MD5: 1451176c0584f30f26bf748490cf15d2
SHA1: fb58b7c48ae0912ca901ca10e90f0683785a8388
SHA256: ac11eb3cc096ee7b8c397fd158bef5ffd343d600bd8d17f9bcc4424160e77eb4
SSDeep: 384:32v64cWqR8dGql2Mc7OuMBupMTcpjItkwQ zY8afDTiVo1wmcdk:3bfbR8dtlfdumTMjSrf12
Size: 44544 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: WindowsXP SP3 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The DeepScan creates the following process(es):

%original file name%.exe:956
ijrazyiya.iby:1464
ijrazyiya.iby:952

The DeepScan injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:956 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%WinDir%\ime\imjp8_1\zqyjaaari.zar (44 bytes)
%WinDir%\ime\imjp8_1\rrziiirrq.yra (44 bytes)
%WinDir%\Network Diagnostic\zqyjaaari.zar (44 bytes)
%WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ijrazyiya.iby (44 bytes)
%WinDir%\ime\imjp8_1\brrararqq.jyz (44 bytes)
%Program Files%\NetMeeting\ijrazyiya.ibybzbyqqjby.jzb (44 bytes)
%Program Files%\Windows Media Player\zqyjaaari.zar (44 bytes)
%Program Files%\WinPcap\yjayayara.bribyqqjby.jzb.yra (44 bytes)
%Program Files%\Outlook Express\rrziiirrq.yra.zar (44 bytes)
%Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\bzbyqqjby.jzbra.briqjby.jzb (44 bytes)
%WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\qyajqiaqj.jrr (44 bytes)
%Program Files%\NetMeeting\azzzariby.qabbzbyqqjby.jzb (44 bytes)
%WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\bzbyqqjby.jzb (44 bytes)
%WinDir%\ime\imjp8_1\qyajqiaqj.jrr (44 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\azzzariby.qab (44 bytes)
%WinDir%\ime\imjp8_1\azzzariby.qab (44 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\brrararqq.jyz (44 bytes)
%Program Files%\Windows NT\Pinball\bzbyqqjby.jzb.yra (44 bytes)
%WinDir%\pchealth\helpctr\binaries\brrararqq.jyz (44 bytes)
%Program Files%\Common Files\Adobe\Updater6\rrziiirrq.yra (44 bytes)
%Program Files%\Outlook Express\azzzariby.qab.zar (44 bytes)
%WinDir%\ime\imkr6_1\ijrazyiya.iby (44 bytes)
%Program Files%\NetMeeting\yjayayara.bribzbyqqjby.jzb (44 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\yjayayara.bri (44 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\brrararqq.jyz (44 bytes)
C:\totalcmd\zqyjaaari.zar (44 bytes)
%Program Files%\Opera\updatechecker\zqyjaaari.zar (44 bytes)
%Program Files%\MSN Gaming Zone\Windows\zqyjaaari.zarr (44 bytes)
%WinDir%\ime\imjp8_1\bzbyqqjby.jzb (44 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\bzbyqqjby.jzb (44 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\zqyjaaari.zar (44 bytes)
%WinDir%\Microsoft.NET\Framework\azzzariby.qab (44 bytes)
%Program Files%\Windows Media Player\qyajqiaqj.jrr (44 bytes)
%Program Files%\Outlook Express\yjayayara.bri.zar (44 bytes)
%WinDir%\brrararqq.jyz (44 bytes)
%Program Files%\Windows NT\Accessories\rrziiirrq.yra (44 bytes)
%Program Files%\Windows Media Player\ijrazyiya.iby (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zaiyji.qiyr.yzb (44 bytes)
%Program Files%\MSN Gaming Zone\Windows\brrararqq.jyzr (44 bytes)
%WinDir%\pchealth\helpctr\binaries\azzzariby.qab (44 bytes)
%WinDir%\xwrm.exe (44 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\qyajqiaqj.jrr (44 bytes)
%Program Files%\Opera\qyajqiaqj.jrra.ibybzbyqqjby.jzb (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\bzbyqqjby.jzb (44 bytes)
%WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rrziiirrq.yra (44 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\bzbyqqjby.jzb (44 bytes)
%WinDir%\ime\imjp8_1\yjayayara.bri (44 bytes)
%Program Files%\MSN Gaming Zone\Windows\bzbyqqjby.jzb (44 bytes)
%Program Files%\MSN Gaming Zone\Windows\rrziiirrq.yrar (44 bytes)
C:\totalcmd\yjayayara.bri (44 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\azzzariby.qab (44 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\qyajqiaqj.jrr (44 bytes)
%Program Files%\Windows NT\brrararqq.jyz (44 bytes)
C:\totalcmd\rrziiirrq.yra (44 bytes)
%WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\zqyjaaari.zar (44 bytes)
%Program Files%\Outlook Express\brrararqq.jyz.zar (44 bytes)
%WinDir%\inf\zqyjaaari.zar (44 bytes)
%WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\yjayayara.bri (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\yjayayara.briqjby.jzb (44 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\yjayayara.bri (44 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\rrziiirrq.yra (44 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ijrazyiya.iby (44 bytes)

