GenPack.Backdoor.Generic.183329_086f7cf872

by malwarelabrobot on April 13th, 2015 in Malware Descriptions.

Trojan.Win32.Patched.la (Kaspersky), GenPack:Backdoor.Generic.183329 (B) (Emsisoft), GenPack:Backdoor.Generic.183329 (AdAware), GenericAutorunWorm.YR, TrojanFlySky.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 086f7cf872ca9197d025fad629830624
SHA1: 37a79adc6418c59824ae0838188f1cee03a1d5e1
SHA256: b84ed123e35f0b7e9a8198c4e56e083e915019fe0a27335d4dd3428e3e0a352b
SSDeep: 24576:NPTjRnTHdSDgPl2gm1xa1VVyFDJkqQ0L2SOnTgRD YbDVmgwvp:JjxHd2I2FaDyDRFKS6Tw YbRmN
Size: 1497980 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1972-12-25 08:33:23 (PE linker timestamp; it predates the PE format itself, so it has been forged and cannot be used to date the build)
Analyzed on: WindowsXP SP3 32-bit
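
The header fields above (three digests, a 1972 compile timestamp, a "Packed" entropy verdict) are the first things to re-check on a fresh copy of a sample. The Python below is an added example, not Lavasoft's analysis tooling: it hashes a file against the three digests from this report, reads the COFF linker timestamp out of the PE header and flags stamps that predate the PE format or lie in the future, and computes byte entropy as a packing heuristic. The 7.0 entropy threshold and the synthetic MZ/PE header that build_fake_pe() produces for offline testing are this example's own assumptions; the Unix time 94120403 used in the demo is the report's 1972-12-25 08:33:23 read as UTC.

```python
"""Hash, timestamp and entropy triage for the sample described above.

Added example, not Lavasoft's tooling. IOC_HASHES are copied from the report
header; build_fake_pe() constructs a minimal PE header for offline testing and
is not the real sample.
"""
import hashlib
import math
import struct
from datetime import datetime, timezone
from typing import Optional

IOC_HASHES = {
    "md5": "086f7cf872ca9197d025fad629830624",
    "sha1": "37a79adc6418c59824ae0838188f1cee03a1d5e1",
    "sha256": "b84ed123e35f0b7e9a8198c4e56e083e915019fe0a27335d4dd3428e3e0a352b",
}
PE_FORMAT_BORN = datetime(1993, 1, 1, tzinfo=timezone.utc)  # no genuine PE is older


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the file contents, keyed like IOC_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def matches_ioc(data: bytes) -> bool:
    """True if any digest of `data` equals one of the report's hashes."""
    digests = file_hashes(data)
    return any(digests[k] == v for k, v in IOC_HASHES.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted images sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_timestamp(data: bytes) -> Optional[datetime]:
    """COFF FileHeader.TimeDateStamp as UTC, or None if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the stamp.
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_is_plausible(ts: Optional[datetime], now: Optional[datetime] = None) -> bool:
    """A linker stamp older than the PE format, or in the future, has been tampered with."""
    now = now or datetime.now(timezone.utc)
    return ts is not None and PE_FORMAT_BORN <= ts <= now


def build_fake_pe(timestamp: int, payload: bytes = b"") -> bytes:
    """Constructed MZ stub + PE signature + 20-byte COFF header (i386); not executable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + payload


def triage(data: bytes) -> dict:
    """One-shot verdict dictionary for a file's bytes."""
    ts = pe_timestamp(data)
    entropy = shannon_entropy(data)
    return {
        "ioc_hash_match": matches_ioc(data),
        "timestamp": ts.isoformat() if ts else None,
        "timestamp_plausible": timestamp_is_plausible(ts),
        "entropy": round(entropy, 2),
        "likely_packed": entropy > 7.0,  # assumed threshold for a whole-file heuristic
    }


if __name__ == "__main__":
    import sys
    # No argument: triage a constructed header carrying the report's 1972 stamp.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(94120403, b"\0" * 64)
    print(triage(data))
```

Run it against the real file (`python triage.py sample.exe`) and the hash match tells you whether you hold the same binary the report describes; on the synthetic header the timestamp check alone reproduces the "forged timestamp" verdict.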


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It copies its executable to each removable drive and drops an "autorun.inf" beside it; that script launches the GenPack's file when a user opens the drive in Windows Explorer. This is the generic text for the classification: the file activity recorded below contains no autorun.inf write for this run, so treat the worm behaviour as inherited from the detection name rather than observed here. Hosts with the 2011 AutoRun update (KB971029) no longer honour autorun.inf on USB media, so the vector mainly affects unpatched XP-era systems such as the analysis VM.
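
To check a removable drive for the autorun.inf hijack described above, here is an added Python example (not code from the report or from Lavasoft): it parses the [autorun] section, isolates the directives that launch a program (open=, shellexecute=, shell\<verb>\command=) and checks whether the referenced file is present at the drive root. The autorun.inf content in demo() is constructed; only the payload name 2ADE6B.EXE is taken from the report, and the real sample's autorun.inf, if it drops one, is not shown on this page.

```python
"""Scan a drive root for an autorun.inf that launches a program.

Added example, not part of the Lavasoft report. The autorun.inf written by
demo() is constructed in the style of Autorun worms; "2ADE6B.EXE" is the
only name borrowed from the report.
"""
import re
import tempfile
from pathlib import Path

# Directives that make Explorer start a program: AutoPlay's open=/shellexecute=
# and the shell\<verb>\command= entries that hijack double-click, Open and Explore.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as {lower-cased key: value}; junk lines are skipped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> dict:
    """Only the directives that execute something."""
    return {k: v for k, v in entries.items() if LAUNCH_KEY.match(k)}


def program_path(command: str) -> str:
    """First token of a command line, surrounding quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def assess_root(root) -> dict:
    """Inspect <root>\\autorun.inf: what it launches and whether that file sits on the drive."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return {"autorun_present": False, "launches": {}, "targets_on_disk": {}}
    entries = parse_autorun(inf.read_text(errors="replace"))
    launches = launch_targets(entries)
    on_disk = {}
    for value in launches.values():
        prog = program_path(value)
        if prog:
            on_disk[prog] = (root / prog).is_file()
    return {"autorun_present": True, "launches": launches, "targets_on_disk": on_disk}


def demo() -> dict:
    """Build a throwaway 'removable drive' with a constructed autorun.inf and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(
            "[AutoRun]\r\n"
            "open=2ADE6B.EXE\r\n"
            "shellexecute=2ADE6B.EXE\r\n"
            "shell\\open\\Command=2ADE6B.EXE\r\n"
            "shell\\explore\\Command=2ADE6B.EXE\r\n"
            "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
            "useautoplay=1\r\n"
        )
        (root / "2ADE6B.EXE").write_bytes(b"MZ")  # stand-in for the dropped payload
        return assess_root(root)


if __name__ == "__main__":
    print(demo())
```

Point assess_root() at a mounted drive letter (`assess_root("E:\\")`) during incident triage; a hit where every verb resolves to the same file at the root, and that file exists, is the pattern the WormAutorun classification describes.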


Process activity

The GenPack creates the following process(es):

sc.exe:1292
sc.exe:328
sc.exe:1392
net1.exe:536
net1.exe:1308
%original file name%.exe:428
%original file name%.exe:1088
system.exe:664
net.exe:1832
net.exe:972
Rundll32.exe:1268
Rundll32.exe:1684

The GenPack injects its code into the following process(es):

2ADE6B.EXE:1208

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 2ADE6B.EXE:1208 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\index.dat (202 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\2ADE6B.lnk (677 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (202 bytes)
%System%\B55985\0f10.inf (3856 bytes)
%System%\B55985\16eb.EDT (2008 bytes)
%System%\B55985\16eb.inf (2728 bytes)

The GenPack deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@vk[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sadpanda[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youtube[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process %original file name%.exe:428 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

C:\%original file name%.exe (6770 bytes)
%System%\system.exe (89 bytes)

The process %original file name%.exe:1088 makes changes in the file system. The krnln.fnr and *.fne modules it drops, and the E_N4 directory under %Temp%, are the runtime support libraries of Easy Programming Language (EPL, 易语言), a Chinese visual-programming toolchain; they show the dropper was built with it, but a legitimate EPL program drops the same files, so they identify the toolchain, not the malware.
The GenPack creates and/or writes to the following file(s):

%System%\10A216\2ADE6B.EXE (113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\shell.fne (40 bytes)
%System%\10A216\internet.fne (184 bytes)
%System%\10A216\krnln.fnr (7433 bytes)
%System%\10A216\shell.fne (40 bytes)
%System%\10A216\spec_a.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\cnvpe.fne (61 bytes)
%System%\42ADE6\DE6B36D0.TXT (7386 bytes)
%System%\10A216\spec.fne (69 bytes)
%System%\10A216\RegEx.fnr (217 bytes)
%System%\10A216\eAPI.fne (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\dp1.fne (114 bytes)
%System%\10A216\cnvpe.fne (61 bytes)
%System%\10A216\dp1.fne (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\eAPI.fne (323 bytes)
%System%\10A216\com.run (266 bytes)

The process system.exe:664 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

%System%\vetsvo.dll (62 bytes)
%System%\odoxvo.dll (21 bytes)

The process Rundll32.exe:1268 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

%WinDir%\Prefetch\WMIPRVSE.EXE-28F301A9.pf (64 bytes)
%System%\CatRoot2 (96 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (1732 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
%WinDir%\pchealth\helpctr\System (4 bytes)
C:\$Directory (3508 bytes)
%System%\config (396 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%WinDir%\Prefetch (2500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_N4\cnvpe.fne (122 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%System%\CatRoot (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System%\10A216\cnvpe.fne (61 bytes)
%System% (45028 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%System%\10A216\shell.fne (40 bytes)
%System%\10A216\dp1.fne (601 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%Documents and Settings%\%current user%\MY DOCUMENTS (8 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%WinDir%\SoftwareDistribution\Download (45 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\ime (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (204 bytes)
C:\ (12 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (28 bytes)
%System%\10A216\eAPI.fne (1425 bytes)
%Documents and Settings%\ALL USERS (8 bytes)
%Program Files%\Movie Maker (4 bytes)
%System%\10A216 (12 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%WinDir%\WinSxS (212 bytes)
%System%\10A216\spec.fne (601 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US (4 bytes)
%WinDir% (2248 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
C:\PROGRAM FILES (220 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%Documents and Settings% (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%System%\10A216\RegEx.fnr (1281 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%System%\oobe (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%System%\config\SysEvent.Evt (936 bytes)
%WinDir%\Temp (4 bytes)
%WinDir%\Installer (8 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%System%\10A216\spec_a.fne (601 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\pchealth\helpctr (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (8 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%WinDir%\Web (4 bytes)
C:\totalcmd (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D.tmp (4545 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles (8 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (2812 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader (96 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%System%\42ADE6\DE6B36D0.TXT (896 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%WinDir%\Temp\Perflib_Perfdata_15c.dat (20 bytes)
%System%\mui (4 bytes)
%WinDir%\REGISTRATION (8 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\wbem\Logs\wbemess.log (768 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (980 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (5936 bytes)
%System%\B55985\16eb.inf (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%System%\10A216\krnln.fnr (7433 bytes)
%Documents and Settings%\%current user%\Local Settings (20 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32 (28 bytes)
%System%\B55985\16eb.EDT (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
%Program Files%\Adobe\Reader 9.0 (4 bytes)
%WinDir%\Prefetch\086F7CF872CA9197D025FAD629830-2C5DA869.pf (60 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727 (1848 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (704 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Documents and Settings%\%current user% (28 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%WinDir%\Web\printers (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\APPLICATION DATA (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\Help (248 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo (4 bytes)
%System%\config\systemprofile (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (32 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5 (12 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\COMMON FILES (8 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%WinDir%\Prefetch\EXPLORER.EXE-082F38A9.pf (98 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%System%\wbem\Logs (4 bytes)
%System%\B55985\0f10.inf (8 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)

The GenPack deletes the following file(s):

%System%\wininet.dll (0 bytes)

The process Rundll32.exe:1684 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

%Program Files%\KAV\CDriver.sys (13 bytes)

The GenPack deletes the following file(s):

%Program Files%\KAV\CDriver.sys (0 bytes)
%Program Files%\KAV (0 bytes)

Registry activity

The process 2ADE6B.EXE:1208 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B BF 66 6F 76 18 6C D1 2B A2 ED 5F 65 46 76 F9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The GenPack deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]

The process sc.exe:1292 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 64 2C EB 85 B6 C6 76 C0 6E D2 D6 AB 9E 01 A8"

The process sc.exe:328 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F DD 39 DC 25 85 6D 4A 0F 60 14 07 1D 2C 9F 79"

The process sc.exe:1392 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 39 4E 84 4E A4 6D DB 65 16 2A 02 97 09 A4 1C"

The process net1.exe:536 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 F5 0E C5 FE 63 89 4C 4E 0D 96 28 59 3E F6 F2"

The process net1.exe:1308 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 49 AE 41 22 0A E5 78 F5 D0 D5 77 3C 20 5C 9B"

The process %original file name%.exe:1088 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 14 8D C9 10 5C 9A E5 76 C6 5E 6A 2F E3 8A 5E"

The process net.exe:1832 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 93 27 0E 44 B6 E5 15 F3 33 4F 40 9C C8 C6 78"

The process net.exe:972 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 ED 5D 74 4E B2 F8 BA 77 59 35 9F A4 04 48 6C"

The process Rundll32.exe:1268 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 FD B6 71 09 84 0F C6 1D 05 51 D5 D7 7E 7A CD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The GenPack sets the IE security-zone option that maps UNC paths and dot-less host names not assigned to another zone into the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

It also sets the option that maps sites bypassing the proxy into the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

And it sets the option that treats all sites not listed in another zone as intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

These three ZoneMap values are also wininet's defaults on a freshly initialised profile (Rundll32.exe:1684 below writes the same three), so on their own they are weak indicators; the autorun entry that follows is the actionable persistence artefact.

To run itself each time Windows boots, the GenPack registers its dropped copy under the system autorun key (the Startup-folder shortcut 2ADE6B.lnk listed under file activity is a second, per-user persistence point):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"

The GenPack deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Rundll32.exe:1684 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 AC F3 FA 44 CF FF A5 A1 D3 63 75 54 1F 75 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The GenPack modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The GenPack modifies IE security zone settings so that all local web nodes without dots that are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The GenPack modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5 File path
20f2765d1b8b0b84edaeccbff00fc245 c:\%original file name%.exe
7a4f775abb2f1c97def3e73afa2faedd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\D.tmp
866735bd10ac922092ef4222d8354876 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\cnvpe.fne
1a4cb15d215a62c64aa38965bd110f55 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\dp1.fne
5846f2b43bc4f935f289dd385d071d48 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\eAPI.fne
54d7f04da47522914883a1e14014796b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\krnln.fnr
c8b96e70e691ebcbecd73077b5812310 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\shell.fne
8ab5471dc3628a16313bcd33a9b6c721 c:\WINDOWS\system32\10A216\2ADE6B.EXE
a67daddcb30335163cf7d99f282f5ae0 c:\WINDOWS\system32\10A216\RegEx.fnr
866735bd10ac922092ef4222d8354876 c:\WINDOWS\system32\10A216\cnvpe.fne
ce2f773275d3fe8b78f4cf067d5e6a0f c:\WINDOWS\system32\10A216\com.run
1a4cb15d215a62c64aa38965bd110f55 c:\WINDOWS\system32\10A216\dp1.fne
5846f2b43bc4f935f289dd385d071d48 c:\WINDOWS\system32\10A216\eAPI.fne
299c26fb72a3d286cc24c4a9a9a4a693 c:\WINDOWS\system32\10A216\internet.fne
54d7f04da47522914883a1e14014796b c:\WINDOWS\system32\10A216\krnln.fnr
c8b96e70e691ebcbecd73077b5812310 c:\WINDOWS\system32\10A216\shell.fne
8985d73f08638b4b48ecd30759c9e53f c:\WINDOWS\system32\10A216\spec.fne
e6313522df1adcda9d3067704c25f8d4 c:\WINDOWS\system32\10A216\spec_a.fne
467b48d4c6c14bc70b6812ee0adf4e50 c:\WINDOWS\system32\odoxvo.dll
524261cc70f2fba9fd30568ad6fbec5b c:\WINDOWS\system32\system.exe
81fe4fab769454c9f3ae5c0738a01caf c:\WINDOWS\system32\vetsvo.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the GenPack's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 20972 24576 4.83039 94640f2cc2cdd75285132b04e947d55d
.rdata 28672 2634 4096 2.48139 367b7ce38d0c4c17f01e370dc697df5b
.data 32768 8024 8192 3.18636 1f439a03b10f37d311a7154a3c22b809
.data 40960 413696 413696 5.54016 b98890a3318514733b8af19f91704e2d
.rsrc 454656 15344 16384 2.36013 825a8015620dc174a1747b2d60c4feb4
xvjw 471040 4288 8192 2.50485 c4d5a265274d42c5fded28445f7e74d0
479232 89088 90112 4.35915 2041fd5db38d9c25e33596439f53dc8c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The GenPack connects to the servers at the following location(s):

Rundll32.exe_1268:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

2ADE6B.EXE_1208:

.text
.rdata
@.data
.rsrc
krnln.fnr
krnln.fne
USER32.dll
KERNEL32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
@@shdocvw.dll
.cn/ul.htm
hXXp://
.com/ul.htm
[%s%]
[%f%]
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Recycled.exe
:\autorun.inf
shellexecute
shlwapi.dll
OLEACC.DLL
user32.dll
keybd_event
WebBrowser

2ADE6B.EXE_1208_rwx_00401000_00001000:

krnln.fnr
krnln.fne

2ADE6B.EXE_1208_rwx_00403000_0001B000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    sc.exe:1292
    sc.exe:328
    sc.exe:1392
    net1.exe:536
    net1.exe:1308
    %original file name%.exe:428
    %original file name%.exe:1088
    system.exe:664
    net.exe:1832
    net.exe:972
    Rundll32.exe:1268
    Rundll32.exe:1684

  2. Delete the original GenPack file.
  3. Delete or disinfect the following files created/modified by the GenPack:

    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\index.dat (202 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\2ADE6B.lnk (677 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (202 bytes)
    %System%\B55985\0f10.inf (3856 bytes)
    %System%\B55985\16eb.EDT (2008 bytes)
    %System%\B55985\16eb.inf (2728 bytes)
    C:\%original file name%.exe (6770 bytes)
    %System%\system.exe (89 bytes)
    %System%\10A216\2ADE6B.EXE (113 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_N4\shell.fne (40 bytes)
    %System%\10A216\internet.fne (184 bytes)
    %System%\10A216\krnln.fnr (7433 bytes)
    %System%\10A216\shell.fne (40 bytes)
    %System%\10A216\spec_a.fne (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_N4\krnln.fnr (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_N4\cnvpe.fne (61 bytes)
    %System%\42ADE6\DE6B36D0.TXT (7386 bytes)
    %System%\10A216\spec.fne (69 bytes)
    %System%\10A216\RegEx.fnr (217 bytes)
    %System%\10A216\eAPI.fne (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_N4\dp1.fne (114 bytes)
    %System%\10A216\cnvpe.fne (61 bytes)
    %System%\10A216\dp1.fne (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_N4\eAPI.fne (323 bytes)
    %System%\10A216\com.run (266 bytes)
    %System%\vetsvo.dll (62 bytes)
    %System%\odoxvo.dll (21 bytes)
    %WinDir%\Prefetch\WMIPRVSE.EXE-28F301A9.pf (64 bytes)
    %System%\CatRoot2 (96 bytes)
    %WinDir%\SoftwareDistribution (4 bytes)
    %WinDir%\pchealth\helpctr\System\images (4 bytes)
    %WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
    %WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
    %WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
    %WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
    %WinDir%\pchealth\helpctr\System\panels (4 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
    %WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319 (1732 bytes)
    %Documents and Settings%\Default User (540 bytes)
    %WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
    C:\$Directory (3508 bytes)
    %System%\config (396 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
    %WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
    %WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
    %WinDir%\assembly\GAC_32 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
    %Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
    %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
    %Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
    %WinDir%\Installer\$PatchCache$\Managed (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
    %Program Files%\Common Files\VMware\Drivers (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
    %Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
    %WinDir%\assembly\GAC_MSIL (36 bytes)
    %Documents and Settings%\%current user%\MY DOCUMENTS (8 bytes)
    %Documents and Settings%\NetworkService\Local Settings (4 bytes)
    %Documents and Settings%\All Users\DOCUMENTS (4 bytes)
    %WinDir%\WinSxS\Policies (8 bytes)
    %System%\oobe\html (4 bytes)
    %WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
    %WinDir%\ime (4 bytes)
    %WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
    %Documents and Settings%\%current user%\Cookies (204 bytes)
    %Documents and Settings%\%current user%\Favorites (4 bytes)
    %WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
    %Documents and Settings%\ALL USERS (8 bytes)
    %Program Files%\Movie Maker (4 bytes)
    %WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
    %Documents and Settings%\LocalService (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
    %WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
    C:\PROGRAM FILES (220 bytes)
    %WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
    %WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
    %Documents and Settings%\Default User\Local Settings (4 bytes)
    %WinDir%\$hf_mig$ (8 bytes)
    %System%\spool\XPSEP\amd64 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
    %WinDir%\ime\imjp8_1 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
    %WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
    %Program Files%\Microsoft Office\Office14 (4 bytes)
    %System%\config\SysEvent.Evt (936 bytes)
    %WinDir%\Temp (4 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
    %WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
    %WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
    %WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
    %WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
    %WinDir%\ime\imkr6_1 (4 bytes)
    %WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
    %WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
    %WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
    %Documents and Settings%\All Users\Documents\My Music (4 bytes)
    %Program Files%\Windows NT (8 bytes)
    %WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
    %WinDir%\Web (4 bytes)
    C:\totalcmd (4 bytes)
    %Program Files%\Common Files\System (4 bytes)
    %Program Files%\Windows Media Player (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
    %WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
    %WinDir%\AppPatch (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\D.tmp (4545 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
    %WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
    %WinDir%\msagent (4 bytes)
    %Program Files%\Movie Maker\Shared (4 bytes)
    %WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
    %System%\wbem (2812 bytes)
    %WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
    %WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
    %WinDir%\Temp\Perflib_Perfdata_15c.dat (20 bytes)
    %System%\mui (4 bytes)
    %WinDir%\REGISTRATION (8 bytes)
    %System%\spool\XPSEP\i386 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
    %Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
    %System%\wbem\Logs\wbemess.log (768 bytes)
    %System%\wbem\Repository\FS\INDEX.BTR (5936 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
    %WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
    %WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
    %System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
    %WinDir%\pchealth\helpctr\Config (4 bytes)
    %WinDir%\Prefetch\086F7CF872CA9197D025FAD629830-2C5DA869.pf (60 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
    %System%\drivers (704 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
    %Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
    %WinDir%\Web\printers (4 bytes)
    %WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\APPLICATION DATA (4 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
    %WinDir%\security (4 bytes)
    %WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (32 bytes)
    %System%\config\systemprofile\Local Settings (4 bytes)
    %WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
    %Program Files%\Internet Explorer (4 bytes)
    %WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
    %WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
    %Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
    %Documents and Settings%\LocalService\Local Settings (4 bytes)
    %Program Files%\COMMON FILES (8 bytes)
    %WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
    %WinDir%\Prefetch\EXPLORER.EXE-082F38A9.pf (98 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
    %Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
    %System%\oobe\html\mouse (4 bytes)
    %WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
    %WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
    %Program Files%\KAV\CDriver.sys (13 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "System" = "%System%\system.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
