Gen.Variant.Midie.6956_88afc576d7

by malwarelabrobot on June 6th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Daws.awfy (Kaspersky), Gen:Variant.Midie.6956 (B) (Emsisoft), Gen:Variant.Midie.6956 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 88afc576d7210f5a96b8359ca05729d4
SHA1: ca83169f39fdf9c157917864530db94d85be0d5c
SHA256: cec4b56c5a1f9e1f32c8251611fd5e5af83fb7beef70c72621bcd3cb9a917220
SSDeep: 49152:Sv1lW0AsLYZjD/GKhfomwn/H5hlbTChxKCnFnQXBbrtgb/iQvu0UHO4:4HpLYZjD/lOB/Zhl6hxvWbrtUTrUHO4
Size: 3018223 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: ??????????
Created at: 2012-03-05 10:37:55
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealth installation of other malware onto the user's system.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

wtmps.exe:424
mscaps.exe:1612
@AE1.tmp.exe:1996
%original file name%.exe:968
XP-82C9699D.EXE:324
launch.exe:560
WdExt.exe:2012

The Trojan injects its code into the following process(es):

XP-542ADE6B.EXE:576

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process XP-542ADE6B.EXE:576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (1250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (69 bytes)
%System%\ul.dll (2 bytes)
%System%\internet.fne (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\error[1].htm (2 bytes)
%System%\com.run (1425 bytes)
%System%\og.edt (512 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%System%\XP-82C9699D.EXE (7386 bytes)
%System%\og.dll (692 bytes)
%System%\eAPI.fne (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%System%\spec.fne (601 bytes)
%System%\krnln.fnr (7433 bytes)
%System%\dp1.fne (601 bytes)
%System%\shell.fne (40 bytes)
%System%\RegEx.fnr (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (0 bytes)

The process wtmps.exe:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\mscaps.exe (27349 bytes)

The process mscaps.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wtime32.dll (29045 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (406 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (0 bytes)

The process @AE1.tmp.exe:1996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (406836 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (216451 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (1304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (907 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (1792 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (0 bytes)

The process %original file name%.exe:968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (266 bytes)
%System%\XP-542ADE6B.EXE (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)

The process XP-82C9699D.EXE:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)

The process launch.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (112 bytes)

The process WdExt.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (55476 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (28924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (36444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (21164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (200332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (48916 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (18508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (26548 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (103749 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (156 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)

Registry activity

The process XP-542ADE6B.EXE:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 33 63 1E 1B F9 F5 37 C6 2F 68 AB 81 0D C4 27"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process mscaps.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ef2b00e3-19da-4e78-b118-6b6451b719f2}]
"Locale" = "*"
"StubPath" = "%System%\mscaps.exe /s /n /i:U shell32.dll"
"Version" = "1,125,2406,1"
"ComponentID" = "DirectShow"

The process @AE1.tmp.exe:1996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Temp]
"adm1.bat" = "adm1"
"adm0.bat" = "adm0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 C7 33 4E 7D A3 86 F0 6F 39 7F 50 9C 36 CB 3A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 CF EB 3A 83 71 36 D5 BC DD B1 C2 ED D7 4C FC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process XP-82C9699D.EXE:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 DD 9A 93 20 81 0A C8 26 65 4F 8F 87 9B 34 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP-542ADE6B" = "%System%\XP-542ADE6B.EXE"

The process launch.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 26 AB ED 36 72 04 CC 39 99 20 5D BA 96 B8 2D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"