The process ijrazyiya.iby:1464 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%Program Files%\MSN Gaming Zone\Windows\qqjbyjzby.jayi (44 bytes)
%Program Files%\Windows Media Player\zyiyaibyq.yaj (44 bytes)
%Program Files%\NetMeeting\aribyqabi.jraayarabria.zzz (44 bytes)
%WinDir%\ime\imjp8_1\qqjbyjzby.jay (44 bytes)
%WinDir%\ime\imkr6_1\rarqqjyzb.zby (44 bytes)
%WinDir%\ime\imjp8_1\qiaqjjrrz.qyj (44 bytes)
%WinDir%\rarqqjyzb.zby.rra (44 bytes)
%Program Files%\Windows Media Player\aribyqabi.jrazzz (44 bytes)
%WinDir%\ime\imjp8_1\aribyqabi.jra (44 bytes)
%Program Files%\Outlook Express\qqjbyjzby.jaybria.zzz (44 bytes)
%Program Files%\Windows NT\Pinball\iirrqyrab.rra.rziz (44 bytes)
%Program Files%\Outlook Express\iirrqyrab.rrabria.zzz (44 bytes)
%WinDir%\ime\imjp8_1\ayarabria.zzz (44 bytes)
%WinDir%\qqjbyjzby.jay (44 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\zyiyaibyq.yaj (44 bytes)
%Program Files%\NetMeeting\zyiyaibyq.yajayarabria.zzz (44 bytes)
%Program Files%\MSN Gaming Zone\Windows\ayarabria.zzz (44 bytes)
%Program Files%\MSN Gaming Zone\Windows\rarqqjyzb.zbyi (44 bytes)
%Program Files%\Windows Media Player\qiaqjjrrz.qyj (44 bytes)
%WinDir%\ime\imjp8_1\zyiyaibyq.yaj (44 bytes)
%Program Files%\Outlook Express\ayarabria.zzzbria.zzz (44 bytes)
%Program Files%\MSN Gaming Zone\Windows\iirrqyrab.rrai (44 bytes)
%WinDir%\ime\imjp8_1\iirrqyrab.rra (44 bytes)
%WinDir%\inf\ayarabria.zzz (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyzaar.jbrr.yzb (44 bytes)
%Program Files%\NetMeeting\qiaqjjrrz.qyjayarabria.zzz (44 bytes)
%WinDir%\ime\imjp8_1\aaarizarr.rzi (44 bytes)
%Program Files%\Windows NT\Accessories\aaarizarr.rziz (44 bytes)
%WinDir%\pchealth\helpctr\binaries\zyiyaibyq.yaj (44 bytes)
%Program Files%\Outlook Express\aaarizarr.rzibria.zzz (44 bytes)

The process ijrazyiya.iby:952 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ryqqra.iqzr.yzb (44 bytes)

Registry activity

The process %original file name%.exe:956 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"

The process ijrazyiya.iby:1464 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the DeepScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the folowing location(s):

\xwrm.exe

%WinDir%\xwrm.exe

Software\Microsoft\Windows\CurrentVersion\Run

USER %s 8 * :%s

NICK %s

PONG %s

JOIN #england

PRIVMSG #england :.-:[X-Worm]:-.

1314953876

irc.undernet.org

MAIL FROM:<%s>

RCPT TO:<%s>

--%s--

From:<%s>

To: %s

Subject:%s

boundary="%s"

X-Mailer: Microsoft Outlook Express 6.00.2800.1106

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

charset="windows-1255"

name= "%s%s"

Content-Disposition: attachment; filename="%s%s"

Support

No.reply

8.txtt:

8.htmt2

8.rtft*

8.doct"

8.bdxt

8.phpt

8.jspt

8.cgit

smtp

ws2_32.dll

mmstat.com/

525787904

31014426

2976015040

30280135

775787904

3223205040

3186731264

30280141

2368270448

30280137

2;s:0:"";}4b1355140a48757dd51fa66012318b52

dasf.cn/

3278235648

30280187

1714615040

1360745536

dasf.cn`

ADVAPI32.DLL

RegOpenKeyExA

RegCloseKey

User32.dll

Current_User@msn[1].txt

-new-braces-at-grammys[2].txt

ADM@MS~1.TXT

8.exe

8.scrtt

8.avitJ

8.doctB

8.mp3t:

