Gen.Variant.Graftor.18871_4c851cb065

by malwarelabrobot on February 26th, 2014 in Malware Descriptions.

Trojan.Win32.Jorik.IRCbot.xmq (Kaspersky), Worm.Win32.AutoRun (VIPRE), Trojan.Win32.Malagent!IK (Emsisoft), Gen:Variant.Graftor.18871 (AdAware), Trojan.MSIL.Bladabindi.2.FD (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Static Analysis
Relationships
Map
Removal Recommendations

MD5: 4c851cb065e13f681e274d939c1a7273
SHA1: 6208b264e6e2f20b97c22228aa8e6aade8c4a020
SHA256: 2f7138097418b16406ab4029a553b3f4185c0e59947e72cbf0f2abf08d66a45d
SSDeep: 768:/H3C2BrX mF1JmBwmL0s0es6vo/DFuB6UJvI5cKNtSRePsP6Jpk/52xY0l7URAzZ:/dBtfZo6ug95RuoPsP6JCqNURsRb
Size: 68096 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 1999-07-25 08:06:13
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1948
ctfmon.exe:536
WScript.exe:1816
WScript.exe:268
WScript.exe:1676
WScript.exe:1996

The Trojan injects its code into the following process(es):

cService.exe:1708

File activity

The process %original file name%.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\WINNIT\0x03847\SYS\cService.exe (68096 bytes)

