Trojan.Clive.B_c12fdee696
Trojan.Win32.Agent.aec (Kaspersky), Trojan.Clive.B (B) (Emsisoft), Trojan.Clive.B (AdAware), GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: c12fdee696bccd1974c9480055b447e2
SHA1: 593287dd4f0bef5c0eed61659cd6b95bf4019845
SHA256: de37e140f47434dd2f0eb82174d99e19d036378c7f49f7d76544405b9895621e
SSDeep: 1536:H1trYE48FMnwGkG4uGIiQozrCRYFd mh4Zzh1wXYqM16bVBJu6:TrYdI8wpGKIUCEmrwXYmZ7
Size: 152064 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Windows
Created at: 2006-12-13 15:15:04
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1044
wuauclt.exe:1880
NOTEPAD.EXE:1652
NOTEPAD.EXE:3356
netsh.exe:2080
netsh.exe:2912
WINMINE.EXE:3452
The Trojan injects its code into the following process(es):
soundmix.exe:1136
Explorer.EXE:884
File activity
The process %original file name%.exe:1044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
%System%\soundmix.exe (673 bytes)
The process soundmix.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\etc\hosts.tmp (1592 bytes)
%System%\dllcache\zipexr.dll (1281 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
The process wuauclt.exe:1880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2448 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
Registry activity
The process %original file name%.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914\695404737]
"43014726" = "0500687474703A2F2F6D617474666F6C6C2E65752E696E74657269612E706C2F6C6F676F732E67696600687474703A2F2F7374312E646973742E73752E6C742F6C6F676F682E67696600687474703A2F2F6C70626D782E72752F6C6F676F732E67696600687474703A2F2F626A65726D2E6D6173732E68632E72752F6C6F676F682E67696600687474703A2F2F534F536954455F41564552495F534F5369544545452E6861686168"
"14338242" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"7169121" = "36"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"35845605" = "169"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC D5 30 8D 8B 19 30 D5 D1 F4 EC B7 CA FA D7 81"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"50183847" = "AB5E0738695C8F8323226F12B1D03D7D79E71A90760ACADED2B04A211637CD4145F6749BEE9023AA532184F995577060D6510DE74D26646EFEDFC32366D2CC8E7771C37E919020908A4DB60C10921A99946050DEA9E148F0FFAB69F3A9524762D4085A5E517FCB0C38FF00DB7E5CB8BFF62F51C41C88B0B67DC3FC07CB089EF3"
"21507363" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process soundmix.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCR\exefile\shell\open\command]
"(Default)" = "soundmix %1 %*"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%System%\soundmix.exe"
The process NOTEPAD.EXE:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 59 DB 02 50 B5 4F A6 BD 65 EF 51 8E DE A0 3C"
The process NOTEPAD.EXE:3356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 DE 8D 6E 60 FB C4 09 BF 8A 80 0E 8D F1 24 14"
The process netsh.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 88 33 C5 F6 2A DE A0 60 08 85 45 B9 B1 66 19"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process netsh.exe:2912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 5C 7E FC F2 28 9A 0B BB 63 53 A3 7B B2 D8 A7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process WINMINE.EXE:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB BA 49 27 4E A9 59 E4 E6 40 AD 2D 99 BD 35 4D"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 858 bytes in size. The following strings are added to the hosts file listed below:
| 61.129.115.198 | www.xldd.com |
| 61.129.115.198 | www.ojiang.com |
| 61.129.115.198 | www.shuixian.net |
| 61.129.115.198 | www.xlarea.com |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 10980 | 11264 | 3.88338 | e7fc50f740f137765ace69aeff0f9cd5 |
| .data | 16384 | 1296 | 1536 | 1.38965 | 78a2c61d8db2888d424d60e8ea7437b1 |
| .bss | 20480 | 1504 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 24576 | 2904 | 3072 | 3.09122 | 5a15ea2c22a4e1efe19ed39213c3fb3c |
| .ndata | 28672 | 73728 | 73728 | 5.53795 | fcb7213ab98536b00e79c1c02589778c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
.data
.idata
.ndata
Win32.Dxclive
\soundmix.exe
\dllcache\zipexr.dll
RECYCLER\autorun.exe
autorun.inf
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
\drivers\etc\hosts.tmp
Kernel32.dll
C:\stop.txt
WindowsApp
shell\open\Command=RECYCLER\autorun.exe -OpenCurDir
shell\explore\Command=RECYCLER\autorun.exe -ExploreCurDir
61.129.115.198 www.xldd.com
61.129.115.198 www.ojiang.com
61.129.115.198 www.shuixian.net
61.129.115.198 www.xlarea.com
%System%\dllcache\zipexr.dll
%System%
soundmix.exe
%System%\soundmix.exe
RegCloseKey
RegOpenKeyExA
GetProcessHeap
ShellExecuteA
PSAPI.DLL
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
KERNEL32.DLL
http://mattfoll.eu.interia.pl/logos.gif
http://st1.dist.su.lt/logoh.gif
http://lpbmx.ru/logos.gif
http://bjerm.mass.hc.ru/logoh.gif
http://SOSiTE_AVERI_SOSiTEEE.hahah
Q*G.Cwtt$
\.lhh
/34@.NSP
K.FX>Q
.LK'E
Phttp://89.11;
.info/home.gifv*y
.text^
.rdata
]6.dB
4.At%
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
UrlA'G
\'Web%f
HTTP)e
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
SHFileOperationA
soundmix.exe_1136_rwx_00401000_00001000:
Win32.Dxclive
\soundmix.exe
\dllcache\zipexr.dll
RECYCLER\autorun.exe
autorun.inf
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
soundmix.exe_1136_rwx_00408000_00010000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
soundmix.exe
.text
%System%\soundmix.exe
http://mattfoll.eu.interia.pl/logos.gif
http://st1.dist.su.lt/logoh.gif
http://lpbmx.ru/logos.gif
http://bjerm.mass.hc.ru/logoh.gif
http://SOSiTE_AVERI_SOSiTEEE.hahah
Q*G.Cwtt$
\.lhh
/34@.NSP
K.FX>Q
.LK'E
Phttp://89.11;
.info/home.gifv*y
.text^
.rdata
]6.dB
4.At%
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
UrlA'G
\'Web%f
HTTP)e
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
soundmix.exe_1136_rwx_009E0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
soundmix.exe_1136_rwx_009F0000_00001000:
|soundmix.exeM_1136_
Explorer.EXE_884_rwx_01E90000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Explorer.EXE_884_rwx_02100000_00001000:
|explorer.exeM_884_
Explorer.EXE_884_rwx_02370000_00001000:
Kernel32.dll
C:\stop.txt
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1044
wuauclt.exe:1880
NOTEPAD.EXE:1652
NOTEPAD.EXE:3356
netsh.exe:2080
netsh.exe:2912
WINMINE.EXE:3452 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\system.ini (70 bytes)
%System%\soundmix.exe (673 bytes)
%System%\drivers\etc\hosts.tmp (1592 bytes)
%System%\dllcache\zipexr.dll (1281 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2448 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%System%\soundmix.exe" - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
