003"
"a2_63" = "451653186"
"a2_60" = "430153701"
"a2_61" = "437320717"
"a2_66" = "473168804"
"a2_67" = "480337451"
"a2_64" = "458821396"
"a2_65" = "465987022"
"a3_240" = "1737322713"
"a2_68" = "487503795"
"a2_69" = "494671922"
"a2_148" = "1061032595"
"a2_149" = "1068202552"
"a1_41" = "1175678420"
"a1_40" = "3112489572"
"a1_43" = "812055938"
"a1_42" = "608335292"
"a1_45" = "2664743508"
"a1_44" = "806423141"
"a1_47" = "3114940119"
"a1_46" = "382469827"
"a1_49" = "1624578760"
"a1_48" = "262978150"
"a4_144" = "1032353424"

[HKCU\Software\Aas]
"a4_142" = "1018015182"
"a4_143" = "1025184303"
"a3_118" = "862924447"
"a3_119" = "869974846"
"a3_202" = "1465015971"
"a1_114" = "2372408656"
"a3_200" = "1416954337"
"a3_201" = "1424013824"
"a3_206" = "1493543975"
"a3_207" = "1500987462"
"a3_204" = "1445500773"
"a1_115" = "1433143777"
"a1_197" = "3384758008"
"a2_166" = "1190069132"
"a3_208" = "1508041977"
"a2_195" = "1397976420"
"a1_199" = "2671395383"
"a4_246" = "1763603766"
"a4_293" = "2100552453"
"a1_262" = "3369308703"
"a3_36" = "241268621"
"a3_37" = "248309804"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_35" = "267899754"
"a3_32" = "212854281"
"a3_33" = "253401768"
"a3_30" = "231909751"
"a3_31" = "205278614"
"a2_167" = "1197235853"
"a3_188" = "1364647189"
"a1_113" = "4024075904"
"a4_241" = "1727758161"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a4_249" = "1785111129"
"a3_184" = "1336102801"
"a2_277" = "1985839394"
"a4_248" = "1777942008"
"a3_130" = "915379051"
"a1_191" = "1167890182"
"a3_131" = "922302346"
"a1_118" = "713380749"
"a3_132" = "962897965"
"a1_119" = "1474186411"
"a2_17" = "121878036"
"a2_16" = "114708582"
"a2_15" = "107543232"
"a2_14" = "100362012"
"a2_13" = "93206883"
"a2_12" = "86027549"
"a2_11" = "78860252"
"a2_10" = "71693673"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a3_134" = "943841519"
"a4_247" = "1770772887"
"a2_19" = "136209430"
"a2_18" = "129046589"
"a4_11" = "78860331"
"a4_10" = "71691210"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a3_137" = "998890944"
"a4_240" = "1720589040"
"a4_160" = "1147059360"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Aas]
"a4_243" = "1742096403"
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a1_193" = "333417848"
"a2_208" = "1491179740"
"a2_151" = "1082529042"
"a4_242" = "1734927282"
"a2_150" = "1075367212"
"a3_281" = "2031109200"
"a2_271" = "1942839550"
"a4_166" = "1190074086"
"a2_286" = "2050373776"
"a4_167" = "1197243207"
"a3_145" = "1022800088"
"a1_219" = "46245038"
"a3_144" = "1015749817"
"a4_161" = "1154228481"
"a1_216" = "1741330581"
"a1_215" = "3996332577"
"a1_214" = "1809422411"
"a1_213" = "3855608840"
"a3_147" = "1070844314"
"a1_211" = "3443060169"
"a1_210" = "2541116352"

"a3_146" = "1063277947"
"a2_159" = "1139884864"
"a4_119" = "853125399"
"a2_158" = "1132717433"
"a1_253" = "3891439492"
"a4_118" = "845956278"
"a3_260" = "1847236781"
"a3_143" = "1008236550"
"a2_249" = "1785116152"
"a2_248" = "1777936222"
"a2_247" = "1770781370"
"a2_246" = "1763599249"
"a2_245" = "1756442847"
"a3_142" = "1034864615"
"a2_243" = "1742098472"
"a2_242" = "1734931813"
"a2_241" = "1727751411"
"a2_240" = "1720598330"
"a3_224" = "1588903625"
"a1_152" = "183643077"
"a3_225" = "1629901672"
"a3_248" = "1761236945"
"a3_264" = "1909255713"
"a4_117" = "838787157"
"a3_265" = "1883210304"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Windows Firewall is disabled (value set under the same StandardProfile key):

"EnableFirewall" = "0"

Adds a Windows Firewall exception that allows the Trojan's executable any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

To run automatically at every Windows start, the Trojan adds a value to the Run key pointing at its dropped copy. The copy is named rundll32.exe but sits under the user's Application Data folder, whereas the genuine rundll32.exe lives in %System%:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"

The process rundll32.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C C5 86 19 3E 6F 6B B2 AD C0 54 0A E0 AB 23 C8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

Dropped PE files

MD5                               File path
dbd184d717bd49620729c69948d1a287  c:\drsg.pif

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

The worm spreads via removable drives: it writes its executable and an "autorun.inf" script to every removable drive it finds. On systems that honour autorun.inf for removable media, the script executes the Trojan's file as soon as a user opens the drive in Windows Explorer.
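The propagation described above (and removal step 5 further down) comes down to one question per removable drive: is there an autorun.inf, and which file would it launch? This added example, not part of the report, builds a temporary directory standing in for a drive root, writes a constructed autorun.inf that points at a file named drsg.pif (the dropped-file name from this report, reused here only as a stand-in; the sample's real autorun.inf content was not captured), and reports each launch target and whether it exists on the drive. It reads only the open, shellexecute and shell\...\command entries of the [autorun] section and ignores anything else, which also skips the junk lines such files often carry.

```python
import os
import re
import tempfile

# Constructed autorun.inf; the target name drsg.pif is borrowed from the
# report's dropped-file list only as a stand-in.
CONSTRUCTED_AUTORUN = (
    "[autorun]\r\n"
    "open=drsg.pif\r\n"
    "shell\\open\\Command=drsg.pif\r\n"
    "shell\\explore\\command=drsg.pif\r\n"
    "shellexecute=drsg.pif\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)

# Keys in the [autorun] section that cause code execution.
LAUNCH_KEYS = re.compile(r'^(open|shellexecute|shell\\[^\\=]+\\command)$', re.I)


def launch_targets(inf_text):
    """Return the command strings autorun.inf would run, in file order."""
    targets = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk or non key=value lines are ignored
        key, _, value = line.partition("=")
        if LAUNCH_KEYS.match(key.strip()):
            targets.append(value.strip())
    return targets


def command_path(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def scan_drive_root(root):
    """Return (autorun.inf path, [(command, target exists on drive)]) or None."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    with open(inf, "r", errors="replace") as fh:
        text = fh.read()
    results = []
    for cmd in launch_targets(text):
        rel = command_path(cmd).replace("\\", os.sep).lstrip(os.sep)
        results.append((cmd, os.path.isfile(os.path.join(root, rel))))
    return inf, results


def demo():
    """Build a fake drive root holding autorun.inf and its target, then scan it."""
    root = tempfile.mkdtemp(prefix="fakeusb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(CONSTRUCTED_AUTORUN)
    with open(os.path.join(root, "drsg.pif"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # placeholder bytes, not the dropped PE
    return scan_drive_root(root)


if __name__ == "__main__":
    inf, results = demo()
    print(inf)
    for cmd, present in results:
        print(f"  launches {cmd!r}: target present={present}")
```

During cleanup, run the scan against each removable drive's root before deleting anything, so that the worm's copy is removed together with the autorun.inf that references it rather than leaving one behind.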

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             569841        569856    4.61311  e25ac90b8e7a37ba3aec31583eb109e8
.rdata  577536           58474         58880     3.75497  e40dfac2aa919c953afc3e5f529b3350
.data   638976           36632         10752     2.54749  e27b8dce8893e88554c3004d7188b557
.rsrc   675840           114688        113664    5.13275  eb05476660cfc0cdf3cb3cd3c756d0de

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
1c043dbca1ccd59cb3d2da464ec62e5a

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

rundll32.exe_2060:

.text
.rdata
.data
.rsrc
!"#$%%&'())* ,-./0123456789:;<""=>
T$%UR
RSSh<RI
RSSh@SI
xSSSh
FTPjKS
FtPj;S
C.PjRV
portuguese-brazilian
GetProcessWindowStation
operator
AutoHotkey
AppsKey
ListHotkeys
KeyHistory
DetectHiddenWindows
SetKeyDelay
KeyWait
GetKeyState
URLDownloadToFile
MsgBox
IfMsgBox
Hotkey
AHK Keybd
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
Modifiers (Hook's Logical) = %s
Modifiers (Hook's Physical) = %s
Prefix key is down: %s
NOTE: Only the script's own keyboard events are shown
(not the user's), because the keyboard hook isn't installed.
NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)
The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist, U=Unicode character (SendInput).
E7 X
X X
%u hotkeys have been received in the last %ums.
(see #MaxHotkeysPerInterval in the help file)
Nonexistent hotkey. The current thread will exit.
Nonexistent hotkey variant (IfWin). The current thread will exit.
Max hotkeys.
The AltTab hotkey "%s" must specify which key (L or R).
The AltTab hotkey "%s" must have exactly one modifier/prefix.
"%s" is not allowed as a prefix key.
"%s" is not a valid key name. The current thread will exit.
SCx
%s[%Iu of %Iu]: %-1.60s%s
%s[Object]: 0x%p
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%s\%s
AutoHotkey2
Critical Error: %s
<>=/|^,:*&~!()[] -?."'\;`{}
>AUTOHOTKEY SCRIPT<
Could not extract script from EXE.
<>=/|^,:
<>=/|^,:. -*&!?~
Join
Hotkeys/hotstrings are not allowed inside functions.
Duplicate hotkey.
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.
*%s::
if not GetKeyState("%s")
{Blind}%s%s{%s DownTemp}
*%s up::
{Blind}{%s Up}
#InstallKeybdHook
#HotkeyModifierTimeout
#HotkeyInterval
#MaxHotkeysPerInterval
#MaxThreadsPerHotkey
#KeyHistory
#MenuMaskKey
: -*/|&^.
<>=/|^,:*&~!()[] -?."
Invalid hotkey.
"%s" requires at least %d parameter%s.
"%s" requires that parameter #%u be non-blank.
<>=/|^,:*&~!()[]"
<>=/|^,:*&~!()[] -?
Unsupported use of "."
<>=/|^,:*&~!()[] -?.
Unsupported parameter default.
HasKey
detecthiddenwindows
keydelay
subkey
thishotkey
priorhotkey
timesincethishotkey
timesincepriorhotkey
Unsupported use of "["
Too many parameters passed to function.
Too few parameters passed to function.
%s%s%s
%%%s%s%s
Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.
u:
if %s %s %s and %s
%s%s %s %s
For %s,%s in %s
%s (%d) : ==> %s
Specifically: %s
in #include file "%s"
%s%s:%s %-1.500s
Specifically: %-1.100s%s
Error at line %u
Line Text: %-1.100s%s
Local Variables for %s()%s
%sGlobal Variables (alphabetical)%s
Window: %s
Keybd hook: %s
Mouse hook: %s
Enabled Timers: %u of %u (%s)
Interrupted threads: %d%s
Paused threads: %d of %d (%d layers)
Modifiers (GetKeyState() now) = %s
Key History has been disabled via #KeyHistory 0.
System verbs unsupported with RunAs. The current thread will exit.
%s %s
.exe.bat.com.cmd.hta
Verb: <%s>
Action: <%-0.400s%s>%s
Params: <%-0.400s%s>
EndKey:
0xX
0xX
%sLeft
%sTop
%sRight
%sBottom
\AU3_Spy.exe"
%sAU3_Spy.exe"
\AutoHotkey.chm"
%sAutoHotkey.chm"
hh.exe
hXXp://VVV.autohotkey.com
Could not open URL hXXp://VVV.autohotkey.com in default browser.
SOFTWARE\AutoHotkey
AutoHotkey v1.0.92.02
set cdaudio door %s wait
open %s type cdaudio alias cd wait shareable
set cd door %s wait
\\.\%c:
Mixer Doesn't Support This Component Type
Component Doesn't Support This Control Type
open "%s" alias AHK_PlayMe
Select File - %s
%s%c%sÊll Files (*.*)%c*.*%c
All Files (*.*)
Text Documents (*.txt)
*.txt
1.0.92.02
\AutoHotkey.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Pos%s
Len%s
Pos%d
Len%d
Compile error %d at offset %d: %s
RunAs: Missing advapi32.dll. The current thread will exit.
0.0.0.0
InternetOpenUrlA
Select Folder - %s
%u.%u.%u.%u
0xX -
%s%ws
AutoHotkeyGUI
%dGui
Button%s
msctls_hotkey32
Report
Password
vkX
Supported only for the tray menu The current thread will exit.
&Suspend Hotkeys
dd
dddddd
GdiplusShutdown
The following %s name contains an illegal character:
"%-1.300s"%s
The maximum number of MsgBoxes has been reached.
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
Error text not found (please report)
WSOCK32.dll
WINMM.dll
VERSION.dll
COMCTL32.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardLayout
SetWindowsHookExA
UnhookWindowsHookEx
RegisterHotKey
UnregisterHotKey
GetAsyncKeyState
GetKeyboardState
SetKeyboardState
keybd_event
VkKeyScanExA
GetKeyNameTextA
MapVirtualKeyA
EnumChildWindows
EnumWindows
ExitWindowsEx
USER32.dll
GDI32.dll
COMDLG32.dll
RegCloseKey
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
ShellExecuteExA
SHFileOperationA
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
GetProcessHeap
zcÁ
-()[]{}:;'"/\,.?!
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Office
#%'''<[[^^\\]
"%<aabm^^m
$-8GGhnsrr}
$-9GGggs}s
%Mgr.RhY4RfE5Qd:f
PA<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.48.05" processorArchitecture="*" name="Microsoft.Windows.AutoHotkey" type="win32"></assemblyIdentity><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PADDINGXXPADDINGPADD
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\0004412C_Rar\rundll32.exe
rundll32.exe
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
.info/J
home.gifI888
h.rata
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
MSVCRT.dll
WS2_32.dll
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
&Lines most recently executed
&Hotkeys and their methods
&Key history and script info
&Web Site

rundll32.exe_2060_rwx_003C0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

rundll32.exe_2060_rwx_003D0000_00001000:

|rundll32.exeM_2060_

rundll32.exe_2060_rwx_004AE000_00011000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\0004412C_Rar\rundll32.exe
rundll32.exe
.rsrc
.text
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
.info/J
home.gifI888
KERNEL32.dll
h.rata
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA

Explorer.EXE_888_rwx_00FF0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Explorer.EXE_888_rwx_022A0000_00001000:

|explorer.exeM_888_

Explorer.EXE_888_rwx_02710000_0108E000:

c:\windows
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
%System%\drivers\mnpnj.sys
2755933760
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
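The dumps above carry the sample's download URLs in defanged form (hXXp:// and VVV.), its drop paths and a device name. This added example, not the report's or Lavasoft's code, extracts them from text in this dump layout and records which dump each URL came from: DUMP_EXCERPT is a constructed subset of the strings listed above, the refang/defang pair follows the report's convention, and the dump-header pattern assumes the process_pid[_rwx_base_size]: form used here.

```python
import re

# Constructed subset of the strings dumped above, in the report's layout.
DUMP_EXCERPT = r"""
rundll32.exe_2060:

hXXp://VVV.ledyazilim.com/logo.gif
hXXp://kulppasur.com/logo.gif
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
rundll32.exe

Explorer.EXE_888_rwx_02710000_0108E000:

hXXp://VVV.ledyazilim.com/logo.gif
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
%System%\drivers\mnpnj.sys
\\.\amsint32
autorun.inf
avast! Web Scanner
cmdGuard
"""

# Dump header: process_pid, optionally _rwx_base_size, ending in a colon.
DUMP_HDR = re.compile(r'^(\w+\.\w+_\d+(?:_rwx_[0-9A-Fa-f]+_[0-9A-Fa-f]+)?):$')
URL_RE = re.compile(r'hxxps?://[^\s"\'<>]+', re.I)
PATH_RE = re.compile(r'^(?:%[A-Za-z ]+%|[A-Za-z]:)\\.+$')
DEVICE_RE = re.compile(r'^\\\\\.\\\w+$')


def refang(url):
    """hXXp:// -> http://, VVV. -> www. (the defanging used in this report)."""
    url = re.sub(r'^hxxp', 'http', url, flags=re.I)
    return re.sub(r'://vvv\.', '://www.', url, flags=re.I)


def defang(url):
    """Inverse of refang, for safe output."""
    url = re.sub(r'^http', 'hXXp', url, flags=re.I)
    return re.sub(r'://www\.', '://VVV.', url, flags=re.I)


def extract_iocs(text):
    """Collect refanged URLs (with the dumps they came from), hosts, paths and devices."""
    dump = None
    urls, paths, devices = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_HDR.match(line)
        if m:
            dump = m.group(1)
            continue
        for found in URL_RE.findall(line):
            urls.setdefault(refang(found), set()).add(dump)
        if PATH_RE.match(line) and line not in paths:
            paths.append(line)
        if DEVICE_RE.match(line) and line not in devices:
            devices.append(line)
    hosts = []
    for url in urls:
        host = re.match(r'https?://([^/]+)', url, re.I).group(1).lower()
        if host not in hosts:
            hosts.append(host)
    return {
        "urls": {url: sorted(d for d in dumps if d) for url, dumps in urls.items()},
        "hosts": hosts,
        "paths": paths,
        "devices": devices,
    }


if __name__ == "__main__":
    iocs = extract_iocs(DUMP_EXCERPT)
    for url, dumps in iocs["urls"].items():
        print(defang(url), "seen in:", ", ".join(dumps))
    print("hosts:", iocs["hosts"])
    print("paths:", iocs["paths"])
    print("devices:", iocs["devices"])
```

The host list is what goes into DNS or proxy blocklists; keeping the URLs refanged only in memory and defanging them again on output avoids producing clickable links in tickets and reports.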


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1736

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\00043506_Rar\%original file name%.exe (5441 bytes)
    %WinDir%\system.ini (70 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0004412C_Rar\rundll32.exe (5441 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