The process cService.exe:1708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Offline Web Pages\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\ime\NtTerminate.exe (68096 bytes)
%WinDir%\repair\I.LOVE.YOU.txt.vbs (1887 bytes)
C:\I.LOVE.YOU.txt.vbs (3774 bytes)
%WinDir%\Web\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Fonts\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\network diagnostic\NtTerminate.exe (68096 bytes)
%WinDir%\ehome\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\NtTerminate.exe (136192 bytes)
C:\TOTALCMD\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Sun\NtTerminate.exe (68096 bytes)
%WinDir%\Debug\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Connection Wizard\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Microsoft.NET\NtTerminate.exe (68096 bytes)
%WinDir%\Offline Web Pages\NtTerminate.exe (68096 bytes)
%WinDir%\Registration\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Tasks\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Config\NtTerminate.exe (68096 bytes)
C:\Recycled\NtTerminate.exe (68096 bytes)
%WinDir%\Temp\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\repair\NtTerminate.exe (68096 bytes)
C:\WINNIT\0x03847\SYS\RegistryServiceBackup.vbs (1171 bytes)
%WinDir%\l2schemas\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\srchasst\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Resources\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\$Reconfig$\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\SoftwareDistribution\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Cursors\NtTerminate.exe (68096 bytes)
%WinDir%\l2schemas\NtTerminate.exe (68096 bytes)
%WinDir%\system\I.LOVE.YOU.txt.vbs (1887 bytes)
%System%\NtTerminate.exe (68096 bytes)
%WinDir%\Sun\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\AppPatch\NtTerminate.exe (68096 bytes)
%WinDir%\Help\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\twain_32\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Provisioning\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Connection Wizard\NtTerminate.exe (68096 bytes)
C:\WINNIT\0x03847\SYS\hhhService.txt (85 bytes)
%WinDir%\network diagnostic\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\addins\NtTerminate.exe (68096 bytes)
%WinDir%\java\NtTerminate.exe (68096 bytes)
%Documents and Settings%\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Prefetch\NtTerminate.exe (68096 bytes)
%WinDir%\Help\NtTerminate.exe (68096 bytes)
%WinDir%\msagent\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Config\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Temp\NtTerminate.exe (68096 bytes)
%WinDir%\inf\NtTerminate.exe (68096 bytes)
%WinDir%\mui\NtTerminate.exe (68096 bytes)
%WinDir%\inf\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\SoftwareDistribution\NtTerminate.exe (68096 bytes)
%WinDir%\srchasst\NtTerminate.exe (68096 bytes)
%WinDir%\mui\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\ServicePackFiles\NtTerminate.exe (68096 bytes)
%WinDir%\java\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\msapps\NtTerminate.exe (68096 bytes)
%WinDir%\msapps\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Microsoft.NET\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\I.LOVE.YOU.txt.vbs (3774 bytes)
%Documents and Settings%\NtTerminate.exe (68096 bytes)
%WinDir%\Web\NtTerminate.exe (68096 bytes)
%System%\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Cursors\I.LOVE.YOU.txt.vbs (1887 bytes)
C:\WINNIT\NtTerminate.exe (68096 bytes)
%WinDir%\$NtUninstallXPSEPSCLP$\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Tasks\NtTerminate.exe (68096 bytes)
%WinDir%\Prefetch\I.LOVE.YOU.txt.vbs (1887 bytes)
C:\virus\NtTerminate.exe (68096 bytes)
%WinDir%\$NtUninstallXPSEPSCLP$\NtTerminate.exe (68096 bytes)
%WinDir%\ServicePackFiles\I.LOVE.YOU.txt.vbs (1887 bytes)
C:\virus\I.LOVE.YOU.txt.vbs (1887 bytes)
C:\Recycled\I.LOVE.YOU.txt.vbs (1887 bytes)
C:\WINNIT\0x03847\SYS\NetworkService.vbs (1102 bytes)
%WinDir%\twain_32\NtTerminate.exe (68096 bytes)
%WinDir%\addins\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Installer\NtTerminate.exe (68096 bytes)
%WinDir%\Provisioning\NtTerminate.exe (68096 bytes)
%WinDir%\Fonts\NtTerminate.exe (68096 bytes)
%WinDir%\Registration\NtTerminate.exe (68096 bytes)
%Program Files%\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\WinSxS\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\PeerNet\NtTerminate.exe (68096 bytes)
%WinDir%\security\NtTerminate.exe (68096 bytes)
C:\WINNIT\0x03847\SYS\arrayService.vbs (677 bytes)
%WinDir%\msagent\NtTerminate.exe (68096 bytes)
%WinDir%\Driver Cache\NtTerminate.exe (68096 bytes)
%WinDir%\ehome\NtTerminate.exe (68096 bytes)
%WinDir%\AppPatch\I.LOVE.YOU.txt.vbs (1887 bytes)
C:\NtTerminate.exe (136192 bytes)
%WinDir%\Driver Cache\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Media\NtTerminate.exe (68096 bytes)
%WinDir%\assembly\NtTerminate.exe (68096 bytes)
%Program Files%\NtTerminate.exe (68096 bytes)
%WinDir%\Resources\NtTerminate.exe (68096 bytes)
%WinDir%\system\NtTerminate.exe (68096 bytes)
%WinDir%\$Reconfig$\NtTerminate.exe (68096 bytes)
%WinDir%\Downloaded Program Files\NtTerminate.exe (68096 bytes)
%WinDir%\Debug\NtTerminate.exe (68096 bytes)
%WinDir%\Installer\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\WinSxS\NtTerminate.exe (68096 bytes)
%WinDir%\PeerNet\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\pchealth\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Downloaded Program Files\I.LOVE.YOU.txt.vbs (1887 bytes)
C:\WINNIT\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\pchealth\NtTerminate.exe (68096 bytes)
C:\TOTALCMD\NtTerminate.exe (68096 bytes)
%WinDir%\ime\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\Media\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\assembly\I.LOVE.YOU.txt.vbs (1887 bytes)
%WinDir%\security\I.LOVE.YOU.txt.vbs (1887 bytes)

The Trojan deletes the following file(s):

%WinDir%\NtTerminate.exe (0 bytes)
C:\NtTerminate.exe (0 bytes)

The process WScript.exe:268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\WINNIT\0x03847\SYS\arrayService.txt (24 bytes)

The process WScript.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\WINNIT\0x03847\SYS\arrayService.txt (24 bytes)

Registry activity

The process %original file name%.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 62 52 7D E6 27 35 21 23 B0 6F A2 DC 8B C0 69"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINNIT\0x03847\SYS]
"cService.exe" = "Service"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process ctfmon.exe:536 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process cService.exe:1708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D EA 2E 57 39 A6 AD 5D 29 0E BE 74 E3 FD 98 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WScript.exe:1816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 68 16 57 73 E5 C3 BE E8 B6 FB 06 D7 44 6C 13"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

