Trojan.Delf.GK_1b7b5196bd
Trojan.Win32.Delf.gk (Kaspersky), Trojan.Delf.GK (B) (Emsisoft), Trojan.Delf.GK (AdAware), Trojan.Win32.Sasfis.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, GenericEmailWorm.YR, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1b7b5196bd75235f7c6dbb5fa0d761ce
SHA1: a218c93cfd485735bc9376617460db0d9fd7978d
SHA256: 391baf333889f67aaa53c7f1db68d6242dcbe4a48f412572e69515f42244a2a6
SSDeep: 3072:r5GzISZslc9MlKjptTm9GwiKCQ3KBrQ2viZ9 csqhpN7dKog o6mdyzconDQ8r:7SZslc2lKL6YKCQUeZ9Gr5Kog3Qpnka
Size: 160445 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: DownloadManagercerts
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
at.exe:1632
at.exe:3540
at.exe:140
at.exe:3564
at.exe:3668
at.exe:3684
at.exe:3676
at.exe:3660
%original file name%.exe:580
The Trojan injects its code into the following process(es):
%original file name%.exe:312
%original file name%.exe:1888
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Adobe\Updater6\Adobe_Updater.exe (1593 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DW20.EXE (1095 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (1607 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (2071 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Eula.exe (2103 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (887 bytes)
%Program Files%\Messenger\msmsgs.exe (1941 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe (2471 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ReaderUpdater.exe (903 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe (1195 bytes)
%Program Files%\Internet Explorer\IEXPLORE.EXE (919 bytes)
%Program Files%\Internet Explorer\iedw.exe (1195 bytes)
C:\%original file name%.exe (34 bytes)
%Program Files%\Common Files\Java\Java Update\jucheck.exe (983 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroRd32.exe (1783 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AcrobatUpdater.exe (903 bytes)
%Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\Setup.exe (1591 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (2423 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (887 bytes)
%Program Files%\Common Files\Java\Java Update\jaureg.exe (2103 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (583 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (2279 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (1079 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwrmind.exe (1195 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\LogTransport2.exe (647 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwtutor.exe (2007 bytes)
%Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (1195 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (1255 bytes)
%Program Files%\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe (647 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroBroker.exe (599 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (1195 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe123 (570722 bytes)
%Program Files%\Internet Explorer\Connection Wizard\isignup.exe (1195 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (1015 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\A3DUtility.exe (1143 bytes)
%Program Files%\Common Files\Java\Java Update\jaucheck.exe (1847 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe123 (0 bytes)
The process %original file name%.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe123 (2737861 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe123 (0 bytes)
The process %original file name%.exe:1888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\lsass.exe (601 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\uwid.pif (103 bytes)
C:\autorun.inf (228 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wvkrb.txt (3172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winxcwbe.exe (741 bytes)
The Trojan deletes the following file(s):
%WinDir%\lsass.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winxcwbe.exe (0 bytes)
Registry activity
The process at.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 2C 4E DE D0 F0 71 80 FC 17 3D 86 22 3F F8 AC"
The process at.exe:3540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 37 C5 B7 DE F9 2C AE D4 BB DC 97 DF 03 70 46"
The process at.exe:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 9D 41 C4 A1 55 D3 72 4F B6 C4 A1 2C 1D 48 30"
The process at.exe:3564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 7A E0 B7 5F 8B DC 7D 48 94 AB 32 43 D5 95 95"
The process at.exe:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 DF 96 09 C7 5C 28 B6 0B 1E 1F 48 04 98 4C A4"
The process at.exe:3684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 A0 8B E4 08 50 FC 5F E7 14 E1 BD 58 2E F9 22"
The process at.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 8B 84 DE 1B 81 D8 B7 8B 61 49 63 51 DD DB F0"
The process at.exe:3660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 26 12 D4 73 EB AE 26 12 56 10 3A BB 64 01 7A"
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 1D D3 77 B3 34 D3 99 F9 04 BD B0 99 AA C9 72"