8.mpgt2

8.xlst*

8.jpgt"

8.zipt

8.isot

8.pdft

8.pptt

8.rart

c:\WINDOWS\_default.pif

stem.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll

s.htm

ail\ShieldsUpMsg.htm

Soap.dll

SFC.DLL

WinExec

ayarabria.zzz

c:\WINDOWS\ayarabria.zzz

dLB\Binaries\aaarizarr.rzi.rzi301B7449A0300000010\9.3.0\qiaqjjrrz.qyj

ReadMe.exe

c:\Program Files\Wireshark\ijrazyiya.iby

Menu\Programs\Startup\xedJ7lqdI.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\jyzaar.jbrr.yzb

GetWindowsDirectoryA

FPTBAWDRF-INOCPANDANTIAMONN32SNOD3NPSSSMSSSCANZONEPROTMONIRWEBMIRCCKDOTROJSAFEJEDITRAYANDASPIDPLORNDLLTRENNSPLNSCHSYSTALERj

KERNEL32.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:956
   ijrazyiya.iby:1464
   ijrazyiya.iby:952

2. Delete the original DeepScan file.
   
3. Delete or disinfect the following files created/modified by the DeepScan:
   

   %WinDir%\ime\imjp8_1\zqyjaaari.zar (44 bytes)
   %WinDir%\ime\imjp8_1\rrziiirrq.yra (44 bytes)
   %WinDir%\Network Diagnostic\zqyjaaari.zar (44 bytes)
   %WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ijrazyiya.iby (44 bytes)
   %WinDir%\ime\imjp8_1\brrararqq.jyz (44 bytes)
   %Program Files%\NetMeeting\ijrazyiya.ibybzbyqqjby.jzb (44 bytes)
   %Program Files%\Windows Media Player\zqyjaaari.zar (44 bytes)
   %Program Files%\WinPcap\yjayayara.bribyqqjby.jzb.yra (44 bytes)
   %Program Files%\Outlook Express\rrziiirrq.yra.zar (44 bytes)
   %Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\bzbyqqjby.jzbra.briqjby.jzb (44 bytes)
   %WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\qyajqiaqj.jrr (44 bytes)
   %Program Files%\NetMeeting\azzzariby.qabbzbyqqjby.jzb (44 bytes)
   %WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\bzbyqqjby.jzb (44 bytes)
   %WinDir%\ime\imjp8_1\qyajqiaqj.jrr (44 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\azzzariby.qab (44 bytes)
   %WinDir%\ime\imjp8_1\azzzariby.qab (44 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\brrararqq.jyz (44 bytes)
   %Program Files%\Windows NT\Pinball\bzbyqqjby.jzb.yra (44 bytes)
   %WinDir%\pchealth\helpctr\binaries\brrararqq.jyz (44 bytes)
   %Program Files%\Common Files\Adobe\Updater6\rrziiirrq.yra (44 bytes)
   %Program Files%\Outlook Express\azzzariby.qab.zar (44 bytes)
   %WinDir%\ime\imkr6_1\ijrazyiya.iby (44 bytes)
   %Program Files%\NetMeeting\yjayayara.bribzbyqqjby.jzb (44 bytes)
   %Program Files%\Common Files\Microsoft Shared\MSInfo\yjayayara.bri (44 bytes)
   %Program Files%\Common Files\Microsoft Shared\DW\brrararqq.jyz (44 bytes)
   C:\totalcmd\zqyjaaari.zar (44 bytes)
   %Program Files%\Opera\updatechecker\zqyjaaari.zar (44 bytes)
   %Program Files%\MSN Gaming Zone\Windows\zqyjaaari.zarr (44 bytes)
   %WinDir%\ime\imjp8_1\bzbyqqjby.jzb (44 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\bzbyqqjby.jzb (44 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\zqyjaaari.zar (44 bytes)
   %WinDir%\Microsoft.NET\Framework\azzzariby.qab (44 bytes)
   %Program Files%\Windows Media Player\qyajqiaqj.jrr (44 bytes)
   %Program Files%\Outlook Express\yjayayara.bri.zar (44 bytes)
   %WinDir%\brrararqq.jyz (44 bytes)
   %Program Files%\Windows NT\Accessories\rrziiirrq.yra (44 bytes)
   %Program Files%\Windows Media Player\ijrazyiya.iby (44 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\zaiyji.qiyr.yzb (44 bytes)
   %Program Files%\MSN Gaming Zone\Windows\brrararqq.jyzr (44 bytes)
   %WinDir%\pchealth\helpctr\binaries\azzzariby.qab (44 bytes)