The process WScript.exe:268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA C1 03 55 F8 68 CF DD 86 A8 A8 4A 15 BF 73 10"

The process WScript.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 99 4C 68 B2 25 B6 F7 1F B1 22 D6 D3 76 42 9E"

The process WScript.exe:1996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 57 F9 82 8D 98 84 17 51 17 DE 71 71 28 21 2E"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Network Services" = "C:\WINNIT\0x03847\SYS\cService.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Registry Services" = "C:\WINNIT\0x03847\SYS\RegistryServiceBackup.vbs"

"Network Services" = "C:\WINNIT\0x03847\SYS\cService.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Registry Services" = "C:\WINNIT\0x03847\SYS\RegistryServiceBackup.vbs"

Network activity (URLs)

URL IP
log.2dt.net 206.41.117.126


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Zex
Product Name: Update Center
Product Version: v1.0
Legal Copyright: Copyright (c) l0v3
Legal Trademarks:
Original Filename: UpdateServiceCenter.exe
Internal Name: UpdateServiceCenter
File Version: v1.0
File Description: service
Comments: with l0v3
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 25708 26112 3.93692 69b6b43289e2927f50d4181762c4c094
.rdata 32768 3066 3072 3.51486 82c897fb0dc9adb2db42f7109da17a8b
.data 36864 7728 7680 3.7309 cf13d98fec3b8d60f98163e4ce69d9c9
.rsrc 45056 163840 30208 5.34479 8f60aed3b598d5e438f13e7348ec3368

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1948
    WScript.exe:1816
    WScript.exe:268
    WScript.exe:1676
    WScript.exe:1996