The process WdExt.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 A4 3B 2A 99 6E F6 C3 C9 84 37 77 8A A8 07 8F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
4c8959d2be0df53dcf188a133422e316 c:\%original file name%.exe
f1c9f4a1f92588aeb82be5d2d4c2c730 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Caches\Files\usd.dll
1fcc5b3ed6bc76d70cfa49d051e0dff6 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Common\Shared\dis.dll
daac1781c9d22f5743ade0cb41feaebf c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Defender\launch.exe
2d9df706d1857434fcaa014df70d1c66 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll
48121560f20700d6d77d21a3db8f11aa c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Messenger\Extension\WdExt.exe
6a9461f260ebb2556b8ae1d0ba93858a c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Repairs\sha.dll
d0c9ada173da923efabb53d5a9b28d54 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Shared\Modules\fil.dll
fffa05401511ad2a89283c52d0c86472 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Windows\Addins\att.dll
a67daddcb30335163cf7d99f282f5ae0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\RegEx.fnr
ce2f773275d3fe8b78f4cf067d5e6a0f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\com.run
6d4b2e73f6f8ecff02f19f7e8ef9a8c7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\dp1.fne
25b794b18bd8d03dc9530111cbce4173 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\eAPI.fne
56e9e121d68b5631a360d56b2ef4777f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\internet.fne
1081d7eb7a17faedfa588b93fc85365e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\krnln.fnr
d54753e7fc3ea03aec0181447969c0e8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\shell.fne
1518651c682109e9b9c304c9c109d777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\spec.fne
a67daddcb30335163cf7d99f282f5ae0 c:\WINDOWS\system32\RegEx.fnr
4c8959d2be0df53dcf188a133422e316 c:\WINDOWS\system32\XP-542ADE6B.EXE
ce2f773275d3fe8b78f4cf067d5e6a0f c:\WINDOWS\system32\com.run
6d4b2e73f6f8ecff02f19f7e8ef9a8c7 c:\WINDOWS\system32\dp1.fne
25b794b18bd8d03dc9530111cbce4173 c:\WINDOWS\system32\eAPI.fne
56e9e121d68b5631a360d56b2ef4777f c:\WINDOWS\system32\internet.fne
1081d7eb7a17faedfa588b93fc85365e c:\WINDOWS\system32\krnln.fnr
78d3c8705f8baf7d34e6a6737d1cfa18 c:\WINDOWS\system32\mscaps.exe
d54753e7fc3ea03aec0181447969c0e8 c:\WINDOWS\system32\shell.fne
1518651c682109e9b9c304c9c109d777 c:\WINDOWS\system32\spec.fne
978888892a1ed13e94d2fcb832a2a6b5 c:\WINDOWS\system32\wtime32.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2108 2560 3.76997 6dbb11cce72cc16b887018dd4c34d252
.rdata 8192 1478 1536 3.36814 838666d924e8b6e9dfc84f930bd16733
.data 12288 135168 512 0.377955 7d6dcdf3bcb22dca4957ddb77c1c8cbf
.rsrc 147456 17848 20480 2.29668 9893dc80cd34a4f35e71e785f2632270

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e2847.dspb.akamaiedge.net/
update.microsoft.com 65.55.50.189
windowsupdate.microsoft.com 65.55.50.158


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

Strings from Dumps

XP-542ADE6B.EXE_576:

.text
`.rdata
@.data
.data
.rsrc
user32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
krnln.fne
krnln.fnr
1.1.3
%System%\XP-542ADE6B.EXE
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
og.edt
hXXp://VVV.yeanqin.com/ul.htm
"nurl\{((\d{1,3},)*\d{1,3})\}
[%s%]
[%f%]
document.all('
document.frames('
.value='';};catch(e){};function a(){};a();
.value='
].selected=true;};catch(e){};function a(){};a();
.options[
.checked='';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Recycled.exe
ul.dll
og.dll
:\autorun.inf
shellexecute
OLEACC.DLL
keybd_event
WebBrowser


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wtmps.exe:424
    mscaps.exe:1612
    @AE1.tmp.exe:1996
    %original file name%.exe:968
    XP-82C9699D.EXE:324
    launch.exe:560
    WdExt.exe:2012

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (1250 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (69 bytes)
    %System%\ul.dll (2 bytes)
    %System%\internet.fne (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\error[1].htm (2 bytes)
    %System%\com.run (1425 bytes)
    %System%\og.edt (512 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (74 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
    %System%\XP-82C9699D.EXE (7386 bytes)
    %System%\og.dll (692 bytes)
    %System%\eAPI.fne (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %System%\spec.fne (601 bytes)
    %System%\krnln.fnr (7433 bytes)
    %System%\dp1.fne (601 bytes)
    %System%\shell.fne (40 bytes)
    %System%\RegEx.fnr (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fnr (217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
    %System%\mscaps.exe (27349 bytes)
    %System%\wtime32.dll (29045 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (406 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (406836 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (216451 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (1304 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (907 bytes)
    %Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
    %Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
    %Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (1792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (266 bytes)
    %System%\XP-542ADE6B.EXE (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (55476 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (28924 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (36444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (21164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (200332 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (48916 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (18508 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (26548 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (103749 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "XP-542ADE6B" = "%System%\XP-542ADE6B.EXE"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