   %WinDir%\xwrm.exe (44 bytes)
   %Program Files%\Common Files\Adobe\ARM\1.0\qyajqiaqj.jrr (44 bytes)
   %Program Files%\Opera\qyajqiaqj.jrra.ibybzbyqqjby.jzb (44 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\bzbyqqjby.jzb (44 bytes)
   %WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rrziiirrq.yra (44 bytes)
   %Program Files%\Common Files\Microsoft Shared\DW\bzbyqqjby.jzb (44 bytes)
   %WinDir%\ime\imjp8_1\yjayayara.bri (44 bytes)
   %Program Files%\MSN Gaming Zone\Windows\bzbyqqjby.jzb (44 bytes)
   %Program Files%\MSN Gaming Zone\Windows\rrziiirrq.yrar (44 bytes)
   C:\totalcmd\yjayayara.bri (44 bytes)
   %Program Files%\Common Files\Adobe\ARM\1.0\azzzariby.qab (44 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\qyajqiaqj.jrr (44 bytes)
   %Program Files%\Windows NT\brrararqq.jyz (44 bytes)
   C:\totalcmd\rrziiirrq.yra (44 bytes)
   %WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\zqyjaaari.zar (44 bytes)
   %Program Files%\Outlook Express\brrararqq.jyz.zar (44 bytes)
   %WinDir%\inf\zqyjaaari.zar (44 bytes)
   %WinDir%\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\yjayayara.bri (44 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\yjayayara.briqjby.jzb (44 bytes)
   %Program Files%\Common Files\Adobe\ARM\1.0\yjayayara.bri (44 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\rrziiirrq.yra (44 bytes)
   %Program Files%\Common Files\Adobe\ARM\1.0\ijrazyiya.iby (44 bytes)
   %Program Files%\MSN Gaming Zone\Windows\qqjbyjzby.jayi (44 bytes)
   %Program Files%\Windows Media Player\zyiyaibyq.yaj (44 bytes)
   %Program Files%\NetMeeting\aribyqabi.jraayarabria.zzz (44 bytes)
   %WinDir%\ime\imjp8_1\qqjbyjzby.jay (44 bytes)
   %WinDir%\ime\imkr6_1\rarqqjyzb.zby (44 bytes)
   %WinDir%\ime\imjp8_1\qiaqjjrrz.qyj (44 bytes)
   %WinDir%\rarqqjyzb.zby.rra (44 bytes)
   %Program Files%\Windows Media Player\aribyqabi.jrazzz (44 bytes)
   %WinDir%\ime\imjp8_1\aribyqabi.jra (44 bytes)
   %Program Files%\Outlook Express\qqjbyjzby.jaybria.zzz (44 bytes)
   %Program Files%\Windows NT\Pinball\iirrqyrab.rra.rziz (44 bytes)
   %Program Files%\Outlook Express\iirrqyrab.rrabria.zzz (44 bytes)
   %WinDir%\ime\imjp8_1\ayarabria.zzz (44 bytes)
   %WinDir%\qqjbyjzby.jay (44 bytes)
   %Program Files%\Common Files\Microsoft Shared\MSInfo\zyiyaibyq.yaj (44 bytes)
   %Program Files%\NetMeeting\zyiyaibyq.yajayarabria.zzz (44 bytes)
   %Program Files%\MSN Gaming Zone\Windows\ayarabria.zzz (44 bytes)
   %Program Files%\MSN Gaming Zone\Windows\rarqqjyzb.zbyi (44 bytes)
   %Program Files%\Windows Media Player\qiaqjjrrz.qyj (44 bytes)
   %WinDir%\ime\imjp8_1\zyiyaibyq.yaj (44 bytes)
   %Program Files%\Outlook Express\ayarabria.zzzbria.zzz (44 bytes)
   %Program Files%\MSN Gaming Zone\Windows\iirrqyrab.rrai (44 bytes)
   %WinDir%\ime\imjp8_1\iirrqyrab.rra (44 bytes)
   %WinDir%\inf\ayarabria.zzz (44 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\jyzaar.jbrr.yzb (44 bytes)
   %Program Files%\NetMeeting\qiaqjjrrz.qyjayarabria.zzz (44 bytes)
   %WinDir%\ime\imjp8_1\aaarizarr.rzi (44 bytes)
   %Program Files%\Windows NT\Accessories\aaarizarr.rziz (44 bytes)
   %WinDir%\pchealth\helpctr\binaries\zyiyaibyq.yaj (44 bytes)
   %Program Files%\Outlook Express\aaarizarr.rzibria.zzz (44 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ryqqra.iqzr.yzb (44 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "x32x" = "%WinDir%\xwrm.exe"
   
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.