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\WINNIT\0x03847\SYS\cService.exe (68096 bytes)
    %WinDir%\Offline Web Pages\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\ime\NtTerminate.exe (68096 bytes)
    %WinDir%\repair\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\I.LOVE.YOU.txt.vbs (3774 bytes)
    %WinDir%\Web\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Fonts\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\network diagnostic\NtTerminate.exe (68096 bytes)
    %WinDir%\ehome\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\NtTerminate.exe (136192 bytes)
    C:\TOTALCMD\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Sun\NtTerminate.exe (68096 bytes)
    %WinDir%\Debug\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Connection Wizard\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Microsoft.NET\NtTerminate.exe (68096 bytes)
    %WinDir%\Offline Web Pages\NtTerminate.exe (68096 bytes)
    %WinDir%\Registration\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Tasks\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Config\NtTerminate.exe (68096 bytes)
    C:\Recycled\NtTerminate.exe (68096 bytes)
    %WinDir%\Temp\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\repair\NtTerminate.exe (68096 bytes)
    C:\WINNIT\0x03847\SYS\RegistryServiceBackup.vbs (1171 bytes)
    %WinDir%\l2schemas\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\srchasst\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Resources\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\$Reconfig$\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\SoftwareDistribution\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Cursors\NtTerminate.exe (68096 bytes)
    %WinDir%\l2schemas\NtTerminate.exe (68096 bytes)
    %WinDir%\system\I.LOVE.YOU.txt.vbs (1887 bytes)
    %System%\NtTerminate.exe (68096 bytes)
    %WinDir%\Sun\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\AppPatch\NtTerminate.exe (68096 bytes)
    %WinDir%\Help\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\twain_32\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Provisioning\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Connection Wizard\NtTerminate.exe (68096 bytes)
    C:\WINNIT\0x03847\SYS\hhhService.txt (85 bytes)
    %WinDir%\network diagnostic\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\addins\NtTerminate.exe (68096 bytes)
    %WinDir%\java\NtTerminate.exe (68096 bytes)
    %Documents and Settings%\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Prefetch\NtTerminate.exe (68096 bytes)
    %WinDir%\Help\NtTerminate.exe (68096 bytes)
    %WinDir%\msagent\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Config\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Temp\NtTerminate.exe (68096 bytes)
    %WinDir%\inf\NtTerminate.exe (68096 bytes)
    %WinDir%\mui\NtTerminate.exe (68096 bytes)
    %WinDir%\inf\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\SoftwareDistribution\NtTerminate.exe (68096 bytes)
    %WinDir%\srchasst\NtTerminate.exe (68096 bytes)
    %WinDir%\mui\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\ServicePackFiles\NtTerminate.exe (68096 bytes)
    %WinDir%\java\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\msapps\NtTerminate.exe (68096 bytes)
    %WinDir%\msapps\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Microsoft.NET\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\I.LOVE.YOU.txt.vbs (3774 bytes)
    %Documents and Settings%\NtTerminate.exe (68096 bytes)
    %WinDir%\Web\NtTerminate.exe (68096 bytes)
    %System%\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Cursors\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\WINNIT\NtTerminate.exe (68096 bytes)
    %WinDir%\$NtUninstallXPSEPSCLP$\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Tasks\NtTerminate.exe (68096 bytes)
    %WinDir%\Prefetch\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\virus\NtTerminate.exe (68096 bytes)
    %WinDir%\$NtUninstallXPSEPSCLP$\NtTerminate.exe (68096 bytes)
    %WinDir%\ServicePackFiles\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\virus\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\Recycled\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\WINNIT\0x03847\SYS\NetworkService.vbs (1102 bytes)
    %WinDir%\twain_32\NtTerminate.exe (68096 bytes)
    %WinDir%\addins\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Installer\NtTerminate.exe (68096 bytes)
    %WinDir%\Provisioning\NtTerminate.exe (68096 bytes)
    %WinDir%\Fonts\NtTerminate.exe (68096 bytes)
    %WinDir%\Registration\NtTerminate.exe (68096 bytes)
    %Program Files%\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\WinSxS\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\PeerNet\NtTerminate.exe (68096 bytes)
    %WinDir%\security\NtTerminate.exe (68096 bytes)
    C:\WINNIT\0x03847\SYS\arrayService.vbs (677 bytes)
    %WinDir%\msagent\NtTerminate.exe (68096 bytes)
    %WinDir%\Driver Cache\NtTerminate.exe (68096 bytes)
    %WinDir%\ehome\NtTerminate.exe (68096 bytes)
    %WinDir%\AppPatch\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\NtTerminate.exe (136192 bytes)
    %WinDir%\Driver Cache\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Media\NtTerminate.exe (68096 bytes)
    %WinDir%\assembly\NtTerminate.exe (68096 bytes)
    %Program Files%\NtTerminate.exe (68096 bytes)
    %WinDir%\Resources\NtTerminate.exe (68096 bytes)
    %WinDir%\system\NtTerminate.exe (68096 bytes)
    %WinDir%\$Reconfig$\NtTerminate.exe (68096 bytes)
    %WinDir%\Downloaded Program Files\NtTerminate.exe (68096 bytes)
    %WinDir%\Debug\NtTerminate.exe (68096 bytes)
    %WinDir%\Installer\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\WinSxS\NtTerminate.exe (68096 bytes)
    %WinDir%\PeerNet\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\pchealth\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Downloaded Program Files\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\WINNIT\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\pchealth\NtTerminate.exe (68096 bytes)
    C:\TOTALCMD\NtTerminate.exe (68096 bytes)
    %WinDir%\ime\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\Media\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\assembly\I.LOVE.YOU.txt.vbs (1887 bytes)
    %WinDir%\security\I.LOVE.YOU.txt.vbs (1887 bytes)
    C:\WINNIT\0x03847\SYS\arrayService.txt (24 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Network Services" = "C:\WINNIT\0x03847\SYS\cService.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Registry Services" = "C:\WINNIT\0x03847\SYS\RegistryServiceBackup.vbs"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Network Services" = "C:\WINNIT\0x03847\SYS\cService.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Registry Services" = "C:\WINNIT\0x03847\SYS\RegistryServiceBackup.vbs"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now