Dropped.Trojan.Generic.15950365_9014983773

by malwarelabrobot on July 21st, 2016 in Malware Descriptions.

Dropped:Trojan.Generic.15950365 (B) (Emsisoft), Dropped:Trojan.Generic.15950365 (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, VirTool, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 9014983773a6f71a3cddbc2de3731a72
SHA1: c37da5759810d9c4f9ca855a78e6273c9c7727aa
SHA256: f76df1580a39646095978df7a303c41f3b27a25fa9a9c369f6ac7ae8e80a15cf
SSDeep: 98304:y oon7xTCo23WLcmRlkt5tc4HO2PmGoIo:bo87XjR
Size: 7644553 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Dropped's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Dropped creates the following process(es):
No processes have been created.
The Dropped injects its code into the following process(es):

%original file name%.exe:1508

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1508 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1920y1080.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\640y480.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\Restore.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\800y600.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\480y320.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\720y480.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\autorun.exe (56198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\autorun.inf (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1280y720.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1366y768.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1680y1050.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1440y810.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1600y900.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1440y900.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\autorun.aru (5381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1024y768.exe (3221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\autorun.ico (3221 bytes)

Registry activity

The process %original file name%.exe:1508 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 4D 11 67 E9 1B F2 06 99 0B 1C 3D A7 6D 34 6C"

Dropped PE files

MD5 File path
0b4b1a26dc8037ed6fa46aad3007c708 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\1024y768.exe
63d639b5a75ec35ec044ed41a56fa46f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\1280y720.exe
6b3b979f328c0d877109205d331b4e5b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\1366y768.exe
8bdd01f4fe7e713534cd725705b6add2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\1440y810.exe
ec35d140dc21ec38139b779b70f7276d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\1440y900.exe
34813f075dc628f5599999db92ba8a43 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\1600y900.exe
4b926145ad8757b5a11bb1bd240ddf1d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\1680y1050.exe
9079d455cade4c59875a2e17a5a50ae1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\1920y1080.exe
889301b87cbe30c1e576f6b53d9a54c2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\480y320.exe
2bd365a3a223205d4532c80dfdc288d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\640y480.exe
4a7184aeab5ce5e235b1b33ccdfd977b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\720y480.exe
05527f8361d900724de8e60ed4460c10 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\800y600.exe
7a5de6723759f200b7f0127db8fc6273 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\AutoRunPro0\Files\Crysis\Restore.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Dropped's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: RagnoTech Softworks
Product Name:
Product Version: 6.0.0.0
Legal Copyright: Copyright (C) RagnoTech Softworks 2011-2016. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.0.1.136
File Description: Low Specs Experience
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
CODE    4096             1740752       1740800   4.5136    3976d2709407383ff9f875be719ccbbe
DATA    1744896          35992         36352     3.63656   eae3d6244479110538eacae6dafbb9b4
BSS     1781760          6065          0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  1789952          12556         12800     3.3843    878ea80905c2c39608f303d8e59ac3fa
.tls    1806336          64            0         0         d41d8cd98f00b204e9800998ecf8427e
.rdata  1810432          24            512       0.139696  b0fc90836aac8dade221b287c4d59fb3
.reloc  1814528          104344        104448    4.61903   ba72ef665731557c81278e413b811017
.rsrc   1921024          1165984       1166336   2.70734   8a983f107d9df98dfbc23b5dc7c35d81

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Dropped connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1920y1080.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\640y480.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\Restore.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\800y600.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\480y320.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\720y480.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\autorun.exe (56198 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\autorun.inf (78 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1280y720.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1366y768.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1680y1050.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1440y810.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1600y900.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1440y900.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\autorun.aru (5381 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\Files\Crysis\1024y768.exe (3221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AutoRunPro0\autorun.ico (3221 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