The process %original file name%.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 61 7E 57 04 A6 17 80 EA 63 CD A1 CE 97 33 36"
The process %original file name%.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "2378249673"
[HKCU\Software\Aas\695404737]
"35845605" = "397"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "06A8BB1AD2BF41C19C957B4CFBEDFF1EF2E3DBE4DA4CD047EAD75E66990059CCABC859A6F25DCE12C46ACFD1231BE43A44AD47CB2CB3B9B6631773B6B0B554211CAC18062A3268B25D9944460116DE02E91BDD350C12D825D2A50CC8D8C43714ED90C6C665B92D768DAC66752F17E51E8C3DDE8BAFA8C6BE3B1DD99913135E28"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "124"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 DF 3D C4 A8 A1 EE AD B8 F5 2C 91 70 8E E6 B7"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Aas]
"a2_0" = "7729"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Traybar" = "%WinDir%\lsass.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
168f82da97782a9be7607a0bf688bb16 | c:\%original file name%.exe |
ca26b7adc4ad21e6716d3f9715302c28 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\%original file name%.exe |
168f82da97782a9be7607a0bf688bb16 | c:\WINDOWS\lsass.exe |
7f683b94f6ea7ac0b9c651b40f6d6318 | c:\uwid.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 45056 | 23040 | 5.52154 | 93141533ea60684ac223e2cc526d78b9 |
DATA | 49152 | 4096 | 1024 | 3.41191 | e72a82b0f6aeb61144592eaae9f30acb |
BSS | 53248 | 73728 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 126976 | 4096 | 1024 | 5.40353 | a2871b28e4191cfa4fdb7c6ca3475ba3 |
.tls | 131072 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 135168 | 4096 | 512 | 0.115228 | 18c334b7f458dd856c37780c623b7490 |
.reloc | 139264 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 143360 | 8192 | 2048 | 3.94208 | 8305e9a86ea33eb066019724e8f6271b |
.aspack | 151552 | 8192 | 5632 | 3.76159 | bebc19802693a6919623ed1bc6c1bc62 |
.adata | 159744 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
994915473101ca813ed22112d1fbf53f
75e341efaaecdb082015e3031a179e37
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
at.exe:1632
at.exe:3540
at.exe:140
at.exe:3564
at.exe:3668
at.exe:3684
at.exe:3676
at.exe:3660
%original file name%.exe:580
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Common Files\Adobe\Updater6\Adobe_Updater.exe (1593 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DW20.EXE (1095 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (1607 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (2071 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Eula.exe (2103 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (887 bytes)
%Program Files%\Messenger\msmsgs.exe (1941 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe (2471 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ReaderUpdater.exe (903 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe (1195 bytes)
%Program Files%\Internet Explorer\IEXPLORE.EXE (919 bytes)
%Program Files%\Internet Explorer\iedw.exe (1195 bytes)
C:\%original file name%.exe (34 bytes)
%Program Files%\Common Files\Java\Java Update\jucheck.exe (983 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroRd32.exe (1783 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AcrobatUpdater.exe (903 bytes)
%Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\Setup.exe (1591 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (2423 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (887 bytes)
%Program Files%\Common Files\Java\Java Update\jaureg.exe (2103 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (583 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (2279 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (1079 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwrmind.exe (1195 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\LogTransport2.exe (647 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwtutor.exe (2007 bytes)
%Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (1195 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (1255 bytes)
%Program Files%\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe (647 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroBroker.exe (599 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (1195 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\%original file name%.exe123 (570722 bytes)
%Program Files%\Internet Explorer\Connection Wizard\isignup.exe (1195 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (1015 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\A3DUtility.exe (1143 bytes)
%Program Files%\Common Files\Java\Java Update\jaucheck.exe (1847 bytes)
%WinDir%\lsass.exe (601 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\uwid.pif (103 bytes)
C:\autorun.inf (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wvkrb.txt (3172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winxcwbe.exe (741 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Traybar" = "%WinDir%\lsass.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.